Edit tour

Windows Analysis Report
SensorExpo.exe

Overview

General Information

Sample name:	SensorExpo.exe
Analysis ID:	1587435
MD5:	bc13a0403a10a32c7c81e29f430e9cc7
SHA1:	33d3af3457d4bbd3a0b3ce0dd367dcd330d7d4be
SHA256:	bf8d48786e209db46e1b20b1d4c04702427bed6417bdd4b1cc7f98041064304d
Tags:	exeuser-zhuzhu0009
Infos:

Detection

LummaC

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Found malware configuration

Multi AV Scanner detection for submitted file

Sigma detected: Search for Antivirus process

Suricata IDS alerts for network traffic

Yara detected LummaC Stealer

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Drops PE files with a suspicious file extension

LummaC encrypted strings found

Sample uses string decryption to hide its real strings

Tries to resolve many domain names, but no domain seems valid

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Enables debug privileges

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

OS version to string mapping found (often used in BOTs)

PE / OLE file has an invalid certificate

PE file contains an invalid checksum

Potential key logger detected (key state polling based)

Sample execution stops while process was sleeping (likely an evasion)

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

SensorExpo.exe (PID: 7600 cmdline: "C:\Users\user\Desktop\SensorExpo.exe" MD5: BC13A0403A10A32C7C81E29F430E9CC7)

cmd.exe (PID: 7680 cmdline: "C:\Windows\System32\cmd.exe" /c move Rotation Rotation.cmd & Rotation.cmd MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 7688 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tasklist.exe (PID: 7760 cmdline: tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1)

findstr.exe (PID: 7768 cmdline: findstr /I "opssvc wrsa" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)

tasklist.exe (PID: 7804 cmdline: tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1)

findstr.exe (PID: 7812 cmdline: findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)

cmd.exe (PID: 7860 cmdline: cmd /c md 342536 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

extrac32.exe (PID: 7876 cmdline: extrac32 /Y /E Horses MD5: 9472AAB6390E4F1431BAA912FCFF9707)

findstr.exe (PID: 7896 cmdline: findstr /V "HARDER" Southwest MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)

cmd.exe (PID: 7912 cmdline: cmd /c copy /b ..\Satisfaction + ..\Eau + ..\Whatever + ..\Transparent + ..\Measuring + ..\Basket + ..\Did X MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

Breakdown.com (PID: 7928 cmdline: Breakdown.com X MD5: 62D09F076E6E0240548C2F837536A46A)

choice.exe (PID: 7944 cmdline: choice /d y /t 5 MD5: FCE0E41C87DC4ABBE976998AD26C27E4)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Lumma Stealer, LummaC2 Stealer	Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.	No Attribution	https://0xmrmagnezi.github.io/malware%20analysis/LummaStealer/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/lummac2-breakdown#chrome-extensions-crx https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.cyble.com/2023/01/06/lummac2-stealer-a-potent-threat-to-crypto-users/ https://blog.sekoia.io/exposing-fakebat-loader-distribution-methods-and-adversary-infrastructure/	https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Malware Configuration

Threatname: LummaC

{"C2 url": ["tentabatte.lat", "slipperyloo.lat", "ingreem-eilish.biz", "shapestickyr.lat", "talkynicer.lat", "bashfulacid.lat", "manyrestro.lat", "curverpluch.lat", "wordyfindy.lat"], "Build id": "HpOoIh--3fe7f419a360"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
decrypted.memstr	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security

Sigma Signatures

HIPS / PFW / Operating System Protection Evasion

Sigma detected: Search for Antivirus process

Source: Process started

Author: Joe Security: Data: Command: findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth" , CommandLine: findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth" , CommandLine|base64offset|contains: ~), Image: C:\Windows\SysWOW64\findstr.exe, NewProcessName: C:\Windows\SysWOW64\findstr.exe, OriginalFileName: C:\Windows\SysWOW64\findstr.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c move Rotation Rotation.cmd & Rotation.cmd, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 7680, ParentProcessName: cmd.exe, ProcessCommandLine: findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth" , ProcessId: 7812, ProcessName: findstr.exe

Suricata Signatures

ET JA3 Hash - Possible Malware - Fake Firefox Font Update

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-10T11:35:36.399349+0100	2028371	3	Unknown Traffic	192.168.2.9	49948	104.102.49.254	443	TCP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (bashfulacid .lat)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-10T11:35:35.710566+0100	2058480	1	Domain Observed Used for C2 Detected	192.168.2.9	57306	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (curverpluch .lat)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-10T11:35:35.686145+0100	2058484	1	Domain Observed Used for C2 Detected	192.168.2.9	54992	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (ingreem-eilish .biz)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-10T11:35:35.610929+0100	2058612	1	Domain Observed Used for C2 Detected	192.168.2.9	63234	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (manyrestro .lat)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-10T11:35:35.648523+0100	2058492	1	Domain Observed Used for C2 Detected	192.168.2.9	56395	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (shapestickyr .lat)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-10T11:35:35.661984+0100	2058500	1	Domain Observed Used for C2 Detected	192.168.2.9	51760	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (slipperyloo .lat)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-10T11:35:35.636901+0100	2058502	1	Domain Observed Used for C2 Detected	192.168.2.9	55763	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (talkynicer .lat)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-10T11:35:35.673886+0100	2058510	1	Domain Observed Used for C2 Detected	192.168.2.9	50702	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (tentabatte .lat)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-10T11:35:35.697445+0100	2058512	1	Domain Observed Used for C2 Detected	192.168.2.9	52668	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (wordyfindy .lat)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-10T11:35:35.624944+0100	2058514	1	Domain Observed Used for C2 Detected	192.168.2.9	63436	1.1.1.1	53	UDP

ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-10T11:35:37.291952+0100	2858666	1	Domain Observed Used for C2 Detected	192.168.2.9	49948	104.102.49.254	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: https://bashfulacid.lat:443/api	Avira URL Cloud: Label: malware
Source: https://wordyfindy.lat/api9CA	Avira URL Cloud: Label: malware
Source: https://talkynicer.lat/api	Avira URL Cloud: Label: malware
Source: https://tentabatte.lat:443/apig	Avira URL Cloud: Label: malware
Source: https://slipperyloo.lat/api	Avira URL Cloud: Label: malware
Source: https://shapestickyr.lat:443/api	Avira URL Cloud: Label: malware
Source: https://bashfulacid.lat/api	Avira URL Cloud: Label: malware
Source: https://curverpluch.lat:443/api	Avira URL Cloud: Label: malware
Source: https://curverpluch.lat/api	Avira URL Cloud: Label: malware
Source: https://tentabatte.lat/api570	Avira URL Cloud: Label: malware
Source: https://manyrestro.lat:443/api2	Avira URL Cloud: Label: malware
Source: https://manyrestro.lat/api838	Avira URL Cloud: Label: malware
Source: ingreem-eilish.biz	Avira URL Cloud: Label: malware
Source: https://talkynicer.lat:443/apiapi102f33f33f33f33f70f121f106f117f33f33f33f33f82f118f102f116f117f106f1	Avira URL Cloud: Label: malware

Found malware configuration

Source: 0000000C.00000002.1725317595.0000000000F58000.00000004.00000020.00020000.00000000.sdmp

Malware Configuration Extractor: LummaC {"C2 url": ["tentabatte.lat", "slipperyloo.lat", "ingreem-eilish.biz", "shapestickyr.lat", "talkynicer.lat", "bashfulacid.lat", "manyrestro.lat", "curverpluch.lat", "wordyfindy.lat"], "Build id": "HpOoIh--3fe7f419a360"}

Multi AV Scanner detection for submitted file

Source: SensorExpo.exe	Virustotal: Detection: 61%			Perma Link
Source: SensorExpo.exe	ReversingLabs: Detection: 70%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 97.6% probability

Sample uses string decryption to hide its real strings

Source: 0000000C.00000002.1725565907.0000000003800000.00000004.00000800.00020000.00000000.sdmp	String decryptor: bashfulacid.lat
Source: 0000000C.00000002.1725565907.0000000003800000.00000004.00000800.00020000.00000000.sdmp	String decryptor: tentabatte.lat
Source: 0000000C.00000002.1725565907.0000000003800000.00000004.00000800.00020000.00000000.sdmp	String decryptor: curverpluch.lat
Source: 0000000C.00000002.1725565907.0000000003800000.00000004.00000800.00020000.00000000.sdmp	String decryptor: talkynicer.lat
Source: 0000000C.00000002.1725565907.0000000003800000.00000004.00000800.00020000.00000000.sdmp	String decryptor: shapestickyr.lat
Source: 0000000C.00000002.1725565907.0000000003800000.00000004.00000800.00020000.00000000.sdmp	String decryptor: manyrestro.lat
Source: 0000000C.00000002.1725565907.0000000003800000.00000004.00000800.00020000.00000000.sdmp	String decryptor: slipperyloo.lat
Source: 0000000C.00000002.1725565907.0000000003800000.00000004.00000800.00020000.00000000.sdmp	String decryptor: wordyfindy.lat
Source: 0000000C.00000002.1725565907.0000000003800000.00000004.00000800.00020000.00000000.sdmp	String decryptor: ingreem-eilish.biz
Source: 0000000C.00000002.1725565907.0000000003800000.00000004.00000800.00020000.00000000.sdmp	String decryptor: lid=%s&j=%s&ver=4.0
Source: 0000000C.00000002.1725565907.0000000003800000.00000004.00000800.00020000.00000000.sdmp	String decryptor: TeslaBrowser/5.5
Source: 0000000C.00000002.1725565907.0000000003800000.00000004.00000800.00020000.00000000.sdmp	String decryptor: - Screen Resoluton:
Source: 0000000C.00000002.1725565907.0000000003800000.00000004.00000800.00020000.00000000.sdmp	String decryptor: - Physical Installed Memory:
Source: 0000000C.00000002.1725565907.0000000003800000.00000004.00000800.00020000.00000000.sdmp	String decryptor: Workgroup: -
Source: 0000000C.00000002.1725565907.0000000003800000.00000004.00000800.00020000.00000000.sdmp	String decryptor: HpOoIh--3fe7f419a360

Source: SensorExpo.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.9:49948 version: TLS 1.2

Source: SensorExpo.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\SensorExpo.exe	Code function: 0_2_00406301 FindFirstFileW,FindClose,	0_2_00406301
Source: C:\Users\user\Desktop\SensorExpo.exe	Code function: 0_2_00406CC7 DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,	0_2_00406CC7
Source: C:\Users\user\AppData\Local\Temp\342536\Breakdown.com	Code function: 12_2_0033DC54 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	12_2_0033DC54
Source: C:\Users\user\AppData\Local\Temp\342536\Breakdown.com	Code function: 12_2_0034A087 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	12_2_0034A087
Source: C:\Users\user\AppData\Local\Temp\342536\Breakdown.com	Code function: 12_2_0034A1E2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	12_2_0034A1E2
Source: C:\Users\user\AppData\Local\Temp\342536\Breakdown.com	Code function: 12_2_0033E472 lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	12_2_0033E472
Source: C:\Users\user\AppData\Local\Temp\342536\Breakdown.com	Code function: 12_2_0034A570 FindFirstFileW,Sleep,FindNextFileW,FindClose,	12_2_0034A570
Source: C:\Users\user\AppData\Local\Temp\342536\Breakdown.com	Code function: 12_2_0030C622 FindFirstFileExW,	12_2_0030C622
Source: C:\Users\user\AppData\Local\Temp\342536\Breakdown.com	Code function: 12_2_003466DC FindFirstFileW,FindNextFileW,FindClose,	12_2_003466DC
Source: C:\Users\user\AppData\Local\Temp\342536\Breakdown.com	Code function: 12_2_00347333 FindFirstFileW,FindClose,	12_2_00347333
Source: C:\Users\user\AppData\Local\Temp\342536\Breakdown.com	Code function: 12_2_003473D4 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	12_2_003473D4
Source: C:\Users\user\AppData\Local\Temp\342536\Breakdown.com	Code function: 12_2_0033D921 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	12_2_0033D921

Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\342536	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\342536\	Jump to behavior

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2058612 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (ingreem-eilish .biz) : 192.168.2.9:63234 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2058502 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (slipperyloo .lat) : 192.168.2.9:55763 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2058492 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (manyrestro .lat) : 192.168.2.9:56395 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2058512 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (tentabatte .lat) : 192.168.2.9:52668 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2058480 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (bashfulacid .lat) : 192.168.2.9:57306 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2058510 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (talkynicer .lat) : 192.168.2.9:50702 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2058500 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (shapestickyr .lat) : 192.168.2.9:51760 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2058484 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (curverpluch .lat) : 192.168.2.9:54992 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2058514 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (wordyfindy .lat) : 192.168.2.9:63436 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2858666 - Severity 1 - ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup : 192.168.2.9:49948 -> 104.102.49.254:443

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: tentabatte.lat
Source: Malware configuration extractor	URLs: slipperyloo.lat
Source: Malware configuration extractor	URLs: ingreem-eilish.biz
Source: Malware configuration extractor	URLs: shapestickyr.lat
Source: Malware configuration extractor	URLs: talkynicer.lat
Source: Malware configuration extractor	URLs: bashfulacid.lat
Source: Malware configuration extractor	URLs: manyrestro.lat
Source: Malware configuration extractor	URLs: curverpluch.lat
Source: Malware configuration extractor	URLs: wordyfindy.lat

Tries to resolve many domain names, but no domain seems valid

Source: unknown	DNS traffic detected: query: curverpluch.lat replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: manyrestro.lat replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: talkynicer.lat replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: ingreem-eilish.biz replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: dGLdANfraLQWkIdncWyNDGTFGl.dGLdANfraLQWkIdncWyNDGTFGl replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: slipperyloo.lat replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: tentabatte.lat replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: shapestickyr.lat replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: bashfulacid.lat replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: wordyfindy.lat replaycode: Name error (3)

Source: Joe Sandbox View

IP Address: 104.102.49.254 104.102.49.254

Source: Joe Sandbox View

JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: Network traffic

Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.9:49948 -> 104.102.49.254:443

Source: global traffic

HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: steamcommunity.com

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\AppData\Local\Temp\342536\Breakdown.com

Code function: 12_2_0034D889 InternetReadFile,SetEvent,GetLastError,SetEvent,

12_2_0034D889

Source: global traffic

Source: Breakdown.com, 0000000C.00000002.1725871661.0000000003A7D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.fastly.steamstatic.com/ https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.fastly.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/; equals www.youtube.com (Youtube)
Source: Breakdown.com, 0000000C.00000002.1725565907.0000000003886000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: Content-Security-Policydefault-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.fastly.steamstatic.com/ https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.fastly.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7C185ce35c568ebbb18a145d0cabae7186; Path=/; Secure; HttpOnly; SameSite=Nonesessionid=6cb2d3361aef9022b8f411a0; Path=/; Secure; SameSite=NoneSet-CookienginxServerRetry-AfterProxy-SupportProxy-AuthenticateP3PLocationETagAuthentication-InfoAgeAccept-RangesLast-ModifiedMon, 26 Jul 1997 05:00:00 GMTExpiresContent-RangeContent-MD5Content-LocationContent-LanguageContent-Encodingtext/html; charset=UTF-8Content-Type25665Content-LengthAllowWarningViaUpgradeTransfer-EncodingTrailerPragmaKeep-AliveFri, 10 Jan 2025 10:35:37 GMTDateProxy-ConnectioncloseConnectionno-cacheCache-ControlrE equals www.youtube.com (Youtube)
Source: Breakdown.com, 0000000C.00000002.1725565907.0000000003886000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.fastly.steamstatic.com/ https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.fastly.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/; equals www.youtube.com (Youtube)

Source: global traffic	DNS traffic detected: DNS query: dGLdANfraLQWkIdncWyNDGTFGl.dGLdANfraLQWkIdncWyNDGTFGl
Source: global traffic	DNS traffic detected: DNS query: ingreem-eilish.biz
Source: global traffic	DNS traffic detected: DNS query: wordyfindy.lat
Source: global traffic	DNS traffic detected: DNS query: slipperyloo.lat
Source: global traffic	DNS traffic detected: DNS query: manyrestro.lat
Source: global traffic	DNS traffic detected: DNS query: shapestickyr.lat
Source: global traffic	DNS traffic detected: DNS query: talkynicer.lat
Source: global traffic	DNS traffic detected: DNS query: curverpluch.lat
Source: global traffic	DNS traffic detected: DNS query: tentabatte.lat
Source: global traffic	DNS traffic detected: DNS query: bashfulacid.lat
Source: global traffic	DNS traffic detected: DNS query: steamcommunity.com

Source: Breakdown.com, 0000000C.00000002.1725565907.0000000003886000.00000004.00000800.00020000.00000000.sdmp, Breakdown.com, 0000000C.00000002.1725871661.0000000003A7D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:27060
Source: Breakdown.com, 0000000C.00000003.1705250712.00000000041E4000.00000004.00000800.00020000.00000000.sdmp, Sponsorship.9.dr, Breakdown.com.2.dr	String found in binary or memory: http://crl.globalsign.com/ca/gstsacasha384g4.crl0
Source: SensorExpo.exe	String found in binary or memory: http://crl.globalsign.com/codesigningrootr45.crl0U
Source: Breakdown.com, 0000000C.00000003.1705250712.00000000041E4000.00000004.00000800.00020000.00000000.sdmp, Sponsorship.9.dr, Breakdown.com.2.dr	String found in binary or memory: http://crl.globalsign.com/gscodesignsha2g3.crl0
Source: SensorExpo.exe	String found in binary or memory: http://crl.globalsign.com/gsgccr45evcodesignca2020.crl0
Source: Breakdown.com, 0000000C.00000003.1705250712.00000000041E4000.00000004.00000800.00020000.00000000.sdmp, Sponsorship.9.dr, Breakdown.com.2.dr	String found in binary or memory: http://crl.globalsign.com/root-r3.crl0G
Source: Breakdown.com, 0000000C.00000003.1705250712.00000000041E4000.00000004.00000800.00020000.00000000.sdmp, Montgomery.9.dr, Breakdown.com.2.dr	String found in binary or memory: http://crl.globalsign.com/root-r3.crl0c
Source: Breakdown.com, 0000000C.00000003.1705250712.00000000041E4000.00000004.00000800.00020000.00000000.sdmp, Sponsorship.9.dr, Breakdown.com.2.dr	String found in binary or memory: http://crl.globalsign.com/root-r6.crl0G
Source: SensorExpo.exe	String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: SensorExpo.exe	String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: SensorExpo.exe	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: Breakdown.com, 0000000C.00000003.1705250712.00000000041E4000.00000004.00000800.00020000.00000000.sdmp, Sponsorship.9.dr, Breakdown.com.2.dr	String found in binary or memory: http://ocsp.globalsign.com/ca/gstsacasha384g40C
Source: SensorExpo.exe	String found in binary or memory: http://ocsp.globalsign.com/codesigningrootr450F
Source: SensorExpo.exe	String found in binary or memory: http://ocsp.globalsign.com/gsgccr45evcodesignca20200U
Source: SensorExpo.exe	String found in binary or memory: http://ocsp.sectigo.com0
Source: Breakdown.com, 0000000C.00000003.1705250712.00000000041E4000.00000004.00000800.00020000.00000000.sdmp, Sponsorship.9.dr, Breakdown.com.2.dr	String found in binary or memory: http://ocsp2.globalsign.com/gscodesignsha2g30V
Source: Breakdown.com, 0000000C.00000003.1705250712.00000000041E4000.00000004.00000800.00020000.00000000.sdmp, Sponsorship.9.dr, Montgomery.9.dr, Breakdown.com.2.dr	String found in binary or memory: http://ocsp2.globalsign.com/rootr306
Source: Breakdown.com, 0000000C.00000003.1705250712.00000000041E4000.00000004.00000800.00020000.00000000.sdmp, Sponsorship.9.dr, Breakdown.com.2.dr	String found in binary or memory: http://ocsp2.globalsign.com/rootr606
Source: Montgomery.9.dr	String found in binary or memory: http://secure.globalsign.com/
Source: SensorExpo.exe	String found in binary or memory: http://secure.globalsign.com/cacert/codesigningrootr45.crt0A
Source: Breakdown.com, 0000000C.00000003.1705250712.00000000041E4000.00000004.00000800.00020000.00000000.sdmp, Breakdown.com.2.dr	String found in binary or memory: http://secure.globalsign.com/cacert/gscodesignsha2g3ocsp.crt08
Source: SensorExpo.exe	String found in binary or memory: http://secure.globalsign.com/cacert/gsgccr45evcodesignca2020.crt0?
Source: Breakdown.com, 0000000C.00000003.1705250712.00000000041E4000.00000004.00000800.00020000.00000000.sdmp, Sponsorship.9.dr, Breakdown.com.2.dr	String found in binary or memory: http://secure.globalsign.com/cacert/gstsacasha384g4.crt0
Source: Breakdown.com, 0000000C.00000002.1725317595.0000000000F58000.00000004.00000020.00020000.00000000.sdmp, Breakdown.com, 0000000C.00000002.1725871661.0000000003A7D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/account/cookiepreferences/
Source: Breakdown.com, 0000000C.00000002.1725317595.0000000000F58000.00000004.00000020.00020000.00000000.sdmp, Breakdown.com, 0000000C.00000002.1725871661.0000000003A7D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/privacy_agreement/
Source: Breakdown.com, 0000000C.00000002.1725317595.0000000000F58000.00000004.00000020.00020000.00000000.sdmp, Breakdown.com, 0000000C.00000002.1725871661.0000000003A7D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/subscriber_agreement/
Source: Breakdown.com, 0000000C.00000000.1444627136.00000000003A5000.00000002.00000001.01000000.00000007.sdmp, Breakdown.com, 0000000C.00000003.1705250712.00000000041E4000.00000004.00000800.00020000.00000000.sdmp, Montgomery.9.dr, Breakdown.com.2.dr	String found in binary or memory: http://www.autoitscript.com/autoit3/X
Source: Breakdown.com, 0000000C.00000002.1725871661.0000000003A7D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.valvesoftware.com/legal.htm
Source: Breakdown.com, 0000000C.00000002.1725871661.0000000003A7D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.steampowered.com/
Source: Breakdown.com, 0000000C.00000002.1725317595.0000000000FC1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bashfulacid.lat/api
Source: Breakdown.com, 0000000C.00000002.1725247823.0000000000EDC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bashfulacid.lat:443/api
Source: Breakdown.com, 0000000C.00000002.1725565907.0000000003886000.00000004.00000800.00020000.00000000.sdmp, Breakdown.com, 0000000C.00000002.1725871661.0000000003A7D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://broadcast.st.dl.eccdnx.com
Source: Breakdown.com, 0000000C.00000002.1725565907.0000000003886000.00000004.00000800.00020000.00000000.sdmp, Breakdown.com, 0000000C.00000002.1725871661.0000000003A7D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/
Source: Breakdown.com, 0000000C.00000002.1725871661.0000000003A7D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://checkout.steampowered.com/
Source: Breakdown.com, 0000000C.00000002.1725871661.0000000003A7D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/
Source: Breakdown.com, 0000000C.00000002.1725871661.0000000003A7D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/css/applications/community/main.css?v=SCXpgixTDzt4&a
Source: Breakdown.com, 0000000C.00000002.1725871661.0000000003A7D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/css/globalv2.css?v=hzEgqbtRcI5V&l=english&_c
Source: Breakdown.com, 0000000C.00000002.1725871661.0000000003A7D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/css/skin_1/fatalerror.css?v=OFUqlcDNiD6y&l=engli
Source: Breakdown.com, 0000000C.00000002.1725871661.0000000003A7D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/css/skin_1/header.css?v=EM4kCu67DNda&l=english&a
Source: Breakdown.com, 0000000C.00000002.1725317595.0000000000F58000.00000004.00000020.00020000.00000000.sdmp, Breakdown.com, 0000000C.00000002.1725871661.0000000003A7D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1
Source: Breakdown.com, 0000000C.00000002.1725317595.0000000000F58000.00000004.00000020.00020000.00000000.sdmp, Breakdown.com, 0000000C.00000002.1725871661.0000000003A7D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6
Source: Breakdown.com, 0000000C.00000002.1725317595.0000000000F58000.00000004.00000020.00020000.00000000.sdmp, Breakdown.com, 0000000C.00000002.1725871661.0000000003A7D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/applications/community/main.js?v=M_FULq_A
Source: Breakdown.com, 0000000C.00000002.1725317595.0000000000F58000.00000004.00000020.00020000.00000000.sdmp, Breakdown.com, 0000000C.00000002.1725871661.0000000003A7D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/applications/community/manifest.js?v=aep8
Source: Breakdown.com, 0000000C.00000002.1725871661.0000000003A7D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/global.js?v=jWc2JLWHx5Kn&l=english&am
Source: Breakdown.com, 0000000C.00000002.1725871661.0000000003A7D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=gQHVlrK4-jX-&l
Source: Breakdown.com, 0000000C.00000002.1725871661.0000000003A7D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/prototype-1.7.js?v=npJElBnrEO6W&l=eng
Source: Breakdown.com, 0000000C.00000002.1725871661.0000000003A7D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=pbdAKOcDIgbC
Source: Breakdown.com, 0000000C.00000002.1725871661.0000000003A7D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/buttons.css?v=qhQgyjWi6LgJ&l=english&
Source: Breakdown.com, 0000000C.00000002.1725871661.0000000003A7D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/motiva_sans.css?v=-yZgCk0Nu7kH&l=engl
Source: Breakdown.com, 0000000C.00000002.1725871661.0000000003A7D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/shared_global.css?v=Eq36AUaEgab8&l=en
Source: Breakdown.com, 0000000C.00000002.1725871661.0000000003A7D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/shared_responsive.css?v=JL1e4uQSrVGe&
Source: Breakdown.com, 0000000C.00000002.1725871661.0000000003A7D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016
Source: Breakdown.com, 0000000C.00000002.1725871661.0000000003A7D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/responsive/header_logo.png
Source: Breakdown.com, 0000000C.00000002.1725871661.0000000003A7D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png
Source: Breakdown.com, 0000000C.00000002.1725871661.0000000003A7D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png
Source: Breakdown.com, 0000000C.00000002.1725871661.0000000003A7D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/auth_refresh.js?v=w6QbwI-5-j2S&amp
Source: Breakdown.com, 0000000C.00000002.1725871661.0000000003A7D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/shared_global.js?v=Gr6TbGRvDtNE&am
Source: Breakdown.com, 0000000C.00000002.1725871661.0000000003A7D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=tvQ
Source: Breakdown.com, 0000000C.00000002.1725871661.0000000003A7D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/tooltip.js?v=QYkT4eS5mbTN&l=en
Source: Breakdown.com, 0000000C.00000002.1725317595.0000000000FC1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://curverpluch.lat/api
Source: Breakdown.com, 0000000C.00000002.1725247823.0000000000EDC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://curverpluch.lat:443/api
Source: Breakdown.com, 0000000C.00000002.1725871661.0000000003A7D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://help.steampowered.com/
Source: Breakdown.com, 0000000C.00000002.1725871661.0000000003A7D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://help.steampowered.com/en/
Source: Breakdown.com, 0000000C.00000002.1725871661.0000000003A7D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://login.steampowered.com/
Source: Breakdown.com, 0000000C.00000002.1725565907.0000000003886000.00000004.00000800.00020000.00000000.sdmp, Breakdown.com, 0000000C.00000002.1725871661.0000000003A7D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://lv.queniujq.cn
Source: Breakdown.com, 0000000C.00000002.1725317595.0000000000FC1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://manyrestro.lat/api838
Source: Breakdown.com, 0000000C.00000002.1725247823.0000000000EDC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://manyrestro.lat:443/api2
Source: Breakdown.com, 0000000C.00000002.1725565907.0000000003886000.00000004.00000800.00020000.00000000.sdmp, Breakdown.com, 0000000C.00000002.1725871661.0000000003A7D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://medal.tv
Source: Breakdown.com, 0000000C.00000002.1725565907.0000000003886000.00000004.00000800.00020000.00000000.sdmp, Breakdown.com, 0000000C.00000002.1725871661.0000000003A7D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://player.vimeo.com
Source: Breakdown.com, 0000000C.00000002.1725565907.0000000003886000.00000004.00000800.00020000.00000000.sdmp, Breakdown.com, 0000000C.00000002.1725871661.0000000003A7D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://recaptcha.net
Source: Breakdown.com, 0000000C.00000002.1725565907.0000000003886000.00000004.00000800.00020000.00000000.sdmp, Breakdown.com, 0000000C.00000002.1725871661.0000000003A7D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://recaptcha.net/recaptcha/;
Source: Breakdown.com, 0000000C.00000002.1725565907.0000000003886000.00000004.00000800.00020000.00000000.sdmp, Breakdown.com, 0000000C.00000002.1725871661.0000000003A7D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://s.ytimg.com;
Source: SensorExpo.exe	String found in binary or memory: https://sectigo.com/CPS0
Source: Breakdown.com, 0000000C.00000002.1725247823.0000000000EDC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://shapestickyr.lat:443/api
Source: Breakdown.com, 0000000C.00000002.1725565907.0000000003886000.00000004.00000800.00020000.00000000.sdmp, Breakdown.com, 0000000C.00000002.1725871661.0000000003A7D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://sketchfab.com
Source: Breakdown.com, 0000000C.00000002.1725317595.0000000000FC1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://slipperyloo.lat/api
Source: Breakdown.com, 0000000C.00000002.1725565907.0000000003886000.00000004.00000800.00020000.00000000.sdmp, Breakdown.com, 0000000C.00000002.1725871661.0000000003A7D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://steam.tv/
Source: Breakdown.com, 0000000C.00000002.1725565907.0000000003886000.00000004.00000800.00020000.00000000.sdmp, Breakdown.com, 0000000C.00000002.1725871661.0000000003A7D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://steambroadcast-test.akamaized.net
Source: Breakdown.com, 0000000C.00000002.1725565907.0000000003886000.00000004.00000800.00020000.00000000.sdmp, Breakdown.com, 0000000C.00000002.1725871661.0000000003A7D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://steambroadcast.akamaized.net
Source: Breakdown.com, 0000000C.00000002.1725565907.0000000003886000.00000004.00000800.00020000.00000000.sdmp, Breakdown.com, 0000000C.00000002.1725871661.0000000003A7D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://steambroadcastchat.akamaized.net
Source: Breakdown.com, 0000000C.00000002.1725317595.0000000000F58000.00000004.00000020.00020000.00000000.sdmp, Breakdown.com, 0000000C.00000002.1725871661.0000000003A7D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com
Source: Breakdown.com, 0000000C.00000002.1725871661.0000000003A7D000.00000004.00000800.00020000.00000000.sdmp, Breakdown.com, 0000000C.00000002.1725738342.0000000003895000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/
Source: Breakdown.com, 0000000C.00000002.1725871661.0000000003A7D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/?subsection=broadcasts
Source: Breakdown.com, 0000000C.00000002.1725871661.0000000003A7D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/discussions/
Source: Breakdown.com, 0000000C.00000002.1725317595.0000000000FC1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/g
Source: Breakdown.com, 0000000C.00000002.1725317595.0000000000F58000.00000004.00000020.00020000.00000000.sdmp, Breakdown.com, 0000000C.00000002.1725871661.0000000003A7D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org
Source: Breakdown.com, 0000000C.00000002.1725871661.0000000003A7D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/login/home/?goto=profiles%2F76561199724331900
Source: Breakdown.com, 0000000C.00000002.1725871661.0000000003A7D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/market/
Source: Breakdown.com, 0000000C.00000002.1725871661.0000000003A7D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/my/wishlist/
Source: Breakdown.com, 0000000C.00000002.1725565907.0000000003854000.00000004.00000800.00020000.00000000.sdmp, Breakdown.com, 0000000C.00000002.1725738342.0000000003895000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900
Source: Breakdown.com, 0000000C.00000002.1725871661.0000000003A7D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/workshop/
Source: Breakdown.com, 0000000C.00000002.1725247823.0000000000EDC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com:443/profiles/76561199724331900(
Source: Breakdown.com, 0000000C.00000002.1725871661.0000000003A7D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/
Source: Breakdown.com, 0000000C.00000002.1725565907.0000000003886000.00000004.00000800.00020000.00000000.sdmp, Breakdown.com, 0000000C.00000002.1725871661.0000000003A7D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/;
Source: Breakdown.com, 0000000C.00000002.1725565907.0000000003886000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7C185ce35c568ebbb
Source: Breakdown.com, 0000000C.00000002.1725871661.0000000003A7D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/about/
Source: Breakdown.com, 0000000C.00000002.1725871661.0000000003A7D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/explore/
Source: Breakdown.com, 0000000C.00000002.1725317595.0000000000F58000.00000004.00000020.00020000.00000000.sdmp, Breakdown.com, 0000000C.00000002.1725871661.0000000003A7D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/legal/
Source: Breakdown.com, 0000000C.00000002.1725871661.0000000003A7D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/mobile
Source: Breakdown.com, 0000000C.00000002.1725871661.0000000003A7D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/news/
Source: Breakdown.com, 0000000C.00000002.1725871661.0000000003A7D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/points/shop
Source: Breakdown.com, 0000000C.00000002.1725871661.0000000003A7D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/points/shop/
Source: Breakdown.com, 0000000C.00000002.1725871661.0000000003A7D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/privacy_agreement/
Source: Breakdown.com, 0000000C.00000002.1725871661.0000000003A7D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/stats/
Source: Breakdown.com, 0000000C.00000002.1725871661.0000000003A7D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/steam_refunds/
Source: Breakdown.com, 0000000C.00000002.1725871661.0000000003A7D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/subscriber_agreement/
Source: Breakdown.com, 0000000C.00000002.1725317595.0000000000FC1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://talkynicer.lat/api
Source: Breakdown.com, 0000000C.00000002.1725247823.0000000000EDC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://talkynicer.lat:443/apiapi102f33f33f33f33f70f121f106f117f33f33f33f33f82f118f102f116f117f106f1
Source: Breakdown.com, 0000000C.00000002.1725317595.0000000000FC1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tentabatte.lat/api570
Source: Breakdown.com, 0000000C.00000002.1725247823.0000000000EDC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tentabatte.lat:443/apig
Source: Breakdown.com, 0000000C.00000002.1725317595.0000000000FC1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://wordyfindy.lat/api9CA
Source: Breakdown.com, 0000000C.00000003.1705250712.00000000041E4000.00000004.00000800.00020000.00000000.sdmp, Sponsorship.9.dr, Breakdown.com.2.dr	String found in binary or memory: https://www.autoitscript.com/autoit3/
Source: Breakdown.com.2.dr	String found in binary or memory: https://www.globalsign.com/repository/0
Source: Breakdown.com, 0000000C.00000002.1725565907.0000000003886000.00000004.00000800.00020000.00000000.sdmp, Breakdown.com, 0000000C.00000002.1725871661.0000000003A7D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com
Source: Breakdown.com, 0000000C.00000002.1725871661.0000000003A7D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/recaptcha/
Source: Breakdown.com, 0000000C.00000002.1725565907.0000000003886000.00000004.00000800.00020000.00000000.sdmp, Breakdown.com, 0000000C.00000002.1725871661.0000000003A7D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.cn/recaptcha/
Source: Breakdown.com, 0000000C.00000002.1725565907.0000000003886000.00000004.00000800.00020000.00000000.sdmp, Breakdown.com, 0000000C.00000002.1725871661.0000000003A7D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com/recaptcha/
Source: Breakdown.com, 0000000C.00000002.1725317595.0000000000F58000.00000004.00000020.00020000.00000000.sdmp, Breakdown.com, 0000000C.00000002.1725871661.0000000003A7D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback
Source: Breakdown.com, 0000000C.00000002.1725565907.0000000003886000.00000004.00000800.00020000.00000000.sdmp, Breakdown.com, 0000000C.00000002.1725871661.0000000003A7D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com
Source: Breakdown.com, 0000000C.00000002.1725565907.0000000003886000.00000004.00000800.00020000.00000000.sdmp, Breakdown.com, 0000000C.00000002.1725871661.0000000003A7D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/

Source: unknown	Network traffic detected: HTTP traffic on port 49948 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49948

Source: unknown

HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.9:49948 version: TLS 1.2

Source: C:\Users\user\Desktop\SensorExpo.exe

Code function: 0_2_004050F9 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,

0_2_004050F9

Source: C:\Users\user\AppData\Local\Temp\342536\Breakdown.com

Code function: 12_2_0034F7C7 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

12_2_0034F7C7

Source: C:\Users\user\AppData\Local\Temp\342536\Breakdown.com

Code function: 12_2_0034F55C OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

12_2_0034F55C

Source: C:\Users\user\Desktop\SensorExpo.exe

Code function: 0_2_004044D1 GetDlgItem,GetDlgItem,IsDlgButtonChecked,GetDlgItem,GetAsyncKeyState,GetDlgItem,ShowWindow,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,

0_2_004044D1

Source: C:\Users\user\AppData\Local\Temp\342536\Breakdown.com

Code function: 12_2_00369FD2 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

12_2_00369FD2

Source: C:\Users\user\AppData\Local\Temp\342536\Breakdown.com

Code function: 12_2_00344763: GetFullPathNameW,_wcslen,CreateDirectoryW,CreateFileW,RemoveDirectoryW,DeviceIoControl,CloseHandle,CloseHandle,

12_2_00344763

Source: C:\Users\user\AppData\Local\Temp\342536\Breakdown.com

Code function: 12_2_00331B4D LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

12_2_00331B4D

Source: C:\Users\user\Desktop\SensorExpo.exe	Code function: 0_2_004038AF EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,DeleteFileW,CoUninitialize,ExitProcess,lstrcatW,lstrcmpiW,CreateDirectoryW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,ExitWindowsEx,		0_2_004038AF
Source: C:\Users\user\AppData\Local\Temp\342536\Breakdown.com	Code function: 12_2_0033F20D ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,		12_2_0033F20D

Source: C:\Users\user\Desktop\SensorExpo.exe	File created: C:\Windows\EssenceDf	Jump to behavior
Source: C:\Users\user\Desktop\SensorExpo.exe	File created: C:\Windows\ScheduleUniv	Jump to behavior
Source: C:\Users\user\Desktop\SensorExpo.exe	File created: C:\Windows\TensionRace	Jump to behavior
Source: C:\Users\user\Desktop\SensorExpo.exe	File created: C:\Windows\PlannerAdware	Jump to behavior
Source: C:\Users\user\Desktop\SensorExpo.exe	File created: C:\Windows\IndustryCommissioners	Jump to behavior
Source: C:\Users\user\Desktop\SensorExpo.exe	File created: C:\Windows\CoverageBecomes	Jump to behavior

Source: C:\Users\user\Desktop\SensorExpo.exe	Code function: 0_2_0040737E	0_2_0040737E
Source: C:\Users\user\Desktop\SensorExpo.exe	Code function: 0_2_00406EFE	0_2_00406EFE
Source: C:\Users\user\Desktop\SensorExpo.exe	Code function: 0_2_004079A2	0_2_004079A2
Source: C:\Users\user\Desktop\SensorExpo.exe	Code function: 0_2_004049A8	0_2_004049A8
Source: C:\Users\user\AppData\Local\Temp\342536\Breakdown.com	Code function: 12_2_002F8017	12_2_002F8017
Source: C:\Users\user\AppData\Local\Temp\342536\Breakdown.com	Code function: 12_2_002EE144	12_2_002EE144
Source: C:\Users\user\AppData\Local\Temp\342536\Breakdown.com	Code function: 12_2_002DE1F0	12_2_002DE1F0
Source: C:\Users\user\AppData\Local\Temp\342536\Breakdown.com	Code function: 12_2_0030A26E	12_2_0030A26E
Source: C:\Users\user\AppData\Local\Temp\342536\Breakdown.com	Code function: 12_2_002D22AD	12_2_002D22AD
Source: C:\Users\user\AppData\Local\Temp\342536\Breakdown.com	Code function: 12_2_002F22A2	12_2_002F22A2
Source: C:\Users\user\AppData\Local\Temp\342536\Breakdown.com	Code function: 12_2_002EC624	12_2_002EC624
Source: C:\Users\user\AppData\Local\Temp\342536\Breakdown.com	Code function: 12_2_0030E87F	12_2_0030E87F
Source: C:\Users\user\AppData\Local\Temp\342536\Breakdown.com	Code function: 12_2_0035C8A4	12_2_0035C8A4
Source: C:\Users\user\AppData\Local\Temp\342536\Breakdown.com	Code function: 12_2_00342A05	12_2_00342A05
Source: C:\Users\user\AppData\Local\Temp\342536\Breakdown.com	Code function: 12_2_00306ADE	12_2_00306ADE
Source: C:\Users\user\AppData\Local\Temp\342536\Breakdown.com	Code function: 12_2_00338BFF	12_2_00338BFF
Source: C:\Users\user\AppData\Local\Temp\342536\Breakdown.com	Code function: 12_2_002ECD7A	12_2_002ECD7A
Source: C:\Users\user\AppData\Local\Temp\342536\Breakdown.com	Code function: 12_2_002FCE10	12_2_002FCE10
Source: C:\Users\user\AppData\Local\Temp\342536\Breakdown.com	Code function: 12_2_00307159	12_2_00307159
Source: C:\Users\user\AppData\Local\Temp\342536\Breakdown.com	Code function: 12_2_002D9240	12_2_002D9240
Source: C:\Users\user\AppData\Local\Temp\342536\Breakdown.com	Code function: 12_2_00365311	12_2_00365311
Source: C:\Users\user\AppData\Local\Temp\342536\Breakdown.com	Code function: 12_2_002D74EF	12_2_002D74EF
Source: C:\Users\user\AppData\Local\Temp\342536\Breakdown.com	Code function: 12_2_002D96E0	12_2_002D96E0
Source: C:\Users\user\AppData\Local\Temp\342536\Breakdown.com	Code function: 12_2_002F1704	12_2_002F1704
Source: C:\Users\user\AppData\Local\Temp\342536\Breakdown.com	Code function: 12_2_002F1A76	12_2_002F1A76
Source: C:\Users\user\AppData\Local\Temp\342536\Breakdown.com	Code function: 12_2_002D9B60	12_2_002D9B60
Source: C:\Users\user\AppData\Local\Temp\342536\Breakdown.com	Code function: 12_2_002F7B8B	12_2_002F7B8B
Source: C:\Users\user\AppData\Local\Temp\342536\Breakdown.com	Code function: 12_2_002F1D20	12_2_002F1D20
Source: C:\Users\user\AppData\Local\Temp\342536\Breakdown.com	Code function: 12_2_002F7DBA	12_2_002F7DBA
Source: C:\Users\user\AppData\Local\Temp\342536\Breakdown.com	Code function: 12_2_002F1FE7	12_2_002F1FE7

Source: Joe Sandbox View

Dropped File: C:\Users\user\AppData\Local\Temp\342536\Breakdown.com 1300262A9D6BB6FCBEFC0D299CCE194435790E70B9C7B4A651E202E90A32FD49

Source: C:\Users\user\Desktop\SensorExpo.exe	Code function: String function: 004062CF appears 57 times
Source: C:\Users\user\AppData\Local\Temp\342536\Breakdown.com	Code function: String function: 002EFD52 appears 40 times
Source: C:\Users\user\AppData\Local\Temp\342536\Breakdown.com	Code function: String function: 002F0DA0 appears 46 times

Source: SensorExpo.exe

Static PE information: invalid certificate

Source: SensorExpo.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: classification engine

Classification label: mal100.troj.evad.winEXE@24/23@11/1

Source: C:\Users\user\AppData\Local\Temp\342536\Breakdown.com

Code function: 12_2_003441FA GetLastError,FormatMessageW,

12_2_003441FA

Source: C:\Users\user\AppData\Local\Temp\342536\Breakdown.com	Code function: 12_2_00332010 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		12_2_00332010
Source: C:\Users\user\AppData\Local\Temp\342536\Breakdown.com	Code function: 12_2_00331A0B AdjustTokenPrivileges,CloseHandle,		12_2_00331A0B

Source: C:\Users\user\Desktop\SensorExpo.exe

0_2_004044D1

Source: C:\Users\user\AppData\Local\Temp\342536\Breakdown.com

Code function: 12_2_0033DD87 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

12_2_0033DD87

Source: C:\Users\user\Desktop\SensorExpo.exe

Code function: 0_2_004024FB CoCreateInstance,

0_2_004024FB

Source: C:\Users\user\AppData\Local\Temp\342536\Breakdown.com

Code function: 12_2_00343A0E CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

12_2_00343A0E

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7688:120:WilError_03

Source: C:\Users\user\Desktop\SensorExpo.exe

File created: C:\Users\user\AppData\Local\Temp\nsn45A1.tmp

Jump to behavior

Source: SensorExpo.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\SysWOW64\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\SysWOW64\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process

Source: C:\Users\user\Desktop\SensorExpo.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\SensorExpo.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: SensorExpo.exe	Virustotal: Detection: 61%
Source: SensorExpo.exe	ReversingLabs: Detection: 70%

Source: C:\Users\user\Desktop\SensorExpo.exe

File read: C:\Users\user\Desktop\SensorExpo.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\SensorExpo.exe "C:\Users\user\Desktop\SensorExpo.exe"
Source: C:\Users\user\Desktop\SensorExpo.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c move Rotation Rotation.cmd & Rotation.cmd
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "opssvc wrsa"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 342536
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\extrac32.exe extrac32 /Y /E Horses
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "HARDER" Southwest
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Satisfaction + ..\Eau + ..\Whatever + ..\Transparent + ..\Measuring + ..\Basket + ..\Did X
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\342536\Breakdown.com Breakdown.com X
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5
Source: C:\Users\user\Desktop\SensorExpo.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c move Rotation Rotation.cmd & Rotation.cmd	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "opssvc wrsa"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 342536	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\extrac32.exe extrac32 /Y /E Horses	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "HARDER" Southwest	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Satisfaction + ..\Eau + ..\Whatever + ..\Transparent + ..\Measuring + ..\Basket + ..\Did X	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\342536\Breakdown.com Breakdown.com X	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5	Jump to behavior

Source: C:\Users\user\Desktop\SensorExpo.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SensorExpo.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\SensorExpo.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\SensorExpo.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\SensorExpo.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\Desktop\SensorExpo.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\SensorExpo.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SensorExpo.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\SensorExpo.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\SensorExpo.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\SensorExpo.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\SensorExpo.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\SensorExpo.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\SensorExpo.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\SensorExpo.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\SensorExpo.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\SensorExpo.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\SensorExpo.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\SensorExpo.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\SensorExpo.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SensorExpo.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\SensorExpo.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\SensorExpo.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\SensorExpo.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\SensorExpo.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\SensorExpo.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\SensorExpo.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\SensorExpo.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\SensorExpo.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\SensorExpo.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\SensorExpo.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\SensorExpo.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\SensorExpo.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\SensorExpo.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\342536\Breakdown.com	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\342536\Breakdown.com	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\342536\Breakdown.com	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\342536\Breakdown.com	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\342536\Breakdown.com	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\342536\Breakdown.com	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\342536\Breakdown.com	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\342536\Breakdown.com	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\342536\Breakdown.com	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\342536\Breakdown.com	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\342536\Breakdown.com	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\342536\Breakdown.com	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\342536\Breakdown.com	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\342536\Breakdown.com	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\342536\Breakdown.com	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\342536\Breakdown.com	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\342536\Breakdown.com	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\342536\Breakdown.com	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\342536\Breakdown.com	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\342536\Breakdown.com	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\342536\Breakdown.com	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\342536\Breakdown.com	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\342536\Breakdown.com	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\342536\Breakdown.com	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\342536\Breakdown.com	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\342536\Breakdown.com	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\342536\Breakdown.com	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\342536\Breakdown.com	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\342536\Breakdown.com	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\342536\Breakdown.com	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\342536\Breakdown.com	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\342536\Breakdown.com	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\342536\Breakdown.com	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\342536\Breakdown.com	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\342536\Breakdown.com	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\342536\Breakdown.com	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\342536\Breakdown.com	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\342536\Breakdown.com	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\342536\Breakdown.com	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\342536\Breakdown.com	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\342536\Breakdown.com	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\342536\Breakdown.com	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\342536\Breakdown.com	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\342536\Breakdown.com	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\342536\Breakdown.com	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\choice.exe	Section loaded: version.dll	Jump to behavior

Source: C:\Users\user\Desktop\SensorExpo.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32

Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\tasklist.exe tasklist

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: SensorExpo.exe

Static file information: File size 1416489 > 1048576

Source: SensorExpo.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\SensorExpo.exe

Code function: 0_2_00406328 GetModuleHandleA,LoadLibraryA,GetProcAddress,

0_2_00406328

Source: SensorExpo.exe

Static PE information: real checksum: 0x15f3aa should be: 0x15e359

Source: C:\Users\user\AppData\Local\Temp\342536\Breakdown.com	Code function: 12_2_00320315 push cs; retn 0031h		12_2_00320318
Source: C:\Users\user\AppData\Local\Temp\342536\Breakdown.com	Code function: 12_2_002F0DE6 push ecx; ret		12_2_002F0DF9

Persistence and Installation Behavior

Drops PE files with a suspicious file extension

Source: C:\Windows\SysWOW64\cmd.exe

File created: C:\Users\user\AppData\Local\Temp\342536\Breakdown.com

Jump to dropped file

Source: C:\Windows\SysWOW64\cmd.exe

File created: C:\Users\user\AppData\Local\Temp\342536\Breakdown.com

Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\342536\Breakdown.com	Code function: 12_2_003626DD IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		12_2_003626DD
Source: C:\Users\user\AppData\Local\Temp\342536\Breakdown.com	Code function: 12_2_002EFC7C GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		12_2_002EFC7C

Source: C:\Users\user\Desktop\SensorExpo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SensorExpo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SensorExpo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SensorExpo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SensorExpo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SensorExpo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SensorExpo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SensorExpo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SensorExpo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SensorExpo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SensorExpo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SensorExpo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\342536\Breakdown.com	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\342536\Breakdown.com	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\342536\Breakdown.com	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\342536\Breakdown.com

API coverage: 3.9 %

Source: C:\Users\user\AppData\Local\Temp\342536\Breakdown.com TID: 8124

Thread sleep time: -60000s >= -30000s

Jump to behavior

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\SensorExpo.exe	Code function: 0_2_00406301 FindFirstFileW,FindClose,	0_2_00406301
Source: C:\Users\user\Desktop\SensorExpo.exe	Code function: 0_2_00406CC7 DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,	0_2_00406CC7
Source: C:\Users\user\AppData\Local\Temp\342536\Breakdown.com	Code function: 12_2_0033DC54 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	12_2_0033DC54
Source: C:\Users\user\AppData\Local\Temp\342536\Breakdown.com	Code function: 12_2_0034A087 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	12_2_0034A087
Source: C:\Users\user\AppData\Local\Temp\342536\Breakdown.com	Code function: 12_2_0034A1E2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	12_2_0034A1E2
Source: C:\Users\user\AppData\Local\Temp\342536\Breakdown.com	Code function: 12_2_0033E472 lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	12_2_0033E472
Source: C:\Users\user\AppData\Local\Temp\342536\Breakdown.com	Code function: 12_2_0034A570 FindFirstFileW,Sleep,FindNextFileW,FindClose,	12_2_0034A570
Source: C:\Users\user\AppData\Local\Temp\342536\Breakdown.com	Code function: 12_2_0030C622 FindFirstFileExW,	12_2_0030C622
Source: C:\Users\user\AppData\Local\Temp\342536\Breakdown.com	Code function: 12_2_003466DC FindFirstFileW,FindNextFileW,FindClose,	12_2_003466DC
Source: C:\Users\user\AppData\Local\Temp\342536\Breakdown.com	Code function: 12_2_00347333 FindFirstFileW,FindClose,	12_2_00347333
Source: C:\Users\user\AppData\Local\Temp\342536\Breakdown.com	Code function: 12_2_003473D4 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	12_2_003473D4
Source: C:\Users\user\AppData\Local\Temp\342536\Breakdown.com	Code function: 12_2_0033D921 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	12_2_0033D921

Source: C:\Users\user\AppData\Local\Temp\342536\Breakdown.com

Code function: 12_2_002D5FC8 GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

12_2_002D5FC8

Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\342536	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\342536\	Jump to behavior

Source: Breakdown.com, 0000000C.00000002.1725317595.0000000000F58000.00000004.00000020.00020000.00000000.sdmp, Breakdown.com, 0000000C.00000002.1725565907.0000000003886000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW

Source: C:\Users\user\AppData\Local\Temp\342536\Breakdown.com

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\342536\Breakdown.com

Code function: 12_2_0034F4FF BlockInput,

12_2_0034F4FF

Source: C:\Users\user\AppData\Local\Temp\342536\Breakdown.com

Code function: 12_2_002D338B GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

12_2_002D338B

Source: C:\Users\user\Desktop\SensorExpo.exe

Code function: 0_2_00406328 GetModuleHandleA,LoadLibraryA,GetProcAddress,

0_2_00406328

Source: C:\Users\user\AppData\Local\Temp\342536\Breakdown.com

Code function: 12_2_002F5058 mov eax, dword ptr fs:[00000030h]

12_2_002F5058

Source: C:\Users\user\AppData\Local\Temp\342536\Breakdown.com

Code function: 12_2_003320AA GetLengthSid,GetProcessHeap,HeapAlloc,CopySid,GetProcessHeap,HeapFree,

12_2_003320AA

Source: C:\Windows\SysWOW64\tasklist.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\342536\Breakdown.com	Code function: 12_2_00302992 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	12_2_00302992
Source: C:\Users\user\AppData\Local\Temp\342536\Breakdown.com	Code function: 12_2_002F0BAF IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	12_2_002F0BAF
Source: C:\Users\user\AppData\Local\Temp\342536\Breakdown.com	Code function: 12_2_002F0D45 SetUnhandledExceptionFilter,	12_2_002F0D45
Source: C:\Users\user\AppData\Local\Temp\342536\Breakdown.com	Code function: 12_2_002F0F91 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	12_2_002F0F91

HIPS / PFW / Operating System Protection Evasion

LummaC encrypted strings found

Source: Breakdown.com, 0000000C.00000002.1725565907.0000000003800000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: bashfulacid.lat
Source: Breakdown.com, 0000000C.00000002.1725565907.0000000003800000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: tentabatte.lat
Source: Breakdown.com, 0000000C.00000002.1725565907.0000000003800000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: curverpluch.lat
Source: Breakdown.com, 0000000C.00000002.1725565907.0000000003800000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: talkynicer.lat
Source: Breakdown.com, 0000000C.00000002.1725565907.0000000003800000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: shapestickyr.lat
Source: Breakdown.com, 0000000C.00000002.1725565907.0000000003800000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: manyrestro.lat
Source: Breakdown.com, 0000000C.00000002.1725565907.0000000003800000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: slipperyloo.lat
Source: Breakdown.com, 0000000C.00000002.1725565907.0000000003800000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: wordyfindy.lat

Source: C:\Users\user\AppData\Local\Temp\342536\Breakdown.com

12_2_00331B4D

Source: C:\Users\user\AppData\Local\Temp\342536\Breakdown.com

Code function: 12_2_002D338B GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

12_2_002D338B

Source: C:\Users\user\AppData\Local\Temp\342536\Breakdown.com

Code function: 12_2_0033BBED SendInput,keybd_event,

12_2_0033BBED

Source: C:\Users\user\AppData\Local\Temp\342536\Breakdown.com

Code function: 12_2_0033EC6C mouse_event,

12_2_0033EC6C

Source: C:\Users\user\Desktop\SensorExpo.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c move Rotation Rotation.cmd & Rotation.cmd	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "opssvc wrsa"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 342536	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\extrac32.exe extrac32 /Y /E Horses	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "HARDER" Southwest	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Satisfaction + ..\Eau + ..\Whatever + ..\Transparent + ..\Measuring + ..\Basket + ..\Did X	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\342536\Breakdown.com Breakdown.com X	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\342536\Breakdown.com

Code function: 12_2_003314AE GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,

12_2_003314AE

Source: C:\Users\user\AppData\Local\Temp\342536\Breakdown.com

Code function: 12_2_00331FB0 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

12_2_00331FB0

Source: Breakdown.com, 0000000C.00000000.1444524577.0000000000393000.00000002.00000001.01000000.00000007.sdmp, Breakdown.com, 0000000C.00000003.1705250712.00000000041D6000.00000004.00000800.00020000.00000000.sdmp, Breakdown.com.2.dr, Reason.9.dr	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: Breakdown.com	Binary or memory string: Shell_TrayWnd

Source: C:\Users\user\AppData\Local\Temp\342536\Breakdown.com

Code function: 12_2_002F0A08 cpuid

12_2_002F0A08

Source: C:\Users\user\AppData\Local\Temp\342536\Breakdown.com

Code function: 12_2_0032E5F4 GetLocalTime,

12_2_0032E5F4

Source: C:\Users\user\AppData\Local\Temp\342536\Breakdown.com

Code function: 12_2_0032E652 GetUserNameW,

12_2_0032E652

Source: C:\Users\user\AppData\Local\Temp\342536\Breakdown.com

Code function: 12_2_0030BCD2 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,

12_2_0030BCD2

Source: C:\Users\user\Desktop\SensorExpo.exe

Code function: 0_2_00406831 GetVersion,GetSystemDirectoryW,GetWindowsDirectoryW,SHGetSpecialFolderLocation,SHGetPathFromIDListW,CoTaskMemFree,lstrcatW,lstrlenW,

0_2_00406831

Stealing of Sensitive Information

Yara detected LummaC Stealer

Source: Yara match

File source: decrypted.memstr, type: MEMORYSTR

Source: Breakdown.com	Binary or memory string: WIN_81
Source: Breakdown.com	Binary or memory string: WIN_XP
Source: Reason.9.dr	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]\|%%\|%[-+ 0#]?([0-9]\|\)?(\.[0-9]\|\.\)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: Breakdown.com	Binary or memory string: WIN_XPe
Source: Breakdown.com	Binary or memory string: WIN_VISTA
Source: Breakdown.com	Binary or memory string: WIN_7
Source: Breakdown.com	Binary or memory string: WIN_8

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match

File source: decrypted.memstr, type: MEMORYSTR

Source: C:\Users\user\AppData\Local\Temp\342536\Breakdown.com	Code function: 12_2_00352263 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		12_2_00352263
Source: C:\Users\user\AppData\Local\Temp\342536\Breakdown.com	Code function: 12_2_00351C61 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,		12_2_00351C61

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	1 Disable or Modify Tools	21 Input Capture	2 System Time Discovery	Remote Services	1 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 Native API	2 Valid Accounts	1 DLL Side-Loading	11 Deobfuscate/Decode Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	21 Input Capture	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 PowerShell	Logon Script (Windows)	2 Valid Accounts	2 Obfuscated Files or Information	Security Account Manager	3 File and Directory Discovery	SMB/Windows Admin Shares	3 Clipboard Data	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	21 Access Token Manipulation	1 DLL Side-Loading	NTDS	16 System Information Discovery	Distributed Component Object Model	Input Capture	113 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	12 Process Injection	11 Masquerading	LSA Secrets	21 Security Software Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	2 Valid Accounts	Cached Domain Credentials	1 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Virtualization/Sandbox Evasion	DCSync	4 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	21 Access Token Manipulation	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	12 Process Injection	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
SensorExpo.exe	61%	Virustotal		Browse
SensorExpo.exe	71%	ReversingLabs	Win32.Trojan.Generic

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\342536\Breakdown.com	0%	ReversingLabs

Source	Detection	Scanner	Label
https://bashfulacid.lat:443/api	100%	Avira URL Cloud	malware
https://wordyfindy.lat/api9CA	100%	Avira URL Cloud	malware
https://talkynicer.lat/api	100%	Avira URL Cloud	malware
https://tentabatte.lat:443/apig	100%	Avira URL Cloud	malware
https://slipperyloo.lat/api	100%	Avira URL Cloud	malware
https://shapestickyr.lat:443/api	100%	Avira URL Cloud	malware
https://bashfulacid.lat/api	100%	Avira URL Cloud	malware
https://curverpluch.lat:443/api	100%	Avira URL Cloud	malware
https://curverpluch.lat/api	100%	Avira URL Cloud	malware
https://tentabatte.lat/api570	100%	Avira URL Cloud	malware
https://manyrestro.lat:443/api2	100%	Avira URL Cloud	malware
https://manyrestro.lat/api838	100%	Avira URL Cloud	malware
ingreem-eilish.biz	100%	Avira URL Cloud	malware
https://talkynicer.lat:443/apiapi102f33f33f33f33f70f121f106f117f33f33f33f33f82f118f102f116f117f106f1	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
steamcommunity.com	104.102.49.254	true	false	high
wordyfindy.lat	unknown	unknown	false	high
slipperyloo.lat	unknown	unknown	false	high
curverpluch.lat	unknown	unknown	false	high
tentabatte.lat	unknown	unknown	false	high
manyrestro.lat	unknown	unknown	false	high
bashfulacid.lat	unknown	unknown	false	high
ingreem-eilish.biz	unknown	unknown	true	unknown
dGLdANfraLQWkIdncWyNDGTFGl.dGLdANfraLQWkIdncWyNDGTFGl	unknown	unknown	true	unknown
shapestickyr.lat	unknown	unknown	false	high
talkynicer.lat	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
slipperyloo.lat	false		high
https://steamcommunity.com/profiles/76561199724331900	false		high
curverpluch.lat	false		high
tentabatte.lat	false		high
manyrestro.lat	false		high
bashfulacid.lat	false		high
wordyfindy.lat	false		high
shapestickyr.lat	false		high
talkynicer.lat	false		high
ingreem-eilish.biz	true	Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://community.fastly.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png	Breakdown.com, 0000000C.00000002.1725871661.0000000003A7D000.00000004.00000800.00020000.00000000.sdmp	false		high
https://player.vimeo.com	Breakdown.com, 0000000C.00000002.1725565907.0000000003886000.00000004.00000800.00020000.00000000.sdmp, Breakdown.com, 0000000C.00000002.1725871661.0000000003A7D000.00000004.00000800.00020000.00000000.sdmp	false		high
https://steamcommunity.com/?subsection=broadcasts	Breakdown.com, 0000000C.00000002.1725871661.0000000003A7D000.00000004.00000800.00020000.00000000.sdmp	false		high
https://store.steampowered.com/subscriber_agreement/	Breakdown.com, 0000000C.00000002.1725871661.0000000003A7D000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.gstatic.cn/recaptcha/	Breakdown.com, 0000000C.00000002.1725565907.0000000003886000.00000004.00000800.00020000.00000000.sdmp, Breakdown.com, 0000000C.00000002.1725871661.0000000003A7D000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.autoitscript.com/autoit3/	Breakdown.com, 0000000C.00000003.1705250712.00000000041E4000.00000004.00000800.00020000.00000000.sdmp, Sponsorship.9.dr, Breakdown.com.2.dr	false		high
http://www.valvesoftware.com/legal.htm	Breakdown.com, 0000000C.00000002.1725871661.0000000003A7D000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.youtube.com	Breakdown.com, 0000000C.00000002.1725565907.0000000003886000.00000004.00000800.00020000.00000000.sdmp, Breakdown.com, 0000000C.00000002.1725871661.0000000003A7D000.00000004.00000800.00020000.00000000.sdmp	false		high
https://steamcommunity.com:443/profiles/76561199724331900(	Breakdown.com, 0000000C.00000002.1725247823.0000000000EDC000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.google.com	Breakdown.com, 0000000C.00000002.1725565907.0000000003886000.00000004.00000800.00020000.00000000.sdmp, Breakdown.com, 0000000C.00000002.1725871661.0000000003A7D000.00000004.00000800.00020000.00000000.sdmp	false		high
https://bashfulacid.lat:443/api	Breakdown.com, 0000000C.00000002.1725247823.0000000000EDC000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback	Breakdown.com, 0000000C.00000002.1725317595.0000000000F58000.00000004.00000020.00020000.00000000.sdmp, Breakdown.com, 0000000C.00000002.1725871661.0000000003A7D000.00000004.00000800.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6	Breakdown.com, 0000000C.00000002.1725317595.0000000000F58000.00000004.00000020.00020000.00000000.sdmp, Breakdown.com, 0000000C.00000002.1725871661.0000000003A7D000.00000004.00000800.00020000.00000000.sdmp	false		high
https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/	Breakdown.com, 0000000C.00000002.1725565907.0000000003886000.00000004.00000800.00020000.00000000.sdmp, Breakdown.com, 0000000C.00000002.1725871661.0000000003A7D000.00000004.00000800.00020000.00000000.sdmp	false		high
https://talkynicer.lat/api	Breakdown.com, 0000000C.00000002.1725317595.0000000000FC1000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://community.fastly.steamstatic.com/public/shared/css/motiva_sans.css?v=-yZgCk0Nu7kH&l=engl	Breakdown.com, 0000000C.00000002.1725871661.0000000003A7D000.00000004.00000800.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=pbdAKOcDIgbC	Breakdown.com, 0000000C.00000002.1725871661.0000000003A7D000.00000004.00000800.00020000.00000000.sdmp	false		high
https://tentabatte.lat:443/apig	Breakdown.com, 0000000C.00000002.1725247823.0000000000EDC000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://s.ytimg.com;	Breakdown.com, 0000000C.00000002.1725565907.0000000003886000.00000004.00000800.00020000.00000000.sdmp, Breakdown.com, 0000000C.00000002.1725871661.0000000003A7D000.00000004.00000800.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1	Breakdown.com, 0000000C.00000002.1725317595.0000000000F58000.00000004.00000020.00020000.00000000.sdmp, Breakdown.com, 0000000C.00000002.1725871661.0000000003A7D000.00000004.00000800.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/shared/css/buttons.css?v=qhQgyjWi6LgJ&l=english&	Breakdown.com, 0000000C.00000002.1725871661.0000000003A7D000.00000004.00000800.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/	Breakdown.com, 0000000C.00000002.1725871661.0000000003A7D000.00000004.00000800.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/css/skin_1/fatalerror.css?v=OFUqlcDNiD6y&l=engli	Breakdown.com, 0000000C.00000002.1725871661.0000000003A7D000.00000004.00000800.00020000.00000000.sdmp	false		high
https://steam.tv/	Breakdown.com, 0000000C.00000002.1725565907.0000000003886000.00000004.00000800.00020000.00000000.sdmp, Breakdown.com, 0000000C.00000002.1725871661.0000000003A7D000.00000004.00000800.00020000.00000000.sdmp	false		high
https://steamcommunity.com/g	Breakdown.com, 0000000C.00000002.1725317595.0000000000FC1000.00000004.00000020.00020000.00000000.sdmp	false		high
http://store.steampowered.com/privacy_agreement/	Breakdown.com, 0000000C.00000002.1725317595.0000000000F58000.00000004.00000020.00020000.00000000.sdmp, Breakdown.com, 0000000C.00000002.1725871661.0000000003A7D000.00000004.00000800.00020000.00000000.sdmp	false		high
https://slipperyloo.lat/api	Breakdown.com, 0000000C.00000002.1725317595.0000000000FC1000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://store.steampowered.com/points/shop/	Breakdown.com, 0000000C.00000002.1725871661.0000000003A7D000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.autoitscript.com/autoit3/X	Breakdown.com, 0000000C.00000000.1444627136.00000000003A5000.00000002.00000001.01000000.00000007.sdmp, Breakdown.com, 0000000C.00000003.1705250712.00000000041E4000.00000004.00000800.00020000.00000000.sdmp, Montgomery.9.dr, Breakdown.com.2.dr	false		high
http://nsis.sf.net/NSIS_ErrorError	SensorExpo.exe	false		high
https://sketchfab.com	Breakdown.com, 0000000C.00000002.1725565907.0000000003886000.00000004.00000800.00020000.00000000.sdmp, Breakdown.com, 0000000C.00000002.1725871661.0000000003A7D000.00000004.00000800.00020000.00000000.sdmp	false		high
https://lv.queniujq.cn	Breakdown.com, 0000000C.00000002.1725565907.0000000003886000.00000004.00000800.00020000.00000000.sdmp, Breakdown.com, 0000000C.00000002.1725871661.0000000003A7D000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.youtube.com/	Breakdown.com, 0000000C.00000002.1725565907.0000000003886000.00000004.00000800.00020000.00000000.sdmp, Breakdown.com, 0000000C.00000002.1725871661.0000000003A7D000.00000004.00000800.00020000.00000000.sdmp	false		high
https://store.steampowered.com/privacy_agreement/	Breakdown.com, 0000000C.00000002.1725871661.0000000003A7D000.00000004.00000800.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/javascript/applications/community/main.js?v=M_FULq_A	Breakdown.com, 0000000C.00000002.1725317595.0000000000F58000.00000004.00000020.00020000.00000000.sdmp, Breakdown.com, 0000000C.00000002.1725871661.0000000003A7D000.00000004.00000800.00020000.00000000.sdmp	false		high
https://curverpluch.lat:443/api	Breakdown.com, 0000000C.00000002.1725247823.0000000000EDC000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://bashfulacid.lat/api	Breakdown.com, 0000000C.00000002.1725317595.0000000000FC1000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://community.fastly.steamstatic.com/public/javascript/global.js?v=jWc2JLWHx5Kn&l=english&am	Breakdown.com, 0000000C.00000002.1725871661.0000000003A7D000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.google.com/recaptcha/	Breakdown.com, 0000000C.00000002.1725871661.0000000003A7D000.00000004.00000800.00020000.00000000.sdmp	false		high
https://checkout.steampowered.com/	Breakdown.com, 0000000C.00000002.1725871661.0000000003A7D000.00000004.00000800.00020000.00000000.sdmp	false		high
https://shapestickyr.lat:443/api	Breakdown.com, 0000000C.00000002.1725247823.0000000000EDC000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://store.steampowered.com/;	Breakdown.com, 0000000C.00000002.1725565907.0000000003886000.00000004.00000800.00020000.00000000.sdmp, Breakdown.com, 0000000C.00000002.1725871661.0000000003A7D000.00000004.00000800.00020000.00000000.sdmp	false		high
https://store.steampowered.com/about/	Breakdown.com, 0000000C.00000002.1725871661.0000000003A7D000.00000004.00000800.00020000.00000000.sdmp	false		high
https://steamcommunity.com/my/wishlist/	Breakdown.com, 0000000C.00000002.1725871661.0000000003A7D000.00000004.00000800.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/shared/css/shared_responsive.css?v=JL1e4uQSrVGe&	Breakdown.com, 0000000C.00000002.1725871661.0000000003A7D000.00000004.00000800.00020000.00000000.sdmp	false		high
http://ocsp.sectigo.com0	SensorExpo.exe	false		high
https://help.steampowered.com/en/	Breakdown.com, 0000000C.00000002.1725871661.0000000003A7D000.00000004.00000800.00020000.00000000.sdmp	false		high
https://steamcommunity.com/market/	Breakdown.com, 0000000C.00000002.1725871661.0000000003A7D000.00000004.00000800.00020000.00000000.sdmp	false		high
https://store.steampowered.com/news/	Breakdown.com, 0000000C.00000002.1725871661.0000000003A7D000.00000004.00000800.00020000.00000000.sdmp	false		high
http://store.steampowered.com/subscriber_agreement/	Breakdown.com, 0000000C.00000002.1725317595.0000000000F58000.00000004.00000020.00020000.00000000.sdmp, Breakdown.com, 0000000C.00000002.1725871661.0000000003A7D000.00000004.00000800.00020000.00000000.sdmp	false		high
https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org	Breakdown.com, 0000000C.00000002.1725317595.0000000000F58000.00000004.00000020.00020000.00000000.sdmp, Breakdown.com, 0000000C.00000002.1725871661.0000000003A7D000.00000004.00000800.00020000.00000000.sdmp	false		high
https://recaptcha.net/recaptcha/;	Breakdown.com, 0000000C.00000002.1725565907.0000000003886000.00000004.00000800.00020000.00000000.sdmp, Breakdown.com, 0000000C.00000002.1725871661.0000000003A7D000.00000004.00000800.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/shared/css/shared_global.css?v=Eq36AUaEgab8&l=en	Breakdown.com, 0000000C.00000002.1725871661.0000000003A7D000.00000004.00000800.00020000.00000000.sdmp	false		high
https://curverpluch.lat/api	Breakdown.com, 0000000C.00000002.1725317595.0000000000FC1000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://community.fastly.steamstatic.com/public/javascript/applications/community/manifest.js?v=aep8	Breakdown.com, 0000000C.00000002.1725317595.0000000000F58000.00000004.00000020.00020000.00000000.sdmp, Breakdown.com, 0000000C.00000002.1725871661.0000000003A7D000.00000004.00000800.00020000.00000000.sdmp	false		high
https://steamcommunity.com/discussions/	Breakdown.com, 0000000C.00000002.1725871661.0000000003A7D000.00000004.00000800.00020000.00000000.sdmp	false		high
https://store.steampowered.com/stats/	Breakdown.com, 0000000C.00000002.1725871661.0000000003A7D000.00000004.00000800.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/shared/javascript/shared_global.js?v=Gr6TbGRvDtNE&am	Breakdown.com, 0000000C.00000002.1725871661.0000000003A7D000.00000004.00000800.00020000.00000000.sdmp	false		high
https://medal.tv	Breakdown.com, 0000000C.00000002.1725565907.0000000003886000.00000004.00000800.00020000.00000000.sdmp, Breakdown.com, 0000000C.00000002.1725871661.0000000003A7D000.00000004.00000800.00020000.00000000.sdmp	false		high
https://broadcast.st.dl.eccdnx.com	Breakdown.com, 0000000C.00000002.1725565907.0000000003886000.00000004.00000800.00020000.00000000.sdmp, Breakdown.com, 0000000C.00000002.1725871661.0000000003A7D000.00000004.00000800.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png	Breakdown.com, 0000000C.00000002.1725871661.0000000003A7D000.00000004.00000800.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/css/skin_1/header.css?v=EM4kCu67DNda&l=english&a	Breakdown.com, 0000000C.00000002.1725871661.0000000003A7D000.00000004.00000800.00020000.00000000.sdmp	false		high
https://store.steampowered.com/steam_refunds/	Breakdown.com, 0000000C.00000002.1725871661.0000000003A7D000.00000004.00000800.00020000.00000000.sdmp	false		high
https://wordyfindy.lat/api9CA	Breakdown.com, 0000000C.00000002.1725317595.0000000000FC1000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://steamcommunity.com/login/home/?goto=profiles%2F76561199724331900	Breakdown.com, 0000000C.00000002.1725871661.0000000003A7D000.00000004.00000800.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016	Breakdown.com, 0000000C.00000002.1725871661.0000000003A7D000.00000004.00000800.00020000.00000000.sdmp	false		high
https://steamcommunity.com/workshop/	Breakdown.com, 0000000C.00000002.1725871661.0000000003A7D000.00000004.00000800.00020000.00000000.sdmp	false		high
https://login.steampowered.com/	Breakdown.com, 0000000C.00000002.1725871661.0000000003A7D000.00000004.00000800.00020000.00000000.sdmp	false		high
https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7C185ce35c568ebbb	Breakdown.com, 0000000C.00000002.1725565907.0000000003886000.00000004.00000800.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/css/globalv2.css?v=hzEgqbtRcI5V&l=english&_c	Breakdown.com, 0000000C.00000002.1725871661.0000000003A7D000.00000004.00000800.00020000.00000000.sdmp	false		high
https://store.steampowered.com/legal/	Breakdown.com, 0000000C.00000002.1725317595.0000000000F58000.00000004.00000020.00020000.00000000.sdmp, Breakdown.com, 0000000C.00000002.1725871661.0000000003A7D000.00000004.00000800.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/shared/javascript/tooltip.js?v=QYkT4eS5mbTN&l=en	Breakdown.com, 0000000C.00000002.1725871661.0000000003A7D000.00000004.00000800.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/javascript/prototype-1.7.js?v=npJElBnrEO6W&l=eng	Breakdown.com, 0000000C.00000002.1725871661.0000000003A7D000.00000004.00000800.00020000.00000000.sdmp	false		high
https://tentabatte.lat/api570	Breakdown.com, 0000000C.00000002.1725317595.0000000000FC1000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://sectigo.com/CPS0	SensorExpo.exe	false		high
https://manyrestro.lat:443/api2	Breakdown.com, 0000000C.00000002.1725247823.0000000000EDC000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://recaptcha.net	Breakdown.com, 0000000C.00000002.1725565907.0000000003886000.00000004.00000800.00020000.00000000.sdmp, Breakdown.com, 0000000C.00000002.1725871661.0000000003A7D000.00000004.00000800.00020000.00000000.sdmp	false		high
https://store.steampowered.com/	Breakdown.com, 0000000C.00000002.1725871661.0000000003A7D000.00000004.00000800.00020000.00000000.sdmp	false		high
https://steamcommunity.com	Breakdown.com, 0000000C.00000002.1725317595.0000000000F58000.00000004.00000020.00020000.00000000.sdmp, Breakdown.com, 0000000C.00000002.1725871661.0000000003A7D000.00000004.00000800.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/shared/images/responsive/header_logo.png	Breakdown.com, 0000000C.00000002.1725871661.0000000003A7D000.00000004.00000800.00020000.00000000.sdmp	false		high
http://127.0.0.1:27060	Breakdown.com, 0000000C.00000002.1725565907.0000000003886000.00000004.00000800.00020000.00000000.sdmp, Breakdown.com, 0000000C.00000002.1725871661.0000000003A7D000.00000004.00000800.00020000.00000000.sdmp	false		high
https://manyrestro.lat/api838	Breakdown.com, 0000000C.00000002.1725317595.0000000000FC1000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t	SensorExpo.exe	false		high
https://talkynicer.lat:443/apiapi102f33f33f33f33f70f121f106f117f33f33f33f33f82f118f102f116f117f106f1	Breakdown.com, 0000000C.00000002.1725247823.0000000000EDC000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://community.fastly.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=tvQ	Breakdown.com, 0000000C.00000002.1725871661.0000000003A7D000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#	SensorExpo.exe	false		high
https://community.fastly.steamstatic.com/public/shared/javascript/auth_refresh.js?v=w6QbwI-5-j2S&amp	Breakdown.com, 0000000C.00000002.1725871661.0000000003A7D000.00000004.00000800.00020000.00000000.sdmp	false		high
https://help.steampowered.com/	Breakdown.com, 0000000C.00000002.1725871661.0000000003A7D000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.steampowered.com/	Breakdown.com, 0000000C.00000002.1725871661.0000000003A7D000.00000004.00000800.00020000.00000000.sdmp	false		high
https://store.steampowered.com/points/shop	Breakdown.com, 0000000C.00000002.1725871661.0000000003A7D000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.102.49.254	steamcommunity.com	United States		16625	AKAMAI-ASUS	false

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1587435
Start date and time:	2025-01-10 11:34:07 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 53s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	17
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	SensorExpo.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@24/23@11/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 98% Number of executed functions: 70 Number of non-executed functions: 309
Cookbook Comments:	Found application associated with file extension: .exe Stop behavior analysis, all processes terminated

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 13.107.246.45, 4.175.87.197
Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, otelrules.azureedge.net, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtSetInformationFile calls found.

Simulations

Behavior and APIs

Time	Type	Description
05:35:03	API Interceptor	1x Sleep call for process: SensorExpo.exe modified
05:35:34	API Interceptor	2x Sleep call for process: Breakdown.com modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
104.102.49.254	r4xiHKy8aM.exe	Get hash	malicious	Socks5Systemz	Browse	/ISteamUser/GetFriendList/v1/?key=AE2AE4DBF33A541E83BC08989DB1F397&steamid=76561198400860497
104.102.49.254	http://gtm-cn-j4g3qqvf603.steamproxy1.com/	Get hash	malicious	Unknown	Browse	www.valvesoftware.com/legal.htm

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
steamcommunity.com	appFile.exe	Get hash	malicious	LummaC Stealer	Browse	104.102.49.254
	cache_registerer.exe	Get hash	malicious	LummaC Stealer	Browse	104.102.49.254
	Invoice.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	NvOxePa.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	h3VYJaQqI9.exe	Get hash	malicious	LummaC Stealer	Browse	104.102.49.254
	P2V7Mr3DUF.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	v3tb7mqP48.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	asd.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	[UPD]Intel_Unit.2.1.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	socolo.exe	Get hash	malicious	LummaC	Browse	104.102.49.254

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
AKAMAI-ASUS	anti-malware-setup.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	appFile.exe	Get hash	malicious	LummaC Stealer	Browse	104.102.49.254
	cache_registerer.exe	Get hash	malicious	LummaC Stealer	Browse	104.102.49.254
	armv5l.elf	Get hash	malicious	Unknown	Browse	23.209.153.127
	http://postman.com/	Get hash	malicious	Unknown	Browse	104.102.43.106
	https://sanctionssearch.ofac.treas.gov	Get hash	malicious	Unknown	Browse	23.49.251.37
	Fantazy.ppc.elf	Get hash	malicious	Unknown	Browse	104.81.98.224
	Fantazy.x86.elf	Get hash	malicious	Unknown	Browse	184.28.181.149
	6.elf	Get hash	malicious	Unknown	Browse	2.16.79.96
	Invoice.exe	Get hash	malicious	LummaC	Browse	104.102.49.254

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
a0e9f5d64349fb13191bc781f81f42e1	anti-malware-setup.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	appFile.exe	Get hash	malicious	LummaC Stealer	Browse	104.102.49.254
	cache_registerer.exe	Get hash	malicious	LummaC Stealer	Browse	104.102.49.254
	CY SEC AUDIT PLAN 2025.docx.doc	Get hash	malicious	Unknown	Browse	104.102.49.254
	PO#3_RKG367.bat	Get hash	malicious	DBatLoader, MassLogger RAT, PureLog Stealer	Browse	104.102.49.254
	Invoice.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	24EPV9vjc5.exe	Get hash	malicious	Unknown	Browse	104.102.49.254
	kXzODlqJak.exe	Get hash	malicious	Unknown	Browse	104.102.49.254
	24EPV9vjc5.exe	Get hash	malicious	Unknown	Browse	104.102.49.254
	kXzODlqJak.exe	Get hash	malicious	Unknown	Browse	104.102.49.254

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\342536\Breakdown.com	appFile.exe	Get hash	malicious	LummaC Stealer	Browse
	c2.hta	Get hash	malicious	Remcos	Browse
	c2.hta	Get hash	malicious	Remcos	Browse
	[UPD]Intel_Unit.2.1.exe	Get hash	malicious	LummaC	Browse
	'Set-up.exe	Get hash	malicious	LummaC	Browse
	Setup.exe	Get hash	malicious	LummaC	Browse
	RailProvides_nopump.exe	Get hash	malicious	Remcos	Browse
	c2.hta	Get hash	malicious	Remcos	Browse
	installer_1.05_36.8.exe	Get hash	malicious	LummaC	Browse
	Setup.exe	Get hash	malicious	LummaC	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Temp\342536\Breakdown.com

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	modified
Size (bytes):	947288
Entropy (8bit):	6.630612696399572
Encrypted:	false
SSDEEP:	24576:uvG4FEq/TQ+Svbi3zcNjmsuENOJuM8WU2a+BYK:u9GqLQHbijkmc2umva+OK
MD5:	62D09F076E6E0240548C2F837536A46A
SHA1:	26BDBC63AF8ABAE9A8FB6EC0913A307EF6614CF2
SHA-256:	1300262A9D6BB6FCBEFC0D299CCE194435790E70B9C7B4A651E202E90A32FD49
SHA-512:	32DE0D8BB57F3D3EB01D16950B07176866C7FB2E737D9811F61F7BE6606A6A38A5FC5D4D2AE54A190636409B2A7943ABCA292D6CEFAA89DF1FC474A1312C695F
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: appFile.exe, Detection: malicious, Browse Filename: c2.hta, Detection: malicious, Browse Filename: c2.hta, Detection: malicious, Browse Filename: [UPD]Intel_Unit.2.1.exe, Detection: malicious, Browse Filename: 'Set-up.exe, Detection: malicious, Browse Filename: Setup.exe, Detection: malicious, Browse Filename: RailProvides_nopump.exe, Detection: malicious, Browse Filename: c2.hta, Detection: malicious, Browse Filename: installer_1.05_36.8.exe, Detection: malicious, Browse Filename: Setup.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........;..h..h..hX;1h..hX;3hq..hX;2h..hr..h..h...i...h...i...h...i...h..Ch..h..Sh..h..h..hI..i...hI..i..hI.?h..h.Wh..hI..i..hRich..h........PE..L......b.........."...............................@..................................k....@...@.......@.........................\|....P..h............N..X&...0..tv...........................C..........@............................................text............................... ..`.rdata..............................@..@.data....p.......H..................@....rsrc...h....P......................@..@.reloc..tv...0...x..................@..B................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\342536\X

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	data
Category:	dropped
Size (bytes):	460666
Entropy (8bit):	7.999675338799437
Encrypted:	true
SSDEEP:	12288:+4l+8IoDw2ztawo6+5TE9ssdu/0FSoZAbD5mcn9q5E:Umw2pawo6Ao9hu/0EoZpct
MD5:	C202ED7F00344030B47CCF5081EA3B00
SHA1:	54259D45BA7E8D1A7E93A7639AAD54266C159332
SHA-256:	B576B1FE600E868416D5B913DC7EE17E791E743730B1B7E312A223AE1098F53D
SHA-512:	506D0FAC4D98B4C15751B0F26D14A827488C03EE7626258E2A26B2403621BB466833122D7DFC6068CF7139D16C560C92220F3B1F92E3F2EF9EDC842D7BCBB816
Malicious:	false
Preview:	wf.w....,B.{6c.."%a..%]......"$V.G... q.wT.U..0....}.5_R...Y.....er.[....s.u...N.FDQ.....YQ..zly7V.A.....T......#...w...#......'.q(......:....2........;..5...q..0V...&.5.....M.~...?g..B...We.uK.z.9;....%..3oEC.....".d.+.'...&..'..C\|.D....?......}.{X....u..;.jHG..Z$.K.E5Vt.)o....o. ...!.O.Vf..l.of.Q}.X..K._...x~....}~$...6.U!.. m...e.>B.KnP:H}...\.....vs!..).l....B.N..3.5.V..A..z ...6.9.!Y.D).0....=.8...h3..G.t...S.2m..\R.,....=l.nE...!8....@@J.....C!.].'DRN.gB[=..~f{.JF...c.Y....+#(Vv.........<y]$$..jHO+..{...w...z'....R~..^O.x.&....K`.D..SCA.R.64...t.......Q.Qu}.0. .!.Gl.6.<..`... .."!..Q9'......"d.........pu..8tzT]).x......3@x.....U.`.j..-.4j.h.yf......b.f.T...].3a%:.w.....n..............K.Ej4..^.b?imp......V....D.-..<,.......H..8#..........M...1..-@.sk..[.aa?...&...f7\..VS...df.z.....'i.O.:...gK./F...#vX.j..%'.......0sQo.T..G.".t4 ...C...&*.@.J.d,...W!.em........%..F...I.s.k.#...6M.\.e....y.e.9h.&:....c[0.o..q.....W.hl..,D.....q.N0.NiV5.

C:\Users\user\AppData\Local\Temp\Attack

Download File

Process:	C:\Windows\SysWOW64\extrac32.exe
File Type:	data
Category:	dropped
Size (bytes):	93184
Entropy (8bit):	5.878908814268878
Encrypted:	false
SSDEEP:	1536:/6R8anHsWccd0vtmgMbFuz08QuklMBNIimuzaAwusPr:/q8QLeAg0Fuz08XvBNbjaAtsPr
MD5:	FA26932C4812351A370FD1A812BCDC0D
SHA1:	E303C4D9384FC8C395037B0DDE114829A6DEF073
SHA-256:	A2CD403DA3720AE9ACE204CE17907480E273B62EB177571E44E8E3A9C3E2F1CA
SHA-512:	D3BDA520A7597A8B8DB7301E8AE2A3DC318E714CDD4AA0E04F0EC4E97BEF1850AAAA30D5CD0B0452F64E247AC5CCFF7682205E4C42C70693EC13D1EC02DA7600
Malicious:	false
Preview:	F...............F.............4...............4...............4...#...N...-..+......{2........0.................F...............F...............F...............F...............F...............F...............F...............F...............F.".hN.......@Gp.".hN.......@Gp...............F.Z....M..`.* ......a.p.i.-.m.s.-.w.i.n.-.c.o.r.e.-.s.y.n.c.h.-.l.1.-.2.-.0...d.l.l.....k.e.r.n.e.l.3.2...d.l.l.....InitializeConditionVariable.SleepConditionVariableCS....WakeAllConditionVariable.....CL...B...B.Unknown exception...0DL...B...B.bad allocation..\|DL...B...B.bad array new length.....DL.n.B.X.M...M.((I.8A.O....^......E.R.R.O.R. .:. .U.n.a.b.l.e. .t.o. .i.n.i.t.i.a.l.i.z.e. .c.r.i.t.i.c.a.l. .s.e.c.t.i.o.n. .i.n. .C.A.t.l.B.a.s.e.M.o.d.u.l.e.......csm................. .............J...J.H.J.a.p.i.-.m.s.-.w.i.n.-.c.o.r.e.-.f.i.b.e.r.s.-.l.1.-.1.-.1...a.p.i.-.m.s.-.w.i.n.-.c.o.r.e.-.s.y.n.c.h.-.l.1.-.2.-.0.....k.e.r.n.e.l.3.2.....a.p.i.-.m.s.-...e.x.t.-.m.s.-...........FlsAlloc............Fls

C:\Users\user\AppData\Local\Temp\Basically

Download File

Process:	C:\Windows\SysWOW64\extrac32.exe
File Type:	data
Category:	dropped
Size (bytes):	136192
Entropy (8bit):	6.696437419692178
Encrypted:	false
SSDEEP:	3072:yBxT/sZydTmRxlHS3NxrHSBRtNPnj0nEoXnmowS2u58:yL/sZ7HS3zcNPj0nEo3tb25
MD5:	41E984A536609A71325AD9BDD5DE06DE
SHA1:	4AFD56F000F9BCFC749C1905170E345F5A633F9F
SHA-256:	0421D96D9BF70F6946D790420A7620C478B5AF86C2AE348397B21E5C54CB65B4
SHA-512:	41EEB990709F325E5D31236A97891E69F47AE25BB43A2BAE2E3DC197D0FFD96F48BAB26C9F26275103E031C13784C60EF003DF99B1B3B4B75C961A7F7FFC96E1
Malicious:	false
Preview:	.....4...$...E..E.;.......;~\|sN.}.......t#f...E.....f#E..E.....f;E.E.u.......}.........<O.M.A.}..M.;.\|..................;.......~....Fh.............j....U4..;M...\...;~\|.......}........E.....t5..%....=....u"..O...............................U.....................L.........E.,K.......K....t....t....t.3........;E........E.<W@.}..E.;E...P....................;............Fh.............w....e3..;M...l...;~\|s..}........E.....t5..%....=....u"..O...............................U.........u..............L......3....E.,K.......K.94. cL..u....;M........E.<W@.}..E.;E...Z.......;M.......;~\|.......}........E.....t5..%....=....u"..O...............................U.....................L......3....E.,K.......K.;E....;M...+....E.<W@.}..E.;E...`........;M.......;~\|..Z....}........E.....t5..%....=....u"..O...............................U.....................L......3....E.,K.......K.;E....;M...}....E.<W@.}..E.;E...`....b...;M...\...;~\|.......}........E.....t5..%....=....u"..O...................

C:\Users\user\AppData\Local\Temp\Basket

Download File

Process:	C:\Users\user\Desktop\SensorExpo.exe
File Type:	data
Category:	dropped
Size (bytes):	62464
Entropy (8bit):	7.997011283741353
Encrypted:	true
SSDEEP:	1536:S/FZRLBC2ZZu5wJfxbWipkdwzC4kEcI/F13IFRO09:SNrTM6pCOWE//z3IFQ09
MD5:	392ED1189EC538B7ED8CC5BA628AF94A
SHA1:	FCF5D4EB1D777AE70550FD5FFE27F9F4CC2D93E3
SHA-256:	C74B5293E9514A7914E6BDF8A72849940A276CB9AFBFE0967B59168D298E5D5C
SHA-512:	B8EC1FD63FEBE7567A31E9CB09D7B8519EF086B4D7383774E1E2C98CCFF30AEA7B268F0B6C5E70F15D16E0980E622F99307F81512848521B9F1544F894537EE7
Malicious:	false
Preview:	..!...+..$....W....]O.(......`...;...z.`....A.l.8..K.....b....X.&..iG..aj.6.!.sD......7....G.x..dR.2"...Y.P.+C"\|#..C....5)+n2{...O:..k.......6. .a...R.....\_..^....g......../......L9M.......#..g\-...e.ru.t1o5L}G%58.Y.a'..'.3...2'~.]CK.\.....D..h..2Y.......,..F9...+.+F..~.`.#.z.......F.C.0_...e..&..c.CRm..."..SF......r...%...P..3....[.....C...V;.\...9.W..r..U..XF....o..W....g..C..E...JK......P.......n..q.Qz..t.);....W..#.ek8c.k....;f.+.b.&K"......-..8..+=.\..2r.....j.a.+d........Js.D?.h:%.4l.8.jN.F]r.tS.-....l.4~~..'...o.....w.N..'..~.J......yU...,..c...7.\|....N.]F...5........U.9g....t.x..oz.......Yz........$w..q...y...g_W...2V.J.Y=J..8....F.M.4".8....%.)C.'. ..+.\Q7.G.....C.y...l......i....P<'B....q....d?>..K?j.x...XG......z...(..Q.....Ok.i$V.<.7.Z...j...au.';`.n......R..f........(".p..n...W..QW`.E.:7/.Ar..U...........r....V1.-.VS..0=f..\.@.*l......b.Lc$YY.w......x.-..e..:....8.{h......)..U?...WG......\|@..C.~....I..Zd\|uTX...".-.l.a.

C:\Users\user\AppData\Local\Temp\Decor

Download File

Process:	C:\Windows\SysWOW64\extrac32.exe
File Type:	data
Category:	dropped
Size (bytes):	73728
Entropy (8bit):	6.646824066450382
Encrypted:	false
SSDEEP:	1536:Hxv5mjKu2IwNnPEBiqXv+G/UXT6TvY464qvI932eOypvcLSU:x5mjccBiqXvpgF4qv+32eOyKOU
MD5:	2F680F988E05B442521976E9E49FD5C0
SHA1:	7902E5CD66809B2191C725AD8E5DAE100FBC56D7
SHA-256:	4F2B71CA8BB390FABD1BC3E533372DF449A71A3018468E86E863C55B4E15D13E
SHA-512:	A957BFE3FAB992A656C3C3AFE7C119344F49984B19E9B97BF7D0A1B7656A0F179BD7BE77A8BE293E0587AA0E450406C825B531C7C937DEC31C45AF266BCDB7C6
Malicious:	false
Preview:	.B.+.t.3.......M........N...B.+.t.3........E......3....(....F.;B.tO.....B.+.u...~...B.+.u...~...B.+.t.3.......M........N...B.+.t.3........E......3........j Y+.....;....................$.(&B..F.;B.tO.....B.+.u...~...B.+.u...~...B.+.t.3.......M........N...B.+.t.3........E......3....A....F.;B.tO.....B.+.u...~...B.+.u...~...B.+.t.3.......M........N...B.+.t.3........E......3.........F.;B.tO.....B.+.u...~...B.+.u...~...B.+.t.3.......M........N...B.+.t.3........E......3.........F.;B.tO.....B.+.u...~...B.+.u...~...B.+.t.3.......M........N...B.+.t.3........E......3.........F.;B.tP..B...~.+.u...~...B.+.u...~...B.+.t.3.......M........N...B.+.t.3........E......3.........F.;B.tO.....B.+.u...~...B.+.u...~...B.+.t.3.......M........N...B.+.t.3........E......3..u_.F.;B.tO.....B.+.u...~...B.+.u...~...B.+.t.3.......M........N...B.+.t.3........E......3..u.3.._......F.;B.tO.....B.+.u...~...B.+.u...~...B.+.t.3.......M........N...B.+.t.3........E......3..u..F.;B.tO.....B.+.u...~...B.+.u

C:\Users\user\AppData\Local\Temp\Did

Download File

Process:	C:\Users\user\Desktop\SensorExpo.exe
File Type:	data
Category:	dropped
Size (bytes):	45946
Entropy (8bit):	7.995773084684587
Encrypted:	true
SSDEEP:	768:rUGM7Jt1OQr5JThyTzDTHYsQCNzmz3+sTFzVyBksamJdqIsDM8QJJ7YB7n45/pO:AT7VzrDT0vDTHNQuzmDVJQfa+/KM8eYZ
MD5:	8A89247880D14937661C2DD1F1DC8093
SHA1:	43C8626489FEB6257CB694EA460DDEAFE38B759B
SHA-256:	90206382515FDF2656DF35985365936481204887AD135F89778501024AEC0EB6
SHA-512:	E05F47158AD8E384BD5E071E7D3C4FD605E9845CF9B6628291E9E2541A938C67DEDD64A3933F4EFC9F6C6B87AC60727431F9E4F1D524AEFF105CEEF92277223C
Malicious:	false
Preview:	..U"h..5....N....M?.2.c.O..;/..CX."o...f...f....Y....l.wp`0.?.e..r"$:.~..%D...Ky.%.GQ.-...S..,..C%.}2.8.'......?...h..../.>x.X.5/p..8..U...&.....{.8..Q....F...$... ..6/5..9.$@......A..V.82.1.(@..zRW.N.L.f.K@.L.s)l.V......g.... .fP......7.....:.qG^.......>..v@{r..9[DI.D$..4)G9T.B.Y.2...U..tg<...v.\|S..Z!^....B..D.......3..N.3..z....9.<\|.%..R.qK.B..D....4.....#..&..&D..).i..j.$..z...t~..V..E.ok&...GMC...!.<)P.?&i.J..6.....Ei.v`mJ.w.{.^.;..........;.\.....4..9.`...z...=_.m...>...=....x..C5...pVK\|}i.qk3....G]b...=B...Te.....F+.q.m..U.&.t.............j..Cz..=#...8..IY.`...6..:..l.Y..S.oq.Z1.....]i...E...#.{../..]..C..;._./.....&.%.....U.. ..Z..a.h.3...P...1.v....@0.`@...A(.L:.......Z@..Q..PT..74D..>.d..;.]...........i.;i2....sF.96.$..\|....H.\|.,j&. S=..T....7..WG.#.P..Q:.K....E....~.-x....Em.b.nX....j......?lj9.jS6......K2B^.....U..J.0....%.e.bPH...#N......<^.[.. 7...j..'V.l{..,E..D.G...,...q..S..W....o.a.H.u.Ew..=".Sf....."..$[+..^5r..w%.f.`!..

C:\Users\user\AppData\Local\Temp\Eau

Download File

Process:	C:\Users\user\Desktop\SensorExpo.exe
File Type:	data
Category:	dropped
Size (bytes):	81920
Entropy (8bit):	7.998051154733769
Encrypted:	true
SSDEEP:	1536:XmhppR5mfTt2NpW3LEeWCr2eU4YA6x2UnEXr1IHLmnM6gUvLLvR:CppRAfJ2NpW3QvCr2z4/l7+KMajLJ
MD5:	6B2C2D848C040C1EEEEC93765FAB1473
SHA1:	9B038E6F3225DE7A94795A86E8E45D57C06A6E1D
SHA-256:	B74E8DF32C9ED809A70D57B4E3446392F27B88EC5B0B8674C4FEA554396ABADF
SHA-512:	A590A1162E3C040E4D3015020E251E7CD20FF2D893C0ECD2F3D5916DA273228E4A04C59519162215C1256C467B6EFCF52298C493EE788715FFFA1DE95321DCEE
Malicious:	false
Preview:	...>...(B<.F..[.Sl&.y...W6.......U.......G..4%..\|...?...qk.8....z.F..?9WQ.......F).wQ6[{!W....B....PF.?.U....o..;...D..e..1G.......H@y.......s.&..R.......vdN.e.77..9.E..Q-.g.-6.}D..=d..}......J.SQ..{X..)n8.].{d...P.g..\...)..P&.p.F~...RB K.....IU..AW..m......_R...3.j..-Z....$wR..<D....x...3.S.'..\|Q..J>XG..n..iU...I...q.K..D......WA.<.{r..9%......U.n...\|...p..OEsv.N....o.O...P..I......gq.c]....'....f.E..W...P..XW.#.y...M....?.y.s...W..".\|3Rh.2...&..{..p#...!fy..%........H...5...<...O.6K......C..z...aeAX...#.-7...i.).&..:.\..u.p.Qr.CLH.v.zv........n..@....C....6...~p.D..._2..#.C.AL..?.bF..cmp..ARJ").ro@.yY".>].{z.....t....aZ..{g..........0..U.'J.9../.2...G.{.0..H9.U.y.I./n.X.3<.>......V....L...C.u>...<...4.&..........G....v........cX .MW....].n.p...t.........t?~......D...U..L(.1\|...IR..E..t`....MLV.!Jd..[..=w...8&@...A.........'Ox....rQ..K,.7i!..D.$#yl?8?e(..[.I...)H.y...f.i.B]..k...7.kL.p....x..\.n...`..-........5X......+.N\S....(..

C:\Users\user\AppData\Local\Temp\Horses

Download File

Process:	C:\Users\user\Desktop\SensorExpo.exe
File Type:	Microsoft Cabinet archive data, many, 489921 bytes, 11 files, at 0x2c +A "Decor" +A "Reason", ID 7329, number 1, 29 datablocks, 0x1 compression
Category:	dropped
Size (bytes):	489921
Entropy (8bit):	7.998612921042226
Encrypted:	true
SSDEEP:	12288:QT86BkSoZc4JQ4uZHunC+W9HknELxqDsWN1siFT:I8wom4JQH5OC+eHwEAsWNC2
MD5:	D19B498594B52EB8A3234C312326B158
SHA1:	94C5905D99C323798A90F2640269ADC272589DDF
SHA-256:	F0EF223F8F88581613C9CCFDE90234AB1160AEC17C55EAD17EE3C4C7655B8690
SHA-512:	43FC11E619E58523BDF09FD7D849AF99F28B614214641C0199B7BF57ED7E1326C9E88ECDE489E7FF65A5BE29A495233D859FE0951E11D993235E0CDECCD037BB
Malicious:	false
Preview:	MSCF.....y......,............................ .........Y.D .Decor..(... .....Y.D .Reason......H.....Y.D .Sponsorship......f.....Y.D .Lace..l...R.....Y.D .Attack............Y.D .Basically............Y.D .Older......b.....Y.D .Nd......j.....Y.D .Montgomery......6.....Y.D .Southwest..8..^<.....Y.D .Loud......E..CK.}\|...8>.;I&a.Y!@..Q...m`Q.6jva....i..MR.l..V.....9I..u....Uk..O[Z. f.L..Z.._.F.a"..a....sgv.Ab_..?~.....N...{..{..e.gFVXr8w7..CA{...i..m+f..<3.z........v/....n.y...HA....n..pzVXN...]..K m.4 ....l..=1.n+..2.....w.#.#.n;e{C97[...A....Wx..>../.E...G.....cH.<...@.'.s.b7..C#..I....&...>:......Z....3.!0`.......A.....C....3....`...I...O..NB....NA....b..\.!...C.m....?3).Czx........^..B...G..6.......YH....9.;7.......<#..#&..!...\|... .N..9<I....}....0B.C.L....1.. .C.'".sR....I..'&rjj.}Lc/.....G`..I...h...I`..X...^......xg...wy.G..7....k.....04xB....S....S&.!TZ.....$`(....3..]..l..J.6)D4.>....`h......).sy.E.p.$0bj.}Lk/H.....\|.....Ng..MK ?...>...s$......M....

C:\Users\user\AppData\Local\Temp\Lace

Download File

Process:	C:\Windows\SysWOW64\extrac32.exe
File Type:	data
Category:	dropped
Size (bytes):	125952
Entropy (8bit):	6.458398944959998
Encrypted:	false
SSDEEP:	3072:LpIbv18mLthfhnueoMmOqDoioO5bLezW9FfTut/Dde6u640ewy4Za9coRC2jfz:0phfhnvO5bLezWWt/Dd314V14ZgP0w
MD5:	45753DB856B58834EDD743B4B68706D2
SHA1:	00519A17FB5D42EB7210130BA0AD497CA2A92B21
SHA-256:	D38E011C515162E0E2C7808B8DC6B777EA2A0DD912832C3A1316D2F4E939FCE5
SHA-512:	B9CFA9D114540A789D4851C77F0A5A30A6A7081125F35B500E13ADBBAD755272C5EB718BB22DC0C402CDA9F0B7153089BE8E3F376836298C51640AAEC322FF08
Malicious:	false
Preview:	}....E.u........}.;........E.M...P................E..+.j.Y....M.....h..j.j.P.E..fn......}..t..].+....]...+].j.j.j..u..p...........d...3..B.}...V.t......]..].+].RRj..u..=...........1......]..F......u.}...E.....E.]...3....M..U..U.+M..]..u.U.M..........u.......}.Y..u;.].........#.3.B.S....@..\|8...L8.t..I8.Q..\|8...L8.t..I8.A.._^3.[....U..E.j..p.P.U...]...U..E.j..p.P.@...]...U..=t#M..SW.}.._........G.V...8...3...x,.G....(.....e}..G.V.......Ph.....5t#M...H.I....rd.G..p....'w...F.3..f9.t#.G..p.....w...F..03.Pj..5l#M...H.I....v#.G..p.....v...F..03.Pj..5p#M...H.I.^_3.[]...U....V.u.W.......~...F.u&.H..r....V..2...t..v..j..v....&......0...~v..j..v....>..._3.^..]...U..VW.}...G....!......R..\|2...L2.t..I8.A..\|2...D2.t..@8.@...G....v..G.j..H.....P...H....b...G....v..G..M..p......_3.^]...U..VW.}...j..G......P...H....zb......v..G..M..p...._3.^]...U....SV.u..~..u .F..H..^...3.C;.u..F..0...~u.....F..0...pu..2.N........^3.[..]...U..E.W...@........jdY;.w.i..................Qj....

C:\Users\user\AppData\Local\Temp\Loud

Download File

Process:	C:\Windows\SysWOW64\extrac32.exe
File Type:	data
Category:	dropped
Size (bytes):	79872
Entropy (8bit):	6.584608546934193
Encrypted:	false
SSDEEP:	1536:wHRu+OoQjz7nts/M26N7oKzYkBvRmLORuCYm9PrpmESvn+pqFqaynBG:OVOoQ7t8T6pUkBJR8CThpmESv+AqVnBG
MD5:	6127DBA357D0395DE32B85CE5E84A6A5
SHA1:	97DCB2E9F23126884BC098A1DB0B8D592A3EC5C5
SHA-256:	492DCD039DCA605681207BA5141F47CD62331773055DAAE0067245F7F9AA92B2
SHA-512:	E7A8B8B23F191014A7328728FAD4C86AAF999107E45022B7F0F8C1A4F78BF820CE06E00C745859FB37BCA0CD3A35B2ADAA68D1E94A305F5E912B5B744E44B2BD
Malicious:	false
Preview:	..D$HPW....I..u.......A..........D$HPW....I...........L$......L$(.x....D$lP.L$<. ....D$(3.P.D$.Pj..L$D.nx......L$8.l....D$(P.L$..{....D$.j..p..0.t$(.t$(........D$Pt...t.;.u..L$.......L$(.$....L$.......>...N...W..`.I._^..[..].U...<SVW3......VPj.Vj...PQ.3....I...U....tKj.Y3..u.V.}.u..E..u.Pj(.E.u.Pj..E.Ph..-.R..L.I..u.....`.I...t..E.......2._^[..U.....=.#M..SVtk3......VPj.Vj.PQ....I.....tNW3..E......}.u..V.u..u....E.Pj..E.Pj..E.Ph..-.S..L.I.S....`.I._..t.3.8E........@..^[..U...4...SVW3.Vh....j.[SVSh....Q....I......t~h(.........VP..F...........................u.j(Yj.XVf.......E.PR......f......PRPh,...W........L.I.W....`.I...t.3.f.}.........@.._^[..V..F.HP.....f.8\t.h0.I........^.U......SVW...h.sL...........u..M.;.......V.7........M.......M.......\|........M......M......M......M......M......E.3.P..\|...3.PS...u......E.U...P.E.P.E.P.tu......M.S.8...j.^f90u.j.S.M.....S.M......f90u.j.S.M......u..E.;.t.P...u....E...P.F....E.P.U.M.....Y.E.P.U...\|.......YS.M.....

C:\Users\user\AppData\Local\Temp\Measuring

Download File

Process:	C:\Users\user\Desktop\SensorExpo.exe
File Type:	data
Category:	dropped
Size (bytes):	53248
Entropy (8bit):	7.996303226806384
Encrypted:	true
SSDEEP:	1536:iwj2pNFsA9V6ikP/FMwgJN9zqYnaYuubP+xT29h:pONFsAvkP/eN9zFa3ubQ69h
MD5:	2C79D50DD7EFADE05C935A159CB28EA5
SHA1:	DE158E5F98F42D878F8EC2AA8BAAD3195EF37AE3
SHA-256:	F2ED358FBF8B0BDC7AB3CA3F63370FDEB295508E7F7D1AE2DFD324FF18266426
SHA-512:	2B362E7667890B205A264B1D52180DAAF39840E2AF9C5E7CFF85081D6EE1E9D975D5B38B2E5F66EB47404BE2135A8B23E797A3B4EE1866E32E81D840F7AF52F9
Malicious:	false
Preview:	..Z;..{@.....t@...[.U:.&../Y1...Z{.TD....;p.'X....\.Eo.....$.?R.................G....x..Q..T.W..#..}s"....B.. -.Pq..<...s.,a.+....H<.g.>K..A.yS0.k.D....]G.,.2CZRY)%Mqyk.@.h..D.R......~.k.w.....q.........%.ga3..d..t....K..3..K..F...Y.i......kkT...{....L........8l.$)H.j9..)-..C. I...Y...N..^.1.I."}.x..2.pX.V.l..?l.$X9..$[.w.M....K].]"...U\|.....XF..k ....vF...-.....n$.k3[X>..yID.ix.......Rq$}.V.A....w:....I`v_.!6;..1.^b..7x.....B..7X.Z.s($.5..t....HH..Z.\|t.}g.g.^......a#mu..E.g....Ma....t{.$]{...SJ..@..g\5/...%........,.8.!c...m...T..5...hQ4-...4jz...\>w...1.N.^.z6.@k.X.;.......R.4.B.2...R...'(......{F....v....`...r..d....\B. c5...+s.@.C..M?.j^....T....;&Pd.^kpz#.R..b3'.,...Y.&&.Y.u<..E.o....[.S...a..z...c....C.]_.W....c:.l..3.q.nR.......VL. ./....T.-.....A.>..6O%..I....R..Y.z,4......5...N.yJ......A.S"..0..}.z..feI..{9..Y.n.:.n....G..S..A.....#3.E4A..8.L{"".h.Z.n...?..z........jZ..@..rX2Lh..6-...h6.".C....Y..M?..\|#=.@.(.^...C.S.nb....>......

C:\Users\user\AppData\Local\Temp\Montgomery

Download File

Process:	C:\Windows\SysWOW64\extrac32.exe
File Type:	data
Category:	dropped
Size (bytes):	117760
Entropy (8bit):	5.969341322808828
Encrypted:	false
SSDEEP:	1536:JxjgarB/5el3EYrDWyu0uZo2+9BGmdATGODv7xvTphAiPChgZ2z:JxjgarB/5elDWy4ZNoGmROL7F1G7ho2z
MD5:	7E4BD7B934F388E3BA57D99C34568992
SHA1:	016FF4B516BC06FADB9EDFA76A6C044613F7C594
SHA-256:	98CC9532CA7C087E606743EE465A7EA4897A2C50FED6B34AE09F2A368004BADA
SHA-512:	D84AAF5712BF26AD6D313539F215E04439D9C92BB0525681FA94BD6C30FA1E2BFA364BF93D43E07ADEBAAB6B06B359EC4E07ACB54E342AB9CE899119D8E489D5
Malicious:	false
Preview:	.................8...............8...................................................\|...l...\...J.......,...:...N...d...................................0...@...J...X...t...........8...........(...................X...p.............................,...D...................................................\|...p...d...Z..........N...B...6...".......................@...P...........................v...j...^.........................................(...:...F...N...d...z....................................".......:...N...h...x.................................... ...4...P...b...t.........................n..................>...T...p....................................(...@...P...^...t................................&...B...`............................. ...8...J...\...r..................................."......@...N...Z...n............................V...J...:...........................................................*...<...V...l...x..............................

C:\Users\user\AppData\Local\Temp\Nd

Download File

Process:	C:\Windows\SysWOW64\extrac32.exe
File Type:	data
Category:	dropped
Size (bytes):	133120
Entropy (8bit):	6.376202350184543
Encrypted:	false
SSDEEP:	3072:DZg5PXPeiR6MKkjGWoUlJUPdgQa8Bp/LxyA3laW2UDQWfI:DK5vPeDkjGgQaE/loUDtfI
MD5:	02BA0D611FFCB0256F1CC85C2581BC4E
SHA1:	2A5E12342E816C452D9EC9E02843D759F28DB40E
SHA-256:	469708DD595C68B5D8E58F2DC7920880EB4FD3C9FC3393FDA62979E056A62A6F
SHA-512:	E03BBA2A9B31058779CDF01A8591CB8437BEFC6A36184C37FD577F1901CDAD1ED8CF7FBA73961E557A05FE0CDC46773E1327D42DA09000793A1F84BA593EBC48
Malicious:	false
Preview:	..F.....3._..^[....U..V.u.3.W.~....p....N.j.j.P..j.j....Pj......u..........>3._.F.....^]...SV..3.Wj._.N...N(...^..^..~..^..^..^ .^$.4......f.^8.Nl.F:..^<.^@.FL.FP.FT.FX.F\.F`.Fd.....j....................F\|U............[............u......3........................l.....p.....t.....x.....\|...........................f.............................................................._......^[.U..SV..j.[.F.9F.u0...j.X;.sF3.F...W.......Q......~....Y.......~._S.....Y.M......V..N.....F.^[]......U..QQ.}..........L)M....tv.}.........@)M.3.VW.}.B....U..0...E............}..t .M.......~L........E.j.P.FL......E....u..E ...u..~8...q....._^....3....FP..FT..U...u...(M..K...P.....j.j.j..u...x.I.]...U..Q.@)M.V.u.Wj.....8W.z...............d)M.j.Z.U.;........T)M.....0.........F.;G.u{............8......../.....................VW......~d...(....~h...0....~D...8....~P...@....>.t..6..<.I..&..u........d)M..U.B.U.;..._....u... .........$.........@)M........t.Q.=.....@)M..... ..5.)M..E.N.5.)M.;.L)M.u...L)

C:\Users\user\AppData\Local\Temp\Older

Download File

Process:	C:\Windows\SysWOW64\extrac32.exe
File Type:	data
Category:	dropped
Size (bytes):	102400
Entropy (8bit):	6.71432976003208
Encrypted:	false
SSDEEP:	1536:oOSpZ+Sh+I+FrbCyI7P4Cxi8q0vQEcmFdni8yDGVFE5gOHu1CwCMIBZwneAJu7Qt:oOSpQSAU4CE0Imbi80PtCZEMnVIPC
MD5:	020CCAD2655C4343AB7EEA1277AB0CBF
SHA1:	711F53611F2152C9FF03817E593ED5093206DD97
SHA-256:	993EFCFA687637EAAC5C6DD5DF2A565F3AA847EE242C6B3E9B11CD747F405F0B
SHA-512:	11643A91A1A47BA60575D06A97CA9DF3866DCC6AE96DBD97C53265A8A3C70BBD3300655AAD5939BC158253837961C0F4FEB19D350DD5CFDBE4A0DB814FF0DF80
Malicious:	false
Preview:	.j............t'.e...E.j.P......I....zu.3...M.A......j.X...M...2.^.M.3........]..U..}..u'V...M..>.t..>.t..6....I..&......X.M.u.^..]..U..Q.....HL.M..M.QP......E.YY....]..U..QQf.E......f;.u.3..B.....f;.s......L....H.$f.E.3.f.E..E.Pj..E.Pj.....I...t...E...M.#...]..U...$...L.3.E.S.u..]..M..3....C.=....w..E.....X.z..M.....E.Q...P.+..YY..t..E.E.3.j..].E.Y..3..].3.E.A.E.f.E..E.j..p..E.PQ.E.P.E.j.P.........u.8E.t..E...P....3.....E.#E..}..t..M...P.....M.3.[.m.....]..U..V.u....w0..u.F...f.....t V.f...Y..t.Vj..5.#M...p.I...t....s.........3.^]..U..Qj..u.QQ...u..u.P.\......j..m........]..U..Qj..u.QQ...u..u.P.0......j..i........]..U....SV.u...t..]...t..>.u..E...t.3.f..3.^[..].W.u..M......E......u..M...t....f..3.G.....E.P...P....YY..t@.}....~';_.\|%3.9E....P.u..w.Vj..w.....I..}..u.;_.r..~..t(....13.9E....3.P.u..E.GWVj..p.....I...u..7............}..t..M...P......_.1.....U..j..u..u..u.........]..U....S.].W.}...u...t..E...t.. .3..z.E...t....V......v....j.^.0......S.u..

C:\Users\user\AppData\Local\Temp\Reason

Download File

Process:	C:\Windows\SysWOW64\extrac32.exe
File Type:	data
Category:	dropped
Size (bytes):	75776
Entropy (8bit):	5.023087256394978
Encrypted:	false
SSDEEP:	384:1u88888888888888888888888888888zv888888NfU84444Qnoooooooooooooou:1/SGKAGWRqA60dTcR4qYnGfAHE9AUs7
MD5:	66C088763E0956A8ECC949C14CE47688
SHA1:	D902F4BF1D423395E8F60C768C8AE33635491C3B
SHA-256:	0B99F2240B4EC4967EC88D8588FEC0BC38035BCE67FF5DDA5C12D24072699089
SHA-512:	315ED41793B7CB6B76DD7D513ACD9137789EBA6C992319CFE0917C811FC6542D8036E42EEFDBAE7334E6B9C99D1A841A03019B10FF03F42C5FEF660025DC889C
Malicious:	false
Preview:	.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................r.r.................................................................r.r.....................................................................r.r.r..................

C:\Users\user\AppData\Local\Temp\Rotation

Download File

Process:	C:\Users\user\Desktop\SensorExpo.exe
File Type:	ASCII text, with very long lines (435), with CRLF line terminators
Category:	dropped
Size (bytes):	16206
Entropy (8bit):	5.129988862428514
Encrypted:	false
SSDEEP:	384:OMzVHQcMXhaX+tYoRr2O1MIawRTBuV4VUBYNOFjT/qN5b:RzCpXkX+LFf1nnRFuqVHQ05b
MD5:	243B22FA741C855B880482727C63FC08
SHA1:	F32DDAC67A491965522DB07D120B5759922C8D74
SHA-256:	8267C39E49963EE9E50A357D85756E96BFBF78B4217D82DFB47CFF187F3F14C0
SHA-512:	5971891EF8DBE9E79D3D4584EBC3B8DFF4FC3944BA4FB69FC06ED9E0FC56F38340BF97F74F63FDDAE8BEADAFBD77DF98AC7AA14E1403DBB18B7BC359A52DED21
Malicious:	false
Preview:	Set Britain=8..DXpYMighty-Reunion-Lodge-Anchor-Comparing-Genes-Piano-Labels-..sBBobby-..hiHonors-Submit-Invitations-Mails-..XCPMFurther-Causing-..txhZLabels-Disclaimer-Readily-Fy-Independently-Handhelds-Contemporary-Bt-..kcJWPerformance-Chronicle-Logs-Excess-Levy-..TQYIgnored-Cuisine-Eggs-..vhiBreeds-Illegal-Retention-Teams-Precious-Arm-Heart-Atmospheric-..DYsAug-Dating-Soa-Kb-..Set Bunch=9..xdfLNn-Customer-..emViews-Nor-Tent-Iii-Must-Handed-Suggests-Arizona-Compete-..FxTiming-Sprint-..kVMExport-Shoppingcom-Civil-Fuji-..pTProvincial-Fwd-Warned-Ebay-Syria-Economics-Logos-..nmRbCoffee-Expensive-Occurrence-Seekers-Turkey-..QdYorkshire-..fiHImplementing-Links-..Set Cleared=l..GYOZUntitled-Designated-Climbing-..HrHChange-Nashville-..rxOThemes-..zgKTranslate-Iraq-..gXTXRadius-Spyware-Matters-Acknowledge-Considers-Herein-Cumshots-Tables-..WhRPasses-Assistant-Salaries-Mailman-Salvador-Thru-Mississippi-Summer-..EACity-Afraid-Sail-..gJpGourmet-Hours-Representing-Springfield-Architectural-Congo-F

C:\Users\user\AppData\Local\Temp\Rotation.cmd (copy)

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	ASCII text, with very long lines (435), with CRLF line terminators
Category:	dropped
Size (bytes):	16206
Entropy (8bit):	5.129988862428514
Encrypted:	false
SSDEEP:	384:OMzVHQcMXhaX+tYoRr2O1MIawRTBuV4VUBYNOFjT/qN5b:RzCpXkX+LFf1nnRFuqVHQ05b
MD5:	243B22FA741C855B880482727C63FC08
SHA1:	F32DDAC67A491965522DB07D120B5759922C8D74
SHA-256:	8267C39E49963EE9E50A357D85756E96BFBF78B4217D82DFB47CFF187F3F14C0
SHA-512:	5971891EF8DBE9E79D3D4584EBC3B8DFF4FC3944BA4FB69FC06ED9E0FC56F38340BF97F74F63FDDAE8BEADAFBD77DF98AC7AA14E1403DBB18B7BC359A52DED21
Malicious:	false
Preview:	Set Britain=8..DXpYMighty-Reunion-Lodge-Anchor-Comparing-Genes-Piano-Labels-..sBBobby-..hiHonors-Submit-Invitations-Mails-..XCPMFurther-Causing-..txhZLabels-Disclaimer-Readily-Fy-Independently-Handhelds-Contemporary-Bt-..kcJWPerformance-Chronicle-Logs-Excess-Levy-..TQYIgnored-Cuisine-Eggs-..vhiBreeds-Illegal-Retention-Teams-Precious-Arm-Heart-Atmospheric-..DYsAug-Dating-Soa-Kb-..Set Bunch=9..xdfLNn-Customer-..emViews-Nor-Tent-Iii-Must-Handed-Suggests-Arizona-Compete-..FxTiming-Sprint-..kVMExport-Shoppingcom-Civil-Fuji-..pTProvincial-Fwd-Warned-Ebay-Syria-Economics-Logos-..nmRbCoffee-Expensive-Occurrence-Seekers-Turkey-..QdYorkshire-..fiHImplementing-Links-..Set Cleared=l..GYOZUntitled-Designated-Climbing-..HrHChange-Nashville-..rxOThemes-..zgKTranslate-Iraq-..gXTXRadius-Spyware-Matters-Acknowledge-Considers-Herein-Cumshots-Tables-..WhRPasses-Assistant-Salaries-Mailman-Salvador-Thru-Mississippi-Summer-..EACity-Afraid-Sail-..gJpGourmet-Hours-Representing-Springfield-Architectural-Congo-F

C:\Users\user\AppData\Local\Temp\Satisfaction

Download File

Process:	C:\Users\user\Desktop\SensorExpo.exe
File Type:	data
Category:	dropped
Size (bytes):	60416
Entropy (8bit):	7.996954116333727
Encrypted:	true
SSDEEP:	1536:exg+tqLvs2Zg5M5tvZh1DJC5J58yK/+AQ+fY:eidcMjvT1DJCz58N/+7
MD5:	5704CFC222D0A12088676D36EC385BB1
SHA1:	7FA54CF1E0A0D38EC26EDE4A773A007F6F1823EA
SHA-256:	18C299E7AC6A454BECB014AAA488454E2959FDAC8438D05C0EC56757A5D20BD7
SHA-512:	0152CD90D73A0681E74E50D4125724DE88B0F2F902F3872B5BF9DE5D8EBAA24A1BA700654F6866DE490304B1A969607734FD76F04BA38B33F862B0C3884EA29E
Malicious:	false
Preview:	wf.w....,B.{6c.."%a..%]......"$V.G... q.wT.U..0....}.5_R...Y.....er.[....s.u...N.FDQ.....YQ..zly7V.A.....T......#...w...#......'.q(......:....2........;..5...q..0V...&.5.....M.~...?g..B...We.uK.z.9;....%..3oEC.....".d.+.'...&..'..C\|.D....?......}.{X....u..;.jHG..Z$.K.E5Vt.)o....o. ...!.O.Vf..l.of.Q}.X..K._...x~....}~$...6.U!.. m...e.>B.KnP:H}...\.....vs!..).l....B.N..3.5.V..A..z ...6.9.!Y.D).0....=.8...h3..G.t...S.2m..\R.,....=l.nE...!8....@@J.....C!.].'DRN.gB[=..~f{.JF...c.Y....+#(Vv.........<y]$$..jHO+..{...w...z'....R~..^O.x.&....K`.D..SCA.R.64...t.......Q.Qu}.0. .!.Gl.6.<..`... .."!..Q9'......"d.........pu..8tzT]).x......3@x.....U.`.j..-.4j.h.yf......b.f.T...].3a%:.w.....n..............K.Ej4..^.b?imp......V....D.-..<,.......H..8#..........M...1..-@.sk..[.aa?...&...f7\..VS...df.z.....'i.O.:...gK./F...#vX.j..%'.......0sQo.T..G.".t4 ...C...&*.@.J.d,...W!.em........%..F...I.s.k.#...6M.\.e....y.e.9h.&:....c[0.o..q.....W.hl..,D.....q.N0.NiV5.

C:\Users\user\AppData\Local\Temp\Southwest

Download File

Process:	C:\Windows\SysWOW64\extrac32.exe
File Type:	data
Category:	dropped
Size (bytes):	1465
Entropy (8bit):	4.348427914613753
Encrypted:	false
SSDEEP:	24:gyGS9PvCA433C+sCNC1skNkvQfhSHQU2L55e1yb/J:p9n9mTsCNvEQH5O5U1I
MD5:	AE41F0DDAD9BC34935CAB81725EF9C18
SHA1:	BDE20CF518D2B98D3041D239DCB0E8C1E6B14A93
SHA-256:	55D4569F7B4B24AE51EFD8D8E87548B5520C7818AED9782797AE7F230B8DA4DD
SHA-512:	2000702528C0F4E267ED1EBFD418CA8186AAAEB5E432A4007EADE5296AA3319124D65295CF1F229F00A55E045690B7B069FC6041A0C60B3D21AACE12EA5ACA48
Malicious:	false
Preview:	HARDER........................@...............................................!..L.!This program cannot be run in DOS mode....$.........;..h..h..hX;1h..hX;3hq..hX;2h..hr..h..h...i...h...i...h...i...h..Ch..h..Sh..h..h..hI..i...hI..i..hI.?h..h.Wh..hI..i..hRich..h........PE..L......b.........."...............................@..................................k....@...@.......@.........................\|....P..h............N..X&...0..tv...........................C..........@............................................text............................... ..`.rdata..............................@..@.data....p.......H..................@....rsrc...h....P......................@..@.reloc..tv...0...x..................@..B..........................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\Sponsorship

Download File

Process:	C:\Windows\SysWOW64\extrac32.exe
File Type:	data
Category:	dropped
Size (bytes):	7845
Entropy (8bit):	7.574697546773328
Encrypted:	false
SSDEEP:	192:UeAH6N8VEVFJ84kcGNq4/C+Q3ISVSWMZMQ3rw:UVrVEVFJ8ZcGwGBk7/UMQ3rw
MD5:	B16208342F1EE1C1129BC39DACC15542
SHA1:	9FE161312AF2D3989D26CC1D988F5CCB81B29E4C
SHA-256:	1AB132A5F4D40A307CB211CBF24FF6CF79783951ED5D80D0A1CDFB5B78B371E0
SHA-512:	1259DDF12FF07C115F4DD083E7480963ADA0B4DF3BC8B85890DAB6D89F906C4B48EBDCBF203BA32ECC2F3C65C486590BC7CC59FD6AED900D9A9A54EE2CD05428
Malicious:	false
Preview:	cacert/gscodesignsha2g3ocsp.crt08..+.....0..,http://ocsp2.globalsign.com/gscodesignsha2g30V..U. .O0M0A..+.....2.20402..+........&https://www.globalsign.com/repository/0...g.....0...U....0.0?..U...80604.2.0..http://crl.globalsign.com/gscodesignsha2g3.crl0...U.%..0...+.......0...U.#..0....:..t-..s....I?..T0...U.......J....F3...1..u...v0....H.............{m....p+......)r..)..9...t.Qg..Y.....[A.......\|k..H;.^q..w.WP......2lnF.;....}.......X....&-`.d...H}.)..f..+....";Y.}..#....). .%\|.X.[.....tgo..!sN....9v.\...\|.)F.....1.I4V(F.......x.t.2.............T.Ia.S..&zp2....5..U..ye.{.$.;..!.f...E...1..70..3...0j0Z1.0...U....BE1.0...U....GlobalSign nv-sa100...U...'GlobalSign CodeSigning CA - SHA256 - G3..8.Hn...04.J0...`.H.e.........0....H......1...+.....7...0...+.....7...1.0...+.....7...0/...H......1". .g.6..l....#..t.X..n\|$>.......0^..+.....7...1P0N.". .A.u.t.o.I.t. .v.3. .S.c.r.i.p.t.(.&https://www.autoitscript.com/autoit3/ 0...*.H............>./.f..m..6.5.f..V..6....

C:\Users\user\AppData\Local\Temp\Transparent

Download File

Process:	C:\Users\user\Desktop\SensorExpo.exe
File Type:	data
Category:	dropped
Size (bytes):	93184
Entropy (8bit):	7.997830680370164
Encrypted:	true
SSDEEP:	1536:Wio4ee/shhXZ+vCLHYRzJByd7VECTVm9TbIpS83cZEcyIoISuXvr0y:WiQh7+JBOECTVmtbIc8MZ5yIoNuN
MD5:	FF5B7D98E34394520C9EDE32F05CC3B6
SHA1:	6155871A11331FC3D256EB51134264BC6BCC4918
SHA-256:	32DC32B23412022E0B5131A979531DCAFC5B62D2E53AC6E7EE410A4D17131982
SHA-512:	04526F489AC162CAB319B3F3D4D2DE1246F2E5F0BDAC5F31199946F11125B1EF52034F239A41BD5B66BF3F68A3DD5B3D0973C31EE5B9777D83FA1B3672E15CC0
Malicious:	false
Preview:	[.X....8d.........-.m&.o.B..!(...l.,........(7..&../e.Yf........L..9.'.6tR)?..FI.8.8.\..G^.A..c<.%!\|}.x..;...C5B...8.<.z.L.e.D...<....q.=.X.:..6.].]bZ..3.yG.k%v.''....0.QGV5.. ...J.k.8O..P.-.kS(....$.. .w...uR.Zw^...E d=.r....i...W....:..>..v`...+......73.`.w.3...".....9g>.......I....[N.I.J........_.....=......(.$.....":...;..1...Z_@........8r.g......V...P.a.I...[O.5+..y./b.)W..<!.E..c.r...V.`........h..!3}......1...uA.ld.....Qc`y......_..:..>..`.B......x.....dSD...a...g..u7....E......'[.........i.....u1...[..)..~e...@.$..0.j..n..v.+...&.l.......Zc....."W......M..L.s..^2..]...@.....w...}.BWh...j. ...8e4E.......v.........+....Q.'CXjTI...H.{..@.,.1;...=.v..F..L....#.\|.....rH.M.e.z"QA.....ut...q...U.h.rw......1..b..w......Q...}.F..s9..v.`....G..t9.[S..2..".Q...o[..D...H..LR.z..X...v.s3.mGN.....2.?.....i4L.p....U.....h..T.~2I.a....gG[m.28.+....{...,y\|......)1:N..b..4.nIF..a.....*wDU.@.6.^.db....mVX$..@.4.U}..Y.....i.E..C......@X...g

C:\Users\user\AppData\Local\Temp\Whatever

Download File

Process:	C:\Users\user\Desktop\SensorExpo.exe
File Type:	data
Category:	dropped
Size (bytes):	63488
Entropy (8bit):	7.996718730004496
Encrypted:	true
SSDEEP:	1536:y1uXfELuHQ+6ztj6c3cJwg9QmSoewzEg1xEo:lX86T6JGnR9QmSolEEEo
MD5:	152BEC8986015E9D0C191CA7B38A095A
SHA1:	C821F7858B1B32F94E5693E954F9C766A9AE0DF2
SHA-256:	2CB3E7C8AAFE58EDC503CFBF7403C258C330AA18C260DCB5B60FB2759029706D
SHA-512:	CA45C92B920FC697A010C46C81AB26876F08E1108C9C10055A74838A277BDB58C2F14186F1BDF7CE1C26E96D9620B0C716F10C4F0AB5F4D47F5FF3DAA345F3FF
Malicious:	false
Preview:	5..,.,.<....WD..w..g....N..l.t..._IJf...I.jR.o.W.../.wE.........0%.\:......v.....x........uI..[.).p...C..W...f.9.P8..j.$....M.V-.!...T..i..."...Kq.m..}%H+)N..#X.-....G.p.q...0.$....}.(.}..o32.G.Qu..ku.U.. uNX/.e>.1..%B2._TY.y.~..l1\|...B.l\|Oq...2.5).W.H.f=k...B...R..-vw5..R...;.....F.N@...>O.!...3...% s..L...../U..hI.V...d.......<^<...6T..2.e(b....1......-v9.{...f.?.....W,...Ed..`.......pB.{...G.=H+-...1.#hx..r..d/....l...{>..I.Q.Y..pjH~.Ik..)G...3.71....~...=.C.c......B.A..<.<7...Ap..^.^b.1..gc........Zq....0.c..D....48.S..`...PpK.c.o..M......1X.>.....(..U^Oz..rV...3.O.p.nwj_.F$l;=...8n7.K&k..!>{$!...!&.Zk$..&....C.........~...=&G..8..}\|..bT^".'\|.j#/L.D)4......2..[.Vq...D&..L. ..8^.5.4.Lo..C+.eh.R.I.....0....c...xD..WJ\..L.Oq.V...;....#......X.[..N8&...f...[..'....\3.Fw...*..C..j..u.FE>JN.OC..{@...3...Y....ac.#.....?.....t.......b.".#Jf..@~.s.o..\|.JA.Oy......\....Z{.">......Jb..<.=J..A.iB....Z.)\|.....W.v....Z..+....T..(dq..h..16e%O..

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.96199725751763
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	SensorExpo.exe
File size:	1'416'489 bytes
MD5:	bc13a0403a10a32c7c81e29f430e9cc7
SHA1:	33d3af3457d4bbd3a0b3ce0dd367dcd330d7d4be
SHA256:	bf8d48786e209db46e1b20b1d4c04702427bed6417bdd4b1cc7f98041064304d
SHA512:	7e0f2eee87cd4698e6cec41352e7c11521c88a53686cc9841749ba8336b9d8473473f1e88bb11add16f702afe36a345f8191595d44d8c6ba8ba7a7eb47d1415d
SSDEEP:	24576:LGHIyRpP/DhpWN6R7W2g3+Qp2bo6AR2X0MnO42Qu5KCL8mLsWNk2ACANK0EoZe3j:6JrhpZQ1ukqXnO4C5KC4gOWYrU
TLSH:	B16533ABEFCAB533E6E12B7055F22931D979E6220CF049832254D85C74A5AC3CB19773
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A{.k...8...8...8.b<8...8.b,8...8...8...8...8...8..%8...8.."8...8Rich...8........PE..L.....GO.................t...N...B...8.....

File Icon


Icon Hash:	fe93bc2c343aba80

Static PE Info

General

Entrypoint:	0x4038af
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x4F47E2E4 [Fri Feb 24 19:20:04 2012 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	be41bf7b8cc010b614bd36bbca606973

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=GlobalSign GCC R45 EV CodeSigning CA 2020, O=GlobalSign nv-sa, C=BE
Signature Validation Error:	The digital signature of the object did not verify
Error Number:	-2146869232
Not Before, Not After	20/03/2024 14:23:35 21/03/2026 14:23:35
Subject Chain	CN=YANDEX LLC, O=YANDEX LLC, STREET="Lev Tolstoy street, 16", L=Moscow, S=Moscow, C=RU, OID.1.3.6.1.4.1.311.60.2.1.2=Moscow, OID.1.3.6.1.4.1.311.60.2.1.3=RU, SERIALNUMBER=1027700229193, OID.2.5.4.15=Private Organization
Version:	3
Thumbprint MD5:	9906E73CDAF5570B04FDE09A4BCB74A9
Thumbprint SHA-1:	46E2F09D295573BB09DACC6B209B142C244A30D6
Thumbprint SHA-256:	6E4B1A3C72EF08F8311CF4F596DE8CCA679D06C51A87E1C5714F8DECB84BCB37
Serial:	6F126C9CC287DE458CE890F6

Entrypoint Preview

Instruction
sub esp, 000002D4h
push ebx
push ebp
push esi
push edi
push 00000020h
xor ebp, ebp
pop esi
mov dword ptr [esp+18h], ebp
mov dword ptr [esp+10h], 0040A268h
mov dword ptr [esp+14h], ebp
call dword ptr [00409030h]
push 00008001h
call dword ptr [004090B4h]
push ebp
call dword ptr [004092C0h]
push 00000008h
mov dword ptr [0047EB98h], eax
call 00007F5DE0EA584Bh
push ebp
push 000002B4h
mov dword ptr [0047EAB0h], eax
lea eax, dword ptr [esp+38h]
push eax
push ebp
push 0040A264h
call dword ptr [00409184h]
push 0040A24Ch
push 00476AA0h
call 00007F5DE0EA552Dh
call dword ptr [004090B0h]
push eax
mov edi, 004CF0A0h
push edi
call 00007F5DE0EA551Bh
push ebp
call dword ptr [00409134h]
cmp word ptr [004CF0A0h], 0022h
mov dword ptr [0047EAB8h], eax
mov eax, edi
jne 00007F5DE0EA2E1Ah
push 00000022h
pop esi
mov eax, 004CF0A2h
push esi
push eax
call 00007F5DE0EA51F1h
push eax
call dword ptr [00409260h]
mov esi, eax
mov dword ptr [esp+1Ch], esi
jmp 00007F5DE0EA2EA3h
push 00000020h
pop ebx
cmp ax, bx
jne 00007F5DE0EA2E1Ah
add esi, 02h
cmp word ptr [esi], bx

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729
[ C ] VS2010 SP1 build 40219
[RES] VS2010 SP1 build 40219
[LNK] VS2010 SP1 build 40219

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xac40	0xb4	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x100000	0x5e0c6	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x1571f1	0x2b38	.rsrc
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x86000	0x994	.ndata
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x9000	0x2d0	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x728c	0x7400	419d4e1be1ac35a5db9c47f553b27cea	False	0.6566540948275862	data	6.499708590628113	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x9000	0x2b6e	0x2c00	cca1ca3fbf99570f6de9b43ce767f368	False	0.3678977272727273	data	4.497932535153822	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xc000	0x72b9c	0x200	77f0839f8ebea31040e462523e1c770e	False	0.279296875	data	1.8049406284608531	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata	0x7f000	0x81000	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x100000	0x5e0c6	0x5e200	2e0d182e822fd2e516565c70819bfc6c	False	0.9722360557768924	data	7.858114689723732	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x15f000	0xfd6	0x1000	bcec1b973271be93025ad79d89ad3005	False	0.56787109375	data	5.3162851479506354	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x100298	0x53f05	PNG image data, 512 x 512, 8-bit/color RGBA, non-interlaced	English	United States	0.9897444250217414
RT_ICON	0x1541a0	0x5b2a	PNG image data, 128 x 128, 8-bit/color RGBA, non-interlaced	English	United States	0.9982432085011569
RT_ICON	0x159ccc	0x2668	Device independent bitmap graphic, 48 x 96 x 32, image size 9792	English	United States	0.6222538649308381
RT_ICON	0x15c334	0x1128	Device independent bitmap graphic, 32 x 64 x 32, image size 4352	English	United States	0.6755464480874317
RT_ICON	0x15d45c	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	English	United States	0.8218085106382979
RT_DIALOG	0x15d8c4	0x100	data	English	United States	0.5234375
RT_DIALOG	0x15d9c4	0x11c	data	English	United States	0.6056338028169014
RT_DIALOG	0x15dae0	0x60	data	English	United States	0.7291666666666666
RT_GROUP_ICON	0x15db40	0x4c	data	English	United States	0.8026315789473685
RT_VERSION	0x15db8c	0x264	data	English	United States	0.5065359477124183
RT_MANIFEST	0x15ddf0	0x2d6	XML 1.0 document, ASCII text, with very long lines (726), with no line terminators	English	United States	0.5647382920110193

Imports

DLL	Import
KERNEL32.dll	SetFileTime, CompareFileTime, SearchPathW, GetShortPathNameW, GetFullPathNameW, MoveFileW, SetCurrentDirectoryW, GetFileAttributesW, GetLastError, CreateDirectoryW, SetFileAttributesW, Sleep, GetTickCount, GetFileSize, GetModuleFileNameW, GetCurrentProcess, CopyFileW, ExitProcess, GetWindowsDirectoryW, GetTempPathW, GetCommandLineW, SetErrorMode, lstrcpynA, CloseHandle, lstrcpynW, GetDiskFreeSpaceW, GlobalUnlock, GlobalLock, CreateThread, LoadLibraryW, CreateProcessW, lstrcmpiA, CreateFileW, GetTempFileNameW, lstrcatW, GetProcAddress, LoadLibraryA, GetModuleHandleA, OpenProcess, lstrcpyW, GetVersionExW, GetSystemDirectoryW, GetVersion, lstrcpyA, RemoveDirectoryW, lstrcmpA, lstrcmpiW, lstrcmpW, ExpandEnvironmentStringsW, GlobalAlloc, WaitForSingleObject, GetExitCodeProcess, GlobalFree, GetModuleHandleW, LoadLibraryExW, FreeLibrary, WritePrivateProfileStringW, GetPrivateProfileStringW, WideCharToMultiByte, lstrlenA, MulDiv, WriteFile, ReadFile, MultiByteToWideChar, SetFilePointer, FindClose, FindNextFileW, FindFirstFileW, DeleteFileW, lstrlenW
USER32.dll	GetAsyncKeyState, IsDlgButtonChecked, ScreenToClient, GetMessagePos, CallWindowProcW, IsWindowVisible, LoadBitmapW, CloseClipboard, SetClipboardData, EmptyClipboard, OpenClipboard, TrackPopupMenu, GetWindowRect, AppendMenuW, CreatePopupMenu, GetSystemMetrics, EndDialog, EnableMenuItem, GetSystemMenu, SetClassLongW, IsWindowEnabled, SetWindowPos, DialogBoxParamW, CheckDlgButton, CreateWindowExW, SystemParametersInfoW, RegisterClassW, SetDlgItemTextW, GetDlgItemTextW, MessageBoxIndirectW, CharNextA, CharUpperW, CharPrevW, wvsprintfW, DispatchMessageW, PeekMessageW, wsprintfA, DestroyWindow, CreateDialogParamW, SetTimer, SetWindowTextW, PostQuitMessage, SetForegroundWindow, ShowWindow, wsprintfW, SendMessageTimeoutW, LoadCursorW, SetCursor, GetWindowLongW, GetSysColor, CharNextW, GetClassInfoW, ExitWindowsEx, IsWindow, GetDlgItem, SetWindowLongW, LoadImageW, GetDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, GetClientRect, FillRect, DrawTextW, EndPaint, FindWindowExW
GDI32.dll	SetBkColor, GetDeviceCaps, DeleteObject, CreateBrushIndirect, CreateFontIndirectW, SetBkMode, SetTextColor, SelectObject
SHELL32.dll	SHBrowseForFolderW, SHGetPathFromIDListW, SHGetFileInfoW, ShellExecuteW, SHFileOperationW, SHGetSpecialFolderLocation
ADVAPI32.dll	RegEnumKeyW, RegOpenKeyExW, RegCloseKey, RegDeleteKeyW, RegDeleteValueW, RegCreateKeyExW, RegSetValueExW, RegQueryValueExW, RegEnumValueW
COMCTL32.dll	ImageList_AddMasked, ImageList_Destroy, ImageList_Create
ole32.dll	CoTaskMemFree, OleInitialize, OleUninitialize, CoCreateInstance
VERSION.dll	GetFileVersionInfoSizeW, GetFileVersionInfoW, VerQueryValueW

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-10T11:35:35.610929+0100	2058612	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (ingreem-eilish .biz)	1	192.168.2.9	63234	1.1.1.1	53	UDP
2025-01-10T11:35:35.624944+0100	2058514	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (wordyfindy .lat)	1	192.168.2.9	63436	1.1.1.1	53	UDP
2025-01-10T11:35:35.636901+0100	2058502	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (slipperyloo .lat)	1	192.168.2.9	55763	1.1.1.1	53	UDP
2025-01-10T11:35:35.648523+0100	2058492	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (manyrestro .lat)	1	192.168.2.9	56395	1.1.1.1	53	UDP
2025-01-10T11:35:35.661984+0100	2058500	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (shapestickyr .lat)	1	192.168.2.9	51760	1.1.1.1	53	UDP
2025-01-10T11:35:35.673886+0100	2058510	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (talkynicer .lat)	1	192.168.2.9	50702	1.1.1.1	53	UDP
2025-01-10T11:35:35.686145+0100	2058484	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (curverpluch .lat)	1	192.168.2.9	54992	1.1.1.1	53	UDP
2025-01-10T11:35:35.697445+0100	2058512	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (tentabatte .lat)	1	192.168.2.9	52668	1.1.1.1	53	UDP
2025-01-10T11:35:35.710566+0100	2058480	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (bashfulacid .lat)	1	192.168.2.9	57306	1.1.1.1	53	UDP
2025-01-10T11:35:36.399349+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.9	49948	104.102.49.254	443	TCP
2025-01-10T11:35:37.291952+0100	2858666	ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup	1	192.168.2.9	49948	104.102.49.254	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 10, 2025 11:35:35.738010883 CET	49948	443	192.168.2.9	104.102.49.254
Jan 10, 2025 11:35:35.738056898 CET	443	49948	104.102.49.254	192.168.2.9
Jan 10, 2025 11:35:35.738137960 CET	49948	443	192.168.2.9	104.102.49.254
Jan 10, 2025 11:35:35.741462946 CET	49948	443	192.168.2.9	104.102.49.254
Jan 10, 2025 11:35:35.741480112 CET	443	49948	104.102.49.254	192.168.2.9
Jan 10, 2025 11:35:36.399262905 CET	443	49948	104.102.49.254	192.168.2.9
Jan 10, 2025 11:35:36.399348974 CET	49948	443	192.168.2.9	104.102.49.254
Jan 10, 2025 11:35:36.421730042 CET	49948	443	192.168.2.9	104.102.49.254
Jan 10, 2025 11:35:36.421757936 CET	443	49948	104.102.49.254	192.168.2.9
Jan 10, 2025 11:35:36.422127962 CET	443	49948	104.102.49.254	192.168.2.9
Jan 10, 2025 11:35:36.470194101 CET	49948	443	192.168.2.9	104.102.49.254
Jan 10, 2025 11:35:36.727550030 CET	49948	443	192.168.2.9	104.102.49.254
Jan 10, 2025 11:35:36.771348953 CET	443	49948	104.102.49.254	192.168.2.9
Jan 10, 2025 11:35:37.291909933 CET	443	49948	104.102.49.254	192.168.2.9
Jan 10, 2025 11:35:37.291935921 CET	443	49948	104.102.49.254	192.168.2.9
Jan 10, 2025 11:35:37.291969061 CET	443	49948	104.102.49.254	192.168.2.9
Jan 10, 2025 11:35:37.291980028 CET	443	49948	104.102.49.254	192.168.2.9
Jan 10, 2025 11:35:37.292006016 CET	49948	443	192.168.2.9	104.102.49.254
Jan 10, 2025 11:35:37.292006016 CET	49948	443	192.168.2.9	104.102.49.254
Jan 10, 2025 11:35:37.292013884 CET	443	49948	104.102.49.254	192.168.2.9
Jan 10, 2025 11:35:37.292037964 CET	443	49948	104.102.49.254	192.168.2.9
Jan 10, 2025 11:35:37.292067051 CET	49948	443	192.168.2.9	104.102.49.254
Jan 10, 2025 11:35:37.292067051 CET	49948	443	192.168.2.9	104.102.49.254
Jan 10, 2025 11:35:37.292124987 CET	49948	443	192.168.2.9	104.102.49.254
Jan 10, 2025 11:35:37.292537928 CET	443	49948	104.102.49.254	192.168.2.9
Jan 10, 2025 11:35:37.292578936 CET	443	49948	104.102.49.254	192.168.2.9
Jan 10, 2025 11:35:37.292615891 CET	443	49948	104.102.49.254	192.168.2.9
Jan 10, 2025 11:35:37.292627096 CET	49948	443	192.168.2.9	104.102.49.254
Jan 10, 2025 11:35:37.292685032 CET	49948	443	192.168.2.9	104.102.49.254
Jan 10, 2025 11:35:37.295197964 CET	49948	443	192.168.2.9	104.102.49.254
Jan 10, 2025 11:35:37.295218945 CET	443	49948	104.102.49.254	192.168.2.9
Jan 10, 2025 11:35:37.295247078 CET	49948	443	192.168.2.9	104.102.49.254
Jan 10, 2025 11:35:37.295253992 CET	443	49948	104.102.49.254	192.168.2.9

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 10, 2025 11:35:09.853699923 CET	60245	53	192.168.2.9	1.1.1.1
Jan 10, 2025 11:35:09.862298012 CET	53	60245	1.1.1.1	192.168.2.9
Jan 10, 2025 11:35:35.610929012 CET	63234	53	192.168.2.9	1.1.1.1
Jan 10, 2025 11:35:35.620579958 CET	53	63234	1.1.1.1	192.168.2.9
Jan 10, 2025 11:35:35.624943972 CET	63436	53	192.168.2.9	1.1.1.1
Jan 10, 2025 11:35:35.633796930 CET	53	63436	1.1.1.1	192.168.2.9
Jan 10, 2025 11:35:35.636900902 CET	55763	53	192.168.2.9	1.1.1.1
Jan 10, 2025 11:35:35.645648003 CET	53	55763	1.1.1.1	192.168.2.9
Jan 10, 2025 11:35:35.648523092 CET	56395	53	192.168.2.9	1.1.1.1
Jan 10, 2025 11:35:35.658943892 CET	53	56395	1.1.1.1	192.168.2.9
Jan 10, 2025 11:35:35.661983967 CET	51760	53	192.168.2.9	1.1.1.1
Jan 10, 2025 11:35:35.670540094 CET	53	51760	1.1.1.1	192.168.2.9
Jan 10, 2025 11:35:35.673886061 CET	50702	53	192.168.2.9	1.1.1.1
Jan 10, 2025 11:35:35.682553053 CET	53	50702	1.1.1.1	192.168.2.9
Jan 10, 2025 11:35:35.686145067 CET	54992	53	192.168.2.9	1.1.1.1
Jan 10, 2025 11:35:35.694516897 CET	53	54992	1.1.1.1	192.168.2.9
Jan 10, 2025 11:35:35.697444916 CET	52668	53	192.168.2.9	1.1.1.1
Jan 10, 2025 11:35:35.707289934 CET	53	52668	1.1.1.1	192.168.2.9
Jan 10, 2025 11:35:35.710566044 CET	57306	53	192.168.2.9	1.1.1.1
Jan 10, 2025 11:35:35.720669031 CET	53	57306	1.1.1.1	192.168.2.9
Jan 10, 2025 11:35:35.724356890 CET	57909	53	192.168.2.9	1.1.1.1
Jan 10, 2025 11:35:35.731898069 CET	53	57909	1.1.1.1	192.168.2.9

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 10, 2025 11:35:09.853699923 CET	192.168.2.9	1.1.1.1	0xb443	Standard query (0)	dGLdANfraLQWkIdncWyNDGTFGl.dGLdANfraLQWkIdncWyNDGTFGl	A (IP address)	IN (0x0001)	false
Jan 10, 2025 11:35:35.610929012 CET	192.168.2.9	1.1.1.1	0xa4f5	Standard query (0)	ingreem-eilish.biz	A (IP address)	IN (0x0001)	false
Jan 10, 2025 11:35:35.624943972 CET	192.168.2.9	1.1.1.1	0x6ca6	Standard query (0)	wordyfindy.lat	A (IP address)	IN (0x0001)	false
Jan 10, 2025 11:35:35.636900902 CET	192.168.2.9	1.1.1.1	0xb456	Standard query (0)	slipperyloo.lat	A (IP address)	IN (0x0001)	false
Jan 10, 2025 11:35:35.648523092 CET	192.168.2.9	1.1.1.1	0x431d	Standard query (0)	manyrestro.lat	A (IP address)	IN (0x0001)	false
Jan 10, 2025 11:35:35.661983967 CET	192.168.2.9	1.1.1.1	0x96ce	Standard query (0)	shapestickyr.lat	A (IP address)	IN (0x0001)	false
Jan 10, 2025 11:35:35.673886061 CET	192.168.2.9	1.1.1.1	0xc24f	Standard query (0)	talkynicer.lat	A (IP address)	IN (0x0001)	false
Jan 10, 2025 11:35:35.686145067 CET	192.168.2.9	1.1.1.1	0xb8a8	Standard query (0)	curverpluch.lat	A (IP address)	IN (0x0001)	false
Jan 10, 2025 11:35:35.697444916 CET	192.168.2.9	1.1.1.1	0xed70	Standard query (0)	tentabatte.lat	A (IP address)	IN (0x0001)	false
Jan 10, 2025 11:35:35.710566044 CET	192.168.2.9	1.1.1.1	0xd4cc	Standard query (0)	bashfulacid.lat	A (IP address)	IN (0x0001)	false
Jan 10, 2025 11:35:35.724356890 CET	192.168.2.9	1.1.1.1	0x71f7	Standard query (0)	steamcommunity.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 10, 2025 11:35:09.862298012 CET	1.1.1.1	192.168.2.9	0xb443	Name error (3)	dGLdANfraLQWkIdncWyNDGTFGl.dGLdANfraLQWkIdncWyNDGTFGl	none	none	A (IP address)	IN (0x0001)	false
Jan 10, 2025 11:35:35.620579958 CET	1.1.1.1	192.168.2.9	0xa4f5	Name error (3)	ingreem-eilish.biz	none	none	A (IP address)	IN (0x0001)	false
Jan 10, 2025 11:35:35.633796930 CET	1.1.1.1	192.168.2.9	0x6ca6	Name error (3)	wordyfindy.lat	none	none	A (IP address)	IN (0x0001)	false
Jan 10, 2025 11:35:35.645648003 CET	1.1.1.1	192.168.2.9	0xb456	Name error (3)	slipperyloo.lat	none	none	A (IP address)	IN (0x0001)	false
Jan 10, 2025 11:35:35.658943892 CET	1.1.1.1	192.168.2.9	0x431d	Name error (3)	manyrestro.lat	none	none	A (IP address)	IN (0x0001)	false
Jan 10, 2025 11:35:35.670540094 CET	1.1.1.1	192.168.2.9	0x96ce	Name error (3)	shapestickyr.lat	none	none	A (IP address)	IN (0x0001)	false
Jan 10, 2025 11:35:35.682553053 CET	1.1.1.1	192.168.2.9	0xc24f	Name error (3)	talkynicer.lat	none	none	A (IP address)	IN (0x0001)	false
Jan 10, 2025 11:35:35.694516897 CET	1.1.1.1	192.168.2.9	0xb8a8	Name error (3)	curverpluch.lat	none	none	A (IP address)	IN (0x0001)	false
Jan 10, 2025 11:35:35.707289934 CET	1.1.1.1	192.168.2.9	0xed70	Name error (3)	tentabatte.lat	none	none	A (IP address)	IN (0x0001)	false
Jan 10, 2025 11:35:35.720669031 CET	1.1.1.1	192.168.2.9	0xd4cc	Name error (3)	bashfulacid.lat	none	none	A (IP address)	IN (0x0001)	false
Jan 10, 2025 11:35:35.731898069 CET	1.1.1.1	192.168.2.9	0x71f7	No error (0)	steamcommunity.com		104.102.49.254	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

steamcommunity.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.9	49948	104.102.49.254	443	7928	C:\Users\user\AppData\Local\Temp\342536\Breakdown.com

Timestamp	Bytes transferred	Direction	Data
2025-01-10 10:35:36 UTC	219	OUT	GET /profiles/76561199724331900 HTTP/1.1 Connection: Keep-Alive User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Host: steamcommunity.com
2025-01-10 10:35:37 UTC	1905	IN	HTTP/1.1 200 OK Server: nginx Content-Type: text/html; charset=UTF-8 Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.fastly.steamstatic.com/ https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.fastly.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq. [TRUNCATED] Expires: Mon, 26 Jul 1997 05:00:00 GMT Cache-Control: no-cache Date: Fri, 10 Jan 2025 10:35:37 GMT Content-Length: 25665 Connection: close Set-Cookie: sessionid=6cb2d3361aef9022b8f411a0; Path=/; Secure; SameSite=None Set-Cookie: steamCountry=US%7C185ce35c568ebbb18a145d0cabae7186; Path=/; Secure; HttpOnly; SameSite=None
2025-01-10 10:35:37 UTC	14479	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 20 72 65 73 70 6f 6e 73 69 76 65 22 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 0a 09 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0a 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 74 68 65 6d 65 2d 63 6f 6c 6f 72 22 20 63 6f 6e 74 65 6e 74 3d 22 23 31 37 31 61 32 31 22 3e 0a 09 09 3c 74 69 74 6c 65 3e Data Ascii: <!DOCTYPE html><html class=" responsive" lang="en"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><meta name="viewport" content="width=device-width,initial-scale=1"><meta name="theme-color" content="#171a21"><title>
2025-01-10 10:35:37 UTC	11186	IN	Data Raw: 3f 6c 3d 6b 6f 72 65 61 6e 61 22 20 6f 6e 63 6c 69 63 6b 3d 22 43 68 61 6e 67 65 4c 61 6e 67 75 61 67 65 28 20 27 6b 6f 72 65 61 6e 61 27 20 29 3b 20 72 65 74 75 72 6e 20 66 61 6c 73 65 3b 22 3e ed 95 9c ea b5 ad ec 96 b4 20 28 4b 6f 72 65 61 6e 29 3c 2f 61 3e 0a 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 3c 61 20 63 6c 61 73 73 3d 22 70 6f 70 75 70 5f 6d 65 6e 75 5f 69 74 65 6d 20 74 69 67 68 74 22 20 68 72 65 66 3d 22 3f 6c 3d 74 68 61 69 22 20 6f 6e 63 6c 69 63 6b 3d 22 43 68 61 6e 67 65 4c 61 6e 67 75 61 67 65 28 20 27 74 68 61 69 27 20 29 3b 20 72 65 74 75 72 6e 20 66 61 6c 73 65 3b 22 3e e0 b9 84 e0 b8 97 e0 b8 a2 20 28 54 68 61 69 29 3c 2f 61 3e 0a 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 Data Ascii: ?l=koreana" onclick="ChangeLanguage( 'koreana' ); return false;"> (Korean)</a><a class="popup_menu_item tight" href="?l=thai" onclick="ChangeLanguage( 'thai' ); return false;"> (Thai)</a>

Target ID:	0
Start time:	05:35:02
Start date:	10/01/2025
Path:	C:\Users\user\Desktop\SensorExpo.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\SensorExpo.exe"
Imagebase:	0x400000
File size:	1'416'489 bytes
MD5 hash:	BC13A0403A10A32C7C81E29F430E9CC7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	05:35:03
Start date:	10/01/2025
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\cmd.exe" /c move Rotation Rotation.cmd & Rotation.cmd
Imagebase:	0xc50000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	05:35:03
Start date:	10/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff70f010000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	05:35:05
Start date:	10/01/2025
Path:	C:\Windows\SysWOW64\tasklist.exe
Wow64 process (32bit):	true
Commandline:	tasklist
Imagebase:	0x1f0000
File size:	79'360 bytes
MD5 hash:	0A4448B31CE7F83CB7691A2657F330F1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	05:35:05
Start date:	10/01/2025
Path:	C:\Windows\SysWOW64\findstr.exe
Wow64 process (32bit):	true
Commandline:	findstr /I "opssvc wrsa"
Imagebase:	0x5c0000
File size:	29'696 bytes
MD5 hash:	F1D4BE0E99EC734376FDE474A8D4EA3E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	05:35:06
Start date:	10/01/2025
Path:	C:\Windows\SysWOW64\tasklist.exe
Wow64 process (32bit):	true
Commandline:	tasklist
Imagebase:	0x1f0000
File size:	79'360 bytes
MD5 hash:	0A4448B31CE7F83CB7691A2657F330F1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	05:35:06
Start date:	10/01/2025
Path:	C:\Windows\SysWOW64\findstr.exe
Wow64 process (32bit):	true
Commandline:	findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
Imagebase:	0x5c0000
File size:	29'696 bytes
MD5 hash:	F1D4BE0E99EC734376FDE474A8D4EA3E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	05:35:06
Start date:	10/01/2025
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd /c md 342536
Imagebase:	0xc50000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	05:35:06
Start date:	10/01/2025
Path:	C:\Windows\SysWOW64\extrac32.exe
Wow64 process (32bit):	true
Commandline:	extrac32 /Y /E Horses
Imagebase:	0x1b0000
File size:	29'184 bytes
MD5 hash:	9472AAB6390E4F1431BAA912FCFF9707
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	05:35:08
Start date:	10/01/2025
Path:	C:\Windows\SysWOW64\findstr.exe
Wow64 process (32bit):	true
Commandline:	findstr /V "HARDER" Southwest
Imagebase:	0x5c0000
File size:	29'696 bytes
MD5 hash:	F1D4BE0E99EC734376FDE474A8D4EA3E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	05:35:08
Start date:	10/01/2025
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd /c copy /b ..\Satisfaction + ..\Eau + ..\Whatever + ..\Transparent + ..\Measuring + ..\Basket + ..\Did X
Imagebase:	0xc50000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	05:35:08
Start date:	10/01/2025
Path:	C:\Users\user\AppData\Local\Temp\342536\Breakdown.com
Wow64 process (32bit):	true
Commandline:	Breakdown.com X
Imagebase:	0x2d0000
File size:	947'288 bytes
MD5 hash:	62D09F076E6E0240548C2F837536A46A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 0%, ReversingLabs
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	05:35:08
Start date:	10/01/2025
Path:	C:\Windows\SysWOW64\choice.exe
Wow64 process (32bit):	true
Commandline:	choice /d y /t 5
Imagebase:	0x4b0000
File size:	28'160 bytes
MD5 hash:	FCE0E41C87DC4ABBE976998AD26C27E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	17.6%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	21%
Total number of Nodes:	1482
Total number of Limit Nodes:	25

Executed Functions

Function 004050F9 Relevance: 66.8, APIs: 36, Strings: 2, Instructions: 295
windowclipboardmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetDlgItem.USER32(?,00000403), ref: 0040515B
GetDlgItem.USER32(?,000003EE), ref: 0040516A
GetClientRect.USER32(?,?), ref: 004051C2
GetSystemMetrics.USER32(00000015), ref: 004051CA
SendMessageW.USER32(?,00001061,00000000,00000002), ref: 004051EB
SendMessageW.USER32(?,00001036,00004000,00004000), ref: 004051FC
SendMessageW.USER32(?,00001001,00000000,00000110), ref: 0040520F
SendMessageW.USER32(?,00001026,00000000,00000110), ref: 0040521D
SendMessageW.USER32(?,00001024,00000000,?), ref: 00405230
ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 00405252
ShowWindow.USER32(?,00000008), ref: 00405266
GetDlgItem.USER32(?,000003EC), ref: 00405287
SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 00405297
SendMessageW.USER32(00000000,00000409,00000000,?), ref: 004052AC
SendMessageW.USER32(00000000,00002001,00000000,00000110), ref: 004052B8
GetDlgItem.USER32(?,000003F8), ref: 00405179

Part of subcall function 00403DC4: SendMessageW.USER32(00000028,?,00000001,004057E0), ref: 00403DD2

Part of subcall function 00406831: GetVersion.KERNEL32(00445D80,?,00000000,00404FD5,00445D80,00000000,004280BE,76F923A0,00000000), ref: 00406902

Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3

GetDlgItem.USER32(?,000003EC), ref: 004052D7
CreateThread.KERNELBASE(00000000,00000000,Function_00005073,00000000), ref: 004052E5
CloseHandle.KERNELBASE(00000000), ref: 004052EC
ShowWindow.USER32(00000000), ref: 00405313
ShowWindow.USER32(?,00000008), ref: 00405318
ShowWindow.USER32(00000008), ref: 0040535F
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405391
CreatePopupMenu.USER32 ref: 004053A2
AppendMenuW.USER32(00000000,00000000,00000001,00000000), ref: 004053B7
GetWindowRect.USER32(?,?), ref: 004053CA
TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 004053EC
SendMessageW.USER32(?,00001073,00000000,?), ref: 00405427
OpenClipboard.USER32(00000000), ref: 00405437
EmptyClipboard.USER32 ref: 0040543D
GlobalAlloc.KERNEL32(00000042,00000000,?,?,00000000,?,00000000), ref: 00405449
GlobalLock.KERNEL32(00000000), ref: 00405453
SendMessageW.USER32(?,00001073,00000000,?), ref: 00405467
GlobalUnlock.KERNEL32(00000000), ref: 00405489
SetClipboardData.USER32(0000000D,00000000), ref: 00405494
CloseClipboard.USER32 ref: 0040549A

Strings

{, xrefs: 0040537E
New install of "%s" to "%s", xrefs: 004051AE

Memory Dump Source

Source File: 00000000.00000002.1400713356.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1400591021.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400751499.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400959740.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400959740.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400959740.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400959740.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400959740.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401125912.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SensorExpo.jbxd

Similarity

API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlockVersionlstrlenwvsprintf
String ID: New install of "%s" to "%s"${
API String ID: 2110491804-1641061399
Opcode ID: 27dd6abe78b25364254968db719b86f88dfe8c12dd5559a56974b496927f2e5b
Instruction ID: db3ff0878cedf1d1b3e6f9985675ba3e3c8e3ad145c0decdf5c07b0ce3ef5d1a
Opcode Fuzzy Hash: 27dd6abe78b25364254968db719b86f88dfe8c12dd5559a56974b496927f2e5b
Instruction Fuzzy Hash: 46B15970900609BFEB11AFA1DD89EAE7B79FB04354F00803AFA05BA1A1C7755E81DF58

Function 004038AF Relevance: 52.8, APIs: 22, Strings: 8, Instructions: 304
filestringcomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

#17.COMCTL32 ref: 004038CE
SetErrorMode.KERNELBASE(00008001), ref: 004038D9
OleInitialize.OLE32(00000000), ref: 004038E0

Part of subcall function 00406328: GetModuleHandleA.KERNEL32(?,?,00000020,004038F2,00000008), ref: 00406336
Part of subcall function 00406328: LoadLibraryA.KERNELBASE(?,?,?,00000020,004038F2,00000008), ref: 00406341
Part of subcall function 00406328: GetProcAddress.KERNEL32(00000000), ref: 00406353

SHGetFileInfoW.SHELL32(0040A264,00000000,?,000002B4,00000000), ref: 00403908

Part of subcall function 00406035: lstrcpynW.KERNEL32(?,?,00002004,0040391D,00476AA0,NSIS Error), ref: 00406042

GetCommandLineW.KERNEL32(00476AA0,NSIS Error), ref: 0040391D
GetModuleHandleW.KERNEL32(00000000,004CF0A0,00000000), ref: 00403930
CharNextW.USER32(00000000,004CF0A0,00000020), ref: 00403957
GetTempPathW.KERNEL32(00002004,004E30C8,00000000,00000020), ref: 00403A2C
GetWindowsDirectoryW.KERNEL32(004E30C8,00001FFF), ref: 00403A41
lstrcatW.KERNEL32(004E30C8,\Temp), ref: 00403A4D
DeleteFileW.KERNELBASE(004DF0C0), ref: 00403A64
CoUninitialize.COMBASE(?), ref: 00403AFD
ExitProcess.KERNEL32 ref: 00403B1D
lstrcatW.KERNEL32(004E30C8,~nsu.tmp), ref: 00403B29
lstrcmpiW.KERNEL32(004E30C8,004DB0B8,004E30C8,~nsu.tmp), ref: 00403B35
CreateDirectoryW.KERNEL32(004E30C8,00000000), ref: 00403B41
SetCurrentDirectoryW.KERNEL32(004E30C8), ref: 00403B48
DeleteFileW.KERNEL32(0043DD40,0043DD40,?,00483008,0040A204,0047F000,?), ref: 00403B99
CopyFileW.KERNEL32(004EB0D8,0043DD40,00000001), ref: 00403BAD
CloseHandle.KERNEL32(00000000,0043DD40,0043DD40,?,0043DD40,00000000), ref: 00403BDA
GetCurrentProcess.KERNEL32(00000028,00000005,00000005,00000004,00000003), ref: 00403C30
ExitWindowsEx.USER32(00000002,00000000), ref: 00403C6C

Strings

NSIS Error, xrefs: 0040390E
_?=, xrefs: 00403A90
SeShutdownPrivilege, xrefs: 00403C42
\Temp, xrefs: 00403A47
/D=, xrefs: 004039D2
Error launching installer, xrefs: 00403AA9
NCRC, xrefs: 004039A8
~nsu.tmp, xrefs: 00403B23

Memory Dump Source

Source File: 00000000.00000002.1400713356.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1400591021.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400751499.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400959740.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400959740.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400959740.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400959740.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400959740.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401125912.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SensorExpo.jbxd

Similarity

API ID: File$DirectoryHandle$CurrentDeleteExitModuleProcessWindowslstrcat$AddressCharCloseCommandCopyCreateErrorInfoInitializeLibraryLineLoadModeNextPathProcTempUninitializelstrcmpilstrcpyn
String ID: /D=$ _?=$Error launching installer$NCRC$NSIS Error$SeShutdownPrivilege$\Temp$~nsu.tmp
API String ID: 2435955865-3712954417
Opcode ID: aec89c4631a4f28101b36bf3f0ee1ca0be396cf3d13a1cbdd2f96bcbf360b5e4
Instruction ID: 6e3717b9be2730fff72f59090edb21b77de3e5055cb75e9aafb2752c1f1d7b94
Opcode Fuzzy Hash: aec89c4631a4f28101b36bf3f0ee1ca0be396cf3d13a1cbdd2f96bcbf360b5e4
Instruction Fuzzy Hash: 1DA1E6715443117AD720BF629C4AE1B7EACAB0470AF10443FF545B62D2D7BD8A448BAE

Function 00406301 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 14
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindFirstFileW.KERNELBASE(00461E18,00466A20,00461E18,004067FA,00461E18), ref: 0040630C
FindClose.KERNEL32(00000000), ref: 00406318

Strings

jF, xrefs: 00406302

Memory Dump Source

Source File: 00000000.00000002.1400713356.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1400591021.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400751499.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400959740.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400959740.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400959740.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400959740.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400959740.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401125912.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SensorExpo.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID: jF
API String ID: 2295610775-3349280890
Opcode ID: a5aa16d55819016c4e26a60e9ec5dfcaedf525e35b4e30500cf5e78c71265be2
Instruction ID: ae54cbf5f70e9060ab25dbcc7d0ddb8e13a77f3b50f8061b144b06f1ffcf0783
Opcode Fuzzy Hash: a5aa16d55819016c4e26a60e9ec5dfcaedf525e35b4e30500cf5e78c71265be2
Instruction Fuzzy Hash: C8D01231A141215BD7105778AD0C89B7E9CDF0A330366CA32F866F11F5D3348C2186ED

Function 00406328 Relevance: 4.5, APIs: 3, Instructions: 18
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32(?,?,00000020,004038F2,00000008), ref: 00406336
LoadLibraryA.KERNELBASE(?,?,?,00000020,004038F2,00000008), ref: 00406341
GetProcAddress.KERNEL32(00000000), ref: 00406353

Memory Dump Source

Source File: 00000000.00000002.1400713356.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1400591021.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400751499.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400959740.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400959740.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400959740.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400959740.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400959740.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401125912.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SensorExpo.jbxd

Similarity

API ID: AddressHandleLibraryLoadModuleProc
String ID:
API String ID: 310444273-0
Opcode ID: 2fa3fc2bddc204e922c82fa426c5bb1cc5fbaa7aed8e5e7daaeaf6592e3c6ac6
Instruction ID: 7c6873576e710d3586a353c563cf751ff2fc1cfd2ce2d1275f1b712779c4e249
Opcode Fuzzy Hash: 2fa3fc2bddc204e922c82fa426c5bb1cc5fbaa7aed8e5e7daaeaf6592e3c6ac6
Instruction Fuzzy Hash: A8D01232200111D7C7005FA5AD48A5FB77DAE95A11706843AF902F3171E734D911E6EC

Function 004015A0 Relevance: 56.4, APIs: 15, Strings: 17, Instructions: 351
sleepfilewindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostQuitMessage.USER32(00000000), ref: 00401648
Sleep.KERNELBASE(00000000,?,00000000,00000000,00000000), ref: 004016B2
SetForegroundWindow.USER32(?), ref: 004016CB
ShowWindow.USER32(?), ref: 00401753
ShowWindow.USER32(?), ref: 00401767
SetFileAttributesW.KERNEL32(00000000,00000000,?,000000F0), ref: 0040178C
CreateDirectoryW.KERNELBASE(?,00000000,00000000,0000005C,?,?,?,000000F0,?,000000F0), ref: 004017F4
GetLastError.KERNEL32(?,?,000000F0,?,000000F0), ref: 004017FE
GetLastError.KERNEL32(?,?,000000F0,?,000000F0), ref: 0040180B
GetFileAttributesW.KERNELBASE(?,?,?,000000F0,?,000000F0), ref: 0040182A
SetCurrentDirectoryW.KERNELBASE(?,004D70B0,?,000000E6,004100F0,?,?,?,000000F0,?,000000F0), ref: 00401885
MoveFileW.KERNEL32(00000000,?), ref: 00401908
GetFullPathNameW.KERNEL32(00000000,00002004,00000000,?,00000000,000000E3,004100F0,?,00000000,00000000,?,?,?,?,?,000000F0), ref: 00401975
GetShortPathNameW.KERNEL32(00000000,00000000,00002004), ref: 004019BF
SearchPathW.KERNELBASE(00000000,00000000,00000000,00002004,00000000,?,000000FF,?,00000000,00000000,?,?,?,?,?,000000F0), ref: 004019DE

Strings

Rename: %s, xrefs: 004018F8
Rename failed: %s, xrefs: 0040194B
detailprint: %s, xrefs: 00401679
CreateDirectory: can't create "%s" (err=%d), xrefs: 00401815
CreateDirectory: "%s" (%d), xrefs: 004017BF
IfFileExists: file "%s" exists, jumping %d, xrefs: 004018AD
BringToFront, xrefs: 004016BD
IfFileExists: file "%s" does not exist, jumping %d, xrefs: 004018C6
Rename on reboot: %s, xrefs: 00401943
Call: %d, xrefs: 0040165A
Sleep(%d), xrefs: 0040169D
Aborting: "%s", xrefs: 0040161D
CreateDirectory: "%s" created, xrefs: 00401849
CreateDirectory: can't create "%s" - a file already exists, xrefs: 00401837
SetFileAttributes failed., xrefs: 004017A1
Jump: %d, xrefs: 00401602
SetFileAttributes: "%s":%08X, xrefs: 0040177B

Memory Dump Source

Source File: 00000000.00000002.1400713356.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1400591021.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400751499.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400959740.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400959740.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400959740.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400959740.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400959740.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401125912.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SensorExpo.jbxd

Similarity

API ID: FilePathWindow$AttributesDirectoryErrorLastNameShow$CreateCurrentForegroundFullMessageMovePostQuitSearchShortSleep
String ID: Aborting: "%s"$BringToFront$Call: %d$CreateDirectory: "%s" (%d)$CreateDirectory: "%s" created$CreateDirectory: can't create "%s" (err=%d)$CreateDirectory: can't create "%s" - a file already exists$IfFileExists: file "%s" does not exist, jumping %d$IfFileExists: file "%s" exists, jumping %d$Jump: %d$Rename failed: %s$Rename on reboot: %s$Rename: %s$SetFileAttributes failed.$SetFileAttributes: "%s":%08X$Sleep(%d)$detailprint: %s
API String ID: 2872004960-3619442763
Opcode ID: cb44afc3f00204bc7321e8aa54be61598e0149da34aa070ef9c2be04eb5c6a73
Instruction ID: d546d874ac51cf0a7c72b7d7aee7a5a926bf82a1b22bfeef9e4f81a1fba4758f
Opcode Fuzzy Hash: cb44afc3f00204bc7321e8aa54be61598e0149da34aa070ef9c2be04eb5c6a73
Instruction Fuzzy Hash: 9EB1F435A00214ABDB10BFA1DD55DAE3F69EF44324B21817FF806B61E2DA3D4E40C66D

Function 004054A5 Relevance: 48.3, APIs: 32, Instructions: 345
windowstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 004054E1
ShowWindow.USER32(?), ref: 004054FE
DestroyWindow.USER32 ref: 00405512
SetWindowLongW.USER32(?,00000000,00000000), ref: 0040552E
GetDlgItem.USER32(?,?), ref: 0040554F
SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 00405563
IsWindowEnabled.USER32(00000000), ref: 0040556A
GetDlgItem.USER32(?,00000001), ref: 00405619
GetDlgItem.USER32(?,00000002), ref: 00405623
SetClassLongW.USER32(?,000000F2,?), ref: 0040563D
SendMessageW.USER32(0000040F,00000000,00000001,?), ref: 0040568E
GetDlgItem.USER32(?,00000003), ref: 00405734
ShowWindow.USER32(00000000,?), ref: 00405756
KiUserCallbackDispatcher.NTDLL(?,?), ref: 00405768
EnableWindow.USER32(?,?), ref: 00405783
GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 00405799
EnableMenuItem.USER32(00000000), ref: 004057A0
SendMessageW.USER32(?,000000F4,00000000,00000001), ref: 004057B8
SendMessageW.USER32(?,00000401,00000002,00000000), ref: 004057CB
lstrlenW.KERNEL32(00451D98,?,00451D98,00476AA0), ref: 004057F4
SetWindowTextW.USER32(?,00451D98), ref: 00405808
ShowWindow.USER32(?,0000000A), ref: 0040593C

Memory Dump Source

Source File: 00000000.00000002.1400713356.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1400591021.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400751499.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400959740.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400959740.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400959740.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400959740.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400959740.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401125912.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SensorExpo.jbxd

Similarity

API ID: Window$Item$MessageSend$Show$EnableLongMenu$CallbackClassDestroyDispatcherEnabledSystemTextUserlstrlen
String ID:
API String ID: 3282139019-0
Opcode ID: 368de82205cbc4940732e302d2e847697efd4030890e1d8fceca6bf2533b68ed
Instruction ID: f960999a9681c69a960cfafceaa395f4ab6c0ab2fcbff8166cb7657a87eea2d0
Opcode Fuzzy Hash: 368de82205cbc4940732e302d2e847697efd4030890e1d8fceca6bf2533b68ed
Instruction Fuzzy Hash: 13C189B1500A04FBDB216F61ED89E2B7BA9EB49715F00093EF506B11F1C6399881DF2E

Function 00405958 Relevance: 45.7, APIs: 15, Strings: 11, Instructions: 233
stringregistrylibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00406328: GetModuleHandleA.KERNEL32(?,?,00000020,004038F2,00000008), ref: 00406336
Part of subcall function 00406328: LoadLibraryA.KERNELBASE(?,?,?,00000020,004038F2,00000008), ref: 00406341
Part of subcall function 00406328: GetProcAddress.KERNEL32(00000000), ref: 00406353

lstrcatW.KERNEL32(004DF0C0,00451D98,80000001,Control Panel\Desktop\ResourceLocale,00000000,00451D98,00000000,00000006,004CF0A0,-00000002,00000000,004E30C8,00403AED,?), ref: 004059DA
lstrlenW.KERNEL32(0046E220,?,?,?,0046E220,00000000,004D30A8,004DF0C0,00451D98,80000001,Control Panel\Desktop\ResourceLocale,00000000,00451D98,00000000,00000006,004CF0A0), ref: 00405A5C
lstrcmpiW.KERNEL32(0046E218,.exe,0046E220,?,?,?,0046E220,00000000,004D30A8,004DF0C0,00451D98,80000001,Control Panel\Desktop\ResourceLocale,00000000,00451D98,00000000), ref: 00405A6F
GetFileAttributesW.KERNEL32(0046E220), ref: 00405A7A

Part of subcall function 00405F7D: wsprintfW.USER32 ref: 00405F8A

LoadImageW.USER32(00000067,00000001,00000000,00000000,00008040,004D30A8), ref: 00405AE3
RegisterClassW.USER32(00476A40), ref: 00405B36
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00405B4E
CreateWindowExW.USER32(00000080,?,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00405B87

Part of subcall function 00403EC1: SetWindowTextW.USER32(00000000,00476AA0), ref: 00403F5C

ShowWindow.USER32(00000005,00000000), ref: 00405BBD
LoadLibraryW.KERNELBASE(RichEd20), ref: 00405BCE
LoadLibraryW.KERNEL32(RichEd32), ref: 00405BD9
GetClassInfoW.USER32(00000000,RichEdit20A,00476A40), ref: 00405BE9
GetClassInfoW.USER32(00000000,RichEdit,00476A40), ref: 00405BF6
RegisterClassW.USER32(00476A40), ref: 00405BFF
DialogBoxParamW.USER32(?,00000000,004054A5,00000000), ref: 00405C1E

Strings

_Nb, xrefs: 00405AFD
F, xrefs: 00405A22
RichEdit, xrefs: 00405BF0
.DEFAULT\Control Panel\International, xrefs: 004059C5
RichEd20, xrefs: 00405BC9
Control Panel\Desktop\ResourceLocale, xrefs: 0040599E
.exe, xrefs: 00405A69
@jG, xrefs: 00405AF2
RichEd32, xrefs: 00405BD4
RichEdit20A, xrefs: 00405BE2, 00405BE7
"F, xrefs: 00405A4B

Memory Dump Source

Source File: 00000000.00000002.1400713356.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1400591021.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400751499.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400959740.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400959740.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400959740.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400959740.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400959740.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401125912.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SensorExpo.jbxd

Similarity

API ID: ClassLoad$InfoLibraryWindow$Register$AddressAttributesCreateDialogFileHandleImageModuleParamParametersProcShowSystemTextlstrcatlstrcmpilstrlenwsprintf
String ID: F$"F$.DEFAULT\Control Panel\International$.exe$@jG$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20A$_Nb
API String ID: 608394941-2746725676
Opcode ID: ff750bfe5142f8154025b48725ed66ec952ceebe161b5cb34577f361fd6f9efb
Instruction ID: c846f8899feab6000a015ad3d9ba4b80e1385b5ee8e185a3118195eaaf4def2f
Opcode Fuzzy Hash: ff750bfe5142f8154025b48725ed66ec952ceebe161b5cb34577f361fd6f9efb
Instruction Fuzzy Hash: 53719175600705AEE710AB65AD89E2B37ACEB44718F00453FF906B62E2D778AC41CF6D

Function 00401A1F Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 185
stringtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3

lstrcatW.KERNEL32(00000000,00000000,open,004D70B0,00000000,00000000), ref: 00401A76
CompareFileTime.KERNEL32(-00000014,?,open,open,00000000,00000000,open,004D70B0,00000000,00000000), ref: 00401AA0

Part of subcall function 00406035: lstrcpynW.KERNEL32(?,?,00002004,0040391D,00476AA0,NSIS Error), ref: 00406042

Part of subcall function 00404F9E: lstrlenW.KERNEL32(00445D80,004280BE,76F923A0,00000000), ref: 00404FD6
Part of subcall function 00404F9E: lstrlenW.KERNEL32(004034E5,00445D80,004280BE,76F923A0,00000000), ref: 00404FE6
Part of subcall function 00404F9E: lstrcatW.KERNEL32(00445D80,004034E5,004034E5,00445D80,004280BE,76F923A0,00000000), ref: 00404FF9
Part of subcall function 00404F9E: SetWindowTextW.USER32(00445D80,00445D80), ref: 0040500B
Part of subcall function 00404F9E: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405031
Part of subcall function 00404F9E: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040504B
Part of subcall function 00404F9E: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405059

Strings

File: overwriteflag=%d, allowskipfilesflag=%d, name="%s", xrefs: 00401A39
File: skipped: "%s" (overwriteflag=%d), xrefs: 00401B81
File: error, user cancel, xrefs: 00401B93
File: error, user abort, xrefs: 00401B53
File: wrote %d to "%s", xrefs: 00401BD0
File: error creating "%s", xrefs: 00401AF0
open, xrefs: 00401A53, 00401A5C, 00401A69, 00401A8C, 00401AC2, 00401AD8, 00401AEF, 00401B07, 00401B5E, 00401B80, 00401BCE, 00401C10, 00401C19, 00401C23, 00401C29, 00401C3B
File: error, user retry, xrefs: 00401B40

Memory Dump Source

Source File: 00000000.00000002.1400713356.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1400591021.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400751499.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400959740.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400959740.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400959740.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400959740.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400959740.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401125912.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SensorExpo.jbxd

Similarity

API ID: MessageSendlstrlen$lstrcat$CompareFileTextTimeWindowlstrcpynwvsprintf
String ID: File: error creating "%s"$File: error, user abort$File: error, user cancel$File: error, user retry$File: overwriteflag=%d, allowskipfilesflag=%d, name="%s"$File: skipped: "%s" (overwriteflag=%d)$File: wrote %d to "%s"$open
API String ID: 4286501637-2478300759
Opcode ID: e66e3e702844fd7f079e7b10ae6de895f6d273da0ae026ac64afba16485083bb
Instruction ID: 90fa90950dbbf035c4f81507b49f49b55cd41b97b653845b504dd01eb698d819
Opcode Fuzzy Hash: e66e3e702844fd7f079e7b10ae6de895f6d273da0ae026ac64afba16485083bb
Instruction Fuzzy Hash: 8B512931901214BADB10BBB5CC46EEE3979EF05378B20423FF416B11E2DB3C9A518A6D

Function 004035B3 Relevance: 17.7, APIs: 5, Strings: 5, Instructions: 182
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 004035C4
GetModuleFileNameW.KERNEL32(00000000,004EB0D8,00002004,?,?,?,00000000,00403A73,?), ref: 004035E0

Part of subcall function 00405E7C: GetFileAttributesW.KERNELBASE(00000003,004035F3,004EB0D8,80000000,00000003,?,?,?,00000000,00403A73,?), ref: 00405E80
Part of subcall function 00405E7C: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,00000000,00403A73,?), ref: 00405EA2

GetFileSize.KERNEL32(00000000,00000000,004EF0E0,00000000,004DB0B8,004DB0B8,004EB0D8,004EB0D8,80000000,00000003,?,?,?,00000000,00403A73,?), ref: 0040362C

Strings

Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author , xrefs: 004037F1
Null, xrefs: 004036AA
Error launching installer, xrefs: 00403603
Inst, xrefs: 00403698
soft, xrefs: 004036A1

Memory Dump Source

Source File: 00000000.00000002.1400713356.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1400591021.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400751499.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400959740.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400959740.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400959740.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400959740.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400959740.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401125912.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SensorExpo.jbxd

Similarity

API ID: File$AttributesCountCreateModuleNameSizeTick
String ID: Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$soft
API String ID: 4283519449-527102705
Opcode ID: 1c468bae64f21cc984bb13b12bce4b19fca03feff63e1d2e4bd855413efb252c
Instruction ID: dd9ffda97dac1e18d9081c595fe0b3a994810ea71df15e1d022794f6b5594c79
Opcode Fuzzy Hash: 1c468bae64f21cc984bb13b12bce4b19fca03feff63e1d2e4bd855413efb252c
Instruction Fuzzy Hash: 8551B8B1900214AFDB20DFA5DC85B9E7EACAB1435AF60857BF905B72D1C7389E408B5C

Function 0040337F Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 175
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 004033F1
GetTickCount.KERNEL32 ref: 00403492
MulDiv.KERNEL32(7FFFFFFF,00000064,?), ref: 004034BB
wsprintfW.USER32 ref: 004034CE
WriteFile.KERNELBASE(00000000,00000000,004280BE,00403792,00000000), ref: 004034FF
WriteFile.KERNEL32(00000000,00420170,?,00000000,00000000,00420170,?,000000FF,00000004,00000000,00000000,00000000), ref: 00403597

Strings

... %d%%, xrefs: 004034C8
-#B, xrefs: 00403458, 0040346A
pAB, xrefs: 004033AB
Set Britain=8DXpYMighty-Reunion-Lodge-Anchor-Comparing-Genes-Piano-Labels-sBBobby-hiHonors-Submit-Invitations-Mails-XCPMFurther-Causing-txhZLabels-Disclaimer-Readily-Fy-Independently-Handhelds-Contemporary-Bt-kcJWPerformance-Chronicle-Logs-Excess-L, xrefs: 004033FD

Memory Dump Source

Source File: 00000000.00000002.1400713356.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1400591021.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400751499.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400959740.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400959740.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400959740.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400959740.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400959740.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401125912.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SensorExpo.jbxd

Similarity

API ID: CountFileTickWrite$wsprintf
String ID: -#B$... %d%%$Set Britain=8DXpYMighty-Reunion-Lodge-Anchor-Comparing-Genes-Piano-Labels-sBBobby-hiHonors-Submit-Invitations-Mails-XCPMFurther-Causing-txhZLabels-Disclaimer-Readily-Fy-Independently-Handhelds-Contemporary-Bt-kcJWPerformance-Chronicle-Logs-Excess-L$pAB
API String ID: 651206458-2810070320
Opcode ID: a825d6787153bf0de4e2119c04a804022ac971a8914dbc6ec561ebe6254ceb78
Instruction ID: 38da17626370685da8d32df628044978fcb9abff53cdf920ebdff1c577d6aec0
Opcode Fuzzy Hash: a825d6787153bf0de4e2119c04a804022ac971a8914dbc6ec561ebe6254ceb78
Instruction Fuzzy Hash: BE615D71900219EBCF10DF69ED8469E7FBCAB54356F10413BE810B72A0D7789E90CBA9

Function 00404F9E Relevance: 10.6, APIs: 7, Instructions: 73
stringwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenW.KERNEL32(00445D80,004280BE,76F923A0,00000000), ref: 00404FD6
lstrlenW.KERNEL32(004034E5,00445D80,004280BE,76F923A0,00000000), ref: 00404FE6
lstrcatW.KERNEL32(00445D80,004034E5,004034E5,00445D80,004280BE,76F923A0,00000000), ref: 00404FF9
SetWindowTextW.USER32(00445D80,00445D80), ref: 0040500B
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405031
SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040504B
SendMessageW.USER32(?,00001013,?,00000000), ref: 00405059

Part of subcall function 00406831: GetVersion.KERNEL32(00445D80,?,00000000,00404FD5,00445D80,00000000,004280BE,76F923A0,00000000), ref: 00406902

Memory Dump Source

Source File: 00000000.00000002.1400713356.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1400591021.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400751499.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400959740.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400959740.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400959740.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400959740.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400959740.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401125912.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SensorExpo.jbxd

Similarity

API ID: MessageSend$lstrlen$TextVersionWindowlstrcat
String ID:
API String ID: 2740478559-0
Opcode ID: 3275530aef0c04b4202250623e45ea8dce7054cefbb9f1e0f944281260c15b48
Instruction ID: 2ad3572104664f977ebc3f2c903ed8e4223e657edd1a0c85de02785a0cf57670
Opcode Fuzzy Hash: 3275530aef0c04b4202250623e45ea8dce7054cefbb9f1e0f944281260c15b48
Instruction Fuzzy Hash: CD219DB1800518BBDF119F65CD849CFBFB9EF45714F10803AF905B22A1C7794A909B98

Function 00402713 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 42
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00406035: lstrcpynW.KERNEL32(?,?,00002004,0040391D,00476AA0,NSIS Error), ref: 00406042

WritePrivateProfileStringW.KERNEL32(?,?,?,00000000), ref: 0040278C

Strings

<RM>, xrefs: 00402713
WriteINIStr: wrote [%s] %s=%s in %s, xrefs: 00402775
open, xrefs: 00402770

Memory Dump Source

Source File: 00000000.00000002.1400713356.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1400591021.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400751499.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400959740.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400959740.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400959740.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400959740.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400959740.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401125912.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SensorExpo.jbxd

Similarity

API ID: PrivateProfileStringWritelstrcpyn
String ID: <RM>$WriteINIStr: wrote [%s] %s=%s in %s$open
API String ID: 247603264-1827671502
Opcode ID: c5828c37d5dac6f57dc8390ef1c26791cf4c32ef29eebf51540eb2f0813f71ea
Instruction ID: 073f588d32262f2f2aee4dc53e9f390c64699363c3e1a285ed73a3087a8005e5
Opcode Fuzzy Hash: c5828c37d5dac6f57dc8390ef1c26791cf4c32ef29eebf51540eb2f0813f71ea
Instruction Fuzzy Hash: FF014471D4022AABCB117FA68DC99EE7978AF08345B10403FF115761E3D7B80940CBAD

Function 004021B5 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 54
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00404F9E: lstrlenW.KERNEL32(00445D80,004280BE,76F923A0,00000000), ref: 00404FD6
Part of subcall function 00404F9E: lstrlenW.KERNEL32(004034E5,00445D80,004280BE,76F923A0,00000000), ref: 00404FE6
Part of subcall function 00404F9E: lstrcatW.KERNEL32(00445D80,004034E5,004034E5,00445D80,004280BE,76F923A0,00000000), ref: 00404FF9
Part of subcall function 00404F9E: SetWindowTextW.USER32(00445D80,00445D80), ref: 0040500B
Part of subcall function 00404F9E: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405031
Part of subcall function 00404F9E: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040504B
Part of subcall function 00404F9E: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405059

ShellExecuteW.SHELL32(?,00000000,00000000,00000000,004D70B0,?), ref: 00402202

Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3

Strings

ExecShell: success ("%s": file:"%s" params:"%s"), xrefs: 00402226
ExecShell: warning: error ("%s": file:"%s" params:"%s")=%d, xrefs: 00402211

Memory Dump Source

Source File: 00000000.00000002.1400713356.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1400591021.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400751499.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400959740.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400959740.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400959740.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400959740.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400959740.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401125912.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SensorExpo.jbxd

Similarity

API ID: MessageSendlstrlen$ExecuteShellTextWindowlstrcatwvsprintf
String ID: ExecShell: success ("%s": file:"%s" params:"%s")$ExecShell: warning: error ("%s": file:"%s" params:"%s")=%d
API String ID: 3156913733-2180253247
Opcode ID: 90e3c086b79b93c3d546270fca5f8a0155083991d9bd97c4b180a1ab42e6237a
Instruction ID: 745ed8f2a75272e62c3db2eabdadd847eb541a5ed47e1f4d533bb28834579f01
Opcode Fuzzy Hash: 90e3c086b79b93c3d546270fca5f8a0155083991d9bd97c4b180a1ab42e6237a
Instruction Fuzzy Hash: CD01F7B2B4021076D72076B69C87FAB2A5CDB81768B20447BF502F60D3E57D8C40D138

Function 00405EAB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00405EC9
GetTempFileNameW.KERNELBASE(?,?,00000000,?,?,?,00000000,0040382A,004DF0C0,004E30C8), ref: 00405EE4

Strings

nsa, xrefs: 00405EB8

Memory Dump Source

Source File: 00000000.00000002.1400713356.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1400591021.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400751499.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400959740.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400959740.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400959740.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400959740.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400959740.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401125912.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SensorExpo.jbxd

Similarity

API ID: CountFileNameTempTick
String ID: nsa
API String ID: 1716503409-2209301699
Opcode ID: 4f25573a167f5d7e94ef3749a48273d52f629be49305b635a70712ae5e4e57be
Instruction ID: e8a8b8b1c64af8904643f6899c21fc71a506a3659d4cdc328e790c9301f5e3ed
Opcode Fuzzy Hash: 4f25573a167f5d7e94ef3749a48273d52f629be49305b635a70712ae5e4e57be
Instruction Fuzzy Hash: D8F09076600208BBDB10CF69DD05A9FBBBDEF95710F00803BE944E7250E6B09E50DB98

Function 00402175 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 28
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ShowWindow.USER32(00000000,00000000), ref: 0040219F

Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3

EnableWindow.USER32(00000000,00000000), ref: 004021AA

Strings

HideWindow, xrefs: 0040218D

Memory Dump Source

Source File: 00000000.00000002.1400713356.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1400591021.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400751499.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400959740.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400959740.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400959740.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400959740.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400959740.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401125912.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SensorExpo.jbxd

Similarity

API ID: Window$EnableShowlstrlenwvsprintf
String ID: HideWindow
API String ID: 1249568736-780306582
Opcode ID: 4821ec273fe2e599a5ae382fcc080c7bd17c9037b2f84cac4d1a2c1341ad8622
Instruction ID: f8c041d4f94449417b74c9df8c85987c6128e61f091d6cc810bdb42da7a8293a
Opcode Fuzzy Hash: 4821ec273fe2e599a5ae382fcc080c7bd17c9037b2f84cac4d1a2c1341ad8622
Instruction Fuzzy Hash: 13E0D832A04110DBDB08FFF5A64959E76B4EE9532A72104BFE103F61D2DA7D4D01C62D

Function 0040139D Relevance: 3.0, APIs: 2, Instructions: 42windowCOMMON

Download Yara Rule

APIs

MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013F6
SendMessageW.USER32(00000402,00000402,00000000), ref: 00401406

Memory Dump Source

Source File: 00000000.00000002.1400713356.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1400591021.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400751499.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400959740.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400959740.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400959740.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400959740.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400959740.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401125912.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SensorExpo.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 0bd6c5a8fdcdf2cf9a6bba33cc7502a6d80b6dcfa2a0e894e00c73e73fb262d4
Instruction ID: 11189a7010c7ef4f551f6273c6f502c25af520ce36bbf29b1e3929f99495605f
Opcode Fuzzy Hash: 0bd6c5a8fdcdf2cf9a6bba33cc7502a6d80b6dcfa2a0e894e00c73e73fb262d4
Instruction Fuzzy Hash: 64F02831A10220DBD7165B349C08B273799BB81354F258637F819F62F2D2B8CC41CB4C

Function 00405E7C Relevance: 3.0, APIs: 2, Instructions: 15fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(00000003,004035F3,004EB0D8,80000000,00000003,?,?,?,00000000,00403A73,?), ref: 00405E80
CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,00000000,00403A73,?), ref: 00405EA2

Memory Dump Source

Source File: 00000000.00000002.1400713356.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1400591021.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400751499.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400959740.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400959740.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400959740.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400959740.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400959740.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401125912.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SensorExpo.jbxd

Similarity

API ID: File$AttributesCreate
String ID:
API String ID: 415043291-0
Opcode ID: ea37a1a334eaa57c44c9ac3bd50a12c4681d8f83bf4f6bb47fe7ae46db9ee3b5
Instruction ID: 4537c79132fc6b4e07af9f6f4ddc5e1db4475248beafdc935845b7fb5ee8fdc2
Opcode Fuzzy Hash: ea37a1a334eaa57c44c9ac3bd50a12c4681d8f83bf4f6bb47fe7ae46db9ee3b5
Instruction Fuzzy Hash: 08D09E71558202EFEF098F60DD1AF6EBBA2EB94B00F11852CB252550F1D6B25819DB15

Function 00405E5C Relevance: 3.0, APIs: 2, Instructions: 9COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,00406EAD,?,?,?), ref: 00405E60
SetFileAttributesW.KERNEL32(?,00000000), ref: 00405E73

Memory Dump Source

Source File: 00000000.00000002.1400713356.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1400591021.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400751499.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400959740.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400959740.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400959740.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400959740.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400959740.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401125912.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SensorExpo.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 5e2af4692c2c60a0182b675181584894d3553f063f17430bbe0abaa40064c643
Instruction ID: cfdb79520ecdf627421b2718222ef799ef1344ba1afc56e39be72dea6d7b0432
Opcode Fuzzy Hash: 5e2af4692c2c60a0182b675181584894d3553f063f17430bbe0abaa40064c643
Instruction Fuzzy Hash: 25C04C71404905BBDA015B34DE09D1BBB66EFA1331B648735F4BAE01F1C7358C65DA19

Function 00403336 Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(00000000,00000000,00000000,00000000,000000FF,?,004033D2,000000FF,00000004,00000000,00000000,00000000), ref: 0040334D

Memory Dump Source

Source File: 00000000.00000002.1400713356.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1400591021.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400751499.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400959740.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400959740.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400959740.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400959740.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400959740.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401125912.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SensorExpo.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: f617a5e021c5b0a319d386adb8c185e40962a0be4c43712b9beeddd23e90c427
Instruction ID: 6ac59f4cb3fe35c1316d0bdd9a7bfda3bd496f009ebd6252a63c396af269f63e
Opcode Fuzzy Hash: f617a5e021c5b0a319d386adb8c185e40962a0be4c43712b9beeddd23e90c427
Instruction Fuzzy Hash: 17E08C32650118FFDB109EA69C84EE73B5CFB047A2F00C432BD55E5190DA30DA00EBA4

Function 004037F8 Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

Part of subcall function 00406064: CharNextW.USER32(?,*?|<>/":,00000000,004E30C8,004CF0A0,004E30C8,00000000,00403804,004E30C8,-00000002,00403A37), ref: 004060C7
Part of subcall function 00406064: CharNextW.USER32(?,?,?,00000000), ref: 004060D6
Part of subcall function 00406064: CharNextW.USER32(?,004E30C8,004CF0A0,004E30C8,00000000,00403804,004E30C8,-00000002,00403A37), ref: 004060DB
Part of subcall function 00406064: CharPrevW.USER32(?,?,004CF0A0,004E30C8,00000000,00403804,004E30C8,-00000002,00403A37), ref: 004060EF

CreateDirectoryW.KERNELBASE(004E30C8,00000000,004E30C8,004E30C8,004E30C8,-00000002,00403A37), ref: 00403819

Memory Dump Source

Source File: 00000000.00000002.1400713356.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1400591021.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400751499.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400959740.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400959740.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400959740.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400959740.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400959740.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401125912.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SensorExpo.jbxd

Similarity

API ID: Char$Next$CreateDirectoryPrev
String ID:
API String ID: 4115351271-0
Opcode ID: ec387b52da79c0d7c7db124e40c02042f93ac80872f0e6df2e3daec6660af043
Instruction ID: c72586207ca4fe3275e323c6ce7a55902ce0015f7edb1a19efdc0f2786dab76c
Opcode Fuzzy Hash: ec387b52da79c0d7c7db124e40c02042f93ac80872f0e6df2e3daec6660af043
Instruction Fuzzy Hash: 52D0921218293121C66237663D0ABCF195C4F92B2EB0280B7F942B61D69B6C4A9285EE

Function 00403DDB Relevance: 1.5, APIs: 1, Instructions: 9windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,?,00000000,00000000), ref: 00403DED

Memory Dump Source

Source File: 00000000.00000002.1400713356.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1400591021.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400751499.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400959740.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400959740.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400959740.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400959740.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400959740.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401125912.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SensorExpo.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: bd6570ef2729c24474e20ae8e5d55f292f33ecedeb6df88af58882e0072056a2
Instruction ID: 85c9fcbfeeb581dd75f9c62538f5ff43d76368f59f1a6e3d2bff8e12452ff276
Opcode Fuzzy Hash: bd6570ef2729c24474e20ae8e5d55f292f33ecedeb6df88af58882e0072056a2
Instruction Fuzzy Hash: 0FC04C75644201BBDA108B509D45F077759AB90701F1584257615F50E0C674D550D62C

Function 00403368 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(00000000,00000000,00000000,00403786,?,?,?,?,00000000,00403A73,?), ref: 00403376

Memory Dump Source

Source File: 00000000.00000002.1400713356.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1400591021.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400751499.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400959740.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400959740.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400959740.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400959740.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400959740.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401125912.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SensorExpo.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 4bc311ea945a84079b9d2f50dcaf6257f2c75df5904c01363540678bd5f9aa8d
Instruction ID: a45aac6c24818fd8413ddab5752014fb5f73d741524c96ff6ff4c62981ea4fba
Opcode Fuzzy Hash: 4bc311ea945a84079b9d2f50dcaf6257f2c75df5904c01363540678bd5f9aa8d
Instruction Fuzzy Hash: 83B01231640200FFEA214F50DE09F06BB21B794700F208430B350380F082711820EB0C

Function 00403DC4 Relevance: 1.5, APIs: 1, Instructions: 6windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000028,?,00000001,004057E0), ref: 00403DD2

Memory Dump Source

Source File: 00000000.00000002.1400713356.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1400591021.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400751499.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400959740.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400959740.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400959740.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400959740.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400959740.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401125912.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SensorExpo.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 4d265d85d83b9aee7a2860bb21ac42a33598db5d2fcd0833c625a930327cbe25
Instruction ID: 19f7ed481b0b3084dfc48602985d3e47af739273f13ec77122cd0735a5794091
Opcode Fuzzy Hash: 4d265d85d83b9aee7a2860bb21ac42a33598db5d2fcd0833c625a930327cbe25
Instruction Fuzzy Hash: CCB01235181200BBDE514B00DE0AF867F62F7A8701F008574B305640F0C6B204E0DB09

Function 00403DB1 Relevance: 1.5, APIs: 1, Instructions: 4COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,00405779), ref: 00403DBB

Memory Dump Source

Source File: 00000000.00000002.1400713356.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1400591021.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400751499.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400959740.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400959740.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400959740.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400959740.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400959740.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401125912.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SensorExpo.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: afebc9adcdbb38a0c5e5e33596f84c2f2140198a38245a29fea50a5d9e588109
Instruction ID: a171dc49094d5971c6211130fd655c06747b54d01a1b52cbafa865c71f5bacad
Opcode Fuzzy Hash: afebc9adcdbb38a0c5e5e33596f84c2f2140198a38245a29fea50a5d9e588109
Instruction Fuzzy Hash: 2CA001BA845500ABCA439B60EF0988ABA62BBA5701B11897AE6565103587325864EB19

Non-executed Functions

Function 004049A8 Relevance: 65.2, APIs: 33, Strings: 4, Instructions: 470windowmemoryCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003F9), ref: 004049BF
GetDlgItem.USER32(?,00000408), ref: 004049CC
GlobalAlloc.KERNEL32(00000040,?), ref: 00404A1B
LoadBitmapW.USER32(0000006E), ref: 00404A2E
SetWindowLongW.USER32(?,000000FC,Function_000048F8), ref: 00404A48
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404A5A
ImageList_AddMasked.COMCTL32(00000000,?,00FF00FF), ref: 00404A6E
SendMessageW.USER32(?,00001109,00000002), ref: 00404A84
SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 00404A90
SendMessageW.USER32(?,0000111B,00000010,00000000), ref: 00404AA0
DeleteObject.GDI32(?), ref: 00404AA5
SendMessageW.USER32(?,00000143,00000000,00000000), ref: 00404AD0
SendMessageW.USER32(?,00000151,00000000,00000000), ref: 00404ADC
SendMessageW.USER32(?,00001132,00000000,?), ref: 00404B7D
SendMessageW.USER32(?,0000110A,00000003,00000110), ref: 00404BA0
SendMessageW.USER32(?,00001132,00000000,?), ref: 00404BB1
GetWindowLongW.USER32(?,000000F0), ref: 00404BDB
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00404BEA
ShowWindow.USER32(?,00000005), ref: 00404BFB
SendMessageW.USER32(?,00000419,00000000,?), ref: 00404CF9
SendMessageW.USER32(?,00000147,00000000,00000000), ref: 00404D54
SendMessageW.USER32(?,00000150,00000000,00000000), ref: 00404D69
SendMessageW.USER32(?,00000420,00000000,00000020), ref: 00404D8D
SendMessageW.USER32(?,00000200,00000000,00000000), ref: 00404DB3
ImageList_Destroy.COMCTL32(?), ref: 00404DC8
GlobalFree.KERNEL32(?), ref: 00404DD8
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00404E48
SendMessageW.USER32(?,00001102,?,?), ref: 00404EF6
SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 00404F05
InvalidateRect.USER32(?,00000000,00000001), ref: 00404F25
ShowWindow.USER32(?,00000000), ref: 00404F75
GetDlgItem.USER32(?,000003FE), ref: 00404F80
ShowWindow.USER32(00000000), ref: 00404F87

Strings

N, xrefs: 00404C32
@, xrefs: 00404BBC
, xrefs: 00404F65
M, xrefs: 00404B6F

Memory Dump Source

Source File: 00000000.00000002.1400713356.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1400591021.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400751499.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400959740.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400959740.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400959740.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400959740.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400959740.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401125912.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SensorExpo.jbxd

Similarity

API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
String ID: $ @$M$N
API String ID: 1638840714-3479655940
Opcode ID: 232f7ad113cb9ac5efd1b23bb694dfa7ac126bc5f1dc1702430156d0733604ca
Instruction ID: ef4bce446953bc7ec7e60756d12a1063aab4f745b4df8f164389f1335a379dc2
Opcode Fuzzy Hash: 232f7ad113cb9ac5efd1b23bb694dfa7ac126bc5f1dc1702430156d0733604ca
Instruction Fuzzy Hash: 7B028DB090020AAFEF109F95CD45AAE7BB5FB84314F10417AF611BA2E1C7B89D91CF58

Function 00406CC7 Relevance: 31.7, APIs: 9, Strings: 9, Instructions: 190filestringCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?,?,004CF0A0), ref: 00406CE4
lstrcatW.KERNEL32(00467470,\*.*,00467470,?,-00000002,004E30C8,?,004CF0A0), ref: 00406D35
lstrcatW.KERNEL32(?,00409838,?,00467470,?,-00000002,004E30C8,?,004CF0A0), ref: 00406D55
lstrlenW.KERNEL32(?), ref: 00406D58
FindFirstFileW.KERNEL32(00467470,?), ref: 00406D6C
FindNextFileW.KERNEL32(?,00000010,000000F2,?), ref: 00406E4E
FindClose.KERNEL32(?), ref: 00406E5F

Strings

RMDir: RemoveDirectory on Reboot("%s"), xrefs: 00406EBF
RMDir: RemoveDirectory invalid input("%s"), xrefs: 00406E84
RMDir: RemoveDirectory failed("%s"), xrefs: 00406EDC
Delete: DeleteFile on Reboot("%s"), xrefs: 00406E0C
Delete: DeleteFile failed("%s"), xrefs: 00406E29
\*.*, xrefs: 00406D2F
Delete: DeleteFile("%s"), xrefs: 00406DE8
ptF, xrefs: 00406D1A
RMDir: RemoveDirectory("%s"), xrefs: 00406E9B

Memory Dump Source

Source File: 00000000.00000002.1400713356.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1400591021.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400751499.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400959740.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400959740.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400959740.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400959740.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400959740.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401125912.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SensorExpo.jbxd

Similarity

API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
String ID: Delete: DeleteFile failed("%s")$Delete: DeleteFile on Reboot("%s")$Delete: DeleteFile("%s")$RMDir: RemoveDirectory failed("%s")$RMDir: RemoveDirectory invalid input("%s")$RMDir: RemoveDirectory on Reboot("%s")$RMDir: RemoveDirectory("%s")$\*.*$ptF
API String ID: 2035342205-1650287579
Opcode ID: a107dcf2f5cda8a7bb449344070620469a6265ca89df76249a653839e461c381
Instruction ID: e61cf0fe73e9c947a39cb72df690d6d83a08ee9d5dae9ef8ba60e8d8024aa79e
Opcode Fuzzy Hash: a107dcf2f5cda8a7bb449344070620469a6265ca89df76249a653839e461c381
Instruction Fuzzy Hash: 3E51D225604305AADB11AB71CC49A7F37B89F41728F22803FF803761D2DB7C49A1D6AE

Function 004044D1 Relevance: 30.0, APIs: 15, Strings: 2, Instructions: 300stringkeyboardCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003F0), ref: 00404525
IsDlgButtonChecked.USER32(?,000003F0), ref: 00404533
GetDlgItem.USER32(?,000003FB), ref: 00404553
GetAsyncKeyState.USER32(00000010), ref: 0040455A
GetDlgItem.USER32(?,000003F0), ref: 0040456F
ShowWindow.USER32(00000000,00000008,?,00000008,000000E0), ref: 00404580
SetWindowTextW.USER32(?,?), ref: 004045AF
SHBrowseForFolderW.SHELL32(?), ref: 00404669
lstrcmpiW.KERNEL32(0046E220,00451D98,00000000,?,?), ref: 004046A6
lstrcatW.KERNEL32(?,0046E220), ref: 004046B2
SetDlgItemTextW.USER32(?,000003FB,?), ref: 004046C2
CoTaskMemFree.OLE32(00000000), ref: 00404674

Part of subcall function 00405CB0: GetDlgItemTextW.USER32(00000001,00000001,00002004,00403FAD), ref: 00405CC3

Part of subcall function 00406064: CharNextW.USER32(?,*?|<>/":,00000000,004E30C8,004CF0A0,004E30C8,00000000,00403804,004E30C8,-00000002,00403A37), ref: 004060C7
Part of subcall function 00406064: CharNextW.USER32(?,?,?,00000000), ref: 004060D6
Part of subcall function 00406064: CharNextW.USER32(?,004E30C8,004CF0A0,004E30C8,00000000,00403804,004E30C8,-00000002,00403A37), ref: 004060DB
Part of subcall function 00406064: CharPrevW.USER32(?,?,004CF0A0,004E30C8,00000000,00403804,004E30C8,-00000002,00403A37), ref: 004060EF

Part of subcall function 00403EA0: lstrcatW.KERNEL32(00000000,00000000,00476240,004D30A8,install.log,00405AC8,004D30A8,004D30A8,004DF0C0,00451D98,80000001,Control Panel\Desktop\ResourceLocale,00000000,00451D98,00000000,00000006), ref: 00403EBB

GetDiskFreeSpaceW.KERNEL32(0044DD90,?,?,0000040F,?,0044DD90,0044DD90,?,00000000,0044DD90,?,?,000003FB,?), ref: 00404785
MulDiv.KERNEL32(?,0000040F,00000400), ref: 004047A0

Part of subcall function 00406831: GetVersion.KERNEL32(00445D80,?,00000000,00404FD5,00445D80,00000000,004280BE,76F923A0,00000000), ref: 00406902

SetDlgItemTextW.USER32(00000000,00000400,0040A264), ref: 00404819

Strings

F, xrefs: 004046A0
A, xrefs: 00404662

Memory Dump Source

Source File: 00000000.00000002.1400713356.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1400591021.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400751499.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400959740.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400959740.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400959740.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400959740.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400959740.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401125912.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SensorExpo.jbxd

Similarity

API ID: Item$CharText$Next$FreeWindowlstrcat$AsyncBrowseButtonCheckedDiskFolderPrevShowSpaceStateTaskVersionlstrcmpi
String ID: F$A
API String ID: 3347642858-1281894373
Opcode ID: daaa1e0cefc3b075cc9d96c46cb806b6c5f306674e01b7aa8aee38c956bc084c
Instruction ID: 610cab7253faed09e83e35c18a41c8795a2522a57bd741f73bb79fe4ae4f2c97
Opcode Fuzzy Hash: daaa1e0cefc3b075cc9d96c46cb806b6c5f306674e01b7aa8aee38c956bc084c
Instruction Fuzzy Hash: A3B181B1900209BBDB11AFA1CC85AAF7BB8EF45315F10843BFA05B72D1D77C9A418B59

Function 00406EFE Relevance: 30.0, APIs: 14, Strings: 3, Instructions: 270filestringCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00406F22
ReadFile.KERNEL32(00000000,?,0000000C,?,00000000), ref: 00406F5C
ReadFile.KERNEL32(?,?,00000010,?,00000000), ref: 00406FD5
lstrcpynA.KERNEL32(?,?,00000005), ref: 00406FE1
lstrcmpA.KERNEL32(name,?), ref: 00406FF3
CloseHandle.KERNEL32(?), ref: 00407212

Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3

Strings

%s: failed opening file "%s", xrefs: 00406F38
GetTTFNameString, xrefs: 00406F33
name, xrefs: 00406FEB

Memory Dump Source

Source File: 00000000.00000002.1400713356.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1400591021.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400751499.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400959740.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400959740.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400959740.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400959740.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400959740.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401125912.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SensorExpo.jbxd

Similarity

API ID: File$Read$CloseCreateHandlelstrcmplstrcpynlstrlenwvsprintf
String ID: %s: failed opening file "%s"$GetTTFNameString$name
API String ID: 1916479912-1189179171
Opcode ID: f010b36bd41cc349b356d7a0090dd4afe09556d9e36f72f9254c82778cae22fc
Instruction ID: 0b41acfa2c3272d6dc61f6848418d9961a63ce1f0aee58dce5ac99f5834af97b
Opcode Fuzzy Hash: f010b36bd41cc349b356d7a0090dd4afe09556d9e36f72f9254c82778cae22fc
Instruction Fuzzy Hash: 8491CB70D1412DAADF05EBE5C9908FEBBBAEF58301F00406AF592F7290E2385A05DB75

Function 00406831 Relevance: 21.2, APIs: 8, Strings: 4, Instructions: 212stringCOMMON

Download Yara Rule

APIs

GetVersion.KERNEL32(00445D80,?,00000000,00404FD5,00445D80,00000000,004280BE,76F923A0,00000000), ref: 00406902
GetSystemDirectoryW.KERNEL32(0046E220,00002004), ref: 00406984

Part of subcall function 00406035: lstrcpynW.KERNEL32(?,?,00002004,0040391D,00476AA0,NSIS Error), ref: 00406042

GetWindowsDirectoryW.KERNEL32(0046E220,00002004), ref: 00406997
lstrcatW.KERNEL32(0046E220,\Microsoft\Internet Explorer\Quick Launch), ref: 00406A11
lstrlenW.KERNEL32(0046E220,00445D80,?,00000000,00404FD5,00445D80,00000000,004280BE,76F923A0,00000000), ref: 00406A73

Strings

\Microsoft\Internet Explorer\Quick Launch, xrefs: 00406A0B
F, xrefs: 00406858
F, xrefs: 00406A7F
Software\Microsoft\Windows\CurrentVersion, xrefs: 00406952

Memory Dump Source

Source File: 00000000.00000002.1400713356.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1400591021.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400751499.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400959740.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400959740.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400959740.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400959740.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400959740.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401125912.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SensorExpo.jbxd

Similarity

API ID: Directory$SystemVersionWindowslstrcatlstrcpynlstrlen
String ID: F$ F$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
API String ID: 3581403547-1792361021
Opcode ID: 30c92c856c733ebf4e786737c731cc744bbcb1db4e86cdf6d89c5ce8018e8b94
Instruction ID: 94ababd57b57874809535cfc920d07d17cc92350817822ff6505e5e4c02fddf3
Opcode Fuzzy Hash: 30c92c856c733ebf4e786737c731cc744bbcb1db4e86cdf6d89c5ce8018e8b94
Instruction Fuzzy Hash: 9E71D6B1A00112ABDF20AF69CC44A7A3775AB55314F12C13BE907B66E0E73C89A1DB59

Function 004024FB Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 133comCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(0040AC30,?,00000001,0040AC10,?), ref: 0040257E

Strings

CreateShortCut: out: "%s", in: "%s %s", icon: %s,%d, sw=%d, hk=%d, xrefs: 00402560

Memory Dump Source

Source File: 00000000.00000002.1400713356.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1400591021.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400751499.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400959740.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400959740.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400959740.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400959740.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400959740.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401125912.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SensorExpo.jbxd

Similarity

API ID: CreateInstance
String ID: CreateShortCut: out: "%s", in: "%s %s", icon: %s,%d, sw=%d, hk=%d
API String ID: 542301482-1377821865
Opcode ID: 9902ece9f4b99e682490ae7949af093cffc61241cd73b0ba5a249ab4bbcbe8c9
Instruction ID: 17e7a05f0d3b91d3be5025a92c0a08315d4604efbe7233a371b14ee5b096337f
Opcode Fuzzy Hash: 9902ece9f4b99e682490ae7949af093cffc61241cd73b0ba5a249ab4bbcbe8c9
Instruction Fuzzy Hash: 9E416E74A00205BFCB04EFA0CC99EAE7B79EF48314B20456AF915EB3D1C679A941CB54

Function 004079A2 Relevance: .3, Instructions: 347COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1400713356.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1400591021.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400751499.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400959740.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400959740.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400959740.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400959740.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400959740.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401125912.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SensorExpo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 944ebb341680e93427b3a15fa59e4bc843c1d174164c9a0c79530ba1c2ca476e
Instruction ID: f621f802e1b16f1afd83cb625a9a5dfb13386b99c5f5a138cca70abed5397206
Opcode Fuzzy Hash: 944ebb341680e93427b3a15fa59e4bc843c1d174164c9a0c79530ba1c2ca476e
Instruction Fuzzy Hash: CEE17A71D04218DFCF14CF94D980AAEBBB1AF45301F1981ABEC55AF286D738AA41CF95

Function 0040737E Relevance: .3, Instructions: 303COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1400713356.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1400591021.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400751499.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400959740.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400959740.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400959740.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400959740.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400959740.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401125912.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SensorExpo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b88eb350fd00fb33316d24ceb9d72a370f105b0c57197cf1d2e0f134c7777fe
Instruction ID: 563abc6a1943806f9f153a5c0538de096a4a033458f435c3a5efc50f2cd88ab2
Opcode Fuzzy Hash: 1b88eb350fd00fb33316d24ceb9d72a370f105b0c57197cf1d2e0f134c7777fe
Instruction Fuzzy Hash: 67C16831A042598FCF18CF68C9805ED7BA2FF89314F25862AED56A7384E335BC45CB85

Function 004063D8 Relevance: 70.3, APIs: 29, Strings: 11, Instructions: 256libraryloadermemoryCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,00000FA0), ref: 004063EB
lstrlenW.KERNEL32(?), ref: 004063F8
GetVersionExW.KERNEL32(?), ref: 00406456

Part of subcall function 00406057: CharUpperW.USER32(?,0040642D,?), ref: 0040605D

LoadLibraryA.KERNEL32(PSAPI.DLL), ref: 00406495
GetProcAddress.KERNEL32(00000000,EnumProcesses), ref: 004064B4
GetProcAddress.KERNEL32(00000000,EnumProcessModules), ref: 004064BE
GetProcAddress.KERNEL32(00000000,GetModuleBaseNameW), ref: 004064C9
FreeLibrary.KERNEL32(00000000), ref: 00406500
GlobalFree.KERNEL32(?), ref: 00406509

Strings

Unknown, xrefs: 00406528
Process32FirstW, xrefs: 004065E9
CreateToolhelp32Snapshot, xrefs: 004065E1
Module32NextW, xrefs: 0040660A
Kernel32.DLL, xrefs: 004065C7
EnumProcessModules, xrefs: 004064B6
PSAPI.DLL, xrefs: 00406490
EnumProcesses, xrefs: 004064AE
GetModuleBaseNameW, xrefs: 004064C0
Module32FirstW, xrefs: 004065FF
Process32NextW, xrefs: 004065F4

Memory Dump Source

Source File: 00000000.00000002.1400713356.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1400591021.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400751499.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400959740.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400959740.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400959740.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400959740.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400959740.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401125912.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SensorExpo.jbxd

Similarity

API ID: AddressProc$FreeGlobalLibrary$AllocCharLoadUpperVersionlstrlen
String ID: CreateToolhelp32Snapshot$EnumProcessModules$EnumProcesses$GetModuleBaseNameW$Kernel32.DLL$Module32FirstW$Module32NextW$PSAPI.DLL$Process32FirstW$Process32NextW$Unknown
API String ID: 20674999-2124804629
Opcode ID: e76717bc544e744264c82aeaea2435e5936e7e477e24acbe68bbbba6ce647f5a
Instruction ID: cf04814c2eceeca0522e3a2239a4cfb7588c45c97b625e8eb28f179f7b3afb0e
Opcode Fuzzy Hash: e76717bc544e744264c82aeaea2435e5936e7e477e24acbe68bbbba6ce647f5a
Instruction Fuzzy Hash: D3919371900219EBDF119FA4CD88AAEBBB8EF04705F11807AE906F7191DB788E51CF59

Function 004040E4 Relevance: 40.5, APIs: 20, Strings: 3, Instructions: 210windowstringCOMMON

Download Yara Rule

APIs

CheckDlgButton.USER32(?,-0000040A,00000001), ref: 00404199
GetDlgItem.USER32(?,000003E8), ref: 004041AD
SendMessageW.USER32(00000000,0000045B,00000001,00000000), ref: 004041CA
GetSysColor.USER32(?), ref: 004041DB
SendMessageW.USER32(00000000,00000443,00000000,?), ref: 004041E9
SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 004041F7
lstrlenW.KERNEL32(?), ref: 00404202
SendMessageW.USER32(00000000,00000435,00000000,00000000), ref: 0040420F
SendMessageW.USER32(00000000,00000449,00000110,00000110), ref: 0040421E

Part of subcall function 00403FF6: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,?,?,00000000,00404150,?), ref: 0040400D
Part of subcall function 00403FF6: GlobalAlloc.KERNEL32(00000040,00000001,?,?,?,00000000,00404150,?), ref: 0040401C
Part of subcall function 00403FF6: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000001,00000000,00000000,?,?,00000000,00404150,?), ref: 00404030

GetDlgItem.USER32(?,0000040A), ref: 00404276
SendMessageW.USER32(00000000), ref: 0040427D
GetDlgItem.USER32(?,000003E8), ref: 004042AA
SendMessageW.USER32(00000000,0000044B,00000000,?), ref: 004042ED
LoadCursorW.USER32(00000000,00007F02), ref: 004042FB
SetCursor.USER32(00000000), ref: 004042FE
ShellExecuteW.SHELL32(0000070B,open,0046E220,00000000,00000000,00000001), ref: 00404313
LoadCursorW.USER32(00000000,00007F00), ref: 0040431F
SetCursor.USER32(00000000), ref: 00404322
SendMessageW.USER32(00000111,00000001,00000000), ref: 00404351
SendMessageW.USER32(00000010,00000000,00000000), ref: 00404363

Strings

N, xrefs: 00404298
F, xrefs: 004042D3
open, xrefs: 0040430B

Memory Dump Source

Source File: 00000000.00000002.1400713356.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1400591021.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400751499.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400959740.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400959740.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400959740.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400959740.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400959740.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401125912.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SensorExpo.jbxd

Similarity

API ID: MessageSend$Cursor$Item$ByteCharLoadMultiWide$AllocButtonCheckColorExecuteGlobalShelllstrlen
String ID: F$N$open
API String ID: 3928313111-1104729357
Opcode ID: 9e9e703d48f6c54e41068c493ebacbd9c251cecf858f8a13bd715780d6f12025
Instruction ID: b74f7aac3d4bcd21dc7a54326fe4aeb8052e912a1eb6d084c2fa05dc76f75ebb
Opcode Fuzzy Hash: 9e9e703d48f6c54e41068c493ebacbd9c251cecf858f8a13bd715780d6f12025
Instruction Fuzzy Hash: 5D71B5F1A00209BFDB109F65DD45EAA7B78FB44305F00853AFA05B62E1C778AD91CB99

Function 00406AC5 Relevance: 35.2, APIs: 15, Strings: 5, Instructions: 163filestringmemoryCOMMON

Download Yara Rule

APIs

lstrcpyW.KERNEL32(00465E20,NUL,?,00000000,?,00000000,?,00406CBC,000000F1,000000F1,00000001,00406EDA,?,00000000,000000F1,?), ref: 00406AD5
CloseHandle.KERNEL32(00000000,000000F1,00000000,00000001,?,00000000,?,00406CBC,000000F1,000000F1,00000001,00406EDA,?,00000000,000000F1,?), ref: 00406AF4
GetShortPathNameW.KERNEL32(000000F1,00465E20,00000400), ref: 00406AFD

Part of subcall function 00405DE2: lstrlenA.KERNEL32(00000000,?,00000000,00000000,?,00000000,00406BFF,00000000,[Rename]), ref: 00405DF2
Part of subcall function 00405DE2: lstrlenA.KERNEL32(?,?,00000000,00406BFF,00000000,[Rename]), ref: 00405E24

GetShortPathNameW.KERNEL32(000000F1,0046B478,00000400), ref: 00406B1E
WideCharToMultiByte.KERNEL32(00000000,00000000,00465E20,000000FF,00466620,00000400,00000000,00000000,?,00000000,?,00406CBC,000000F1,000000F1,00000001,00406EDA), ref: 00406B47
WideCharToMultiByte.KERNEL32(00000000,00000000,0046B478,000000FF,00466C70,00000400,00000000,00000000,?,00000000,?,00406CBC,000000F1,000000F1,00000001,00406EDA), ref: 00406B5F
wsprintfA.USER32 ref: 00406B79
GetFileSize.KERNEL32(00000000,00000000,0046B478,C0000000,00000004,0046B478,?,?,00000000,000000F1,?), ref: 00406BB1
GlobalAlloc.KERNEL32(00000040,0000000A), ref: 00406BC0
ReadFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 00406BDC
lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename]), ref: 00406C0C
SetFilePointer.KERNEL32(?,00000000,00000000,00000000,?,00467070,00000000,-0000000A,0040A87C,00000000,[Rename]), ref: 00406C63

Part of subcall function 00405E7C: GetFileAttributesW.KERNELBASE(00000003,004035F3,004EB0D8,80000000,00000003,?,?,?,00000000,00403A73,?), ref: 00405E80
Part of subcall function 00405E7C: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,00000000,00403A73,?), ref: 00405EA2

WriteFile.KERNEL32(?,00000000,?,?,00000000), ref: 00406C77
GlobalFree.KERNEL32(00000000), ref: 00406C7E
CloseHandle.KERNEL32(?), ref: 00406C88

Strings

^F, xrefs: 00406ACF
plF, xrefs: 00406B54
NUL, xrefs: 00406ACA
%s=%s, xrefs: 00406B6F
[Rename], xrefs: 00406BF4, 00406C03

Memory Dump Source

Source File: 00000000.00000002.1400713356.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1400591021.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400751499.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400959740.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400959740.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400959740.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400959740.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400959740.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401125912.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SensorExpo.jbxd

Similarity

API ID: File$ByteCharCloseGlobalHandleMulusermePathShortWidelstrcpylstrlen$AllocAttributesCreateFreePointerReadSizeWritewsprintf
String ID: ^F$%s=%s$NUL$[Rename]$plF
API String ID: 565278875-3368763019
Opcode ID: 8d6a48264c4b44e6e847a38bbc5540ed6369e357cae48dbe616f47649f698452
Instruction ID: 187392fb1a539ff374a899d42f74550c270b9899c721d3c7d9f4fe98b52eb23c
Opcode Fuzzy Hash: 8d6a48264c4b44e6e847a38bbc5540ed6369e357cae48dbe616f47649f698452
Instruction Fuzzy Hash: F2414B322082197FE7206B61DD4CE6F3E6CDF4A758B12013AF586F21D1D6399C10867E

Function 00401000 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 127COMMON

Download Yara Rule

APIs

DefWindowProcW.USER32(?,00000046,?,?), ref: 0040102C
BeginPaint.USER32(?,?), ref: 00401047
GetClientRect.USER32(?,?), ref: 0040105B
CreateBrushIndirect.GDI32(00000000), ref: 004010D8
FillRect.USER32(00000000,?,00000000), ref: 004010ED
DeleteObject.GDI32(?), ref: 004010F6
CreateFontIndirectW.GDI32(?), ref: 0040110E
SetBkMode.GDI32(00000000,00000001), ref: 0040112F
SetTextColor.GDI32(00000000,000000FF), ref: 00401139
SelectObject.GDI32(00000000,?), ref: 00401149
DrawTextW.USER32(00000000,00476AA0,000000FF,00000010,00000820), ref: 0040115F
SelectObject.GDI32(00000000,00000000), ref: 00401169
DeleteObject.GDI32(?), ref: 0040116E
EndPaint.USER32(?,?), ref: 00401177

Strings

F, xrefs: 0040100C

Memory Dump Source

Source File: 00000000.00000002.1400713356.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1400591021.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400751499.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400959740.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400959740.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400959740.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400959740.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400959740.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401125912.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SensorExpo.jbxd

Similarity

API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
String ID: F
API String ID: 941294808-1304234792
Opcode ID: 2efc14ad74cb110e0ad817299842ebea0c3d587f520aff37d9c167bf14942bce
Instruction ID: 3a901b8e11bd10f40e8c3d59bf329074d7a31f92ad936af625f7db958ebfa50f
Opcode Fuzzy Hash: 2efc14ad74cb110e0ad817299842ebea0c3d587f520aff37d9c167bf14942bce
Instruction Fuzzy Hash: BF518772800209AFCF05CF95DD459AFBBB9FF45315F00802AF952AA1A1C738EA50DFA4

Function 00402880 Relevance: 17.6, APIs: 4, Strings: 6, Instructions: 131registrystringCOMMON

Download Yara Rule

APIs

RegCreateKeyExW.ADVAPI32(?,?,?,?,?,?,?,?,?,00000011,00000002), ref: 004028DA
lstrlenW.KERNEL32(004140F8,00000023,?,?,?,?,?,?,?,00000011,00000002), ref: 004028FD
RegSetValueExW.ADVAPI32(?,?,?,?,004140F8,?,?,?,?,?,?,?,?,00000011,00000002), ref: 004029BC
RegCloseKey.ADVAPI32(?), ref: 004029E4

Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3

Strings

WriteReg: error writing into "%s\%s" "%s", xrefs: 004029D4
WriteReg: error creating key "%s\%s", xrefs: 004029F5
WriteRegStr: "%s\%s" "%s"="%s", xrefs: 00402918
WriteRegExpandStr: "%s\%s" "%s"="%s", xrefs: 0040292A
WriteRegBin: "%s\%s" "%s"="%s", xrefs: 004029A1
WriteRegDWORD: "%s\%s" "%s"="0x%08x", xrefs: 00402959

Memory Dump Source

Source File: 00000000.00000002.1400713356.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1400591021.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400751499.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400959740.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400959740.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400959740.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400959740.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400959740.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401125912.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SensorExpo.jbxd

Similarity

API ID: lstrlen$CloseCreateValuewvsprintf
String ID: WriteReg: error creating key "%s\%s"$WriteReg: error writing into "%s\%s" "%s"$WriteRegBin: "%s\%s" "%s"="%s"$WriteRegDWORD: "%s\%s" "%s"="0x%08x"$WriteRegExpandStr: "%s\%s" "%s"="%s"$WriteRegStr: "%s\%s" "%s"="%s"
API String ID: 1641139501-220328614
Opcode ID: 066b4e300930aa0920c328732a1d1fc015c018ed119ca6dd3c3d5e24db852520
Instruction ID: c6ff7831871a22410ebf281ca69ba80d881ba5d3dc99c3f31bea2db7712f227d
Opcode Fuzzy Hash: 066b4e300930aa0920c328732a1d1fc015c018ed119ca6dd3c3d5e24db852520
Instruction Fuzzy Hash: EE418BB2D00208BFCF11AF91CD46DEEBB7AEF44344F20807AF605761A2D3794A509B69

Function 00406113 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 72filestringCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(FFFFFFFF,00000000,?,?,00406300,00000000), ref: 0040612A
GetFileAttributesW.KERNEL32(00476240,?,00000000,00000000,?,?,00406300,00000000), ref: 00406168
WriteFile.KERNEL32(00000000,000000FF,00000002,00000000,00000000,00476240,40000000,00000004), ref: 004061A1
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,00476240,40000000,00000004), ref: 004061AD
lstrcatW.KERNEL32(RMDir: RemoveDirectory invalid input(""),0040A678,?,00000000,00000000,?,?,00406300,00000000), ref: 004061C7
lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),?,?,00406300,00000000), ref: 004061CE
WriteFile.KERNEL32(RMDir: RemoveDirectory invalid input(""),00000000,00406300,00000000,?,?,00406300,00000000), ref: 004061E3

Strings

RMDir: RemoveDirectory invalid input(""), xrefs: 004061C1, 004061C6, 004061CD, 004061DC
@bG, xrefs: 00406162

Memory Dump Source

Source File: 00000000.00000002.1400713356.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1400591021.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400751499.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400959740.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400959740.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400959740.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400959740.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400959740.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401125912.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SensorExpo.jbxd

Similarity

API ID: File$Write$AttributesCloseHandlePointerlstrcatlstrlen
String ID: @bG$RMDir: RemoveDirectory invalid input("")
API String ID: 3734993849-3206598305
Opcode ID: 48839086a200bf93aa32383a4ca0414da094928b154be734d4a38c22442d7c90
Instruction ID: 195d9f7db6fc7c0c2d4377fc833027156c916e626c5a885f84869a8699de3d55
Opcode Fuzzy Hash: 48839086a200bf93aa32383a4ca0414da094928b154be734d4a38c22442d7c90
Instruction Fuzzy Hash: 0121C271500240EBD710ABA8DD88D9B3B6CEB06334B118336F52ABA1E1D7389D85C7AC

Function 00402E55 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 103memoryfileCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,?,?,?,?,000000F0), ref: 00402EA9
GlobalAlloc.KERNEL32(00000040,?,00000000,?,?,?,?,?,?,000000F0), ref: 00402EC5
GlobalFree.KERNEL32(FFFFFD66), ref: 00402EFE
WriteFile.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,000000F0), ref: 00402F10
GlobalFree.KERNEL32(00000000), ref: 00402F17
CloseHandle.KERNEL32(?,?,?,?,?,000000F0), ref: 00402F2F
DeleteFileW.KERNEL32(?), ref: 00402F56

Strings

created uninstaller: %d, "%s", xrefs: 00402F3B

Memory Dump Source

Source File: 00000000.00000002.1400713356.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1400591021.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400751499.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400959740.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400959740.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400959740.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400959740.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400959740.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401125912.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SensorExpo.jbxd

Similarity

API ID: Global$AllocFileFree$CloseDeleteHandleWrite
String ID: created uninstaller: %d, "%s"
API String ID: 3294113728-3145124454
Opcode ID: 43406d439bebe3a41a7ad8946693a81c25abcec0bebba575c0e34f0bdeff8a90
Instruction ID: bd1c3f70b2adfd396ae192ad3b35d3c6df9fc0ba6a3ee2c413e2f7d1cf6bca0f
Opcode Fuzzy Hash: 43406d439bebe3a41a7ad8946693a81c25abcec0bebba575c0e34f0bdeff8a90
Instruction Fuzzy Hash: CF319E72800115ABDB11AFA9CD89DAF7FB9EF08364F10023AF515B61E1C7394E419B98

Function 004023F0 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 83libraryCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,00000001,000000F0), ref: 0040241C

Part of subcall function 00404F9E: lstrlenW.KERNEL32(00445D80,004280BE,76F923A0,00000000), ref: 00404FD6
Part of subcall function 00404F9E: lstrlenW.KERNEL32(004034E5,00445D80,004280BE,76F923A0,00000000), ref: 00404FE6
Part of subcall function 00404F9E: lstrcatW.KERNEL32(00445D80,004034E5,004034E5,00445D80,004280BE,76F923A0,00000000), ref: 00404FF9
Part of subcall function 00404F9E: SetWindowTextW.USER32(00445D80,00445D80), ref: 0040500B
Part of subcall function 00404F9E: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405031
Part of subcall function 00404F9E: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040504B
Part of subcall function 00404F9E: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405059

Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3

LoadLibraryExW.KERNEL32(00000000,?,00000008,00000001,000000F0), ref: 0040242D
FreeLibrary.KERNEL32(?,?), ref: 004024C3

Strings

Error registering DLL: Could not initialize OLE, xrefs: 004024F1
Error registering DLL: Could not load %s, xrefs: 004024DB
`G, xrefs: 0040246E
Error registering DLL: %s not found in %s, xrefs: 0040249A
8Fo, xrefs: 00402473

Memory Dump Source

Source File: 00000000.00000002.1400713356.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1400591021.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400751499.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400959740.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400959740.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400959740.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400959740.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400959740.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401125912.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SensorExpo.jbxd

Similarity

API ID: MessageSendlstrlen$Library$FreeHandleLoadModuleTextWindowlstrcatwvsprintf
String ID: 8Fo$Error registering DLL: %s not found in %s$Error registering DLL: Could not initialize OLE$Error registering DLL: Could not load %s$`G
API String ID: 1033533793-1190650409
Opcode ID: dfa9fb55bab39987c49c05a208fb72d841c7d3de21fe9f712437cd20c315518e
Instruction ID: ac94b2829880799def153f2ab6d9fb01897d962df66ba524602deb4d09d833fb
Opcode Fuzzy Hash: dfa9fb55bab39987c49c05a208fb72d841c7d3de21fe9f712437cd20c315518e
Instruction Fuzzy Hash: AE21A635A00215FBDF20AFA1CE49A9D7E71AB44318F30817BF512761E1D6BD4A80DA5D

Function 00403DF6 Relevance: 12.1, APIs: 8, Instructions: 60COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EB), ref: 00403E10
GetSysColor.USER32(00000000), ref: 00403E2C
SetTextColor.GDI32(?,00000000), ref: 00403E38
SetBkMode.GDI32(?,?), ref: 00403E44
GetSysColor.USER32(?), ref: 00403E57
SetBkColor.GDI32(?,?), ref: 00403E67
DeleteObject.GDI32(?), ref: 00403E81
CreateBrushIndirect.GDI32(?), ref: 00403E8B

Memory Dump Source

Source File: 00000000.00000002.1400713356.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1400591021.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400751499.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400959740.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400959740.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400959740.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400959740.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400959740.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401125912.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SensorExpo.jbxd

Similarity

API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
String ID:
API String ID: 2320649405-0
Opcode ID: 2cd1843f4009558aed8999710a19f2fd839bd0fd7577925b5fb66d8747ca327a
Instruction ID: 46e75ec11a9703e62b9e59528547c83071966f0b6f932d53464b5ad1ffaeee7a
Opcode Fuzzy Hash: 2cd1843f4009558aed8999710a19f2fd839bd0fd7577925b5fb66d8747ca327a
Instruction Fuzzy Hash: CA116371500744ABCB219F78DD08B5BBFF8AF40715F048A2AE895E22A1D738DA44CB94

Function 00402238 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 59synchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3

Part of subcall function 00404F9E: lstrlenW.KERNEL32(00445D80,004280BE,76F923A0,00000000), ref: 00404FD6
Part of subcall function 00404F9E: lstrlenW.KERNEL32(004034E5,00445D80,004280BE,76F923A0,00000000), ref: 00404FE6
Part of subcall function 00404F9E: lstrcatW.KERNEL32(00445D80,004034E5,004034E5,00445D80,004280BE,76F923A0,00000000), ref: 00404FF9
Part of subcall function 00404F9E: SetWindowTextW.USER32(00445D80,00445D80), ref: 0040500B
Part of subcall function 00404F9E: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405031
Part of subcall function 00404F9E: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040504B
Part of subcall function 00404F9E: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405059

Part of subcall function 00405C6B: CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00461DD0,Error launching installer), ref: 00405C90
Part of subcall function 00405C6B: CloseHandle.KERNEL32(?), ref: 00405C9D

WaitForSingleObject.KERNEL32(?,00000064,00000000,000000EB,00000000), ref: 00402288
GetExitCodeProcess.KERNEL32(?,?), ref: 00402298
CloseHandle.KERNEL32(?,00000000,000000EB,00000000), ref: 00402AF2

Strings

Exec: failed createprocess ("%s"), xrefs: 004022C2
Exec: command="%s", xrefs: 00402241
Exec: success ("%s"), xrefs: 00402263

Memory Dump Source

Source File: 00000000.00000002.1400713356.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1400591021.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400751499.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400959740.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400959740.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400959740.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400959740.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400959740.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401125912.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SensorExpo.jbxd

Similarity

API ID: MessageSendlstrlen$CloseHandleProcess$CodeCreateExitObjectSingleTextWaitWindowlstrcatwvsprintf
String ID: Exec: command="%s"$Exec: failed createprocess ("%s")$Exec: success ("%s")
API String ID: 2014279497-3433828417
Opcode ID: 6019f50a09c3a98591d7ac19e214774b8a762e16cd0fcb62cdb4911ff5dda7cf
Instruction ID: 042007ee205ef60e30064d08c60082207347e2967af2fac5581f577c4c1081ae
Opcode Fuzzy Hash: 6019f50a09c3a98591d7ac19e214774b8a762e16cd0fcb62cdb4911ff5dda7cf
Instruction Fuzzy Hash: 4E11A332504115EBDB01BFE1DE49AAE3A62EF04324B24807FF502B51D2C7BD4D51DA9D

Function 0040487A Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00404895
GetMessagePos.USER32 ref: 0040489D
ScreenToClient.USER32(?,?), ref: 004048B5
SendMessageW.USER32(?,00001111,00000000,?), ref: 004048C7
SendMessageW.USER32(?,0000113E,00000000,?), ref: 004048ED

Strings

f, xrefs: 004048C9

Memory Dump Source

Source File: 00000000.00000002.1400713356.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1400591021.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400751499.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400959740.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400959740.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400959740.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400959740.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400959740.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401125912.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SensorExpo.jbxd

Similarity

API ID: Message$Send$ClientScreen
String ID: f
API String ID: 41195575-1993550816
Opcode ID: dd0771fa492b48a0b3c5816c4430d79e7bf8162a268c2264a59d8032563336e2
Instruction ID: ebefa7930bdcd0e41c689069c6d494cf412fee4c497549fa98469d3d4217857c
Opcode Fuzzy Hash: dd0771fa492b48a0b3c5816c4430d79e7bf8162a268c2264a59d8032563336e2
Instruction Fuzzy Hash: 7A019E72A00219BAEB00DB94CC85BEEBBB8AF44710F10412ABB10B61D0C3B45A058BA4

Function 0040324C Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 40timeCOMMON

Download Yara Rule

APIs

SetTimer.USER32(?,00000001,000000FA,00000000), ref: 0040326A
MulDiv.KERNEL32(00069800,00000064,00159D29), ref: 00403295
wsprintfW.USER32 ref: 004032A5
SetWindowTextW.USER32(?,?), ref: 004032B5
SetDlgItemTextW.USER32(?,00000406,?), ref: 004032C7

Strings

verifying installer: %d%%, xrefs: 0040329F

Memory Dump Source

Source File: 00000000.00000002.1400713356.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1400591021.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400751499.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400959740.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400959740.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400959740.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400959740.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400959740.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401125912.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SensorExpo.jbxd

Similarity

API ID: Text$ItemTimerWindowwsprintf
String ID: verifying installer: %d%%
API String ID: 1451636040-82062127
Opcode ID: 3861699fe6b90eb98aefdbb76a6aac10e2c6ef9ed100297db3f2db1cf1739afe
Instruction ID: b5f4dff99bd495ec87a9693a0662ffae913500554fa258d9a040327637eece45
Opcode Fuzzy Hash: 3861699fe6b90eb98aefdbb76a6aac10e2c6ef9ed100297db3f2db1cf1739afe
Instruction Fuzzy Hash: F8014470640109BBEF109F60DC4AFEE3B68AB00309F008439FA05E51E1DB789A55CF58

Function 00401EB9 Relevance: 9.1, APIs: 2, Strings: 4, Instructions: 78COMMON

Download Yara Rule

APIs

Part of subcall function 00406035: lstrcpynW.KERNEL32(?,?,00002004,0040391D,00476AA0,NSIS Error), ref: 00406042

GlobalFree.KERNEL32(006F4638), ref: 00402387

Strings

Exch: stack < %d elements, xrefs: 00401ED8
8Fo, xrefs: 00401EBC, 00401F06, 00401F15, 00401F48, 00401F6E, 00401F75
open, xrefs: 00401EFB, 00401F00, 00401F1A
Pop: stack empty, xrefs: 00401F2C

Memory Dump Source

Source File: 00000000.00000002.1400713356.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1400591021.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400751499.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400959740.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400959740.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400959740.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400959740.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400959740.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401125912.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SensorExpo.jbxd

Similarity

API ID: FreeGloballstrcpyn
String ID: 8Fo$Exch: stack < %d elements$Pop: stack empty$open
API String ID: 1459762280-397448724
Opcode ID: f687fe266335390464c7bf33a5a6109902a608d988a78738c483845962ee8b52
Instruction ID: 50a08f61e59307d203ec8fda99e8a78aa4432658e9e299f93ea532572e85a124
Opcode Fuzzy Hash: f687fe266335390464c7bf33a5a6109902a608d988a78738c483845962ee8b52
Instruction Fuzzy Hash: 4921FF72640001EBD710EF98DD81A6E77A8AA04358720413BF503F32E1DB799C11966D

Function 00406064 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 71COMMON

Download Yara Rule

APIs

CharNextW.USER32(?,*?|<>/":,00000000,004E30C8,004CF0A0,004E30C8,00000000,00403804,004E30C8,-00000002,00403A37), ref: 004060C7
CharNextW.USER32(?,?,?,00000000), ref: 004060D6
CharNextW.USER32(?,004E30C8,004CF0A0,004E30C8,00000000,00403804,004E30C8,-00000002,00403A37), ref: 004060DB
CharPrevW.USER32(?,?,004CF0A0,004E30C8,00000000,00403804,004E30C8,-00000002,00403A37), ref: 004060EF

Strings

*?|<>/":, xrefs: 004060B6

Memory Dump Source

Source File: 00000000.00000002.1400713356.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1400591021.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400751499.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400959740.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400959740.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400959740.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400959740.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400959740.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401125912.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SensorExpo.jbxd

Similarity

API ID: Char$Next$Prev
String ID: *?|<>/":
API String ID: 589700163-165019052
Opcode ID: 45da571b5baffeb551c3f596f843ba1ccba930a874212f5238eaf5e1151c3a30
Instruction ID: be175804d259169a812840791ea7ca7df426672d81dd27f3292f2fdf866f60ab
Opcode Fuzzy Hash: 45da571b5baffeb551c3f596f843ba1ccba930a874212f5238eaf5e1151c3a30
Instruction Fuzzy Hash: E311C81188022159DB30FB698C4497776F8AE55750716843FE9CAF32C1E7BCDC9182BD

Function 0040149D Relevance: 7.6, APIs: 5, Instructions: 67registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 004014BF
RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 004014FB
RegCloseKey.ADVAPI32(?), ref: 00401504
RegCloseKey.ADVAPI32(?), ref: 00401529
RegDeleteKeyW.ADVAPI32(?,?), ref: 00401547

Memory Dump Source

Source File: 00000000.00000002.1400713356.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1400591021.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400751499.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400959740.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400959740.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400959740.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400959740.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400959740.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401125912.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SensorExpo.jbxd

Similarity

API ID: Close$DeleteEnumOpen
String ID:
API String ID: 1912718029-0
Opcode ID: 2a270dabeadf4e4f1a4763114e85c5fdf2352e77b68d80cc92c62b7e226f3bc1
Instruction ID: c67b0bc93acae55c3864b02ebd95f02f7c15995ce12be8144693d1f813214158
Opcode Fuzzy Hash: 2a270dabeadf4e4f1a4763114e85c5fdf2352e77b68d80cc92c62b7e226f3bc1
Instruction Fuzzy Hash: EB117976500008FFDF119F90ED859AA3B7AFB84348F004476FA0AB5070D3358E509A29

Function 004022FD Relevance: 7.6, APIs: 5, Instructions: 56memoryCOMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(00000000,?,000000EE), ref: 0040230C
GlobalAlloc.KERNEL32(00000040,00000000,00000000,?,000000EE), ref: 0040232E
GetFileVersionInfoW.VERSION(?,?,?,00000000), ref: 00402347
VerQueryValueW.VERSION(?,00409838,?,?,?,?,?,00000000), ref: 00402360

Part of subcall function 00405F7D: wsprintfW.USER32 ref: 00405F8A

GlobalFree.KERNEL32(006F4638), ref: 00402387

Memory Dump Source

Source File: 00000000.00000002.1400713356.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1400591021.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400751499.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400959740.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400959740.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400959740.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400959740.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400959740.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401125912.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SensorExpo.jbxd

Similarity

API ID: FileGlobalInfoVersion$AllocFreeQuerySizeValuewsprintf
String ID:
API String ID: 3376005127-0
Opcode ID: 606da6def6221d12ef1392d662ca92edf1c337adf5941d48ecd243ca57024968
Instruction ID: 214764af72b390ffa64cdeb44d1c6cd0e8ca06a9e3a7070d0c65f9f565939ffa
Opcode Fuzzy Hash: 606da6def6221d12ef1392d662ca92edf1c337adf5941d48ecd243ca57024968
Instruction Fuzzy Hash: 0D112572A0010AAFDF00EFA1D9459AEBBB8EF08344B10447AF606F61A1D7798A40CB18

Function 00402B23 Relevance: 7.6, APIs: 5, Instructions: 54memoryfilestringCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,00002004), ref: 00402B2B
WideCharToMultiByte.KERNEL32(?,?,004100F0,000000FF,?,00002004,?,?,00000011), ref: 00402B61
lstrlenA.KERNEL32(?,?,?,004100F0,000000FF,?,00002004,?,?,00000011), ref: 00402B6A
WriteFile.KERNEL32(00000000,?,?,00000000,?,?,?,?,004100F0,000000FF,?,00002004,?,?,00000011), ref: 00402B85

Memory Dump Source

Source File: 00000000.00000002.1400713356.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1400591021.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400751499.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400959740.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400959740.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400959740.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400959740.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400959740.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401125912.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SensorExpo.jbxd

Similarity

API ID: AllocByteCharFileGlobalMultiWideWritelstrlen
String ID:
API String ID: 2568930968-0
Opcode ID: 8e94f5e6955cf742f0be7e70fe548515adb6d38661ae1e1cc5866dac39eea37a
Instruction ID: eb70b36e00a6049791e454e439637436730f967712bedb277b0d85a94317bb29
Opcode Fuzzy Hash: 8e94f5e6955cf742f0be7e70fe548515adb6d38661ae1e1cc5866dac39eea37a
Instruction Fuzzy Hash: 7F016171600205FFEB14AF60DD4CE9E3B78EB05359F10443AF606B91E2D6799D81DB68

Function 0040209F Relevance: 7.5, APIs: 5, Instructions: 39windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?), ref: 004020A3
GetClientRect.USER32(00000000,?), ref: 004020B0
LoadImageW.USER32(?,00000000,?,?,?,?), ref: 004020D1
SendMessageW.USER32(00000000,00000172,?,00000000), ref: 004020DF
DeleteObject.GDI32(00000000), ref: 004020EE

Memory Dump Source

Source File: 00000000.00000002.1400713356.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1400591021.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400751499.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400959740.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400959740.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400959740.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400959740.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400959740.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401125912.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SensorExpo.jbxd

Similarity

API ID: ClientDeleteImageItemLoadMessageObjectRectSend
String ID:
API String ID: 1849352358-0
Opcode ID: 06a5835b44d3b6ac96e348dee9128c473dfe3a95b4f6450d10307ae5d6bb1818
Instruction ID: 8f71947f799b2f64a69df86d2a8dcb393400c967cd863db52f2ee5b4f8782dab
Opcode Fuzzy Hash: 06a5835b44d3b6ac96e348dee9128c473dfe3a95b4f6450d10307ae5d6bb1818
Instruction Fuzzy Hash: 9DF012B2A00104BFE700EBA4EE89DEFBBBCEB04305B104575F502F6162C6759E418B28

Function 00401F80 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401FE6
SendMessageW.USER32(00000000,00000000,?,?), ref: 00401FFE

Strings

!, xrefs: 00401FB6

Memory Dump Source

Source File: 00000000.00000002.1400713356.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1400591021.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400751499.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400959740.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400959740.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400959740.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400959740.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400959740.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401125912.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SensorExpo.jbxd

Similarity

API ID: MessageSend$Timeout
String ID: !
API String ID: 1777923405-2657877971
Opcode ID: e47ff439633ded3fb17ec5eecd0e1b6806a5c9fa211e2190a11df636c871b995
Instruction ID: 6a5c1514d43e21eed083d94b15ba6593763dc9af2b3e6337d8774d5f4809249f
Opcode Fuzzy Hash: e47ff439633ded3fb17ec5eecd0e1b6806a5c9fa211e2190a11df636c871b995
Instruction Fuzzy Hash: 56217171900209BADF15AFB4D886ABE7BB9EF04349F10413EF602F60E2D6794A40D758

Function 004043D9 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 73stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(00451D98,%u.%u%s%s,?,00000000,00000000,?,FFFFFFDC,00000000,?,000000DF,00451D98,?), ref: 00404476
wsprintfW.USER32 ref: 00404483
SetDlgItemTextW.USER32(?,00451D98,000000DF), ref: 00404496

Strings

%u.%u%s%s, xrefs: 00404470

Memory Dump Source

Source File: 00000000.00000002.1400713356.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1400591021.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400751499.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400959740.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400959740.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400959740.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400959740.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400959740.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401125912.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SensorExpo.jbxd

Similarity

API ID: ItemTextlstrlenwsprintf
String ID: %u.%u%s%s
API String ID: 3540041739-3551169577
Opcode ID: a810ffe09f2dc908503b2f58e47bd406bb4654f19e43ddd30bdf0acdc5011288
Instruction ID: 019992b557dc20c415266b5889428492ee6a52d86c3b4952972254649920ef77
Opcode Fuzzy Hash: a810ffe09f2dc908503b2f58e47bd406bb4654f19e43ddd30bdf0acdc5011288
Instruction Fuzzy Hash: DC11527270021477CF10AA699D45F9E765EEBC5334F10423BF519F31E1D6388A158259

Function 004027E3 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 60registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00401553: RegOpenKeyExW.ADVAPI32(?,00000000,00000022,00000000,?,?), ref: 0040158B

RegCloseKey.ADVAPI32(00000000), ref: 0040282E
RegDeleteValueW.ADVAPI32(00000000,00000000,00000033), ref: 0040280E

Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3

Strings

DeleteRegKey: "%s\%s", xrefs: 00402843
DeleteRegValue: "%s\%s" "%s", xrefs: 00402820

Memory Dump Source

Source File: 00000000.00000002.1400713356.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1400591021.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400751499.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400959740.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400959740.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400959740.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400959740.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400959740.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401125912.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SensorExpo.jbxd

Similarity

API ID: CloseDeleteOpenValuelstrlenwvsprintf
String ID: DeleteRegKey: "%s\%s"$DeleteRegValue: "%s\%s" "%s"
API String ID: 1697273262-1764544995
Opcode ID: 1c7787f783619d22a727722e8428d119ca1e8f511c7c384e8364c1fbbf216132
Instruction ID: 70287f52249eeba914cab3bee2f8f529b2cd5257afac1a85b0186071c419a2a5
Opcode Fuzzy Hash: 1c7787f783619d22a727722e8428d119ca1e8f511c7c384e8364c1fbbf216132
Instruction Fuzzy Hash: 2511E732E00200ABDB10FFA5DD4AABE3A64EF40354F10403FF50AB61D2D6798E50C6AD

Function 00402665 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 56stringCOMMON

Download Yara Rule

APIs

Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3

Part of subcall function 00406301: FindFirstFileW.KERNELBASE(00461E18,00466A20,00461E18,004067FA,00461E18), ref: 0040630C
Part of subcall function 00406301: FindClose.KERNEL32(00000000), ref: 00406318

lstrlenW.KERNEL32 ref: 004026B4
lstrlenW.KERNEL32(00000000), ref: 004026C1
SHFileOperationW.SHELL32(?,?,?,00000000), ref: 004026EC

Strings

CopyFiles "%s"->"%s", xrefs: 0040267F

Memory Dump Source

Source File: 00000000.00000002.1400713356.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1400591021.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400751499.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400959740.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400959740.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400959740.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400959740.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400959740.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401125912.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SensorExpo.jbxd

Similarity

API ID: lstrlen$FileFind$CloseFirstOperationwvsprintf
String ID: CopyFiles "%s"->"%s"
API String ID: 2577523808-3778932970
Opcode ID: 0c98d155eaf4bf30867e20e2ef9323f8e108a065a1149d83459e1735f252947f
Instruction ID: 7c1d43f40acf3f33c375e3424532232737b5c7d4dc38a4161669d523a66d0fcf
Opcode Fuzzy Hash: 0c98d155eaf4bf30867e20e2ef9323f8e108a065a1149d83459e1735f252947f
Instruction Fuzzy Hash: 8A114F71D00214AADB10FFF6984699FBBBCAF44354B10843BA502F72D2E67989418759

Function 00406250 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 53stringCOMMON

Download Yara Rule

APIs

wsprintfW.USER32 ref: 004062A4
lstrcatW.KERNEL32(00000000,...), ref: 004062C7

Strings

..., xrefs: 004062BF
%02x%c, xrefs: 0040629C

Memory Dump Source

Source File: 00000000.00000002.1400713356.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1400591021.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400751499.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400959740.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400959740.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400959740.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400959740.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400959740.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401125912.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SensorExpo.jbxd

Similarity

API ID: lstrcatwsprintf
String ID: %02x%c$...
API String ID: 3065427908-1057055748
Opcode ID: e028bc25539a6ddd5d675d42839d030ce8218c39fe920002d96002040e934ce0
Instruction ID: 9bf571533c0fd83e5fe1ff618cfd19ea7d9613251e6e948213dceada22d50e27
Opcode Fuzzy Hash: e028bc25539a6ddd5d675d42839d030ce8218c39fe920002d96002040e934ce0
Instruction Fuzzy Hash: E201D272510219BFCB01DF98CC44A9EBBB9EF84714F20817AF806F3280D2799EA48794

Function 00405073 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 41comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 00405083

Part of subcall function 00403DDB: SendMessageW.USER32(?,?,00000000,00000000), ref: 00403DED

OleUninitialize.OLE32(00000404,00000000), ref: 004050D1

Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3

Strings

Section: "%s", xrefs: 004050A5
Skipping section: "%s", xrefs: 004050E1

Memory Dump Source

Source File: 00000000.00000002.1400713356.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1400591021.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400751499.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400959740.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400959740.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400959740.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400959740.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400959740.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401125912.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SensorExpo.jbxd

Similarity

API ID: InitializeMessageSendUninitializelstrlenwvsprintf
String ID: Section: "%s"$Skipping section: "%s"
API String ID: 2266616436-4211696005
Opcode ID: 08831c163c79f6045eee3939d78ed76b32885a7039adc7eb93c092c170fa4538
Instruction ID: 3a4ae3dd184d198318ece42e1af7a5bc75ccdc2bd7a030bb5b2a43e0dda7b67b
Opcode Fuzzy Hash: 08831c163c79f6045eee3939d78ed76b32885a7039adc7eb93c092c170fa4538
Instruction Fuzzy Hash: 0EF0F433504300ABE7106766AC02B1A7BA0EF84724F25017FFA09721E2DB7928418EAD

Function 004020F9 Relevance: 6.0, APIs: 4, Instructions: 45COMMON

Download Yara Rule

APIs

GetDC.USER32(?), ref: 00402100
GetDeviceCaps.GDI32(00000000), ref: 00402107
MulDiv.KERNEL32(00000000,00000000), ref: 00402117

Part of subcall function 00406831: GetVersion.KERNEL32(00445D80,?,00000000,00404FD5,00445D80,00000000,004280BE,76F923A0,00000000), ref: 00406902

CreateFontIndirectW.GDI32(00420110), ref: 0040216A

Part of subcall function 00405F7D: wsprintfW.USER32 ref: 00405F8A

Memory Dump Source

Source File: 00000000.00000002.1400713356.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1400591021.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400751499.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400959740.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400959740.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400959740.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400959740.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400959740.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401125912.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SensorExpo.jbxd

Similarity

API ID: CapsCreateDeviceFontIndirectVersionwsprintf
String ID:
API String ID: 1599320355-0
Opcode ID: 5e7bfe574d04e9302ce96a75028483347f8e754cab2f6e4722de83d8c32547a7
Instruction ID: 0ba792ce9c48b24537a9dfec97a4105c0a721b5be590283e64661935fd66df2d
Opcode Fuzzy Hash: 5e7bfe574d04e9302ce96a75028483347f8e754cab2f6e4722de83d8c32547a7
Instruction Fuzzy Hash: B6018872B042509FF7119BB4BC4ABAA7BE4A715315F504436F141F61E3CA7D4411C72D

Function 00407224 Relevance: 6.0, APIs: 3, Strings: 1, Instructions: 43stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00406EFE: CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00406F22

lstrcpynW.KERNEL32(?,?,00000009), ref: 00407265
lstrcmpW.KERNEL32(?,Version ), ref: 00407276
lstrcpynW.KERNEL32(?,?,?), ref: 0040728D

Strings

Version , xrefs: 0040726D

Memory Dump Source

Source File: 00000000.00000002.1400713356.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1400591021.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400751499.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400959740.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400959740.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400959740.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400959740.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400959740.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401125912.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SensorExpo.jbxd

Similarity

API ID: lstrcpyn$CreateFilelstrcmp
String ID: Version
API String ID: 512980652-315105994
Opcode ID: e08784de301d9fe6ca80962c3bdf8726d1c794b972164068317a4e691a2db981
Instruction ID: f6016284c167eb8c93e4c4d2cd91337f160ffdcdaea293fd9af5b6974d265005
Opcode Fuzzy Hash: e08784de301d9fe6ca80962c3bdf8726d1c794b972164068317a4e691a2db981
Instruction Fuzzy Hash: 74F08172A0021CBBDF109BA5DD45EEA777CAB44700F000076F600F6191E2B5AE148BA1

Function 004032D2 Relevance: 6.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,00000000,0040372F,00000001,?,?,?,00000000,00403A73,?), ref: 004032E5
GetTickCount.KERNEL32 ref: 00403303
CreateDialogParamW.USER32(0000006F,00000000,0040324C,00000000), ref: 00403320
ShowWindow.USER32(00000000,00000005,?,?,?,00000000,00403A73,?), ref: 0040332E

Memory Dump Source

Source File: 00000000.00000002.1400713356.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1400591021.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400751499.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400959740.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400959740.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400959740.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400959740.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400959740.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401125912.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SensorExpo.jbxd

Similarity

API ID: Window$CountCreateDestroyDialogParamShowTick
String ID:
API String ID: 2102729457-0
Opcode ID: 20fc2252fa4e8cade60f22cfb8dff2eb59aca0eba7377cdae62c8c9885b14618
Instruction ID: 7080548a0c715e844c944b711630a30770084a0de0adb1936a850f0acfbe0ad2
Opcode Fuzzy Hash: 20fc2252fa4e8cade60f22cfb8dff2eb59aca0eba7377cdae62c8c9885b14618
Instruction Fuzzy Hash: 76F05E30541220BBC620AF24FD89AAF7F68B705B1274008BAF405B11A6C7384D92CFDC

Function 00406391 Relevance: 6.0, APIs: 4, Instructions: 31memorylibraryloaderCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,00002004,00000000,?,?,00402449,?,?,?,00000008,00000001,000000F0), ref: 0040639C
WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00002004,00000000,00000000,?,?,00402449,?,?,?,00000008,00000001), ref: 004063B2
GetProcAddress.KERNEL32(?,00000000), ref: 004063C1
GlobalFree.KERNEL32(00000000), ref: 004063CA

Memory Dump Source

Source File: 00000000.00000002.1400713356.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1400591021.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400751499.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400959740.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400959740.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400959740.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400959740.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400959740.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401125912.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SensorExpo.jbxd

Similarity

API ID: Global$AddressAllocByteCharFreeMultiProcWide
String ID:
API String ID: 2883127279-0
Opcode ID: cfe0beae58ad61bea83a9ac8add919dc7b7c61ebe1ef4fe2e37f024ea1666988
Instruction ID: 23858f5f5f858bd20c6f81bae205610dc5c3869b82bfcacec746ad73dc06cfd6
Opcode Fuzzy Hash: cfe0beae58ad61bea83a9ac8add919dc7b7c61ebe1ef4fe2e37f024ea1666988
Instruction Fuzzy Hash: 82E092313001117BF2101B269D8CD677EACDBCA7B2B05013AF645E11E1C6308C10C674

Function 004048F8 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 58windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 0040492E
CallWindowProcW.USER32(?,00000200,?,?), ref: 0040499C

Part of subcall function 00403DDB: SendMessageW.USER32(?,?,00000000,00000000), ref: 00403DED

Strings

, xrefs: 00404906

Memory Dump Source

Source File: 00000000.00000002.1400713356.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1400591021.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400751499.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400959740.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400959740.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400959740.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400959740.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400959740.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401125912.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SensorExpo.jbxd

Similarity

API ID: Window$CallMessageProcSendVisible
String ID:
API String ID: 3748168415-3916222277
Opcode ID: c170883d227fca0112a12e156e2c8e9ea80fa6a38e1ecce58c6b14ca94f7736c
Instruction ID: 3c1fd1ddb59456d7d2ea24cd553691e7f5dd8d926ac1a383129e0726a186868e
Opcode Fuzzy Hash: c170883d227fca0112a12e156e2c8e9ea80fa6a38e1ecce58c6b14ca94f7736c
Instruction Fuzzy Hash: CE118FF1500209ABDF115F65DC44EAB776CAF84365F00803BFA04761A2C37D8D919FA9

Function 00402797 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 25stringCOMMON

Download Yara Rule

APIs

GetPrivateProfileStringW.KERNEL32(00000000,00000000,?,?,00002003,00000000), ref: 004027CD
lstrcmpW.KERNEL32(?,?,?,00002003,00000000,000000DD,00000012,00000001), ref: 004027D8

Strings

!N~, xrefs: 00402797

Memory Dump Source

Source File: 00000000.00000002.1400713356.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1400591021.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400751499.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400959740.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400959740.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400959740.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400959740.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400959740.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401125912.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SensorExpo.jbxd

Similarity

API ID: PrivateProfileStringlstrcmp
String ID: !N~
API String ID: 623250636-529124213
Opcode ID: 07e0e1e700d966a463b53d73ca6f39700f71f89c173b529fa76a4fed3a8722df
Instruction ID: 1025b72e91f13a3121db677028adcce723ab2f3f19a12cbdb86f5280e69f3e4e
Opcode Fuzzy Hash: 07e0e1e700d966a463b53d73ca6f39700f71f89c173b529fa76a4fed3a8722df
Instruction Fuzzy Hash: 14E0C0716002086AEB01ABA1DD89DAE7BACAB45304F144426F601F71E3E6745D028714

Function 00405C6B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00461DD0,Error launching installer), ref: 00405C90
CloseHandle.KERNEL32(?), ref: 00405C9D

Strings

Error launching installer, xrefs: 00405C74

Memory Dump Source

Source File: 00000000.00000002.1400713356.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1400591021.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400751499.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400959740.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400959740.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400959740.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400959740.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400959740.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401125912.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SensorExpo.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID: Error launching installer
API String ID: 3712363035-66219284
Opcode ID: d7e07479a26add6e139fb42e4e519ed4ce81f94bdda572b5be1add7e8fe8fde5
Instruction ID: 058e85fc593d498414a6a643ff83d14e048665682532f700ab3f6144ed6d8858
Opcode Fuzzy Hash: d7e07479a26add6e139fb42e4e519ed4ce81f94bdda572b5be1add7e8fe8fde5
Instruction Fuzzy Hash: A4E0ECB0900209AFEB009F65DD09E7B7BBCEB00384F084426AD10E2161E778D8148B69

Function 004062CF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 13stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
wvsprintfW.USER32(00000000,?,?), ref: 004062F3

Part of subcall function 00406113: CloseHandle.KERNEL32(FFFFFFFF,00000000,?,?,00406300,00000000), ref: 0040612A

Strings

RMDir: RemoveDirectory invalid input(""), xrefs: 004062D1, 004062D6

Memory Dump Source

Source File: 00000000.00000002.1400713356.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1400591021.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400751499.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400959740.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400959740.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400959740.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400959740.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400959740.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401125912.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SensorExpo.jbxd

Similarity

API ID: CloseHandlelstrlenwvsprintf
String ID: RMDir: RemoveDirectory invalid input("")
API String ID: 3509786178-2769509956
Opcode ID: db8d081d013b9790c932ab277b4a3a99312fd955ab88a80e97be1a4fe9473cae
Instruction ID: 2c5812d3804eb93f93713fa8b891b4ce654538dc852139f9e16b4ff69120e8c2
Opcode Fuzzy Hash: db8d081d013b9790c932ab277b4a3a99312fd955ab88a80e97be1a4fe9473cae
Instruction Fuzzy Hash: 93D05E34A50206BADA009FE1FE29E597764AB84304F400869F005890B1EA74C4108B0E

Function 00405DE2 Relevance: 5.0, APIs: 4, Instructions: 37stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(00000000,?,00000000,00000000,?,00000000,00406BFF,00000000,[Rename]), ref: 00405DF2
lstrcmpiA.KERNEL32(?,?), ref: 00405E0A
CharNextA.USER32(?,?,00000000,00406BFF,00000000,[Rename]), ref: 00405E1B
lstrlenA.KERNEL32(?,?,00000000,00406BFF,00000000,[Rename]), ref: 00405E24

Memory Dump Source

Source File: 00000000.00000002.1400713356.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1400591021.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400751499.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400959740.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400959740.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400959740.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400959740.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400959740.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401125912.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SensorExpo.jbxd

Similarity

API ID: lstrlen$CharNextlstrcmpi
String ID:
API String ID: 190613189-0
Opcode ID: 6101864ab16567e6bb9a2a5d9c8424f3785a5e6dd51bc724eb4dc87483e37eb4
Instruction ID: 6c750b41c95b6ea6b2c0dd9449a28e86abc919c298eb75f697d1220529daba74
Opcode Fuzzy Hash: 6101864ab16567e6bb9a2a5d9c8424f3785a5e6dd51bc724eb4dc87483e37eb4
Instruction Fuzzy Hash: 95F0CD31205558FFCB019FA9DC0499FBBA8EF5A350B2544AAE840E7321D234DE019BA4

Analysis Process: Breakdown.comPID: 7928, Parent PID: 7680COMMON

Execution Graph

Execution Coverage:	3.4%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	3.3%
Total number of Nodes:	2000
Total number of Limit Nodes:	67

Executed Functions

Function 002D5FC8 Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 236
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 002D5FF7

Part of subcall function 002D8577: _wcslen.LIBCMT ref: 002D858A

GetCurrentProcess.KERNEL32(?,0036DC2C,00000000,?,?), ref: 002D6123
IsWow64Process.KERNEL32(00000000,?,?), ref: 002D612A
LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 002D6155
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 002D6167
GetNativeSystemInfo.KERNEL32(?,?,?), ref: 002D6175
FreeLibrary.KERNEL32(00000000,?,?), ref: 002D617C
GetSystemInfo.KERNEL32(?,?,?), ref: 002D61A1

Strings

kernel32.dll, xrefs: 002D6150
|O, xrefs: 003150F7
GetNativeSystemInfo, xrefs: 002D6161

Memory Dump Source

Source File: 0000000C.00000002.1724187159.00000000002D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000C.00000002.1724077128.00000000002D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.000000000036D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.0000000000393000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724304889.000000000039D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724324748.00000000003A5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2d0000_Breakdown.jbxd

Similarity

API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
String ID: GetNativeSystemInfo$kernel32.dll$|O
API String ID: 3290436268-3101561225
Opcode ID: d4c2f4efb0080596f3f4bd0fe2d839c026ccfb027c79e0428251a617363c2bcc
Instruction ID: 72813eb9f79fd5729704433bd92129ce21ce5af86ae8f322b6f25aefc220ea99
Opcode Fuzzy Hash: d4c2f4efb0080596f3f4bd0fe2d839c026ccfb027c79e0428251a617363c2bcc
Instruction Fuzzy Hash: D4A1952AA1A2C4DFCF17CB6C7C491D73F6C6B6B300F09489AD485973A2C2AD4948CB31

Function 002D338B Relevance: 21.1, APIs: 8, Strings: 4, Instructions: 148
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,?,?,002D3368,?), ref: 002D33BB
IsDebuggerPresent.KERNEL32(?,?,?,?,?,?,002D3368,?), ref: 002D33CE
GetFullPathNameW.KERNEL32(00007FFF,?,?,003A2418,003A2400,?,?,?,?,?,?,002D3368,?), ref: 002D343A

Part of subcall function 002D8577: _wcslen.LIBCMT ref: 002D858A

Part of subcall function 002D425F: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,002D3462,003A2418,?,?,?,?,?,?,?,002D3368,?), ref: 002D42A0

SetCurrentDirectoryW.KERNEL32(?,00000001,003A2418,?,?,?,?,?,?,?,002D3368,?), ref: 002D34BB
MessageBoxA.USER32(00000000,It is a violation of the AutoIt EULA to attempt to reverse engineer this program.,AutoIt,00000010), ref: 00313CB0
SetCurrentDirectoryW.KERNEL32(?,003A2418,?,?,?,?,?,?,?,002D3368,?), ref: 00313CF1
GetForegroundWindow.USER32(runas,?,?,?,00000001,?,003931F4,003A2418,?,?,?,?,?,?,?,002D3368), ref: 00313D7A
ShellExecuteW.SHELL32(00000000,?,?), ref: 00313D81

Part of subcall function 002D34D3: GetSysColorBrush.USER32(0000000F), ref: 002D34DE
Part of subcall function 002D34D3: LoadCursorW.USER32(00000000,00007F00), ref: 002D34ED
Part of subcall function 002D34D3: LoadIconW.USER32(00000063), ref: 002D3503
Part of subcall function 002D34D3: LoadIconW.USER32(000000A4), ref: 002D3515
Part of subcall function 002D34D3: LoadIconW.USER32(000000A2), ref: 002D3527
Part of subcall function 002D34D3: LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 002D353F
Part of subcall function 002D34D3: RegisterClassExW.USER32(?), ref: 002D3590

Part of subcall function 002D35B3: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 002D35E1
Part of subcall function 002D35B3: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 002D3602
Part of subcall function 002D35B3: ShowWindow.USER32(00000000,?,?,?,?,?,?,002D3368,?), ref: 002D3616
Part of subcall function 002D35B3: ShowWindow.USER32(00000000,?,?,?,?,?,?,002D3368,?), ref: 002D361F

Part of subcall function 002D396B: Shell_NotifyIconW.SHELL32(00000000,?), ref: 002D3A3C

Strings

runas, xrefs: 00313D75
0$:, xrefs: 002D3495
It is a violation of the AutoIt EULA to attempt to reverse engineer this program., xrefs: 00313CAA
AutoIt, xrefs: 00313CA5

Memory Dump Source

Source File: 0000000C.00000002.1724187159.00000000002D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000C.00000002.1724077128.00000000002D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.000000000036D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.0000000000393000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724304889.000000000039D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724324748.00000000003A5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2d0000_Breakdown.jbxd

Similarity

API ID: LoadWindow$Icon$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__wcslen
String ID: 0$:$AutoIt$It is a violation of the AutoIt EULA to attempt to reverse engineer this program.$runas
API String ID: 683915450-2548913474
Opcode ID: 880ce38310cd5628da6bc6f5695a06b635efc640c0479c1a383990e2a6790889
Instruction ID: 31686ca739c90bb0274a76500a5116c5002826f30046c1d16d5813a460a07085
Opcode Fuzzy Hash: 880ce38310cd5628da6bc6f5695a06b635efc640c0479c1a383990e2a6790889
Instruction Fuzzy Hash: AC510870218341AECB07FF65DC15DAF7BAC9F9A744F00042EF581562A2DB688E59CB63

Function 0033DC54 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 002D5851: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,002D55D1,?,?,00314B76,?,?,00000100,00000000,00000000,CMDLINE), ref: 002D5871

Part of subcall function 0033EAB0: GetFileAttributesW.KERNEL32(?,0033D840), ref: 0033EAB1

FindFirstFileW.KERNEL32(?,?), ref: 0033DCCB
DeleteFileW.KERNEL32(?,?,?,?), ref: 0033DD1B
FindNextFileW.KERNELBASE(00000000,00000010), ref: 0033DD2C
FindClose.KERNEL32(00000000), ref: 0033DD43
FindClose.KERNEL32(00000000), ref: 0033DD4C

Strings

\*.*, xrefs: 0033DC9D

Memory Dump Source

Source File: 0000000C.00000002.1724187159.00000000002D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000C.00000002.1724077128.00000000002D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.000000000036D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.0000000000393000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724304889.000000000039D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724324748.00000000003A5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2d0000_Breakdown.jbxd

Similarity

API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
String ID: \*.*
API String ID: 2649000838-1173974218
Opcode ID: 443ba64dc7c7438efdddc2b6237944f8bdb80a0f214d26059ab9e5e1491876bd
Instruction ID: 8f39bcee899203e21627e382ae0d5ae162de7300df4be4a4e040d36346109648
Opcode Fuzzy Hash: 443ba64dc7c7438efdddc2b6237944f8bdb80a0f214d26059ab9e5e1491876bd
Instruction Fuzzy Hash: 73318C31028345AFC302EB20D8958AFB7ECBE95304F414E1EF4D592291EB60DE19CB63

Function 0033DD87 Relevance: 6.1, APIs: 4, Instructions: 86processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0033DDAC
Process32FirstW.KERNEL32(00000000,?), ref: 0033DDBA
Process32NextW.KERNEL32(00000000,?), ref: 0033DDDA
CloseHandle.KERNEL32(00000000), ref: 0033DE87

Memory Dump Source

Source File: 0000000C.00000002.1724187159.00000000002D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000C.00000002.1724077128.00000000002D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.000000000036D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.0000000000393000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724304889.000000000039D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724324748.00000000003A5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2d0000_Breakdown.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: ffd53a917458f9e368822426397662aa5899b34b6984922c7cb3258b8c01f48e
Instruction ID: b32f0390274fd6f1fb4d0ce67993f55555c4f7fd4e3cd6746b861cb928fe7183
Opcode Fuzzy Hash: ffd53a917458f9e368822426397662aa5899b34b6984922c7cb3258b8c01f48e
Instruction Fuzzy Hash: 0931A271108301DFD302EF60D885AAFBBE8AF99340F14092EF581872A1EB719D45CF92

Function 002EAC3E Relevance: 37.4, APIs: 1, Strings: 20, Instructions: 671
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

P6, xrefs: 002EAD3D
(:, xrefs: 002EAD65
d10m0, xrefs: 002EACF0
i, xrefs: 002EB0A3
`*:, xrefs: 002EAFF9
(:, xrefs: 002EADD7
6, xrefs: 002EAD8A
6, xrefs: 002EAD74
(:, xrefs: 002EADC1
t6, xrefs: 002EADCC
(:, xrefs: 002EAD4D
d1r0,2, xrefs: 002EACA9
d5m0, xrefs: 002EAE75
46, xrefs: 002EAD45
@6, xrefs: 002EADED
e#:, xrefs: 002EAFA9
`6, xrefs: 002EADE2
d0b, xrefs: 002EAC96, 002EAD10, 002EAEA7
d1b, xrefs: 002EAD55, 002EAE8E
t6, xrefs: 002EAD35

Memory Dump Source

Source File: 0000000C.00000002.1724187159.00000000002D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000C.00000002.1724077128.00000000002D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.000000000036D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.0000000000393000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724304889.000000000039D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724324748.00000000003A5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2d0000_Breakdown.jbxd

Similarity

API ID:
String ID: 46$@6$P6$`*:$`6$d0b$d10m0$d1b$d1r0,2$d5m0$e#:$i$t6$t6$(:$(:$(:$(:$6$6
API String ID: 0-1831242781
Opcode ID: c3bbda8eded3ad71176bda006179752fac595273aff8f34ccab3292e130178cb
Instruction ID: 43fefdb31116756d2591622568bc5e1fcf1b09cfa4e2b6f7388d4638a8c6d5fa
Opcode Fuzzy Hash: c3bbda8eded3ad71176bda006179752fac595273aff8f34ccab3292e130178cb
Instruction Fuzzy Hash: 5A6256746193818FC726DF15D094AABBBE0FF89304F50896EE4898B351DB71E949CF82

Function 002D3624 Relevance: 21.1, APIs: 7, Strings: 5, Instructions: 53
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 002D3657
RegisterClassExW.USER32(00000030), ref: 002D3681
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 002D3692
InitCommonControlsEx.COMCTL32(?), ref: 002D36AF
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 002D36BF
LoadIconW.USER32(000000A9), ref: 002D36D5
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 002D36E4

Strings

TaskbarCreated, xrefs: 002D3687
AutoIt v3 GUI, xrefs: 002D3673
+, xrefs: 002D3640
0+m"-, xrefs: 002D366C
0, xrefs: 002D3639

Memory Dump Source

Source File: 0000000C.00000002.1724187159.00000000002D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000C.00000002.1724077128.00000000002D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.000000000036D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.0000000000393000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724304889.000000000039D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724324748.00000000003A5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2d0000_Breakdown.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$0+m"-$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-465318753
Opcode ID: 5232fe029a5b6add109982d49c463c36158181b2a5f9fdbf568b4bcdcc5f8129
Instruction ID: b7fe9e30b83a6f7a9e949593cda2e716e0eef893ff5aca9d192cbaec85468459
Opcode Fuzzy Hash: 5232fe029a5b6add109982d49c463c36158181b2a5f9fdbf568b4bcdcc5f8129
Instruction Fuzzy Hash: 9821C7B5E11318AFDB02DF98EC89BDEBBB8FB09710F00811AF911A62A0D7B54554CF95

Function 002D370F Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 145
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,002D3709,?,?), ref: 002D3777
KillTimer.USER32(?,00000001,?,?,?,?,?,002D3709,?,?), ref: 002D37A3
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 002D37C6
RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,002D3709,?,?), ref: 002D37D1
CreatePopupMenu.USER32 ref: 002D37E5
PostQuitMessage.USER32(00000000), ref: 002D3806

Strings

TaskbarCreated, xrefs: 002D37CC
0$:, xrefs: 00313DA9
0$:, xrefs: 00313DF7

Memory Dump Source

Source File: 0000000C.00000002.1724187159.00000000002D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000C.00000002.1724077128.00000000002D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.000000000036D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.0000000000393000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724304889.000000000039D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724324748.00000000003A5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2d0000_Breakdown.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: 0$:$0$:$TaskbarCreated
API String ID: 129472671-446676720
Opcode ID: e75a33d66d0d4ccd95c706c8dea61247aa34ae3ca22021585fe2568847a3c5a9
Instruction ID: bdf0efe57f71a02431073096397bc7cf31acfd0f44ae17f8056820710c3c4df3
Opcode Fuzzy Hash: e75a33d66d0d4ccd95c706c8dea61247aa34ae3ca22021585fe2568847a3c5a9
Instruction Fuzzy Hash: 4741F3F5630681BAEB1AAF2CDC4DBFA7B69E706300F04412AF50185390CAF49F649663

Function 003109DB Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0031071A: CreateFileW.KERNEL32(00000000,00000000,?,00310A84,?,?,00000000,?,00310A84,00000000,0000000C), ref: 00310737

GetLastError.KERNEL32 ref: 00310AEF
__dosmaperr.LIBCMT ref: 00310AF6
GetFileType.KERNEL32(00000000), ref: 00310B02
GetLastError.KERNEL32 ref: 00310B0C
__dosmaperr.LIBCMT ref: 00310B15
CloseHandle.KERNEL32(00000000), ref: 00310B35
CloseHandle.KERNEL32(?), ref: 00310C7F
GetLastError.KERNEL32 ref: 00310CB1
__dosmaperr.LIBCMT ref: 00310CB8

Strings

H, xrefs: 00310C3D

Memory Dump Source

Source File: 0000000C.00000002.1724187159.00000000002D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000C.00000002.1724077128.00000000002D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.000000000036D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.0000000000393000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724304889.000000000039D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724324748.00000000003A5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2d0000_Breakdown.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: 8875aa646b66021b2bee12f23052db5336df65c275817e167a4627f4f6038032
Instruction ID: 001504562090f376e1952e0fd8e94ac771a2605b203aecee46159a68d4754450
Opcode Fuzzy Hash: 8875aa646b66021b2bee12f23052db5336df65c275817e167a4627f4f6038032
Instruction Fuzzy Hash: CFA11332A141488FDF1EAF68D852BEE7BA4AF0A324F144159F811EF3D1CB719892CB51

Function 002D52A7 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 002D5594: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,?,?,00314B76,?,?,00000100,00000000,00000000,CMDLINE,?,?,00000001,00000000), ref: 002D55B2

Part of subcall function 002D5238: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 002D525A

RegOpenKeyExW.KERNEL32(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 002D53C4
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 00314BFD
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 00314C3E
RegCloseKey.ADVAPI32(?), ref: 00314C80
_wcslen.LIBCMT ref: 00314CE7
_wcslen.LIBCMT ref: 00314CF6

Strings

Include, xrefs: 00314BF4, 00314C35
\, xrefs: 00314CFC
Software\AutoIt v3\AutoIt, xrefs: 002D53BA
\Include\, xrefs: 002D5381

Memory Dump Source

Source File: 0000000C.00000002.1724187159.00000000002D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000C.00000002.1724077128.00000000002D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.000000000036D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.0000000000393000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724304889.000000000039D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724324748.00000000003A5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2d0000_Breakdown.jbxd

Similarity

API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 98802146-2727554177
Opcode ID: 29325e99c4e03fdb64afcae649c506f9b12c83b7c2cdf1f4292de7f4d18f3296
Instruction ID: 078d04cc25f5f562d1e1ce4013b0d83dc50c538cd941528d5c46bb8cb4c824ec
Opcode Fuzzy Hash: 29325e99c4e03fdb64afcae649c506f9b12c83b7c2cdf1f4292de7f4d18f3296
Instruction Fuzzy Hash: 8D71AD75519305AEC706EF65EC859ABBBECFF49340F80442EF441872A0EBB19A58CF91

Function 002D34D3 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 002D34DE
LoadCursorW.USER32(00000000,00007F00), ref: 002D34ED
LoadIconW.USER32(00000063), ref: 002D3503
LoadIconW.USER32(000000A4), ref: 002D3515
LoadIconW.USER32(000000A2), ref: 002D3527
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 002D353F
RegisterClassExW.USER32(?), ref: 002D3590

Part of subcall function 002D3624: GetSysColorBrush.USER32(0000000F), ref: 002D3657
Part of subcall function 002D3624: RegisterClassExW.USER32(00000030), ref: 002D3681
Part of subcall function 002D3624: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 002D3692
Part of subcall function 002D3624: InitCommonControlsEx.COMCTL32(?), ref: 002D36AF
Part of subcall function 002D3624: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 002D36BF
Part of subcall function 002D3624: LoadIconW.USER32(000000A9), ref: 002D36D5
Part of subcall function 002D3624: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 002D36E4

Strings

AutoIt v3, xrefs: 002D357F
0, xrefs: 002D355F
#, xrefs: 002D3566

Memory Dump Source

Source File: 0000000C.00000002.1724187159.00000000002D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000C.00000002.1724077128.00000000002D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.000000000036D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.0000000000393000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724304889.000000000039D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724324748.00000000003A5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2d0000_Breakdown.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: aa4b6eb656a2d4d95faf6ef413509708f86c4d2a06e00f7056ee41961a7f3b6a
Instruction ID: 609a03020de03dc7f3e731778a675d6e55c4bbb7fce4aa3547e237a7cce1184c
Opcode Fuzzy Hash: aa4b6eb656a2d4d95faf6ef413509708f86c4d2a06e00f7056ee41961a7f3b6a
Instruction Fuzzy Hash: FE213D78E00354AFDF129FA9EC45A9A7FFCFB0A750F00401AE604A62A0D3B949448F94

Function 00350FB8 Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 207
networkfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WSAStartup.WS2_32(00000101,?), ref: 00351019
inet_addr.WSOCK32(?), ref: 00351079
gethostbyname.WS2_32(?), ref: 00351085
IcmpCreateFile.IPHLPAPI ref: 00351093
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00351123
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00351142
IcmpCloseHandle.IPHLPAPI(?), ref: 00351216
WSACleanup.WSOCK32 ref: 0035121C

Strings

Ping, xrefs: 003510D3

Memory Dump Source

Source File: 0000000C.00000002.1724187159.00000000002D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000C.00000002.1724077128.00000000002D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.000000000036D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.0000000000393000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724304889.000000000039D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724324748.00000000003A5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2d0000_Breakdown.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: 6cf85e117bfa98ab397d8c83d60d06e7cceab31d07bccf1a46c898f19d339258
Instruction ID: 58846283278f8f9dc2932703d76b50c859a409efdaf28a8f569555fc1cebdbf1
Opcode Fuzzy Hash: 6cf85e117bfa98ab397d8c83d60d06e7cceab31d07bccf1a46c898f19d339258
Instruction Fuzzy Hash: 5191DE316046419FD722DF15C888F16BBE4AF48318F1585A9F9698B7B2C770ED89CF81

Function 002DF6D0 Relevance: 15.4, APIs: 2, Strings: 6, Instructions: 1414COMMON

Download Yara Rule

Strings

t5:, xrefs: 002DF8E0
Variable must be of type 'Object'., xrefs: 003248C6
t5:, xrefs: 0032463C
t5:t5:, xrefs: 002DF97E
t5:, xrefs: 002DFBB1
t5:, xrefs: 003245E9

Memory Dump Source

Source File: 0000000C.00000002.1724187159.00000000002D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000C.00000002.1724077128.00000000002D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.000000000036D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.0000000000393000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724304889.000000000039D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724324748.00000000003A5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2d0000_Breakdown.jbxd

Similarity

API ID:
String ID: Variable must be of type 'Object'.$t5:$t5:$t5:$t5:$t5:t5:
API String ID: 0-1912908887
Opcode ID: cf4e6427be1187044d4dc464c53cf86b7057af512f2fd0146bc42a7194d46ad3
Instruction ID: 2310b8183635a0583759f041e337b36eb402501a280090fe36a36729ebe303c1
Opcode Fuzzy Hash: cf4e6427be1187044d4dc464c53cf86b7057af512f2fd0146bc42a7194d46ad3
Instruction Fuzzy Hash: 09C29C75E10219DFCB24CF98D980AADB7F1FF09300F25816AE946AB391D371AD61CB94

Function 002E0340 Relevance: 15.2, APIs: 3, Strings: 5, Instructions: 1236COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 002E15F2

Strings

t5:, xrefs: 00325FF9
t5:, xrefs: 0032604D
t5:, xrefs: 002E06B7
t5:t5:, xrefs: 002E075B
t5:, xrefs: 002E0A6A

Memory Dump Source

Source File: 0000000C.00000002.1724187159.00000000002D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000C.00000002.1724077128.00000000002D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.000000000036D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.0000000000393000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724304889.000000000039D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724324748.00000000003A5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2d0000_Breakdown.jbxd

Similarity

API ID: Init_thread_footer
String ID: t5:$t5:$t5:$t5:$t5:t5:
API String ID: 1385522511-3774406750
Opcode ID: 1dc7f3af54d1b9b61f7e6baadb5212257d3e3c12cb44cf073ac7e356e1a761e0
Instruction ID: 70672b9adaec9b7a7e3d6e27edaaafcd6b64824b201dbb02a78a3f63c5e7bea2
Opcode Fuzzy Hash: 1dc7f3af54d1b9b61f7e6baadb5212257d3e3c12cb44cf073ac7e356e1a761e0
Instruction Fuzzy Hash: E1B27D74A58381CFCB25CF16C480A2AB7E1BF95300F94496DE9898B351D7B1EDA2CF52

Function 002D2793 Relevance: 14.2, APIs: 3, Strings: 5, Instructions: 153
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 002D327E: MapVirtualKeyW.USER32(0000005B,00000000), ref: 002D32AF
Part of subcall function 002D327E: MapVirtualKeyW.USER32(00000010,00000000), ref: 002D32B7
Part of subcall function 002D327E: MapVirtualKeyW.USER32(000000A0,00000000), ref: 002D32C2
Part of subcall function 002D327E: MapVirtualKeyW.USER32(000000A1,00000000), ref: 002D32CD
Part of subcall function 002D327E: MapVirtualKeyW.USER32(00000011,00000000), ref: 002D32D5
Part of subcall function 002D327E: MapVirtualKeyW.USER32(00000012,00000000), ref: 002D32DD

Part of subcall function 002D3205: RegisterWindowMessageW.USER32(00000004,?,002D2964), ref: 002D325D

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 002D2A0A
OleInitialize.OLE32 ref: 002D2A28
CloseHandle.KERNEL32(00000000,00000000), ref: 00313A0D

Strings

d(:, xrefs: 002D2964
4':, xrefs: 002D2948
$:, xrefs: 002D280A
(&:, xrefs: 002D2932
0$:, xrefs: 002D2A2E

Memory Dump Source

Source File: 0000000C.00000002.1724187159.00000000002D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000C.00000002.1724077128.00000000002D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.000000000036D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.0000000000393000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724304889.000000000039D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724324748.00000000003A5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2d0000_Breakdown.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID: (&:$0$:$4':$d(:$$:
API String ID: 1986988660-2141184192
Opcode ID: 5bb3f5c66d3c3d17e44b14b19c864775e6f5924f482605545f65d7d7a49646f8
Instruction ID: 7073d02a4e738619c145f652942624e4cf5a6539d666b42120738fc3dceec700
Opcode Fuzzy Hash: 5bb3f5c66d3c3d17e44b14b19c864775e6f5924f482605545f65d7d7a49646f8
Instruction Fuzzy Hash: 6F719BB4D112008EC78BEF6EAD69617BAECFB5B300B51812AE808C7771EB7449458F54

Function 003090C5 Relevance: 13.8, APIs: 9, Instructions: 300
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000C.00000002.1724187159.00000000002D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000C.00000002.1724077128.00000000002D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.000000000036D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.0000000000393000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724304889.000000000039D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724324748.00000000003A5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2d0000_Breakdown.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b333f942a7567162ad9d3c335d5a6982832f6bcdbffadeceb86ea12fcef902b
Instruction ID: c33021bb9b3e2189f509c3e4a769db6e2526388980ab6388aa91516a3eb2ee92
Opcode Fuzzy Hash: 1b333f942a7567162ad9d3c335d5a6982832f6bcdbffadeceb86ea12fcef902b
Instruction Fuzzy Hash: 59C1F374A052499FDF13DFA9D861BADBBB8AF09300F15419AE560AB3D3C7308942CF61

Function 002D35B3 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 002D35E1
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 002D3602
ShowWindow.USER32(00000000,?,?,?,?,?,?,002D3368,?), ref: 002D3616
ShowWindow.USER32(00000000,?,?,?,?,?,?,002D3368,?), ref: 002D361F

Strings

AutoIt v3, xrefs: 002D35D9, 002D35DE, 002D35DF
edit, xrefs: 002D35FC

Memory Dump Source

Source File: 0000000C.00000002.1724187159.00000000002D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000C.00000002.1724077128.00000000002D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.000000000036D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.0000000000393000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724304889.000000000039D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724324748.00000000003A5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2d0000_Breakdown.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: 1423d84ad271d3fb8b80d953a90a7cfad8a07459c936176a72fb85ac1c3223f2
Instruction ID: 44f8c38501212f4cce99d8e9f1316823fe40e9af09b62bd5a07fc4ec9d7eb5c6
Opcode Fuzzy Hash: 1423d84ad271d3fb8b80d953a90a7cfad8a07459c936176a72fb85ac1c3223f2
Instruction Fuzzy Hash: EAF0DA79A402947EEB335B1BAC08E772FBDD7CBF50F00401EB904A71A0D6A91851DAB0

Function 002D61A9 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 122
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 00315287

Part of subcall function 002D8577: _wcslen.LIBCMT ref: 002D858A

Shell_NotifyIconW.SHELL32(00000001,?), ref: 002D6299

Strings

AutoIt - , xrefs: 002D620D
Line %d: , xrefs: 00315305

Memory Dump Source

Source File: 0000000C.00000002.1724187159.00000000002D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000C.00000002.1724077128.00000000002D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.000000000036D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.0000000000393000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724304889.000000000039D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724324748.00000000003A5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2d0000_Breakdown.jbxd

Similarity

API ID: IconLoadNotifyShell_String_wcslen
String ID: Line %d: $AutoIt -
API String ID: 2289894680-4094128768
Opcode ID: 1aa4301526625eacc6edae874a56ee808c19cc17808dbaba84afcc4a41e08482
Instruction ID: eccbb5c64c627826afc356a9cdd620ca03faaa4d835bbe006bbf1e4ea13bec4e
Opcode Fuzzy Hash: 1aa4301526625eacc6edae874a56ee808c19cc17808dbaba84afcc4a41e08482
Instruction Fuzzy Hash: 8E41E571418304AEC712EB20DC49AEF77DCAF59320F00492FF99592291EF749A59CB92

Function 00308A2E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 61COMMONLIBRARYCODE

Download Yara Rule

APIs

CloseHandle.KERNEL32(00000000,00000000,?,OV1,0030894C,?,00399CE8,0000000C,003089AB,?,OV1,?,0031564F), ref: 00308A84
GetLastError.KERNEL32 ref: 00308A8E
__dosmaperr.LIBCMT ref: 00308AB9

Strings

OV1, xrefs: 00308A30

Memory Dump Source

Source File: 0000000C.00000002.1724187159.00000000002D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000C.00000002.1724077128.00000000002D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.000000000036D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.0000000000393000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724304889.000000000039D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724324748.00000000003A5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2d0000_Breakdown.jbxd

Similarity

API ID: CloseErrorHandleLast__dosmaperr
String ID: OV1
API String ID: 2583163307-968419591
Opcode ID: 72e97b1d13879bf3668958cd4d4aee6bde972c9ba107980462c968d5843b969b
Instruction ID: d35963d5652b45dd0b092a436d7926a635bda7683184c586bfc19158f468e54c
Opcode Fuzzy Hash: 72e97b1d13879bf3668958cd4d4aee6bde972c9ba107980462c968d5843b969b
Instruction Fuzzy Hash: 6C018932B071A01AC7276334AC66B3F674D8B92B34F3B021AF8548F9C2DF708C805994

Function 002D58CB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNEL32(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,002D58BE,SwapMouseButtons,00000004,?), ref: 002D58EF
RegQueryValueExW.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,002D58BE,SwapMouseButtons,00000004,?), ref: 002D5910
RegCloseKey.KERNEL32(00000000,?,?,?,80000001,80000001,?,002D58BE,SwapMouseButtons,00000004,?), ref: 002D5932

Strings

Control Panel\Mouse, xrefs: 002D58ED

Memory Dump Source

Source File: 0000000C.00000002.1724187159.00000000002D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000C.00000002.1724077128.00000000002D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.000000000036D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.0000000000393000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724304889.000000000039D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724324748.00000000003A5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2d0000_Breakdown.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: 8d65532506834a6831bc7f5fae659d71a38a3bbefefb1366a0e793195790fc8a
Instruction ID: 262a02dc4042ce983dbf63b2a559fdd9c8cd0e3b21be59b1a877ac531d54b3fd
Opcode Fuzzy Hash: 8d65532506834a6831bc7f5fae659d71a38a3bbefefb1366a0e793195790fc8a
Instruction Fuzzy Hash: DF117075621628FFDB218F64CC40DEE7BBCEF00750F10841AF801D7210D2B19E5197A4

Function 002E2B20 Relevance: 5.8, APIs: 1, Strings: 2, Instructions: 531COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 002E3006

Strings

CALL, xrefs: 002E2FD6
bn3, xrefs: 002E2B36, 002E2E8D

Memory Dump Source

Source File: 0000000C.00000002.1724187159.00000000002D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000C.00000002.1724077128.00000000002D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.000000000036D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.0000000000393000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724304889.000000000039D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724324748.00000000003A5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2d0000_Breakdown.jbxd

Similarity

API ID: Init_thread_footer
String ID: CALL$bn3
API String ID: 1385522511-3849853933
Opcode ID: 564efb00b1239fb8a4de959f6ff5603c5af6d209f6824702a8ee4f8224fe5708
Instruction ID: 494970656a9478a3c8091e29b223871c5fc222551aa64a908b33237a3d4c0c71
Opcode Fuzzy Hash: 564efb00b1239fb8a4de959f6ff5603c5af6d209f6824702a8ee4f8224fe5708
Instruction Fuzzy Hash: 7D22BC70618281DFC715CF25C884B2ABBF5BF84304F64895DF58A8B3A2D771E965CB82

Function 002D3A95 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 64COMMON

Download Yara Rule

APIs

GetOpenFileNameW.COMDLG32(?), ref: 0031413B

Part of subcall function 002D5851: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,002D55D1,?,?,00314B76,?,?,00000100,00000000,00000000,CMDLINE), ref: 002D5871

Part of subcall function 002D3A57: GetLongPathNameW.KERNEL32(?,?,00007FFF), ref: 002D3A76

Strings

`u9, xrefs: 00314134
X, xrefs: 00314109

Memory Dump Source

Source File: 0000000C.00000002.1724187159.00000000002D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000C.00000002.1724077128.00000000002D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.000000000036D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.0000000000393000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724304889.000000000039D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724324748.00000000003A5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2d0000_Breakdown.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen
String ID: X$`u9
API String ID: 779396738-2760607205
Opcode ID: 63669574eea8ed6972196cd9a7fd0f365d59f129eda578393018f433479f2276
Instruction ID: 0641d1226ed31e3aa0b1b4e1d7e4155f226433f4c0c2f9ea3279038619de90a5
Opcode Fuzzy Hash: 63669574eea8ed6972196cd9a7fd0f365d59f129eda578393018f433479f2276
Instruction Fuzzy Hash: 68218471A102589BCF56DF94CC057EE7BFC9F49304F00805AE545A7381DBF49A998F61

Function 002F014B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 002F09D8

Part of subcall function 002F3614: RaiseException.KERNEL32(?,?,?,002F09FA,?,00000000,?,?,?,?,?,?,002F09FA,00000000,00399758,00000000), ref: 002F3674

__CxxThrowException@8.LIBVCRUNTIME ref: 002F09F5

Strings

Unknown exception, xrefs: 002F0A02

Memory Dump Source

Source File: 0000000C.00000002.1724187159.00000000002D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000C.00000002.1724077128.00000000002D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.000000000036D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.0000000000393000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724304889.000000000039D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724324748.00000000003A5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2d0000_Breakdown.jbxd

Similarity

API ID: Exception@8Throw$ExceptionRaise
String ID: Unknown exception
API String ID: 3476068407-410509341
Opcode ID: c66baa8258badb8a9e0df15123f60629850303b08b197797e554c56bc2e5c386
Instruction ID: 36e96f42c3abc03a5ecad8985f0454f3970f79f6204daa7a739b5bda426c84e4
Opcode Fuzzy Hash: c66baa8258badb8a9e0df15123f60629850303b08b197797e554c56bc2e5c386
Instruction Fuzzy Hash: A1F0A43492020DB69F11BAA8DC869BEF76C5E00BD0B504135BB1896593FBB0EA35C990

Function 003589B6 Relevance: 4.9, APIs: 3, Instructions: 430COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000000,00000067,000000FF,?,?,?), ref: 00358D52
TerminateProcess.KERNEL32(00000000), ref: 00358D59
FreeLibrary.KERNEL32(?,?,?,?), ref: 00358F3A

Memory Dump Source

Source File: 0000000C.00000002.1724187159.00000000002D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000C.00000002.1724077128.00000000002D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.000000000036D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.0000000000393000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724304889.000000000039D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724324748.00000000003A5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2d0000_Breakdown.jbxd

Similarity

API ID: Process$CurrentFreeLibraryTerminate
String ID:
API String ID: 146820519-0
Opcode ID: 3c26d97cde99655d859d5eca2cb25c0505c9d803c15f51f29a38ebdbfd53a01f
Instruction ID: 470594c68fcc682a1d8468c203d1ae58d9bb75194b1dc81e8b2d9b53a961bdb6
Opcode Fuzzy Hash: 3c26d97cde99655d859d5eca2cb25c0505c9d803c15f51f29a38ebdbfd53a01f
Instruction Fuzzy Hash: 56126B71A083409FC715DF28C484B2ABBE5BF88315F15895DE8899B362DB30ED49CF92

Function 002EFCAD Relevance: 4.6, APIs: 3, Instructions: 75timewindowCOMMON

Download Yara Rule

APIs

Part of subcall function 002D61A9: Shell_NotifyIconW.SHELL32(00000001,?), ref: 002D6299

KillTimer.USER32(?,00000001,?,?), ref: 002EFD36
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 002EFD45
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 0032FE33

Memory Dump Source

Source File: 0000000C.00000002.1724187159.00000000002D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000C.00000002.1724077128.00000000002D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.000000000036D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.0000000000393000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724304889.000000000039D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724324748.00000000003A5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2d0000_Breakdown.jbxd

Similarity

API ID: IconNotifyShell_Timer$Kill
String ID:
API String ID: 3500052701-0
Opcode ID: 1efcf871c4a2bd562e265724eb91f722a1361b2217cac24e8cdc1ee6236ef13b
Instruction ID: 841a110366a5dbe2ab28a7515eb278d5b666e15b6808bd60aeb89b4687980d63
Opcode Fuzzy Hash: 1efcf871c4a2bd562e265724eb91f722a1361b2217cac24e8cdc1ee6236ef13b
Instruction Fuzzy Hash: 4731C171904354AFEB73CF24D895BE7BBFCAB02708F0044AEE69A97242C7745A85CB51

Function 0030970B Relevance: 4.6, APIs: 3, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

SetFilePointerEx.KERNEL32(00000000,00000000,00000002,FF8BC369,00000000,FF8BC35D,00000000,1875FF1C,1875FF1C,?,003097BA,FF8BC369,00000000,00000002,00000000), ref: 00309744
GetLastError.KERNEL32(?,003097BA,FF8BC369,00000000,00000002,00000000,?,00305ED4,00000000,00000000,00000000,00000002,00000000,FF8BC369,00000000,002F6F41), ref: 0030974E
__dosmaperr.LIBCMT ref: 00309755

Memory Dump Source

Source File: 0000000C.00000002.1724187159.00000000002D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000C.00000002.1724077128.00000000002D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.000000000036D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.0000000000393000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724304889.000000000039D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724324748.00000000003A5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2d0000_Breakdown.jbxd

Similarity

API ID: ErrorFileLastPointer__dosmaperr
String ID:
API String ID: 2336955059-0
Opcode ID: 4a06fe095223a77866ea78926e81ff9c41ff0509168817a1439f5440a78653c4
Instruction ID: b281a0ca3fd7d86c00516bab9f7a2401e4f646e1c31e003445cb718e94ee9b07
Opcode Fuzzy Hash: 4a06fe095223a77866ea78926e81ff9c41ff0509168817a1439f5440a78653c4
Instruction Fuzzy Hash: 46016833630118ABCB169F99DC0596E7B2DDB85B30F24021AF8108B1D1EA709D018B90

Function 002E1990 Relevance: 3.6, APIs: 2, Instructions: 643COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1724187159.00000000002D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000C.00000002.1724077128.00000000002D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.000000000036D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.0000000000393000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724304889.000000000039D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724324748.00000000003A5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2d0000_Breakdown.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b71e28c5e3e66355b77410bf67febf0826769e3f24f3a3a5e251f08dfb717c13
Instruction ID: 32d12ce60205327c93bc8f13f8c46d17d03cf454c4c359deba099f8d66964e8e
Opcode Fuzzy Hash: b71e28c5e3e66355b77410bf67febf0826769e3f24f3a3a5e251f08dfb717c13
Instruction Fuzzy Hash: 1032FF30A10259DFCF21DF55D892ABEB3B4FF04314F148569E81AAB2A2E731ED60CB51

Function 002D396B Relevance: 3.1, APIs: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000000,?), ref: 002D3A3C

Memory Dump Source

Source File: 0000000C.00000002.1724187159.00000000002D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000C.00000002.1724077128.00000000002D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.000000000036D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.0000000000393000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724304889.000000000039D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724324748.00000000003A5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2d0000_Breakdown.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: 4b17027537dbbf222b85d32f106f6cb591865e829ffa63bf03fba6246d36c764
Instruction ID: b5c243ef65468c69ea956248d999d0526710f5649674421ba5bf333090c9cdcf
Opcode Fuzzy Hash: 4b17027537dbbf222b85d32f106f6cb591865e829ffa63bf03fba6246d36c764
Instruction Fuzzy Hash: F9318F706143019FD722DF25D884797BBE8FB4A318F00092EEAD987381E7B5AD58CB52

Function 002D331B Relevance: 3.0, APIs: 2, Instructions: 30COMMON

Download Yara Rule

APIs

IsThemeActive.UXTHEME ref: 002D333D

Part of subcall function 002D32E6: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 002D32FB
Part of subcall function 002D32E6: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 002D3312

Part of subcall function 002D338B: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,?,?,002D3368,?), ref: 002D33BB
Part of subcall function 002D338B: IsDebuggerPresent.KERNEL32(?,?,?,?,?,?,002D3368,?), ref: 002D33CE
Part of subcall function 002D338B: GetFullPathNameW.KERNEL32(00007FFF,?,?,003A2418,003A2400,?,?,?,?,?,?,002D3368,?), ref: 002D343A
Part of subcall function 002D338B: SetCurrentDirectoryW.KERNEL32(?,00000001,003A2418,?,?,?,?,?,?,?,002D3368,?), ref: 002D34BB

SystemParametersInfoW.USER32(00002001,00000000,00000002,?), ref: 002D3377

Memory Dump Source

Source File: 0000000C.00000002.1724187159.00000000002D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000C.00000002.1724077128.00000000002D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.000000000036D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.0000000000393000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724304889.000000000039D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724324748.00000000003A5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2d0000_Breakdown.jbxd

Similarity

API ID: InfoParametersSystem$CurrentDirectory$ActiveDebuggerFullNamePathPresentTheme
String ID:
API String ID: 1550534281-0
Opcode ID: 7b54a8727c532f3fac12cd3860b3cafcd50fc9f606327f1e4690a98f73c0c2b4
Instruction ID: 691fb7946e6110f6c9092ccb8ba773a3529a6b0d55d16ebd5b3557a090f1d142
Opcode Fuzzy Hash: 7b54a8727c532f3fac12cd3860b3cafcd50fc9f606327f1e4690a98f73c0c2b4
Instruction Fuzzy Hash: FBF089359647449FDB03AF78ED0FB267798A707749F004816F605461E2CBF985608F41

Function 002EFFE0 Relevance: 2.6, APIs: 2, Instructions: 94sleepCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32 ref: 002F007D
Sleep.KERNEL32 ref: 002F008F

Memory Dump Source

Source File: 0000000C.00000002.1724187159.00000000002D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000C.00000002.1724077128.00000000002D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.000000000036D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.0000000000393000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724304889.000000000039D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724324748.00000000003A5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2d0000_Breakdown.jbxd

Similarity

API ID: CloseHandleSleep
String ID:
API String ID: 252777609-0
Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction ID: 40e0332478b43473e10d23fac28d26db6bd3eab5188db4b894e96b44c6a5a49b
Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction Fuzzy Hash: FC31C570A1010ADBD718CF58D4D0A79F7A5FB59380B2486A9E509CB252DB72EDE1CBC0

Function 002DCAB0 Relevance: 2.1, APIs: 1, Instructions: 587COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 002DCEEE

Memory Dump Source

Source File: 0000000C.00000002.1724187159.00000000002D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000C.00000002.1724077128.00000000002D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.000000000036D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.0000000000393000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724304889.000000000039D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724324748.00000000003A5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2d0000_Breakdown.jbxd

Similarity

API ID: Init_thread_footer
String ID:
API String ID: 1385522511-0
Opcode ID: f642750def9ab5a9a09ae78f94ab93180fdf0190df2d4a463c06c25a27ebf298
Instruction ID: 0d61ff54499aa6054618329d006bdcdc42e2686fb95dcd0929bb2c8c58917d81
Opcode Fuzzy Hash: f642750def9ab5a9a09ae78f94ab93180fdf0190df2d4a463c06c25a27ebf298
Instruction Fuzzy Hash: 5A32E174A142169FCF21CF58C984ABEB7BAFF45314F25806AE906AB391C770ED51CB90

Function 00357AF9 Relevance: 1.8, APIs: 1, Instructions: 326COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1724187159.00000000002D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000C.00000002.1724077128.00000000002D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.000000000036D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.0000000000393000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724304889.000000000039D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724324748.00000000003A5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2d0000_Breakdown.jbxd

Similarity

API ID: LoadString
String ID:
API String ID: 2948472770-0
Opcode ID: 9d2ef8b69b58c18037be69961a4a8868d1098cfc1e1967d69c626864ca508c59
Instruction ID: b7d2e0918417a531b43547aa3b32512a676a4bf281bc2d6361623f2533795cf1
Opcode Fuzzy Hash: 9d2ef8b69b58c18037be69961a4a8868d1098cfc1e1967d69c626864ca508c59
Instruction Fuzzy Hash: 3ED16974A04209EFCB15EF98D881DADBBB5FF48310F15405AE915AB3A1DB30AE95CF90

Function 002FF106 Relevance: 1.7, APIs: 1, Instructions: 151COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1724187159.00000000002D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000C.00000002.1724077128.00000000002D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.000000000036D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.0000000000393000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724304889.000000000039D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724324748.00000000003A5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2d0000_Breakdown.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 69bc52557e8a96ef7df7f392df56912d39ad080a412852cb2424c54b76dec784
Instruction ID: f05ca0cb57fd703702fc9f0e82bf779ababbe1d2190de7b366886dec1c84e5e1
Opcode Fuzzy Hash: 69bc52557e8a96ef7df7f392df56912d39ad080a412852cb2424c54b76dec784
Instruction Fuzzy Hash: AD514935A2010CAFDB50DF68C950BBABBA5EF853A0F198178ED089B391D771ED52CB50

Function 0033FCB5 Relevance: 1.6, APIs: 1, Instructions: 136COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 0033FCCE

Memory Dump Source

Source File: 0000000C.00000002.1724187159.00000000002D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000C.00000002.1724077128.00000000002D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.000000000036D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.0000000000393000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724304889.000000000039D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724324748.00000000003A5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2d0000_Breakdown.jbxd

Similarity

API ID: BuffCharLower
String ID:
API String ID: 2358735015-0
Opcode ID: 13531168df0dfc7384a23cf215dcdf597e7dca1e3fb98aa07fcc04ae8ee273e0
Instruction ID: e5a155fdab291824bf170a3cdc897f804ea18b785539ae7de2834e7e0211fab5
Opcode Fuzzy Hash: 13531168df0dfc7384a23cf215dcdf597e7dca1e3fb98aa07fcc04ae8ee273e0
Instruction Fuzzy Hash: 3541C4B6900209AFCB12EF68C8C49AEB7B8EF44314F61853EE516DB255EB70DE45CB50

Function 002D6679 Relevance: 1.6, APIs: 1, Instructions: 65libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 002D663E: LoadLibraryA.KERNEL32(kernel32.dll,?,?,002D668B,?,?,002D62FA,?,00000001,?,?,00000000), ref: 002D664A
Part of subcall function 002D663E: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 002D665C
Part of subcall function 002D663E: FreeLibrary.KERNEL32(00000000,?,?,002D668B,?,?,002D62FA,?,00000001,?,?,00000000), ref: 002D666E

LoadLibraryExW.KERNEL32(?,00000000,00000002,?,?,002D62FA,?,00000001,?,?,00000000), ref: 002D66AB

Part of subcall function 002D6607: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00315657,?,?,002D62FA,?,00000001,?,?,00000000), ref: 002D6610
Part of subcall function 002D6607: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 002D6622
Part of subcall function 002D6607: FreeLibrary.KERNEL32(00000000,?,?,00315657,?,?,002D62FA,?,00000001,?,?,00000000), ref: 002D6635

Memory Dump Source

Source File: 0000000C.00000002.1724187159.00000000002D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000C.00000002.1724077128.00000000002D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.000000000036D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.0000000000393000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724304889.000000000039D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724324748.00000000003A5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2d0000_Breakdown.jbxd

Similarity

API ID: Library$Load$AddressFreeProc
String ID:
API String ID: 2632591731-0
Opcode ID: 483f392d87ce46d9b3048218922f3bb13ecdf357a45b6e98d98b3f6239328d6c
Instruction ID: a06eea155624c58d5a1c8de8a2e29eef5f66686c86888d73e352c0a740e6fdb2
Opcode Fuzzy Hash: 483f392d87ce46d9b3048218922f3bb13ecdf357a45b6e98d98b3f6239328d6c
Instruction Fuzzy Hash: D1112B31620205AACF15AF60C80ABAD77A99F40700F10842FF442A62C2DEB5DE24DF90

Function 00308782 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

__wsopen_s.LIBCMT ref: 003087C0

Memory Dump Source

Source File: 0000000C.00000002.1724187159.00000000002D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000C.00000002.1724077128.00000000002D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.000000000036D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.0000000000393000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724304889.000000000039D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724324748.00000000003A5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2d0000_Breakdown.jbxd

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: 694788d818769c5189fa2ad521b8296327c54dcae41f576c320060d244378837
Instruction ID: 880ce9c601103d617482c7948b8cb05245083fdd6976ce5b49ccd6d80212f1ee
Opcode Fuzzy Hash: 694788d818769c5189fa2ad521b8296327c54dcae41f576c320060d244378837
Instruction Fuzzy Hash: 2F112A7690420AAFCF06DF58E9459DE7BF8EF49310F114069F809AB351DA31EA11CB65

Function 002FE972 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1724187159.00000000002D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000C.00000002.1724077128.00000000002D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.000000000036D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.0000000000393000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724304889.000000000039D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724324748.00000000003A5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2d0000_Breakdown.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb1dcaca3f7520121673565f353bd58828d6484f0fca4c940b7c4def7923b9e8
Instruction ID: ffffb9ae88983f0073b7203fa489001eafd8aff2eb67c639381479b554d1cffb
Opcode Fuzzy Hash: eb1dcaca3f7520121673565f353bd58828d6484f0fca4c940b7c4def7923b9e8
Instruction Fuzzy Hash: 51F0F93252162856DA333E2A9C15B7EB2588F423B0F110736F661971E1DFB0E81186F2

Function 002DB329 Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 002DB333

Memory Dump Source

Source File: 0000000C.00000002.1724187159.00000000002D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000C.00000002.1724077128.00000000002D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.000000000036D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.0000000000393000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724304889.000000000039D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724324748.00000000003A5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2d0000_Breakdown.jbxd

Similarity

API ID: _wcslen
String ID:
API String ID: 176396367-0
Opcode ID: c53acead108652b6966d74250c151279fcd93de51f0d84c53e9efb8c259c5007
Instruction ID: 00b99f9305f6de9c0c279bfa7b94f6c3e22e05e071767920d44451f685bb32eb
Opcode Fuzzy Hash: c53acead108652b6966d74250c151279fcd93de51f0d84c53e9efb8c259c5007
Instruction Fuzzy Hash: 1FF0A972511605AED7159F28D806B67FB54EB443A0F50813AF71DCB2D1DB71E5208AA0

Function 00303B93 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,?,?,002F6A79,?,0000015D,?,?,?,?,002F85B0,000000FF,00000000,?,?), ref: 00303BC5

Memory Dump Source

Source File: 0000000C.00000002.1724187159.00000000002D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000C.00000002.1724077128.00000000002D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.000000000036D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.0000000000393000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724304889.000000000039D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724324748.00000000003A5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2d0000_Breakdown.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 367311fed00670cb1607734766c5498c4c374edb1f4f25c00d8ed5a06f40e853
Instruction ID: fec254d8aff63e4c44f811dc2f37ee266e4adb15c6d1907ce0e54ad990983603
Opcode Fuzzy Hash: 367311fed00670cb1607734766c5498c4c374edb1f4f25c00d8ed5a06f40e853
Instruction Fuzzy Hash: 0EE02B3131262466EA23377A9C11B7B7A4C9F023E4F160170FD05D64D0EFB0CD0085E0

Function 002D66E7 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1724187159.00000000002D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000C.00000002.1724077128.00000000002D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.000000000036D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.0000000000393000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724304889.000000000039D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724324748.00000000003A5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2d0000_Breakdown.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f09a4b72ce50350d4c5eb4d4af8bd3c5c643f4af74cca9fd966a31154df474d1
Instruction ID: 695b5c03332893d2e8b987bcc1cc7174a5a7b9d4ab090622ddb8c60772bbed68
Opcode Fuzzy Hash: f09a4b72ce50350d4c5eb4d4af8bd3c5c643f4af74cca9fd966a31154df474d1
Instruction Fuzzy Hash: 8FF0F271525702CFDB399F6498A4866BBE4AE14329325893EE2D686620C7B19C90DF60

Function 00326AD5 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 00326AE0

Memory Dump Source

Source File: 0000000C.00000002.1724187159.00000000002D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000C.00000002.1724077128.00000000002D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.000000000036D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.0000000000393000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724304889.000000000039D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724324748.00000000003A5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2d0000_Breakdown.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: 4aea11e4d39693b4e01d1f7e6e71de972b28374368e64e28869e087c120c6442
Instruction ID: 61b93ebed42ff67bff882cff267b30d3fc7c109313ce53e0b0c1524678e0c0d2
Opcode Fuzzy Hash: 4aea11e4d39693b4e01d1f7e6e71de972b28374368e64e28869e087c120c6442
Instruction Fuzzy Hash: 3AF0E5B1714249AAE7318BA6B80A7B5F7ECBF00314F10492AD4D982182CBF244B49B51

Function 002D684A Relevance: 1.5, APIs: 1, Instructions: 26COMMON

Download Yara Rule

APIs

__fread_nolock.LIBCMT ref: 002D6868

Memory Dump Source

Source File: 0000000C.00000002.1724187159.00000000002D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000C.00000002.1724077128.00000000002D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.000000000036D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.0000000000393000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724304889.000000000039D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724324748.00000000003A5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2d0000_Breakdown.jbxd

Similarity

API ID: __fread_nolock
String ID:
API String ID: 2638373210-0
Opcode ID: dbc72fcbbe417d099125a5b7f0b477dbc50683e17be9c436dba593077d17b43b
Instruction ID: 02c3f04553102894601f8cba586883a8d3e4134562235cb306b2015a6d5ca554
Opcode Fuzzy Hash: dbc72fcbbe417d099125a5b7f0b477dbc50683e17be9c436dba593077d17b43b
Instruction Fuzzy Hash: 9BF0F87551020DFFDF05DF90C941EAEBB79FB08318F208445F9159A251C376EA61ABA1

Function 002D3907 Relevance: 1.5, APIs: 1, Instructions: 24windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000002,?), ref: 002D3963

Memory Dump Source

Source File: 0000000C.00000002.1724187159.00000000002D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000C.00000002.1724077128.00000000002D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.000000000036D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.0000000000393000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724304889.000000000039D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724324748.00000000003A5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2d0000_Breakdown.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: 302d6fb8ab9344fe19fd5af3d2215f947d71f0c128e7263399e6d5c503b3c98d
Instruction ID: 0633f6f804dc4e627133a1fc23dd9bc0685480d7174c79274c7aa9c7248bbf75
Opcode Fuzzy Hash: 302d6fb8ab9344fe19fd5af3d2215f947d71f0c128e7263399e6d5c503b3c98d
Instruction Fuzzy Hash: 71F037719143589FEB53DF28DC457D77BBCA702708F0000A5A64496285DBB45B98CF51

Function 002D3A57 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNEL32(?,?,00007FFF), ref: 002D3A76

Part of subcall function 002D8577: _wcslen.LIBCMT ref: 002D858A

Memory Dump Source

Source File: 0000000C.00000002.1724187159.00000000002D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000C.00000002.1724077128.00000000002D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.000000000036D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.0000000000393000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724304889.000000000039D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724324748.00000000003A5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2d0000_Breakdown.jbxd

Similarity

API ID: LongNamePath_wcslen
String ID:
API String ID: 541455249-0
Opcode ID: 416237f5aca2d52e78b6650a76db59106a6865958b4cbccfa4e0e5b013fd728d
Instruction ID: 4c1d1b51c7eb4d1b67cd5b5c0b56826eb2089638e41793de29b15f0feb8f2b8f
Opcode Fuzzy Hash: 416237f5aca2d52e78b6650a76db59106a6865958b4cbccfa4e0e5b013fd728d
Instruction Fuzzy Hash: 54E0CD72A0012457C7219258AC05FDE77DDDFC8790F054071FC05D7254D9B4DDC08690

Function 0031071A Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,00000000,?,00310A84,?,?,00000000,?,00310A84,00000000,0000000C), ref: 00310737

Memory Dump Source

Source File: 0000000C.00000002.1724187159.00000000002D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000C.00000002.1724077128.00000000002D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.000000000036D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.0000000000393000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724304889.000000000039D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724324748.00000000003A5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2d0000_Breakdown.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 61244a992cd8f05ddfe00d28425a3c2cf44ad9cac7f11039a207780a5c0fec78
Instruction ID: 752b8f3b30ed61f06531acb909488c8d639cc24e52bb52b5793b6f8f2ff422b1
Opcode Fuzzy Hash: 61244a992cd8f05ddfe00d28425a3c2cf44ad9cac7f11039a207780a5c0fec78
Instruction Fuzzy Hash: 43D06C3210010DBBDF028F84DD06EDA3BAAFB4C714F018000FE1856020C772E821AB90

Function 0033EAB0 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,0033D840), ref: 0033EAB1

Memory Dump Source

Source File: 0000000C.00000002.1724187159.00000000002D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000C.00000002.1724077128.00000000002D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.000000000036D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.0000000000393000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724304889.000000000039D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724324748.00000000003A5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2d0000_Breakdown.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: c24802ef37dbbe6f407ef8b31801083138bfab769a926a91f79a2d06715a8dc9
Instruction ID: bebc6b52d09641503d2e13ef9888fd7ec635220a467919d922a10d48a8b6cba7
Opcode Fuzzy Hash: c24802ef37dbbe6f407ef8b31801083138bfab769a926a91f79a2d06715a8dc9
Instruction Fuzzy Hash: A7B0922440061005AD2A0E3C6AD9999330478423A5FDE1FC0E479C50E1C379A80FA950

Function 0034664C Relevance: 1.3, APIs: 1, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 0033DC54: FindFirstFileW.KERNEL32(?,?), ref: 0033DCCB
Part of subcall function 0033DC54: DeleteFileW.KERNEL32(?,?,?,?), ref: 0033DD1B
Part of subcall function 0033DC54: FindNextFileW.KERNELBASE(00000000,00000010), ref: 0033DD2C
Part of subcall function 0033DC54: FindClose.KERNEL32(00000000), ref: 0033DD43

GetLastError.KERNEL32 ref: 0034666E

Memory Dump Source

Source File: 0000000C.00000002.1724187159.00000000002D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000C.00000002.1724077128.00000000002D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.000000000036D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.0000000000393000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724304889.000000000039D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724324748.00000000003A5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2d0000_Breakdown.jbxd

Similarity

API ID: FileFind$CloseDeleteErrorFirstLastNext
String ID:
API String ID: 2191629493-0
Opcode ID: b38c3e187f289217eba4feb4c85fe1abe66b885ec71be71925419aa1717181c9
Instruction ID: aac015f699114a4d901b30474ea6b7c33368274ae6b5954fecd75c0a94129837
Opcode Fuzzy Hash: b38c3e187f289217eba4feb4c85fe1abe66b885ec71be71925419aa1717181c9
Instruction Fuzzy Hash: BFF08C366102008FCB11EF59D845B6EB7E9AF88320F05840AF9098B352CB74BC11CF91

Non-executed Functions

Function 003314AE Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00331A45: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00331A60
Part of subcall function 00331A45: GetLastError.KERNEL32(?,00000000,00000000,?,?,003314E7,?,?,?), ref: 00331A6C
Part of subcall function 00331A45: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,003314E7,?,?,?), ref: 00331A7B
Part of subcall function 00331A45: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,003314E7,?,?,?), ref: 00331A82
Part of subcall function 00331A45: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00331A99

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00331518
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 0033154C
GetLengthSid.ADVAPI32(?), ref: 00331563
GetAce.ADVAPI32(?,00000000,?), ref: 0033159D
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 003315B9
GetLengthSid.ADVAPI32(?), ref: 003315D0
GetProcessHeap.KERNEL32(00000008,00000008), ref: 003315D8
HeapAlloc.KERNEL32(00000000), ref: 003315DF
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00331600
CopySid.ADVAPI32(00000000), ref: 00331607
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00331636
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00331658
SetUserObjectSecurity.USER32(?,00000004,?), ref: 0033166A
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00331691
HeapFree.KERNEL32(00000000), ref: 00331698
GetProcessHeap.KERNEL32(00000000,00000000), ref: 003316A1
HeapFree.KERNEL32(00000000), ref: 003316A8
GetProcessHeap.KERNEL32(00000000,00000000), ref: 003316B1
HeapFree.KERNEL32(00000000), ref: 003316B8
GetProcessHeap.KERNEL32(00000000,?), ref: 003316C4
HeapFree.KERNEL32(00000000), ref: 003316CB

Part of subcall function 00331ADF: GetProcessHeap.KERNEL32(00000008,003314FD,?,00000000,?,003314FD,?), ref: 00331AED
Part of subcall function 00331ADF: HeapAlloc.KERNEL32(00000000,?,00000000,?,003314FD,?), ref: 00331AF4
Part of subcall function 00331ADF: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,003314FD,?), ref: 00331B03

Memory Dump Source

Source File: 0000000C.00000002.1724187159.00000000002D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000C.00000002.1724077128.00000000002D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.000000000036D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.0000000000393000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724304889.000000000039D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724324748.00000000003A5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2d0000_Breakdown.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: 7202730796e4ff5ca45fd777af68989099110a72454723ed6e539cd401acef57
Instruction ID: 6ad21e091b8ba7b590b86dcbb52809993f4310e2483398a6003dbc731ea6f80e
Opcode Fuzzy Hash: 7202730796e4ff5ca45fd777af68989099110a72454723ed6e539cd401acef57
Instruction Fuzzy Hash: C6716CB2A00209ABDF12DFA5DC89FAEBBBCBF04341F098515F915E7191D7B19905CBA0

Function 0034F55C Relevance: 30.2, APIs: 20, Instructions: 191clipboardfileCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(0036DCD0), ref: 0034F586
IsClipboardFormatAvailable.USER32(0000000D), ref: 0034F594
GetClipboardData.USER32(0000000D), ref: 0034F5A0
CloseClipboard.USER32 ref: 0034F5AC
GlobalLock.KERNEL32(00000000), ref: 0034F5E4
CloseClipboard.USER32 ref: 0034F5EE
GlobalUnlock.KERNEL32(00000000), ref: 0034F619
IsClipboardFormatAvailable.USER32(00000001), ref: 0034F626
GetClipboardData.USER32(00000001), ref: 0034F62E
GlobalLock.KERNEL32(00000000), ref: 0034F63F
GlobalUnlock.KERNEL32(00000000), ref: 0034F67F
IsClipboardFormatAvailable.USER32(0000000F), ref: 0034F695
GetClipboardData.USER32(0000000F), ref: 0034F6A1
GlobalLock.KERNEL32(00000000), ref: 0034F6B2
DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 0034F6D4
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 0034F6F1
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 0034F72F
GlobalUnlock.KERNEL32(00000000), ref: 0034F750
CountClipboardFormats.USER32 ref: 0034F771
CloseClipboard.USER32 ref: 0034F7B6

Memory Dump Source

Source File: 0000000C.00000002.1724187159.00000000002D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000C.00000002.1724077128.00000000002D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.000000000036D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.0000000000393000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724304889.000000000039D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724324748.00000000003A5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2d0000_Breakdown.jbxd

Similarity

API ID: Clipboard$Global$AvailableCloseDataDragFileFormatLockQueryUnlock$CountFormatsOpen
String ID:
API String ID: 420908878-0
Opcode ID: 16db62db9b82d0a0d643f9bee7678305720fcc8ffcddee35c6bb46a4e2a6e609
Instruction ID: c155fce1b74076e805321e510d233603dec8b72a216e3c1df5e7bc6049791ef8
Opcode Fuzzy Hash: 16db62db9b82d0a0d643f9bee7678305720fcc8ffcddee35c6bb46a4e2a6e609
Instruction Fuzzy Hash: F361C3352043019FD302EF20D899F6ABBE8EF84744F19856DF8468B2A2DB75ED45CB61

Function 003473D4 Relevance: 21.4, APIs: 7, Strings: 5, Instructions: 363timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00347403
FindClose.KERNEL32(00000000), ref: 00347457
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00347493
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 003474BA

Part of subcall function 002DB329: _wcslen.LIBCMT ref: 002DB333

FileTimeToSystemTime.KERNEL32(?,?), ref: 003474F7
FileTimeToSystemTime.KERNEL32(?,?), ref: 00347524

Strings

%4d, xrefs: 003475F6
%03d, xrefs: 003477E7
%4d%02d%02d%02d%02d%02d, xrefs: 003475AF
%02d, xrefs: 00347645, 0034764F, 0034769F, 003476EF, 0034773F, 0034778F
%4d%02d%02d%02d%02d%02d%03d, xrefs: 00347577

Memory Dump Source

Source File: 0000000C.00000002.1724187159.00000000002D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000C.00000002.1724077128.00000000002D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.000000000036D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.0000000000393000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724304889.000000000039D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724324748.00000000003A5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2d0000_Breakdown.jbxd

Similarity

API ID: Time$File$FindLocalSystem$CloseFirst_wcslen
String ID: %02d$%03d$%4d$%4d%02d%02d%02d%02d%02d$%4d%02d%02d%02d%02d%02d%03d
API String ID: 3830820486-3289030164
Opcode ID: a3d0bf056436013b395ebcd755f7d0772a361f7ce0aabadfac260ecbe455b533
Instruction ID: 4d370994502ec2b4cb381ef1f7a448aaa353496da3eb00044b31b6d8047c6728
Opcode Fuzzy Hash: a3d0bf056436013b395ebcd755f7d0772a361f7ce0aabadfac260ecbe455b533
Instruction Fuzzy Hash: F0D18072518344AEC711EB64C891EBBB7ECAF88704F44491EF585C7292EB74EE44CB62

Function 0034A087 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 118fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,76F88FB0,?,00000000), ref: 0034A0A8
GetFileAttributesW.KERNEL32(?), ref: 0034A0E6
SetFileAttributesW.KERNEL32(?,?), ref: 0034A100
FindNextFileW.KERNEL32(00000000,?), ref: 0034A118
FindClose.KERNEL32(00000000), ref: 0034A123
FindFirstFileW.KERNEL32(*.*,?), ref: 0034A13F
SetCurrentDirectoryW.KERNEL32(?), ref: 0034A18F
SetCurrentDirectoryW.KERNEL32(00397B94), ref: 0034A1AD
FindNextFileW.KERNEL32(00000000,00000010), ref: 0034A1B7
FindClose.KERNEL32(00000000), ref: 0034A1C4
FindClose.KERNEL32(00000000), ref: 0034A1D4

Strings

*.*, xrefs: 0034A13A

Memory Dump Source

Source File: 0000000C.00000002.1724187159.00000000002D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000C.00000002.1724077128.00000000002D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.000000000036D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.0000000000393000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724304889.000000000039D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724324748.00000000003A5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2d0000_Breakdown.jbxd

Similarity

API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1409584000-438819550
Opcode ID: 4059387e04866a76513fc7b9fbfaf651ba312ec75faefdc88850320e6e9b16d8
Instruction ID: 6e0da5eec95203976c49989a768a96048f5bdc34230bd4cf699d0cf59a18f7b8
Opcode Fuzzy Hash: 4059387e04866a76513fc7b9fbfaf651ba312ec75faefdc88850320e6e9b16d8
Instruction Fuzzy Hash: 89312732A4061D6BDF12AFB4DC4AADE73EC9F08360F104465F914E71D0EB70EE448A21

Function 00344763 Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 101fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00344785
_wcslen.LIBCMT ref: 003447B2
CreateDirectoryW.KERNEL32(?,00000000), ref: 003447E2
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00344803
RemoveDirectoryW.KERNEL32(?), ref: 00344813
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 0034489A
CloseHandle.KERNEL32(00000000), ref: 003448A5
CloseHandle.KERNEL32(00000000), ref: 003448B0

Strings

\, xrefs: 003447BC
:, xrefs: 003447C7
\??\%s, xrefs: 003447A0

Memory Dump Source

Source File: 0000000C.00000002.1724187159.00000000002D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000C.00000002.1724077128.00000000002D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.000000000036D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.0000000000393000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724304889.000000000039D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724324748.00000000003A5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2d0000_Breakdown.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove_wcslen
String ID: :$\$\??\%s
API String ID: 1149970189-3457252023
Opcode ID: 66cf5f28c8f0941325e4834fe1583449c7fe27024d3a300c65bfc8f6c17c1fe6
Instruction ID: f0d2ad164cda1120d675aae1cace7b82bc0c2e8b0a4baaffe8d33278a1bad892
Opcode Fuzzy Hash: 66cf5f28c8f0941325e4834fe1583449c7fe27024d3a300c65bfc8f6c17c1fe6
Instruction Fuzzy Hash: 6E31C775A00249ABDB229FA0DC49FEF37BCEF89740F1040B6F619D6160E7B096548B24

Function 0034A1E2 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 111fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,76F88FB0,?,00000000), ref: 0034A203
FindNextFileW.KERNEL32(00000000,?), ref: 0034A25E
FindClose.KERNEL32(00000000), ref: 0034A269
FindFirstFileW.KERNEL32(*.*,?), ref: 0034A285
SetCurrentDirectoryW.KERNEL32(?), ref: 0034A2D5
SetCurrentDirectoryW.KERNEL32(00397B94), ref: 0034A2F3
FindNextFileW.KERNEL32(00000000,00000010), ref: 0034A2FD
FindClose.KERNEL32(00000000), ref: 0034A30A
FindClose.KERNEL32(00000000), ref: 0034A31A

Part of subcall function 0033E399: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 0033E3B4

Strings

*.*, xrefs: 0034A280

Memory Dump Source

Source File: 0000000C.00000002.1724187159.00000000002D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000C.00000002.1724077128.00000000002D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.000000000036D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.0000000000393000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724304889.000000000039D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724324748.00000000003A5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2d0000_Breakdown.jbxd

Similarity

API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 2640511053-438819550
Opcode ID: 29d876cfc8565aea0e7c238d011d172b6f6a9c2543d9ddd36b6ded436dfda0b9
Instruction ID: fc9edd958195d0f681efcd9ae3aab013f653a2213f7902d1bfd80ace6e0da566
Opcode Fuzzy Hash: 29d876cfc8565aea0e7c238d011d172b6f6a9c2543d9ddd36b6ded436dfda0b9
Instruction Fuzzy Hash: C9314635640A1D6ECF12AFA0EC09ADE73EC9F04324F114461F900AB190EBB1EE85DA15

Function 0035C8A4 Relevance: 17.0, APIs: 11, Instructions: 456registryCOMMON

Download Yara Rule

APIs

Part of subcall function 0035D3F8: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0035C10E,?,?), ref: 0035D415
Part of subcall function 0035D3F8: _wcslen.LIBCMT ref: 0035D451
Part of subcall function 0035D3F8: _wcslen.LIBCMT ref: 0035D4C8
Part of subcall function 0035D3F8: _wcslen.LIBCMT ref: 0035D4FE

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0035C99E
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?), ref: 0035CA09
RegCloseKey.ADVAPI32(00000000), ref: 0035CA2D
RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 0035CA8C
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 0035CB47
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 0035CBB4
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 0035CC49
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,00000000,?,?,?,00000000), ref: 0035CC9A
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 0035CD43
RegCloseKey.ADVAPI32(?,?,00000000), ref: 0035CDE2
RegCloseKey.ADVAPI32(00000000), ref: 0035CDEF

Memory Dump Source

Source File: 0000000C.00000002.1724187159.00000000002D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000C.00000002.1724077128.00000000002D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.000000000036D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.0000000000393000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724304889.000000000039D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724324748.00000000003A5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2d0000_Breakdown.jbxd

Similarity

API ID: QueryValue$Close_wcslen$BuffCharConnectOpenRegistryUpper
String ID:
API String ID: 3102970594-0
Opcode ID: 3852c0b7110fa0523380c9f71edacfd0256d446b720ea6abcf170bf17f319986
Instruction ID: 12a0b3d8c0015649ca82a560ef0e10ad56ca60e421cc60177e39502dd4173f81
Opcode Fuzzy Hash: 3852c0b7110fa0523380c9f71edacfd0256d446b720ea6abcf170bf17f319986
Instruction Fuzzy Hash: 4E022B716142009FD715DF28C895E2ABBE5EF48318F1984ADF849CB2A2DB31ED46CB91

Function 0033D921 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 172fileCOMMON

Download Yara Rule

APIs

Part of subcall function 002D5851: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,002D55D1,?,?,00314B76,?,?,00000100,00000000,00000000,CMDLINE), ref: 002D5871

Part of subcall function 0033EAB0: GetFileAttributesW.KERNEL32(?,0033D840), ref: 0033EAB1

FindFirstFileW.KERNEL32(?,?), ref: 0033D9CD
DeleteFileW.KERNEL32(?,?,?,?,?,00000000,?,?,?), ref: 0033DA88
MoveFileW.KERNEL32(?,?), ref: 0033DA9B
DeleteFileW.KERNEL32(?,?,?,?), ref: 0033DAB8
FindNextFileW.KERNEL32(00000000,00000010), ref: 0033DAE2

Part of subcall function 0033DB47: CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,0033DAC7,?,?), ref: 0033DB5D

FindClose.KERNEL32(00000000,?,?,?), ref: 0033DAFE
FindClose.KERNEL32(00000000), ref: 0033DB0F

Strings

\*.*, xrefs: 0033D978, 0033D981, 0033D996

Memory Dump Source

Source File: 0000000C.00000002.1724187159.00000000002D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000C.00000002.1724077128.00000000002D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.000000000036D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.0000000000393000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724304889.000000000039D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724324748.00000000003A5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2d0000_Breakdown.jbxd

Similarity

API ID: File$Find$CloseDelete$AttributesCopyFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 1946585618-1173974218
Opcode ID: 7490d803a8020b7fac66d0ec04db149e681f69d6ae4867b339e6baa029b1b931
Instruction ID: e52d8d8e49d3ffa8dde5961fff097e0e7bc91d0eff50cd3e012d6a1777953546
Opcode Fuzzy Hash: 7490d803a8020b7fac66d0ec04db149e681f69d6ae4867b339e6baa029b1b931
Instruction Fuzzy Hash: 01614D31D0510DEECF06EBA0EA929EDB7B9AF14304F2141A6E402B7295EB715F09CF60

Function 0034F7C7 Relevance: 13.6, APIs: 9, Instructions: 102clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 0034F7EE
EmptyClipboard.USER32 ref: 0034F7F4
GlobalAlloc.KERNEL32(00000002,?), ref: 0034F809
CloseClipboard.USER32 ref: 0034F900

Memory Dump Source

Source File: 0000000C.00000002.1724187159.00000000002D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000C.00000002.1724077128.00000000002D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.000000000036D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.0000000000393000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724304889.000000000039D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724324748.00000000003A5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2d0000_Breakdown.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: 8f7bcef98044bc09cf146cff142261cf63999b258eb2417aa206affe68c26bc0
Instruction ID: 483659e3f2217ec16f1c3464f3a8a1b3beab507479d47b3f997a28b727fb9e16
Opcode Fuzzy Hash: 8f7bcef98044bc09cf146cff142261cf63999b258eb2417aa206affe68c26bc0
Instruction Fuzzy Hash: FE418A35A04611AFD712DF15D888B16BBE8EF44318F19C4A9E8198F762CB75FD42CB90

Function 0033F20D Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 57shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 00332010: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0033205A
Part of subcall function 00332010: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00332087
Part of subcall function 00332010: GetLastError.KERNEL32 ref: 00332097

ExitWindowsEx.USER32(?,00000000), ref: 0033F249

Strings

, xrefs: 0033F237
, xrefs: 0033F273
SeShutdownPrivilege, xrefs: 0033F219
@, xrefs: 0033F23C

Memory Dump Source

Source File: 0000000C.00000002.1724187159.00000000002D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000C.00000002.1724077128.00000000002D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.000000000036D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.0000000000393000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724304889.000000000039D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724324748.00000000003A5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2d0000_Breakdown.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $ $@$SeShutdownPrivilege
API String ID: 2234035333-3163812486
Opcode ID: 5e089f4f30c45f17dd5652524fead97e5d985078953fdf62ed9e4386b27239b9
Instruction ID: 853ffbc8df9b3973279ee9354a5919d4f209a2702f8274538c5e84598a1e3f66
Opcode Fuzzy Hash: 5e089f4f30c45f17dd5652524fead97e5d985078953fdf62ed9e4386b27239b9
Instruction Fuzzy Hash: 9C01D67EF10214AFEB1A66B89CCAFBB726C9B08345F554D31FD02E61D2D6609D049190

Function 002D22AD Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 308COMMON

Download Yara Rule

APIs

DefDlgProcW.USER32(?,?), ref: 002D233E
GetSysColor.USER32(0000000F), ref: 002D2421
SetBkColor.GDI32(?,00000000), ref: 002D2434

Strings

(:, xrefs: 002D240A

Memory Dump Source

Source File: 0000000C.00000002.1724187159.00000000002D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000C.00000002.1724077128.00000000002D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.000000000036D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.0000000000393000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724304889.000000000039D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724324748.00000000003A5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2d0000_Breakdown.jbxd

Similarity

API ID: Color$Proc
String ID: (:
API String ID: 929743424-2137056132
Opcode ID: eed194bd145f3e1c02ba16ceb2af0a09b180fd31a32cff0f7c744cf935e13945
Instruction ID: 6bb170fa3d615636559ce33aeaba2ccccbe753694caf954720767f3e67839085
Opcode Fuzzy Hash: eed194bd145f3e1c02ba16ceb2af0a09b180fd31a32cff0f7c744cf935e13945
Instruction Fuzzy Hash: 76813DB0134400FDE62F6A3C4C58EBF255DDB5A310F16414BF102DABD5C9A98FAA9276

Function 00343A0E Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 60COMMON

Download Yara Rule

APIs

CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,003156C2,?,?,00000000,00000000), ref: 00343A1E
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,003156C2,?,?,00000000,00000000), ref: 00343A35
LoadResource.KERNEL32(?,00000000,?,?,003156C2,?,?,00000000,00000000,?,?,?,?,?,?,002D66CE), ref: 00343A45
SizeofResource.KERNEL32(?,00000000,?,?,003156C2,?,?,00000000,00000000,?,?,?,?,?,?,002D66CE), ref: 00343A56
LockResource.KERNEL32(003156C2,?,?,003156C2,?,?,00000000,00000000,?,?,?,?,?,?,002D66CE,?), ref: 00343A65

Strings

SCRIPT, xrefs: 00343A2B

Memory Dump Source

Source File: 0000000C.00000002.1724187159.00000000002D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000C.00000002.1724077128.00000000002D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.000000000036D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.0000000000393000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724304889.000000000039D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724324748.00000000003A5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2d0000_Breakdown.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: c0cbb94dbe33d49cf761d1a8c03894894654464df5c80babcbd5bd456aa53668
Instruction ID: 25d062465b864d094d0db15ca79a32e34b580be31e3ae82be28f3347851f815c
Opcode Fuzzy Hash: c0cbb94dbe33d49cf761d1a8c03894894654464df5c80babcbd5bd456aa53668
Instruction Fuzzy Hash: 31115770640701AFE7268B25DC48F277BBDEBC9B40F15866CF4029B2A0DBB1E9008A20

Function 003320AA Relevance: 9.1, APIs: 6, Instructions: 68memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00331900: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00331916
Part of subcall function 00331900: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00331922
Part of subcall function 00331900: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00331931
Part of subcall function 00331900: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00331938
Part of subcall function 00331900: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 0033194E

GetLengthSid.ADVAPI32(?,00000000,00331C81), ref: 003320FB
GetProcessHeap.KERNEL32(00000008,00000000), ref: 00332107
HeapAlloc.KERNEL32(00000000), ref: 0033210E
CopySid.ADVAPI32(00000000,00000000,?), ref: 00332127
GetProcessHeap.KERNEL32(00000000,00000000,00331C81), ref: 0033213B
HeapFree.KERNEL32(00000000), ref: 00332142

Memory Dump Source

Source File: 0000000C.00000002.1724187159.00000000002D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000C.00000002.1724077128.00000000002D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.000000000036D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.0000000000393000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724304889.000000000039D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724324748.00000000003A5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2d0000_Breakdown.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: 3fd20d10b9d93bc5ef76f27725ac1194f07ac02ff842a55b5efaa960197dbfdd
Instruction ID: 8ce5731ec22ed93517532e33303603b959720e6aeb2b3367db8c39029f75d21f
Opcode Fuzzy Hash: 3fd20d10b9d93bc5ef76f27725ac1194f07ac02ff842a55b5efaa960197dbfdd
Instruction Fuzzy Hash: 9411D071A00204FFDB169FA4DD89FAF7BBDEF45355F158018EA4197120C7B59944CB60

Function 0034A570 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 119filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 002DB329: _wcslen.LIBCMT ref: 002DB333

FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 0034A5BD
FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 0034A6D0

Part of subcall function 003442B9: GetInputState.USER32 ref: 00344310
Part of subcall function 003442B9: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 003443AB

Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 0034A5ED
FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 0034A6BA

Strings

*.*, xrefs: 0034A5A2

Memory Dump Source

Source File: 0000000C.00000002.1724187159.00000000002D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000C.00000002.1724077128.00000000002D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.000000000036D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.0000000000393000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724304889.000000000039D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724324748.00000000003A5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2d0000_Breakdown.jbxd

Similarity

API ID: Find$File$CloseFirstInputMessageNextPeekSleepState_wcslen
String ID: *.*
API String ID: 1972594611-438819550
Opcode ID: 806d3a4e502f2ab50e19ffa8c343232f293ad885dbdfc73769eaee741d0b884c
Instruction ID: ec3ebf076170f79d26e4bc522c1f23740ba0774d859e3f57a729ea4029ce9870
Opcode Fuzzy Hash: 806d3a4e502f2ab50e19ffa8c343232f293ad885dbdfc73769eaee741d0b884c
Instruction Fuzzy Hash: AB41A37194020AAFDF12DFA4C949AEEBBF8EF05310F254056E805A7291EB74AE54CF61

Function 00352263 Relevance: 7.7, APIs: 5, Instructions: 153networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00353AAB: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 00353AD7
Part of subcall function 00353AAB: _wcslen.LIBCMT ref: 00353AF8

socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 003522BA
WSAGetLastError.WSOCK32 ref: 003522E1
bind.WSOCK32(00000000,?,00000010), ref: 00352338
WSAGetLastError.WSOCK32 ref: 00352343
closesocket.WSOCK32(00000000), ref: 00352372

Memory Dump Source

Source File: 0000000C.00000002.1724187159.00000000002D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000C.00000002.1724077128.00000000002D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.000000000036D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.0000000000393000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724304889.000000000039D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724324748.00000000003A5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2d0000_Breakdown.jbxd

Similarity

API ID: ErrorLast$_wcslenbindclosesocketinet_addrsocket
String ID:
API String ID: 1601658205-0
Opcode ID: 2583f383b6486dedd1dfcfc89aac550e68a08fe6d861d4d91b8b1814c09acf4b
Instruction ID: 662e3aa4c0709a812ef663257928a2ee70929842069380006439931b8ecc0ff2
Opcode Fuzzy Hash: 2583f383b6486dedd1dfcfc89aac550e68a08fe6d861d4d91b8b1814c09acf4b
Instruction Fuzzy Hash: 6051E375A00200AFEB11AF24C886F2A77E9AB45718F588099F9469F3D3C774ED51CBE1

Function 003626DD Relevance: 7.6, APIs: 5, Instructions: 83windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 0036275C
IsWindowEnabled.USER32 ref: 0036276A
GetForegroundWindow.USER32(?,?,00000001,?), ref: 00362777
IsIconic.USER32 ref: 00362785
IsZoomed.USER32 ref: 00362793

Memory Dump Source

Source File: 0000000C.00000002.1724187159.00000000002D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000C.00000002.1724077128.00000000002D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.000000000036D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.0000000000393000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724304889.000000000039D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724324748.00000000003A5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2d0000_Breakdown.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: c6096407a5070948b8f70446b727959ca278887b07b4b89f87982b9c1f0307dd
Instruction ID: 93765ec8c843df5ce5150bb2008aea129f7cf30fb158bdb8307f0926bd98a2e4
Opcode Fuzzy Hash: c6096407a5070948b8f70446b727959ca278887b07b4b89f87982b9c1f0307dd
Instruction Fuzzy Hash: D021E231B006108FD7129F26C844F5B7BA9EF95314F5BC069E84A8B356CBB2ED42CB90

Function 0034D889 Relevance: 6.1, APIs: 4, Instructions: 75filenetworkCOMMON

Download Yara Rule

APIs

InternetReadFile.WININET(?,?,00000400,?), ref: 0034D8CE
GetLastError.KERNEL32(?,00000000), ref: 0034D92F
SetEvent.KERNEL32(?,?,00000000), ref: 0034D943

Memory Dump Source

Source File: 0000000C.00000002.1724187159.00000000002D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000C.00000002.1724077128.00000000002D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.000000000036D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.0000000000393000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724304889.000000000039D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724324748.00000000003A5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2d0000_Breakdown.jbxd

Similarity

API ID: ErrorEventFileInternetLastRead
String ID:
API String ID: 234945975-0
Opcode ID: f6245c3580d62b22688273c1d09b28dec6c51423843e500de40019f014510332
Instruction ID: fdeafdf3deb0645641016978461b9369ea204c49163e9b5f74fcaabf3db0dd05
Opcode Fuzzy Hash: f6245c3580d62b22688273c1d09b28dec6c51423843e500de40019f014510332
Instruction Fuzzy Hash: 6E21AF71A00705AFEB229F65D888BAAB7FCEB41314F10882EE646D6551E770FA04CB60

Function 0033E472 Relevance: 6.0, APIs: 4, Instructions: 29filestringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,003146AC), ref: 0033E482
GetFileAttributesW.KERNEL32(?), ref: 0033E491
FindFirstFileW.KERNEL32(?,?), ref: 0033E4A2
FindClose.KERNEL32(00000000), ref: 0033E4AE

Memory Dump Source

Source File: 0000000C.00000002.1724187159.00000000002D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000C.00000002.1724077128.00000000002D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.000000000036D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.0000000000393000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724304889.000000000039D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724324748.00000000003A5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2d0000_Breakdown.jbxd

Similarity

API ID: FileFind$AttributesCloseFirstlstrlen
String ID:
API String ID: 2695905019-0
Opcode ID: 571f24bb7950f681736ca4ae13178d6b08345d9734aa81c6db6d0973e3f49bc3
Instruction ID: f743d2302834000cdd676bd0ff18c11472e4583d8f7acffb13e847d036f6690d
Opcode Fuzzy Hash: 571f24bb7950f681736ca4ae13178d6b08345d9734aa81c6db6d0973e3f49bc3
Instruction Fuzzy Hash: 19F0E53081091197D212673CBC4D8AB7B6DAE0A335F508B01F8B6C20F0D7B89D958695

Function 0032E5F4 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 0032E5F8

Strings

X64, xrefs: 0032E680
%.3d, xrefs: 0032E603

Memory Dump Source

Source File: 0000000C.00000002.1724187159.00000000002D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000C.00000002.1724077128.00000000002D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.000000000036D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.0000000000393000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724304889.000000000039D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724324748.00000000003A5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2d0000_Breakdown.jbxd

Similarity

API ID: LocalTime
String ID: %.3d$X64
API String ID: 481472006-1077770165
Opcode ID: 53c053671d2ca46ce005d9da928f949324ea007f5ac168becc18b5b20e11b674
Instruction ID: 6602a3a5e2d19e70d4cd3ba8ac779b3ae8ed54c1b4084179f1d87fa3ae3b344f
Opcode Fuzzy Hash: 53c053671d2ca46ce005d9da928f949324ea007f5ac168becc18b5b20e11b674
Instruction Fuzzy Hash: 1BD05BB5C14128DACFD2D791BD8ACBD737CBB19700F548852F906D1440E77499589B21

Function 00302992 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,0000000A), ref: 00302A8A
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,0000000A), ref: 00302A94
UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,0000000A), ref: 00302AA1

Memory Dump Source

Source File: 0000000C.00000002.1724187159.00000000002D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000C.00000002.1724077128.00000000002D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.000000000036D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.0000000000393000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724304889.000000000039D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724324748.00000000003A5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2d0000_Breakdown.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: adbdd6bf11d47aa6f9d7e78968adf9bd6bd90176bdf9bd488bb81e44023396ad
Instruction ID: 94c7d336600a9e83d0f8d4e0105ab80ce7234250001c306d7f423ed3881819a0
Opcode Fuzzy Hash: adbdd6bf11d47aa6f9d7e78968adf9bd6bd90176bdf9bd488bb81e44023396ad
Instruction Fuzzy Hash: 7231D77491121C9BCB22DF64D9897DDBBB8AF08310F5041EAE50CA7251EB709F958F45

Function 00332010 Relevance: 4.6, APIs: 3, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 002F014B: __CxxThrowException@8.LIBVCRUNTIME ref: 002F09D8
Part of subcall function 002F014B: __CxxThrowException@8.LIBVCRUNTIME ref: 002F09F5

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0033205A
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00332087
GetLastError.KERNEL32 ref: 00332097

Memory Dump Source

Source File: 0000000C.00000002.1724187159.00000000002D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000C.00000002.1724077128.00000000002D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.000000000036D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.0000000000393000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724304889.000000000039D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724324748.00000000003A5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2d0000_Breakdown.jbxd

Similarity

API ID: Exception@8Throw$AdjustErrorLastLookupPrivilegePrivilegesTokenValue
String ID:
API String ID: 577356006-0
Opcode ID: 324c09120dfd8212fc539a9767610b9879d1d43a65a0a53d359ebdd8136fb566
Instruction ID: 6e3b9ff991af0a4d117599e994ed14941dac103b5a32ae33c887dfaa7e36e0fe
Opcode Fuzzy Hash: 324c09120dfd8212fc539a9767610b9879d1d43a65a0a53d359ebdd8136fb566
Instruction Fuzzy Hash: D611BFB1914205AFD7289F54DCC6E6BB7BCFB04750F21842EF04653651DB70BC45CA20

Function 002F5058 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?,002F502E,?,003998D8,0000000C,002F5185,?,00000002,00000000), ref: 002F5079
TerminateProcess.KERNEL32(00000000,?,002F502E,?,003998D8,0000000C,002F5185,?,00000002,00000000), ref: 002F5080
ExitProcess.KERNEL32 ref: 002F5092

Memory Dump Source

Source File: 0000000C.00000002.1724187159.00000000002D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000C.00000002.1724077128.00000000002D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.000000000036D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.0000000000393000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724304889.000000000039D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724324748.00000000003A5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2d0000_Breakdown.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: bb75eabe040eb4072c3d54c3a9dc3e98cc7b620e4bb887145d29e786cdd1af45
Instruction ID: 8536a0c72e3a20ac18cbff32bbed4c2bdf2b2fb78c62ae1b2629b38f645f7d4c
Opcode Fuzzy Hash: bb75eabe040eb4072c3d54c3a9dc3e98cc7b620e4bb887145d29e786cdd1af45
Instruction Fuzzy Hash: B4E04631510508AFCF226F50CD08E687B6DEB18382F108028FA0A8A221DFBADD52CAC0

Function 0032E652 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 0032E664

Strings

X64, xrefs: 0032E680

Memory Dump Source

Source File: 0000000C.00000002.1724187159.00000000002D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000C.00000002.1724077128.00000000002D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.000000000036D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.0000000000393000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724304889.000000000039D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724324748.00000000003A5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2d0000_Breakdown.jbxd

Similarity

API ID: NameUser
String ID: X64
API String ID: 2645101109-893830106
Opcode ID: 7c4448221597a2c4b8307e678a0120b521ab2ca8a29f98d5f1c8c0a8fe9414a4
Instruction ID: 92807040b92ba9a7e86b78a577d634df55799c52b180847b6fa14bc404d97a8a
Opcode Fuzzy Hash: 7c4448221597a2c4b8307e678a0120b521ab2ca8a29f98d5f1c8c0a8fe9414a4
Instruction Fuzzy Hash: 57D0C9B481112DEACF81CB50EC88DDD737CBB04304F104651F106A2040D77095488B10

Function 003441FA Relevance: 3.0, APIs: 2, Instructions: 33windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,003552EE,?,?,00000035,?), ref: 00344229
FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,003552EE,?,?,00000035,?), ref: 00344239

Memory Dump Source

Source File: 0000000C.00000002.1724187159.00000000002D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000C.00000002.1724077128.00000000002D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.000000000036D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.0000000000393000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724304889.000000000039D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724324748.00000000003A5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2d0000_Breakdown.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: 0efce817bb03ed79e7298c381ce9d4499f3ae14df13f6b1ffcdd96e412c87ede
Instruction ID: cb0f6ecb8c7e225896b195bae8db598c39e7a4ee21c161935226b965057d369f
Opcode Fuzzy Hash: 0efce817bb03ed79e7298c381ce9d4499f3ae14df13f6b1ffcdd96e412c87ede
Instruction Fuzzy Hash: 15F0E530B002286AE72216769C4DFEB76ADEFC5761F000575F505D2281D9B09D40C7B0

Function 00331A0B Relevance: 3.0, APIs: 2, Instructions: 24COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00331B48), ref: 00331A20
CloseHandle.KERNEL32(?,?,00331B48), ref: 00331A35

Memory Dump Source

Source File: 0000000C.00000002.1724187159.00000000002D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000C.00000002.1724077128.00000000002D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.000000000036D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.0000000000393000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724304889.000000000039D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724324748.00000000003A5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2d0000_Breakdown.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: 65eaef520c360d6e78cc8409971b96ef7eec6b91c5452f7f6a34f37f7b786af3
Instruction ID: 363d8ff4fb9d2fe1f0eeaabe3bced0744b5c1d3289b448c23238cc6309888fa6
Opcode Fuzzy Hash: 65eaef520c360d6e78cc8409971b96ef7eec6b91c5452f7f6a34f37f7b786af3
Instruction Fuzzy Hash: 48E01A72014614AEE7262B11EC45E73B7A9EB04351F24882DF59580471DAA26CA0DA10

Function 0034F4FF Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 0034F51A

Memory Dump Source

Source File: 0000000C.00000002.1724187159.00000000002D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000C.00000002.1724077128.00000000002D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.000000000036D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.0000000000393000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724304889.000000000039D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724324748.00000000003A5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2d0000_Breakdown.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: 6fe87637c65aab65faf08591302be619dee98d8dd255ed851430a0374d4fcf27
Instruction ID: ecb93fecf45399c745664231a51d50b0cef2520dd4be1eb03a5636f3f889bbfb
Opcode Fuzzy Hash: 6fe87637c65aab65faf08591302be619dee98d8dd255ed851430a0374d4fcf27
Instruction Fuzzy Hash: 13E04F326142059FC711AF69D804A9AF7ECAFA5761F058466F84ACB361DAB0FD40CBA1

Function 0033EC6C Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

mouse_event.USER32(00000002,00000000,00000000,00000000,00000000), ref: 0033EC95

Memory Dump Source

Source File: 0000000C.00000002.1724187159.00000000002D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000C.00000002.1724077128.00000000002D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.000000000036D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.0000000000393000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724304889.000000000039D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724324748.00000000003A5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2d0000_Breakdown.jbxd

Similarity

API ID: mouse_event
String ID:
API String ID: 2434400541-0
Opcode ID: ae907156e6231b826affdbc5047e55bfbc1f59a1e945f5149b567e809488fd3f
Instruction ID: a344f04c4f305ef107e81eaa8d25e7087a39ab7c213755c67c8424fa9bc773a3
Opcode Fuzzy Hash: ae907156e6231b826affdbc5047e55bfbc1f59a1e945f5149b567e809488fd3f
Instruction Fuzzy Hash: B3D05EB6194200B9E81F0A3C8FAFF3E090DE302743F856349F202D99D5E5C1A9009121

Function 002F0D45 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_00020D51,002F075E), ref: 002F0D4A

Memory Dump Source

Source File: 0000000C.00000002.1724187159.00000000002D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000C.00000002.1724077128.00000000002D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.000000000036D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.0000000000393000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724304889.000000000039D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724324748.00000000003A5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2d0000_Breakdown.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: fb667b8a580fa2af356097b1d4cf1d0ec931faff81ef4f54f9015dffe8fe4000
Instruction ID: 91d11f4b5a4825b68e6a0bd03e54f22acc9d07829c1aea00a2f8dbe8666b94a1
Opcode Fuzzy Hash: fb667b8a580fa2af356097b1d4cf1d0ec931faff81ef4f54f9015dffe8fe4000
Instruction Fuzzy Hash:

Function 0035353B Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 486filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 0035358D
DeleteObject.GDI32(00000000), ref: 003535A0
DestroyWindow.USER32 ref: 003535AF
GetDesktopWindow.USER32 ref: 003535CA
GetWindowRect.USER32(00000000), ref: 003535D1
SetRect.USER32(?,00000000,00000000,00000007,00000002), ref: 00353700
AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 0035370E
CreateWindowExW.USER32(?,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00353755
GetClientRect.USER32(00000000,?), ref: 00353761
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 0035379D
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 003537BF
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 003537D2
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 003537DD
GlobalLock.KERNEL32(00000000), ref: 003537E6
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 003537F5
GlobalUnlock.KERNEL32(00000000), ref: 003537FE
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00353805
GlobalFree.KERNEL32(00000000), ref: 00353810
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00353822
OleLoadPicture.OLEAUT32(?,00000000,00000000,00370C04,00000000), ref: 00353838
GlobalFree.KERNEL32(00000000), ref: 00353848
CopyImage.USER32(00000007,00000000,00000000,00000000,00002000), ref: 0035386E
SendMessageW.USER32(00000000,00000172,00000000,00000007), ref: 0035388D
SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 003538AF
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00353A9C

Strings

, xrefs: 00353A22
AutoIt v3, xrefs: 0035374F
static, xrefs: 00353797, 003538EE
DISPLAY, xrefs: 003538FF

Memory Dump Source

Source File: 0000000C.00000002.1724187159.00000000002D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000C.00000002.1724077128.00000000002D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.000000000036D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.0000000000393000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724304889.000000000039D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724324748.00000000003A5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2d0000_Breakdown.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: 0f2aa639b397250b96e32a29eae295e93df4e17410babfd6dd2d40fb973f4f5f
Instruction ID: 23ba413640c916c4105fe94f2773d07fd50c8c674f21fd1d480a3e1b977ab478
Opcode Fuzzy Hash: 0f2aa639b397250b96e32a29eae295e93df4e17410babfd6dd2d40fb973f4f5f
Instruction Fuzzy Hash: 42027C75A00205AFDB16DF64CC89EAE7BB9EF49311F108518F915AB2A0DBB4ED05CF60

Function 002D1625 Relevance: 53.0, APIs: 26, Strings: 4, Instructions: 480windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?), ref: 002D16B4
SendMessageW.USER32(?,00001308,?,00000000), ref: 00312B07
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 00312B40
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00312F85

Part of subcall function 002D1802: InvalidateRect.USER32(?,00000000,00000001,?,?,?,002D1488,?,00000000,?,?,?,?,002D145A,00000000,?), ref: 002D1865

SendMessageW.USER32(?,00001053), ref: 00312FC1
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 00312FD8
ImageList_Destroy.COMCTL32(00000000,?), ref: 00312FEE
ImageList_Destroy.COMCTL32(00000000,?), ref: 00312FF9

Strings

(:, xrefs: 00312B86
(:, xrefs: 00312CA1
0, xrefs: 00312E11
(:, xrefs: 00313035

Memory Dump Source

Source File: 0000000C.00000002.1724187159.00000000002D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000C.00000002.1724077128.00000000002D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.000000000036D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.0000000000393000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724304889.000000000039D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724324748.00000000003A5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2d0000_Breakdown.jbxd

Similarity

API ID: DestroyImageList_MessageSend$Window$InvalidateMoveRectRemove
String ID: 0$(:$(:$(:
API String ID: 2760611726-1109579014
Opcode ID: cc686ccb5ba3136ebcb4081463c2e67c5e57179c70462e679a240997a0cd2672
Instruction ID: 31ef65c26a4939be08a55613ede7010cba61759ad73b775153718444f3e392ec
Opcode Fuzzy Hash: cc686ccb5ba3136ebcb4081463c2e67c5e57179c70462e679a240997a0cd2672
Instruction Fuzzy Hash: E512BE30610201AFD72ACF18C844BABB7E9FB49300F19856AF5959B661C771ECB6CF91

Function 00367B0D Relevance: 49.8, APIs: 33, Instructions: 273COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 00367B67
GetSysColorBrush.USER32(0000000F), ref: 00367B98
GetSysColor.USER32(0000000F), ref: 00367BA4
SetBkColor.GDI32(?,000000FF), ref: 00367BBE
SelectObject.GDI32(?,?), ref: 00367BCD
InflateRect.USER32(?,000000FF,000000FF), ref: 00367BF8
GetSysColor.USER32(00000010), ref: 00367C00
CreateSolidBrush.GDI32(00000000), ref: 00367C07
FrameRect.USER32(?,?,00000000), ref: 00367C16
DeleteObject.GDI32(00000000), ref: 00367C1D
InflateRect.USER32(?,000000FE,000000FE), ref: 00367C68
FillRect.USER32(?,?,?), ref: 00367C9A
GetWindowLongW.USER32(?,000000F0), ref: 00367CBC

Part of subcall function 00367E22: GetSysColor.USER32(00000012), ref: 00367E5B
Part of subcall function 00367E22: SetTextColor.GDI32(?,00367B2D), ref: 00367E5F
Part of subcall function 00367E22: GetSysColorBrush.USER32(0000000F), ref: 00367E75
Part of subcall function 00367E22: GetSysColor.USER32(0000000F), ref: 00367E80
Part of subcall function 00367E22: GetSysColor.USER32(00000011), ref: 00367E9D
Part of subcall function 00367E22: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00367EAB
Part of subcall function 00367E22: SelectObject.GDI32(?,00000000), ref: 00367EBC
Part of subcall function 00367E22: SetBkColor.GDI32(?,?), ref: 00367EC5
Part of subcall function 00367E22: SelectObject.GDI32(?,?), ref: 00367ED2
Part of subcall function 00367E22: InflateRect.USER32(?,000000FF,000000FF), ref: 00367EF1
Part of subcall function 00367E22: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00367F08
Part of subcall function 00367E22: GetWindowLongW.USER32(?,000000F0), ref: 00367F15

Memory Dump Source

Source File: 0000000C.00000002.1724187159.00000000002D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000C.00000002.1724077128.00000000002D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.000000000036D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.0000000000393000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724304889.000000000039D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724324748.00000000003A5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2d0000_Breakdown.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
String ID:
API String ID: 4124339563-0
Opcode ID: 408b8f7bb011ebfbac483ee9740bdb560090d9b5e0b369c361b32047aa24f474
Instruction ID: 0caa464bbb91f198c3741610b4804712a476e886084a6143aa0a2d870ab048e1
Opcode Fuzzy Hash: 408b8f7bb011ebfbac483ee9740bdb560090d9b5e0b369c361b32047aa24f474
Instruction Fuzzy Hash: 09A1B172508301BFCB129F64DC48E6BBBADFF49324F508A19FA62961E0D7B1D944CB51

Function 0035316E Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 330windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 0035319B
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 003532C7
SetRect.USER32(?,00000000,00000000,0000012C,?), ref: 00353306
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 00353316
CreateWindowExW.USER32(00000008,AutoIt v3,?,88C00000,000000FF,?,?,?,00000000,00000000,00000000), ref: 0035335D
GetClientRect.USER32(00000000,?), ref: 00353369
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000), ref: 003533B2
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 003533C1
GetStockObject.GDI32(00000011), ref: 003533D1
SelectObject.GDI32(00000000,00000000), ref: 003533D5
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?), ref: 003533E5
GetDeviceCaps.GDI32(00000000,0000005A), ref: 003533EE
DeleteDC.GDI32(00000000), ref: 003533F7
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 00353423
SendMessageW.USER32(00000030,00000000,00000001), ref: 0035343A
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,-0000001D,00000104,00000014,00000000,00000000,00000000), ref: 0035347A
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 0035348E
SendMessageW.USER32(00000404,00000001,00000000), ref: 0035349F
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000041,00000500,-00000027,00000000,00000000,00000000), ref: 003534D4
GetStockObject.GDI32(00000011), ref: 003534DF
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 003534EA
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?,?,?), ref: 003534F4

Strings

AutoIt v3, xrefs: 00353355
static, xrefs: 003533AC, 003534CE
msctls_progress32, xrefs: 00353470
DISPLAY, xrefs: 003533B7

Memory Dump Source

Source File: 0000000C.00000002.1724187159.00000000002D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000C.00000002.1724077128.00000000002D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.000000000036D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.0000000000393000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724304889.000000000039D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724324748.00000000003A5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2d0000_Breakdown.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: 67e05fc68480c486086889ab8791a348a9f1b88ee9accc75689ca0ffaaaf5fc1
Instruction ID: b6541a231b3112d809f3d8860cb6b38d5913fe400c25005a14b93946568310cf
Opcode Fuzzy Hash: 67e05fc68480c486086889ab8791a348a9f1b88ee9accc75689ca0ffaaaf5fc1
Instruction Fuzzy Hash: 7CB14B71A10605AFEB15DFA8CC49FAE7BA9EB09710F108515FA15A72A0C7B4AD40CFA0

Function 00345524 Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 191COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00345532
GetDriveTypeW.KERNEL32(?,0036DC30,?,\\.\,0036DCD0), ref: 0034560F
SetErrorMode.KERNEL32(00000000,0036DC30,?,\\.\,0036DCD0), ref: 0034577B

Strings

Fibre, xrefs: 003456F2
Removable, xrefs: 00345655, 0034565A
Unknown, xrefs: 00345632, 003456C8
MMC, xrefs: 00345723
1394, xrefs: 003456E4
USB, xrefs: 003456F9
iSCSI, xrefs: 00345707
SSA, xrefs: 003456EB
SAS, xrefs: 0034570E
Virtual, xrefs: 0034572A
FileBackedVirtual, xrefs: 00345731
Fixed, xrefs: 0034564E
RAID, xrefs: 00345700
Network, xrefs: 00345647
SSD, xrefs: 0034568F
SATA, xrefs: 00345715
CDROM, xrefs: 00345640
ATAPI, xrefs: 003456D6
PhysicalDrive, xrefs: 003455BB
RAMDisk, xrefs: 00345639
\\.\, xrefs: 00345584
SCSI, xrefs: 003456CF
ATA, xrefs: 003456DD

Memory Dump Source

Source File: 0000000C.00000002.1724187159.00000000002D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000C.00000002.1724077128.00000000002D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.000000000036D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.0000000000393000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724304889.000000000039D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724324748.00000000003A5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2d0000_Breakdown.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: 120b95bdc1540e294ba9b0127f87f99c735d933be3d237e47f012be852055295
Instruction ID: 612ccc0fa2584437d42084c8a3e920b5b9fd352cc8d125e134ac5829ba4d9b82
Opcode Fuzzy Hash: 120b95bdc1540e294ba9b0127f87f99c735d933be3d237e47f012be852055295
Instruction Fuzzy Hash: 2461CF30E58A09DBCB27DF24C9D28B87BE5AF24354B258066E406AF693C771FD01CB51

Function 002D2521 Relevance: 42.3, APIs: 18, Strings: 6, Instructions: 282windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 002D25F8
GetSystemMetrics.USER32(00000007), ref: 002D2600
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 002D262B
GetSystemMetrics.USER32(00000008), ref: 002D2633
GetSystemMetrics.USER32(00000004), ref: 002D2658
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 002D2675
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 002D2685
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 002D26B8
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 002D26CC
GetClientRect.USER32(00000000,000000FF), ref: 002D26EA
GetStockObject.GDI32(00000011), ref: 002D2706
SendMessageW.USER32(00000000,00000030,00000000), ref: 002D2711

Part of subcall function 002D19CD: GetCursorPos.USER32(?), ref: 002D19E1
Part of subcall function 002D19CD: ScreenToClient.USER32(00000000,?), ref: 002D19FE
Part of subcall function 002D19CD: GetAsyncKeyState.USER32(00000001), ref: 002D1A23
Part of subcall function 002D19CD: GetAsyncKeyState.USER32(00000002), ref: 002D1A3D

SetTimer.USER32(00000000,00000000,00000028,002D199C), ref: 002D2738

Strings

(:, xrefs: 002D271A
AutoIt v3 GUI, xrefs: 002D26B0
<):, xrefs: 002D255C
(:, xrefs: 002D2749
<):, xrefs: 003139A6
(:, xrefs: 00313909

Memory Dump Source

Source File: 0000000C.00000002.1724187159.00000000002D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000C.00000002.1724077128.00000000002D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.000000000036D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.0000000000393000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724304889.000000000039D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724324748.00000000003A5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2d0000_Breakdown.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: <):$<):$AutoIt v3 GUI$(:$(:$(:
API String ID: 1458621304-2052383814
Opcode ID: 75ac3c379a0ea55c02ec5561390ca75f97235fc9e24cb871206de7f619102097
Instruction ID: 586500390465439ba12c143dbf7355fd8f2186cf96bb8d87e2c8ff9e378f9a0c
Opcode Fuzzy Hash: 75ac3c379a0ea55c02ec5561390ca75f97235fc9e24cb871206de7f619102097
Instruction Fuzzy Hash: A2B17B31A00209DFDB1ADFA8DC45BEE7BB8FB49714F11421AFA16A7290C7B0E854CB51

Function 00361A8F Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 284windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00361BC4
GetDesktopWindow.USER32 ref: 00361BD9
GetWindowRect.USER32(00000000), ref: 00361BE0
GetWindowLongW.USER32(?,000000F0), ref: 00361C35
DestroyWindow.USER32(?), ref: 00361C55
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,7FFFFFFD,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00361C89
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00361CA7
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00361CB9
SendMessageW.USER32(00000000,00000421,?,?), ref: 00361CCE
SendMessageW.USER32(00000000,0000041D,00000000,00000000), ref: 00361CE1
IsWindowVisible.USER32(00000000), ref: 00361D3D
SendMessageW.USER32(00000000,00000412,00000000,D8F0D8F0), ref: 00361D58
SendMessageW.USER32(00000000,00000411,00000001,00000030), ref: 00361D6C
GetWindowRect.USER32(00000000,?), ref: 00361D84
MonitorFromPoint.USER32(?,?,00000002), ref: 00361DAA
GetMonitorInfoW.USER32(00000000,?), ref: 00361DC4
CopyRect.USER32(?,?), ref: 00361DDB
SendMessageW.USER32(00000000,00000412,00000000), ref: 00361E46

Strings

0, xrefs: 00361B6F
tooltips_class32, xrefs: 00361C82
(, xrefs: 00361DB7

Memory Dump Source

Source File: 0000000C.00000002.1724187159.00000000002D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000C.00000002.1724077128.00000000002D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.000000000036D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.0000000000393000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724304889.000000000039D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724324748.00000000003A5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2d0000_Breakdown.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: 9d5c776acf7dd774f8cb38e0200b94720716ca2269fa410cdb37ce93324c160b
Instruction ID: df4d7055a9accc1a6bed7f53c0d3df5ebf94a66e6d70af3bccae593088f05f72
Opcode Fuzzy Hash: 9d5c776acf7dd774f8cb38e0200b94720716ca2269fa410cdb37ce93324c160b
Instruction Fuzzy Hash: 50B17A71608301AFD715DF64C884B6AFBE5FF84310F448919F99A9B2A1C771E854CBA2

Function 00360CDD Relevance: 35.4, APIs: 7, Strings: 13, Instructions: 391windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00360D81
_wcslen.LIBCMT ref: 00360DBB
_wcslen.LIBCMT ref: 00360E25
_wcslen.LIBCMT ref: 00360E8D
_wcslen.LIBCMT ref: 00360F11
SendMessageW.USER32(?,00001032,00000000,00000000), ref: 00360F61
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00360FA0

Part of subcall function 002EFD52: _wcslen.LIBCMT ref: 002EFD5D

Part of subcall function 00332B8C: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00332BA5
Part of subcall function 00332B8C: SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00332BD7

Strings

ISSELECTED, xrefs: 00360F79
GETSUBITEMCOUNT, xrefs: 00360E20, 00360E3B
GETTEXT, xrefs: 00360E88, 00360EA3
FINDITEM, xrefs: 003610C3
SELECTALL, xrefs: 00360FB1
SELECTCLEAR, xrefs: 00360FC9
GETSELECTED, xrefs: 0036107D
SELECT, xrefs: 00360FE4
GETITEMCOUNT, xrefs: 00360DB2, 00360DD3
VIEWCHANGE, xrefs: 00361111
SELECTINVERT, xrefs: 0036101A
GETSELECTEDCOUNT, xrefs: 00360F0C, 00360F27
DESELECT, xrefs: 00361038

Memory Dump Source

Source File: 0000000C.00000002.1724187159.00000000002D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000C.00000002.1724077128.00000000002D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.000000000036D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.0000000000393000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724304889.000000000039D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724324748.00000000003A5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2d0000_Breakdown.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
API String ID: 1103490817-719923060
Opcode ID: 54497185dc8207b016dad8f268dab836d039833c62093a6736fcf989ef784cff
Instruction ID: c41e2297405b36eea2c9239de436944024a9c78f50b1ea3a2f8e88ccaa476930
Opcode Fuzzy Hash: 54497185dc8207b016dad8f268dab836d039833c62093a6736fcf989ef784cff
Instruction Fuzzy Hash: 64E10E312182418FCB1ADF24C95287BB3E6FF89304B15892DF8969B3A5CB31ED45CB91

Function 003316D7 Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00331A45: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00331A60
Part of subcall function 00331A45: GetLastError.KERNEL32(?,00000000,00000000,?,?,003314E7,?,?,?), ref: 00331A6C
Part of subcall function 00331A45: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,003314E7,?,?,?), ref: 00331A7B
Part of subcall function 00331A45: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,003314E7,?,?,?), ref: 00331A82
Part of subcall function 00331A45: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00331A99

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00331741
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00331775
GetLengthSid.ADVAPI32(?), ref: 0033178C
GetAce.ADVAPI32(?,00000000,?), ref: 003317C6
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 003317E2
GetLengthSid.ADVAPI32(?), ref: 003317F9
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00331801
HeapAlloc.KERNEL32(00000000), ref: 00331808
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00331829
CopySid.ADVAPI32(00000000), ref: 00331830
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 0033185F
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00331881
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00331893
GetProcessHeap.KERNEL32(00000000,00000000), ref: 003318BA
HeapFree.KERNEL32(00000000), ref: 003318C1
GetProcessHeap.KERNEL32(00000000,00000000), ref: 003318CA
HeapFree.KERNEL32(00000000), ref: 003318D1
GetProcessHeap.KERNEL32(00000000,00000000), ref: 003318DA
HeapFree.KERNEL32(00000000), ref: 003318E1
GetProcessHeap.KERNEL32(00000000,?), ref: 003318ED
HeapFree.KERNEL32(00000000), ref: 003318F4

Part of subcall function 00331ADF: GetProcessHeap.KERNEL32(00000008,003314FD,?,00000000,?,003314FD,?), ref: 00331AED
Part of subcall function 00331ADF: HeapAlloc.KERNEL32(00000000,?,00000000,?,003314FD,?), ref: 00331AF4
Part of subcall function 00331ADF: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,003314FD,?), ref: 00331B03

Memory Dump Source

Source File: 0000000C.00000002.1724187159.00000000002D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000C.00000002.1724077128.00000000002D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.000000000036D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.0000000000393000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724304889.000000000039D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724324748.00000000003A5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2d0000_Breakdown.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: 6b97850dbda053f75d54edfdf8ae49bee26bb042cbb8a495ea29b4084006e599
Instruction ID: 02edd890b1670bf67693eab3543923059d67a8a81cca9ae7bb59acb393c060e0
Opcode Fuzzy Hash: 6b97850dbda053f75d54edfdf8ae49bee26bb042cbb8a495ea29b4084006e599
Instruction Fuzzy Hash: 21714BB2E00209AFDF12DFA5DC89FAEBBBCBF44350F158125F915AA190D7719A05CB60

Function 0035CE17 Relevance: 30.2, APIs: 11, Strings: 6, Instructions: 495registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0035CF1D
RegCreateKeyExW.ADVAPI32(?,?,00000000,0036DCD0,00000000,?,00000000,?,?), ref: 0035CFA4
RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 0035D004
_wcslen.LIBCMT ref: 0035D054
_wcslen.LIBCMT ref: 0035D0CF
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000001,?,?), ref: 0035D112
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 0035D221
RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 0035D2AD
RegCloseKey.ADVAPI32(?), ref: 0035D2E1
RegCloseKey.ADVAPI32(00000000), ref: 0035D2EE
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 0035D3C0

Strings

REG_DWORD, xrefs: 0035D264
REG_QWORD, xrefs: 0035D323
REG_SZ, xrefs: 0035D0A4
REG_MULTI_SZ, xrefs: 0035D155
REG_EXPAND_SZ, xrefs: 0035D02D
REG_BINARY, xrefs: 0035D373

Memory Dump Source

Source File: 0000000C.00000002.1724187159.00000000002D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000C.00000002.1724077128.00000000002D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.000000000036D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.0000000000393000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724304889.000000000039D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724324748.00000000003A5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2d0000_Breakdown.jbxd

Similarity

API ID: Value$Close$_wcslen$ConnectCreateRegistry
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 9721498-966354055
Opcode ID: 0f45e8c812df9c7f701e4743a744147c7c7e9d53110005a91f83d1bd2b6f3540
Instruction ID: 4e650c1a29faabeeba75ef0d9f8c319670252945cddbb65c949863499a32e7a2
Opcode Fuzzy Hash: 0f45e8c812df9c7f701e4743a744147c7c7e9d53110005a91f83d1bd2b6f3540
Instruction Fuzzy Hash: A51268356142019FCB26EF14C881E2AB7E5EF88714F15885DF98A9B3A2CB31ED45CF81

Function 003613BA Relevance: 30.1, APIs: 6, Strings: 11, Instructions: 372windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00361462
_wcslen.LIBCMT ref: 0036149D
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 003614F0
_wcslen.LIBCMT ref: 00361526
_wcslen.LIBCMT ref: 003615A2
_wcslen.LIBCMT ref: 0036161D

Part of subcall function 002EFD52: _wcslen.LIBCMT ref: 002EFD5D

Part of subcall function 00333535: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00333547

Strings

EXPAND, xrefs: 00361694
EXISTS, xrefs: 00361618, 00361633
ISCHECKED, xrefs: 0036177D
GETTOTALCOUNT, xrefs: 0036148E, 003614B3
CHECK, xrefs: 00361521, 0036153C
GETSELECTED, xrefs: 003616EA
UNCHECK, xrefs: 003617DA
SELECT, xrefs: 003617AD
GETITEMCOUNT, xrefs: 003616BA
GETTEXT, xrefs: 00361733
COLLAPSE, xrefs: 0036159D, 003615B8

Memory Dump Source

Source File: 0000000C.00000002.1724187159.00000000002D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000C.00000002.1724077128.00000000002D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.000000000036D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.0000000000393000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724304889.000000000039D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724324748.00000000003A5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2d0000_Breakdown.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 1103490817-4258414348
Opcode ID: 4c914d7184331204560839357bfdb376fd835ac956ff59b6d333559f2a52f9ef
Instruction ID: 933e45b3e15610d60754c8f961a8fa09da1f55858c9072005018a798b3c869f7
Opcode Fuzzy Hash: 4c914d7184331204560839357bfdb376fd835ac956ff59b6d333559f2a52f9ef
Instruction Fuzzy Hash: DFE1CB356183018FCB12EF25C49082AB7F6BF99314F19895DF8969B7A6CB30ED45CB81

Function 0035D3F8 Relevance: 30.0, APIs: 7, Strings: 10, Instructions: 242COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,0035C10E,?,?), ref: 0035D415
_wcslen.LIBCMT ref: 0035D451
_wcslen.LIBCMT ref: 0035D4C8
_wcslen.LIBCMT ref: 0035D4FE
_wcslen.LIBCMT ref: 0035D559
_wcslen.LIBCMT ref: 0035D58F
_wcslen.LIBCMT ref: 0035D5DF

Strings

HKEY_CURRENT_CONFIG, xrefs: 0035D5D9, 0035D5DE
HKEY_CURRENT_USER, xrefs: 0035D61D
HKLM, xrefs: 0035D4F8, 0035D4FD
HKCU, xrefs: 0035D62E
HKCC, xrefs: 0035D60C
HKU, xrefs: 0035D650
HKCR, xrefs: 0035D589, 0035D58E
HKEY_USERS, xrefs: 0035D63F
HKEY_CLASSES_ROOT, xrefs: 0035D553, 0035D558
HKEY_LOCAL_MACHINE, xrefs: 0035D4C2, 0035D4C7

Memory Dump Source

Source File: 0000000C.00000002.1724187159.00000000002D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000C.00000002.1724077128.00000000002D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.000000000036D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.0000000000393000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724304889.000000000039D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724324748.00000000003A5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2d0000_Breakdown.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 1256254125-909552448
Opcode ID: 18fa0b43d1ffa7b13f2d8e3859f9362f4f938d5cefc4f15fd59446d85fe818dd
Instruction ID: 89b1607259743dfcb3bf5d67f53e8db14c6211e83c6dd48b01f4ede63b4bd9e8
Opcode Fuzzy Hash: 18fa0b43d1ffa7b13f2d8e3859f9362f4f938d5cefc4f15fd59446d85fe818dd
Instruction Fuzzy Hash: 4471147261012A8BCF329F78CD10DBB33A5AB62356B620525EC569B2B4FB30DD5DC790

Function 00368D97 Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 196windowlibraryCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00368DB5
_wcslen.LIBCMT ref: 00368DC9
_wcslen.LIBCMT ref: 00368DEC
_wcslen.LIBCMT ref: 00368E0F
LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 00368E4D
LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,00366691), ref: 00368EA9
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00368EE2
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 00368F25
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00368F5C
FreeLibrary.KERNEL32(?), ref: 00368F68
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00368F78
DestroyIcon.USER32(?,?,?,?,?,00366691), ref: 00368F87
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00368FA4
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00368FB0

Strings

.exe, xrefs: 00368DE3
.dll, xrefs: 00368E06
.icl, xrefs: 00368DC3

Memory Dump Source

Source File: 0000000C.00000002.1724187159.00000000002D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000C.00000002.1724077128.00000000002D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.000000000036D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.0000000000393000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724304889.000000000039D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724324748.00000000003A5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2d0000_Breakdown.jbxd

Similarity

API ID: Load$Image_wcslen$IconLibraryMessageSend$DestroyExtractFree
String ID: .dll$.exe$.icl
API String ID: 799131459-1154884017
Opcode ID: c23a8eb5aa5c3fdba4c9b9af9b42dc2c0d65285fb81e7765e767d9fc6a528d76
Instruction ID: 7de32f319a0263d60d3c42d257c8c10659d5ee11a44527fba4aba7c9313a24b1
Opcode Fuzzy Hash: c23a8eb5aa5c3fdba4c9b9af9b42dc2c0d65285fb81e7765e767d9fc6a528d76
Instruction Fuzzy Hash: 6A61F071A10219BAEB16DF64DC45BBEB7ACAF08B10F108606F915DA1D1DFB19990CBA0

Function 003448BE Relevance: 28.2, APIs: 8, Strings: 8, Instructions: 205COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 0034493D
_wcslen.LIBCMT ref: 00344948
_wcslen.LIBCMT ref: 0034499F
_wcslen.LIBCMT ref: 003449DD
GetDriveTypeW.KERNEL32(?), ref: 00344A1B
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00344A63
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00344A9E
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00344ACC

Strings

type cdaudio alias cd wait, xrefs: 00344A46
close cd wait, xrefs: 00344AB7
wait, xrefs: 00344A89
open, xrefs: 00344999, 0034499E
close, xrefs: 00344943, 0034495D
closed, xrefs: 0034494D, 00344972, 0034498B, 003449C3, 003449DC
set cd door , xrefs: 00344A6D
open , xrefs: 00344A2A

Memory Dump Source

Source File: 0000000C.00000002.1724187159.00000000002D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000C.00000002.1724077128.00000000002D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.000000000036D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.0000000000393000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724304889.000000000039D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724324748.00000000003A5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2d0000_Breakdown.jbxd

Similarity

API ID: SendString_wcslen$BuffCharDriveLowerType
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 1839972693-4113822522
Opcode ID: aa4a21b9f03672ca57cd26d129621b33aa054255cc7a9a2be6aa8a250c72ea93
Instruction ID: e390be34ec156c8e29eecdfec1a0b37c3225c640c2865bbc58aea514439c0fdd
Opcode Fuzzy Hash: aa4a21b9f03672ca57cd26d129621b33aa054255cc7a9a2be6aa8a250c72ea93
Instruction Fuzzy Hash: 0A71D0725182019FC711EF24C840A6BB7E8EF94758F11492EF8969B3A1EB30ED45CF91

Function 00336382 Relevance: 27.2, APIs: 18, Instructions: 198windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 00336395
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 003363A7
SetWindowTextW.USER32(?,?), ref: 003363BE
GetDlgItem.USER32(?,000003EA), ref: 003363D3
SetWindowTextW.USER32(00000000,?), ref: 003363D9
GetDlgItem.USER32(?,000003E9), ref: 003363E9
SetWindowTextW.USER32(00000000,?), ref: 003363EF
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00336410
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 0033642A
GetWindowRect.USER32(?,?), ref: 00336433
_wcslen.LIBCMT ref: 0033649A
SetWindowTextW.USER32(?,?), ref: 003364D6
GetDesktopWindow.USER32 ref: 003364DC
GetWindowRect.USER32(00000000), ref: 003364E3
MoveWindow.USER32(?,?,00000080,00000000,?,00000000), ref: 0033653A
GetClientRect.USER32(?,?), ref: 00336547
PostMessageW.USER32(?,00000005,00000000,?), ref: 0033656C
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 00336596

Memory Dump Source

Source File: 0000000C.00000002.1724187159.00000000002D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000C.00000002.1724077128.00000000002D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.000000000036D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.0000000000393000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724304889.000000000039D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724324748.00000000003A5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2d0000_Breakdown.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer_wcslen
String ID:
API String ID: 895679908-0
Opcode ID: a9207eb6b0bc656063fb3fab2efba0b942c754e27e0d34e50f5431209f218607
Instruction ID: 2d4a3a33c5b60e49aefa31276e85c94a498144bd7a5600cac6914e3a86799852
Opcode Fuzzy Hash: a9207eb6b0bc656063fb3fab2efba0b942c754e27e0d34e50f5431209f218607
Instruction Fuzzy Hash: A4719531E00705AFDB22DFA9CD86B6EBBF9FF48704F108528E586A25A0D775E944CB50

Function 0035086B Relevance: 27.1, APIs: 18, Instructions: 128COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F89), ref: 00350884
LoadCursorW.USER32(00000000,00007F8A), ref: 0035088F
LoadCursorW.USER32(00000000,00007F00), ref: 0035089A
LoadCursorW.USER32(00000000,00007F03), ref: 003508A5
LoadCursorW.USER32(00000000,00007F8B), ref: 003508B0
LoadCursorW.USER32(00000000,00007F01), ref: 003508BB
LoadCursorW.USER32(00000000,00007F81), ref: 003508C6
LoadCursorW.USER32(00000000,00007F88), ref: 003508D1
LoadCursorW.USER32(00000000,00007F80), ref: 003508DC
LoadCursorW.USER32(00000000,00007F86), ref: 003508E7
LoadCursorW.USER32(00000000,00007F83), ref: 003508F2
LoadCursorW.USER32(00000000,00007F85), ref: 003508FD
LoadCursorW.USER32(00000000,00007F82), ref: 00350908
LoadCursorW.USER32(00000000,00007F84), ref: 00350913
LoadCursorW.USER32(00000000,00007F04), ref: 0035091E
LoadCursorW.USER32(00000000,00007F02), ref: 00350929
GetCursorInfo.USER32(?), ref: 00350939
GetLastError.KERNEL32 ref: 0035097B

Memory Dump Source

Source File: 0000000C.00000002.1724187159.00000000002D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000C.00000002.1724077128.00000000002D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.000000000036D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.0000000000393000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724304889.000000000039D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724324748.00000000003A5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2d0000_Breakdown.jbxd

Similarity

API ID: Cursor$Load$ErrorInfoLast
String ID:
API String ID: 3215588206-0
Opcode ID: 2b770c815dd47fa12babaa8d9d253777f25eb7881dbcd25073ca0b5cc4816dfd
Instruction ID: fa7846a8244be8dc4c3a23ced78fcb96c9b1035dcc6a22e40f92723e310d56dc
Opcode Fuzzy Hash: 2b770c815dd47fa12babaa8d9d253777f25eb7881dbcd25073ca0b5cc4816dfd
Instruction Fuzzy Hash: 144174B0D083196ADB109FBA8C85C5EBFE8FF04354B50452AE55CEB291DB78D801CF91

Function 00333A43 Relevance: 26.6, APIs: 8, Strings: 7, Instructions: 400COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00333AD9
_wcslen.LIBCMT ref: 00333B44

Strings

INSTANCE, xrefs: 00333D9F
TEXT, xrefs: 00333DC8
CLASS, xrefs: 00333AD4, 00333AF1
k9, xrefs: 00333CE6
REGEXPCLASS, xrefs: 00333BA1, 00333BB2
CLASSNN, xrefs: 00333B3F, 00333B50
NAME, xrefs: 00333C81, 00333C92

Memory Dump Source

Source File: 0000000C.00000002.1724187159.00000000002D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000C.00000002.1724077128.00000000002D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.000000000036D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.0000000000393000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724304889.000000000039D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724324748.00000000003A5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2d0000_Breakdown.jbxd

Similarity

API ID: _wcslen
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT$k9
API String ID: 176396367-1618864517
Opcode ID: b44494849cb4b9a55590532821bd3221631791f3eca2d928167283bbb6360bf3
Instruction ID: 2b154a41b44251eb2dc437a3b8bada8d91d8409bee3547fb64eef9ef3b727ebe
Opcode Fuzzy Hash: b44494849cb4b9a55590532821bd3221631791f3eca2d928167283bbb6360bf3
Instruction Fuzzy Hash: A1E1E432A005169BCF169FB4C8916EEFBB4BF14750F51C12AE456E7250EB30AE958B90

Function 00369B7A Relevance: 26.4, APIs: 10, Strings: 5, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 002D249F: GetWindowLongW.USER32(00000000,000000EB), ref: 002D24B0

DragQueryPoint.SHELL32(?,?), ref: 00369BA3

Part of subcall function 003680AE: ClientToScreen.USER32(?,?), ref: 003680D4
Part of subcall function 003680AE: GetWindowRect.USER32(?,?), ref: 0036814A
Part of subcall function 003680AE: PtInRect.USER32(?,?,?), ref: 0036815A

SendMessageW.USER32(?,000000B0,?,?), ref: 00369C0C
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 00369C17
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 00369C3A
SendMessageW.USER32(?,000000C2,00000001,?), ref: 00369C81
SendMessageW.USER32(?,000000B0,?,?), ref: 00369C9A
SendMessageW.USER32(?,000000B1,?,?), ref: 00369CB1
SendMessageW.USER32(?,000000B1,?,?), ref: 00369CD3
DragFinish.SHELL32(?), ref: 00369CDA
DefDlgProcW.USER32(?,00000233,?,00000000), ref: 00369DCD

Strings

@GUI_DRAGID, xrefs: 00369D45
(:, xrefs: 00369B8C
@GUI_DRAGFILE, xrefs: 00369D7C
(:, xrefs: 00369DAB
@GUI_DROPID, xrefs: 00369CFA

Memory Dump Source

Source File: 0000000C.00000002.1724187159.00000000002D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000C.00000002.1724077128.00000000002D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.000000000036D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.0000000000393000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724304889.000000000039D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724324748.00000000003A5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2d0000_Breakdown.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID$(:$(:
API String ID: 221274066-1496664964
Opcode ID: fcf57bf34cd5b616ae2c8f43d8d396da0026d4c8126962503b3e916dd28f20f6
Instruction ID: a8de37a577dd636528cafcd82cb3a9f823779f05d03593c541145e7d14bc31fc
Opcode Fuzzy Hash: fcf57bf34cd5b616ae2c8f43d8d396da0026d4c8126962503b3e916dd28f20f6
Instruction Fuzzy Hash: 07618B71508301AFC702EF64DC85EAFBBECEF89750F00491EF591962A1DB709A59CB52

Function 002F0436 Relevance: 26.3, APIs: 10, Strings: 5, Instructions: 81COMMON

Download Yara Rule

APIs

__scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 002F0436

Part of subcall function 002F045D: InitializeCriticalSectionAndSpinCount.KERNEL32(003A170C,00000FA0,C7EEB22C,?,?,?,?,00312733,000000FF), ref: 002F048C
Part of subcall function 002F045D: GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,00312733,000000FF), ref: 002F0497
Part of subcall function 002F045D: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,00312733,000000FF), ref: 002F04A8
Part of subcall function 002F045D: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 002F04BE
Part of subcall function 002F045D: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 002F04CC
Part of subcall function 002F045D: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 002F04DA
Part of subcall function 002F045D: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 002F0505
Part of subcall function 002F045D: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 002F0510

___scrt_fastfail.LIBCMT ref: 002F0457

Part of subcall function 002F0413: __onexit.LIBCMT ref: 002F0419

Strings

SleepConditionVariableCS, xrefs: 002F04C4
api-ms-win-core-synch-l1-2-0.dll, xrefs: 002F0492
WakeAllConditionVariable, xrefs: 002F04D2
kernel32.dll, xrefs: 002F04A3
InitializeConditionVariable, xrefs: 002F04B8

Memory Dump Source

Source File: 0000000C.00000002.1724187159.00000000002D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000C.00000002.1724077128.00000000002D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.000000000036D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.0000000000393000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724304889.000000000039D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724324748.00000000003A5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2d0000_Breakdown.jbxd

Similarity

API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
API String ID: 66158676-1714406822
Opcode ID: 1588335b4758c871133a3790817b2a1a5c894cb2ec975aa3bdef5a2c58e9c848
Instruction ID: 733be144fcc05b934e5e71dd2e3a55b5dc6a240534e33518e461d71ab7fd477a
Opcode Fuzzy Hash: 1588335b4758c871133a3790817b2a1a5c894cb2ec975aa3bdef5a2c58e9c848
Instruction Fuzzy Hash: 7721F936B50719ABD7272BA49C86BBAB799EB06BE1F044135FA05D7281DBF49C008E50

Function 00344F05 Relevance: 24.8, APIs: 7, Strings: 7, Instructions: 309COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(00000000,00000000,0036DCD0), ref: 00344F6C
_wcslen.LIBCMT ref: 00344F80
_wcslen.LIBCMT ref: 00344FDE
_wcslen.LIBCMT ref: 00345039
_wcslen.LIBCMT ref: 00345084
_wcslen.LIBCMT ref: 003450EC

Part of subcall function 002EFD52: _wcslen.LIBCMT ref: 002EFD5D

GetDriveTypeW.KERNEL32(?,00397C10,00000061), ref: 00345188

Strings

fixed, xrefs: 0034507A, 0034507F
network, xrefs: 003450E2, 003450E7
unknown, xrefs: 0034514D
all, xrefs: 00344F76, 00344F7B
ramdisk, xrefs: 00345136
cdrom, xrefs: 00344FD4, 00344FD9
removable, xrefs: 0034502F, 00345034

Memory Dump Source

Source File: 0000000C.00000002.1724187159.00000000002D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000C.00000002.1724077128.00000000002D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.000000000036D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.0000000000393000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724304889.000000000039D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724324748.00000000003A5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2d0000_Breakdown.jbxd

Similarity

API ID: _wcslen$BuffCharDriveLowerType
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2055661098-1000479233
Opcode ID: 8521f057b295063e797586291b656a3ee1b1e9f4347d622a6ea99c611bdc37fe
Instruction ID: 8aaac70d7c4efb409562c47bbd3d0f6f0eb2a6bdfb3f68dc5872489ec2195c3f
Opcode Fuzzy Hash: 8521f057b295063e797586291b656a3ee1b1e9f4347d622a6ea99c611bdc37fe
Instruction Fuzzy Hash: FDB10435A187029FC711EF28C890A6BB7E5BFA4720F51491EF5968B292D770EC44CB92

Function 0035BA59 Relevance: 24.4, APIs: 16, Instructions: 418processCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0035BBF8
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0035BC10
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0035BC34
_wcslen.LIBCMT ref: 0035BC60
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0035BC74
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0035BC96
_wcslen.LIBCMT ref: 0035BD92

Part of subcall function 00340F4E: GetStdHandle.KERNEL32(000000F6), ref: 00340F6D

_wcslen.LIBCMT ref: 0035BDAB
_wcslen.LIBCMT ref: 0035BDC6
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0035BE16
GetLastError.KERNEL32(00000000), ref: 0035BE67
CloseHandle.KERNEL32(?), ref: 0035BE99
CloseHandle.KERNEL32(00000000), ref: 0035BEAA
CloseHandle.KERNEL32(00000000), ref: 0035BEBC
CloseHandle.KERNEL32(00000000), ref: 0035BECE
CloseHandle.KERNEL32(?), ref: 0035BF43

Memory Dump Source

Source File: 0000000C.00000002.1724187159.00000000002D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000C.00000002.1724077128.00000000002D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.000000000036D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.0000000000393000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724304889.000000000039D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724324748.00000000003A5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2d0000_Breakdown.jbxd

Similarity

API ID: Handle$Close_wcslen$Directory$CurrentSystem$CreateErrorLastProcess
String ID:
API String ID: 2178637699-0
Opcode ID: 5784f3baf456890ee7af0661a113ff4c1285535817d775a1a749b1bd3ee890e1
Instruction ID: 9207e7b2d27dfba5ffc259af16f925ef6271dcbff79884d847518e545a6568f8
Opcode Fuzzy Hash: 5784f3baf456890ee7af0661a113ff4c1285535817d775a1a749b1bd3ee890e1
Instruction Fuzzy Hash: F8F19C716142409FC716EF24C891F6AFBE5AF84350F19855EF9898B2A2CB70EC49CF52

Function 00354A46 Relevance: 23.2, APIs: 11, Strings: 2, Instructions: 478libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,0036DCD0), ref: 00354B18
GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 00354B2A
GetModuleFileNameW.KERNEL32(?,?,00000104,?,?,?,0036DCD0), ref: 00354B4F
FreeLibrary.KERNEL32(00000000,?,0036DCD0), ref: 00354B9B
StringFromGUID2.OLE32(?,?,00000028,?,0036DCD0), ref: 00354C05
SysFreeString.OLEAUT32(00000009), ref: 00354CBF
QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 00354D25
SysFreeString.OLEAUT32(?), ref: 00354D4F

Strings

GetModuleHandleExW, xrefs: 00354B24
kernel32.dll, xrefs: 00354B13

Memory Dump Source

Source File: 0000000C.00000002.1724187159.00000000002D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000C.00000002.1724077128.00000000002D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.000000000036D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.0000000000393000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724304889.000000000039D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724324748.00000000003A5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2d0000_Breakdown.jbxd

Similarity

API ID: FreeString$Library$AddressFileFromLoadModuleNamePathProcQueryType
String ID: GetModuleHandleExW$kernel32.dll
API String ID: 354098117-199464113
Opcode ID: 5e6abfabdd52130d6bbdb40c7be712acdfd1e32cfedbd29cf6d7662e2f939132
Instruction ID: 05fa27a046b06129311abe7654b3095257dece20c91643931e335b90c22a41a3
Opcode Fuzzy Hash: 5e6abfabdd52130d6bbdb40c7be712acdfd1e32cfedbd29cf6d7662e2f939132
Instruction Fuzzy Hash: EA124071A00105EFDB19CF54C888EAEB7B9FF45319F258098F9099B261D771ED86CBA0

Function 002D381F Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 214windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32(003A29C0), ref: 00313F72
GetMenuItemCount.USER32(003A29C0), ref: 00314022
GetCursorPos.USER32(?), ref: 00314066
SetForegroundWindow.USER32(00000000), ref: 0031406F
TrackPopupMenuEx.USER32(003A29C0,00000000,?,00000000,00000000,00000000), ref: 00314082
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 0031408E

Strings

0, xrefs: 002D382D

Memory Dump Source

Source File: 0000000C.00000002.1724187159.00000000002D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000C.00000002.1724077128.00000000002D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.000000000036D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.0000000000393000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724304889.000000000039D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724324748.00000000003A5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2d0000_Breakdown.jbxd

Similarity

API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow
String ID: 0
API String ID: 36266755-4108050209
Opcode ID: 6b047d2256de095383ec478458693d721951220f410fd9958da91f24781bb0cc
Instruction ID: 67ed65281a88a88cccc2d50506cc1e9752315bb82fafaa9e98a21f6f46be65c2
Opcode Fuzzy Hash: 6b047d2256de095383ec478458693d721951220f410fd9958da91f24781bb0cc
Instruction Fuzzy Hash: 1E713871A04205BFEB269F29DC49FEABF68FF09364F104216F614AA2D0C7B19D60DB51

Function 00367711 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 194windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,?), ref: 00367823

Part of subcall function 002D8577: _wcslen.LIBCMT ref: 002D858A

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00367897
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 003678B9
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 003678CC
DestroyWindow.USER32(?), ref: 003678ED
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,002D0000,00000000), ref: 0036791C
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00367935
GetDesktopWindow.USER32 ref: 0036794E
GetWindowRect.USER32(00000000), ref: 00367955
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 0036796D
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00367985

Part of subcall function 002D2234: GetWindowLongW.USER32(?,000000EB), ref: 002D2242

Strings

0, xrefs: 003677D0
tooltips_class32, xrefs: 00367890, 00367915

Memory Dump Source

Source File: 0000000C.00000002.1724187159.00000000002D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000C.00000002.1724077128.00000000002D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.000000000036D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.0000000000393000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724304889.000000000039D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724324748.00000000003A5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2d0000_Breakdown.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_wcslen
String ID: 0$tooltips_class32
API String ID: 2429346358-3619404913
Opcode ID: 477b9879fff86595e2b9aae02bed075f407084f8716f40b0d4ab07b28f9fe7bc
Instruction ID: bc113ef059b3bc6c010e9a8cdd88354e4b0dfe1e757f44edab3b9298f467fffe
Opcode Fuzzy Hash: 477b9879fff86595e2b9aae02bed075f407084f8716f40b0d4ab07b28f9fe7bc
Instruction Fuzzy Hash: ED717C70504245AFD722CF18CC48F6BBBE9FB89704F958A5EF98587261C7B0E906CB11

Function 002D146D Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 168timeCOMMON

Download Yara Rule

APIs

Part of subcall function 002D1802: InvalidateRect.USER32(?,00000000,00000001,?,?,?,002D1488,?,00000000,?,?,?,?,002D145A,00000000,?), ref: 002D1865

DestroyWindow.USER32(?), ref: 002D1521
KillTimer.USER32(00000000,?,?,?,?,002D145A,00000000,?), ref: 002D15BB
DestroyAcceleratorTable.USER32(00000000), ref: 003129B4
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,00000000,?,?,?,?,002D145A,00000000,?), ref: 003129E2
ImageList_Destroy.COMCTL32(?,?,?,?,?,?,?,00000000,?,?,?,?,002D145A,00000000,?), ref: 003129F9
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,?,?,00000000,?,?,?,?,002D145A,00000000), ref: 00312A15
DeleteObject.GDI32(00000000), ref: 00312A27

Strings

<):, xrefs: 002D15E0

Memory Dump Source

Source File: 0000000C.00000002.1724187159.00000000002D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000C.00000002.1724077128.00000000002D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.000000000036D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.0000000000393000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724304889.000000000039D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724324748.00000000003A5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2d0000_Breakdown.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID: <):
API String ID: 641708696-1350206399
Opcode ID: b78e97b940ddcf30f04d20f66729b8ff8cb70746771821742756e2593354d1dd
Instruction ID: 8e191850807988c86bddd34c5228c042b3bfae9b355ec5c35ec0db4290e1b518
Opcode Fuzzy Hash: b78e97b940ddcf30f04d20f66729b8ff8cb70746771821742756e2593354d1dd
Instruction Fuzzy Hash: 0E615830621711EFDB3A9F18E948B2B77B5FB85722F51811AE44286A60C7B4ACB0DB41

Function 0034CEBB Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 143networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0034CEF5
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 0034CF08
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 0034CF1C
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 0034CF35
InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 0034CF78
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 0034CF8E
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0034CF99
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 0034CFC9
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 0034D021
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 0034D035
InternetCloseHandle.WININET(00000000), ref: 0034D040

Strings

, xrefs: 0034CFBA

Memory Dump Source

Source File: 0000000C.00000002.1724187159.00000000002D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000C.00000002.1724077128.00000000002D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.000000000036D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.0000000000393000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724304889.000000000039D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724324748.00000000003A5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2d0000_Breakdown.jbxd

Similarity

API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
String ID:
API String ID: 3800310941-3916222277
Opcode ID: 1b7492ccb0116633f484c5afd62fcf8df0c313d30775d916c4c983aa3a479731
Instruction ID: 3660b982268c101e12113a07e28140dc0241a3a16d60feb615e739eae9809ba8
Opcode Fuzzy Hash: 1b7492ccb0116633f484c5afd62fcf8df0c313d30775d916c4c983aa3a479731
Instruction Fuzzy Hash: CA519EB1600608BFDB229F61CC88AAB7BFCFF09744F00841AF9458B610D775E949AB61

Function 00368FCB Relevance: 22.6, APIs: 15, Instructions: 131filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,003666D6,?,?), ref: 00368FEE
GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,003666D6,?,?,00000000,?), ref: 00368FFE
GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,003666D6,?,?,00000000,?), ref: 00369009
CloseHandle.KERNEL32(00000000,?,?,?,?,003666D6,?,?,00000000,?), ref: 00369016
GlobalLock.KERNEL32(00000000), ref: 00369024
ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,?,?,003666D6,?,?,00000000,?), ref: 00369033
GlobalUnlock.KERNEL32(00000000), ref: 0036903C
CloseHandle.KERNEL32(00000000,?,?,?,?,003666D6,?,?,00000000,?), ref: 00369043
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,003666D6,?,?,00000000,?), ref: 00369054
OleLoadPicture.OLEAUT32(?,00000000,00000000,00370C04,?), ref: 0036906D
GlobalFree.KERNEL32(00000000), ref: 0036907D
GetObjectW.GDI32(00000000,00000018,?), ref: 0036909D
CopyImage.USER32(00000000,00000000,00000000,?,00002000), ref: 003690CD
DeleteObject.GDI32(00000000), ref: 003690F5
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 0036910B

Memory Dump Source

Source File: 0000000C.00000002.1724187159.00000000002D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000C.00000002.1724077128.00000000002D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.000000000036D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.0000000000393000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724304889.000000000039D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724324748.00000000003A5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2d0000_Breakdown.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: 66a4f899c6b290a180440f9f20b9e62ae4413f02ee19fe23e78fe0767d89d48a
Instruction ID: 1e0710f4b6aabe0f0d2a841d3dcba17d9ffc3e24097e23b1ae51c3784b1e0047
Opcode Fuzzy Hash: 66a4f899c6b290a180440f9f20b9e62ae4413f02ee19fe23e78fe0767d89d48a
Instruction Fuzzy Hash: E741F875A00208FFDB229F65DC88EAA7BBDFF89711F108459F905DB260DBB09941DB60

Function 0035C06E Relevance: 21.3, APIs: 10, Strings: 2, Instructions: 285registrylibraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 002DB329: _wcslen.LIBCMT ref: 002DB333

Part of subcall function 0035D3F8: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0035C10E,?,?), ref: 0035D415
Part of subcall function 0035D3F8: _wcslen.LIBCMT ref: 0035D451
Part of subcall function 0035D3F8: _wcslen.LIBCMT ref: 0035D4C8
Part of subcall function 0035D3F8: _wcslen.LIBCMT ref: 0035D4FE

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0035C154
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0035C1D2
RegDeleteValueW.ADVAPI32(?,?), ref: 0035C26A
RegCloseKey.ADVAPI32(?), ref: 0035C2DE
RegCloseKey.ADVAPI32(?), ref: 0035C2FC
LoadLibraryA.KERNEL32(advapi32.dll), ref: 0035C352
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 0035C364
RegDeleteKeyW.ADVAPI32(?,?), ref: 0035C382
FreeLibrary.KERNEL32(00000000), ref: 0035C3E3
RegCloseKey.ADVAPI32(00000000), ref: 0035C3F4

Strings

advapi32.dll, xrefs: 0035C34D
RegDeleteKeyExW, xrefs: 0035C35E

Memory Dump Source

Source File: 0000000C.00000002.1724187159.00000000002D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000C.00000002.1724077128.00000000002D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.000000000036D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.0000000000393000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724304889.000000000039D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724324748.00000000003A5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2d0000_Breakdown.jbxd

Similarity

API ID: _wcslen$Close$DeleteLibrary$AddressBuffCharConnectFreeLoadOpenProcRegistryUpperValue
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 146587525-4033151799
Opcode ID: ec4ebd5e044f5ab6f58c14b9bb665a3cced1aa840af9ea4c2f96bb6624792b26
Instruction ID: 755f0590053005a6f5f8b900ca9c360a4e256b36b1f20181461d5f26ee1b5833
Opcode Fuzzy Hash: ec4ebd5e044f5ab6f58c14b9bb665a3cced1aa840af9ea4c2f96bb6624792b26
Instruction Fuzzy Hash: 8AC15B34218301AFDB12DF14C494F2ABBE5AF84308F15949DE8568B7A2CB75ED4ACB91

Function 0036A94F Relevance: 21.3, APIs: 10, Strings: 2, Instructions: 271windowCOMMON

Download Yara Rule

APIs

Part of subcall function 002D249F: GetWindowLongW.USER32(00000000,000000EB), ref: 002D24B0

GetSystemMetrics.USER32(0000000F), ref: 0036A990
GetSystemMetrics.USER32(00000011), ref: 0036A9A7
GetSystemMetrics.USER32(00000004), ref: 0036A9B3
GetSystemMetrics.USER32(0000000F), ref: 0036A9C9
MoveWindow.USER32(00000003,?,?,00000001,?,00000000,?,00000000,?,00000000), ref: 0036AC15
SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 0036AC33
SendMessageW.USER32(00000003,00000469,?,00000000), ref: 0036AC54
ShowWindow.USER32(00000003,00000000), ref: 0036AC73
InvalidateRect.USER32(?,00000000,00000001), ref: 0036AC95
DefDlgProcW.USER32(?,00000005,?), ref: 0036ACBB

Strings

@, xrefs: 0036ABD0
(:, xrefs: 0036A95B

Memory Dump Source

Source File: 0000000C.00000002.1724187159.00000000002D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000C.00000002.1724077128.00000000002D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.000000000036D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.0000000000393000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724304889.000000000039D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724324748.00000000003A5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2d0000_Breakdown.jbxd

Similarity

API ID: MetricsSystem$Window$MessageSend$InvalidateLongMoveProcRectShow
String ID: @$(:
API String ID: 3962739598-4229495230
Opcode ID: 7745855f1a88bab899a0b0519f3bb83ce86dcd54c3f626446b5e258ae699633e
Instruction ID: 6523544d96deeaa3cbb741952de4e34678fb4d2e80658b621865a334372db162
Opcode Fuzzy Hash: 7745855f1a88bab899a0b0519f3bb83ce86dcd54c3f626446b5e258ae699633e
Instruction Fuzzy Hash: BBB17770600619DFCB16CF69C9887AE7BB2BF44701F19C069ED45AB299D770A980CF62

Function 0036976A Relevance: 21.2, APIs: 10, Strings: 2, Instructions: 221windowCOMMON

Download Yara Rule

APIs

Part of subcall function 002D249F: GetWindowLongW.USER32(00000000,000000EB), ref: 002D24B0

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 003697B6
GetFocus.USER32 ref: 003697C6
GetDlgCtrlID.USER32(00000000), ref: 003697D1
DefDlgProcW.USER32(?,00000111,?,?,00000000,?,?,?,?), ref: 00369879
GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 0036992B
GetMenuItemCount.USER32(?), ref: 00369948
GetMenuItemID.USER32(?,00000000), ref: 00369958
GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 0036998A
GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 003699CC
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 003699FD

Strings

(:, xrefs: 00369779
0, xrefs: 003698FB

Memory Dump Source

Source File: 0000000C.00000002.1724187159.00000000002D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000C.00000002.1724077128.00000000002D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.000000000036D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.0000000000393000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724304889.000000000039D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724324748.00000000003A5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2d0000_Breakdown.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow
String ID: 0$(:
API String ID: 1026556194-275786133
Opcode ID: 3e98fbecf2841f86a02f86dc77672108a4313ea29b6c9067932e915618dd778b
Instruction ID: a0d61f2d97e3b90881da88e1b945528deeb84b84b64d79250928cbebfb1a69d8
Opcode Fuzzy Hash: 3e98fbecf2841f86a02f86dc77672108a4313ea29b6c9067932e915618dd778b
Instruction Fuzzy Hash: 0081AC71A043119FD712CF24C884BABBBECFB89354F01892EF98597295DB70D905CBA2

Function 00352FB9 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 169windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00353035
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 00353045
CreateCompatibleDC.GDI32(?), ref: 00353051
SelectObject.GDI32(00000000,?), ref: 0035305E
StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 003530CA
GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 00353109
GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 0035312D
SelectObject.GDI32(?,?), ref: 00353135
DeleteObject.GDI32(?), ref: 0035313E
DeleteDC.GDI32(?), ref: 00353145
ReleaseDC.USER32(00000000,?), ref: 00353150

Strings

(, xrefs: 003530EA

Memory Dump Source

Source File: 0000000C.00000002.1724187159.00000000002D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000C.00000002.1724077128.00000000002D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.000000000036D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.0000000000393000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724304889.000000000039D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724324748.00000000003A5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2d0000_Breakdown.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: bdb44cd5404426f673536022e9976cf114822ef9b68860f56e2a1a14f6542d5d
Instruction ID: dd40f207eca03af592483a187003861bb98e44a2dd9d6ff31acdcd9a9426801d
Opcode Fuzzy Hash: bdb44cd5404426f673536022e9976cf114822ef9b68860f56e2a1a14f6542d5d
Instruction Fuzzy Hash: 4E61C375E00219EFCF15CFA4D884EAEBBB9FF48310F208519E956A7250D771AA51CF90

Function 003352AA Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 259COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000400), ref: 003352E6
GetWindowTextW.USER32(?,?,00000400), ref: 00335328
_wcslen.LIBCMT ref: 00335339
CharUpperBuffW.USER32(?,00000000), ref: 00335345
_wcsstr.LIBVCRUNTIME ref: 0033537A
GetClassNameW.USER32(00000018,?,00000400), ref: 003353B2
GetWindowTextW.USER32(?,?,00000400), ref: 003353EB
GetClassNameW.USER32(00000018,?,00000400), ref: 00335445
GetClassNameW.USER32(?,?,00000400), ref: 00335477
GetWindowRect.USER32(?,?), ref: 003354EF

Strings

ThumbnailClass, xrefs: 003353BD, 00335450

Memory Dump Source

Source File: 0000000C.00000002.1724187159.00000000002D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000C.00000002.1724077128.00000000002D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.000000000036D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.0000000000393000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724304889.000000000039D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724324748.00000000003A5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2d0000_Breakdown.jbxd

Similarity

API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen_wcsstr
String ID: ThumbnailClass
API String ID: 1311036022-1241985126
Opcode ID: 711e4f9462461efe0f303b3ea3946b33d3656c9e9b22bdd18876ddce40d15d21
Instruction ID: b6b479d2c65a85d55aed16d26522ea982e038f8e9567028daab14bcda788899f
Opcode Fuzzy Hash: 711e4f9462461efe0f303b3ea3946b33d3656c9e9b22bdd18876ddce40d15d21
Instruction Fuzzy Hash: 7D911171104B06AFDB0ACF24C8D4BAAB7A9FF05314F418529FA8A82191EB71FD55CB91

Function 0033C8F7 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 190windowsleepCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(003A29C0,000000FF,00000000,00000030), ref: 0033C973
SetMenuItemInfoW.USER32(003A29C0,00000004,00000000,00000030), ref: 0033C9A8
Sleep.KERNEL32(000001F4), ref: 0033C9BA
GetMenuItemCount.USER32(?), ref: 0033CA00
GetMenuItemID.USER32(?,00000000), ref: 0033CA1D
GetMenuItemID.USER32(?,-00000001), ref: 0033CA49
GetMenuItemID.USER32(?,?), ref: 0033CA90
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 0033CAD6
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 0033CAEB
SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 0033CB0C

Strings

0, xrefs: 0033C904

Memory Dump Source

Source File: 0000000C.00000002.1724187159.00000000002D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000C.00000002.1724077128.00000000002D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.000000000036D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.0000000000393000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724304889.000000000039D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724324748.00000000003A5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2d0000_Breakdown.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountRadioSleep
String ID: 0
API String ID: 1460738036-4108050209
Opcode ID: 57e82681184a1df4feb14931859a04d1eec0276d17cf39202cb0ccce96af6db3
Instruction ID: 7676c1216aa3b4d70aa67e90990066af618ac024cbb4d6cb6783a5e84659f88d
Opcode Fuzzy Hash: 57e82681184a1df4feb14931859a04d1eec0276d17cf39202cb0ccce96af6db3
Instruction Fuzzy Hash: B961AD70A20249AFDF12CFA8CCC9AEEBBB9FB06344F055015E952B7291D774AD10CB61

Function 0033E4C2 Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 178COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(?,?), ref: 0033E4D4
GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 0033E4FA
_wcslen.LIBCMT ref: 0033E504
_wcsstr.LIBVCRUNTIME ref: 0033E554
VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 0033E570

Strings

\VarFileInfo\Translation, xrefs: 0033E568
04090000, xrefs: 0033E5A6
DefaultLangCodepage, xrefs: 0033E5D3
%u.%u.%u.%u, xrefs: 0033E64E
StringFileInfo\, xrefs: 0033E543

Memory Dump Source

Source File: 0000000C.00000002.1724187159.00000000002D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000C.00000002.1724077128.00000000002D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.000000000036D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.0000000000393000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724304889.000000000039D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724324748.00000000003A5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2d0000_Breakdown.jbxd

Similarity

API ID: FileInfoVersion$QuerySizeValue_wcslen_wcsstr
String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
API String ID: 1939486746-1459072770
Opcode ID: 6fb368ff3db98c3c069314318155f3bfbc36d4f5f2aae10213cca60c4fd6eda8
Instruction ID: a284aaf8964428d85141a044537de72a271e6a074ab17eb531ee352d8cec7fbd
Opcode Fuzzy Hash: 6fb368ff3db98c3c069314318155f3bfbc36d4f5f2aae10213cca60c4fd6eda8
Instruction Fuzzy Hash: 46414872A1020C7AEB02AB648C87FFFB7ACDF55750F000075FA04A61C2EB74DA119BA5

Function 0035D694 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 104registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 0035D6C4
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000), ref: 0035D6ED
FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 0035D7A8

Part of subcall function 0035D694: RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 0035D70A
Part of subcall function 0035D694: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00000000), ref: 0035D71D
Part of subcall function 0035D694: GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 0035D72F
Part of subcall function 0035D694: FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 0035D765
Part of subcall function 0035D694: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 0035D788

RegDeleteKeyW.ADVAPI32(?,?), ref: 0035D753

Strings

advapi32.dll, xrefs: 0035D718
RegDeleteKeyExW, xrefs: 0035D729

Memory Dump Source

Source File: 0000000C.00000002.1724187159.00000000002D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000C.00000002.1724077128.00000000002D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.000000000036D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.0000000000393000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724304889.000000000039D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724324748.00000000003A5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2d0000_Breakdown.jbxd

Similarity

API ID: Library$EnumFree$AddressCloseDeleteLoadOpenProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2734957052-4033151799
Opcode ID: f919ef326ed4ffeeaa87abdf09844682724a74526b921983a20f966a888bd3fb
Instruction ID: f9446c1c1659c3785ccdcf79a2cda19b149d0304683917c0d33c81e5fc060c4e
Opcode Fuzzy Hash: f919ef326ed4ffeeaa87abdf09844682724a74526b921983a20f966a888bd3fb
Instruction Fuzzy Hash: 90316071E01129BBDB329F91DC88EFFBB7CEF46711F014165E806E2150DAB49E499AA0

Function 0033EFC7 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 0033EFCB

Part of subcall function 002EF215: timeGetTime.WINMM(?,?,0033EFEB), ref: 002EF219

Sleep.KERNEL32(0000000A), ref: 0033EFF8
EnumThreadWindows.USER32(?,Function_0006EF7C,00000000), ref: 0033F01C
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 0033F03E
SetActiveWindow.USER32 ref: 0033F05D
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 0033F06B
SendMessageW.USER32(00000010,00000000,00000000), ref: 0033F08A
Sleep.KERNEL32(000000FA), ref: 0033F095
IsWindow.USER32 ref: 0033F0A1
EndDialog.USER32(00000000), ref: 0033F0B2

Strings

BUTTON, xrefs: 0033F030

Memory Dump Source

Source File: 0000000C.00000002.1724187159.00000000002D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000C.00000002.1724077128.00000000002D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.000000000036D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.0000000000393000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724304889.000000000039D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724324748.00000000003A5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2d0000_Breakdown.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: e861159772442221cacfaf4f792fe38b99f4946c666f572bc41d7909bc7bf596
Instruction ID: 6a84f1017b4ab865f88a99e98c55991b6e8e063e6ca0fe08db2b723e8c5a602c
Opcode Fuzzy Hash: e861159772442221cacfaf4f792fe38b99f4946c666f572bc41d7909bc7bf596
Instruction Fuzzy Hash: 0921A575A00205BFE7136F34EDC9B26BB6DFB5B749F414025F505822B2CBB19C408A62

Function 0033F313 Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 71COMMON

Download Yara Rule

APIs

Part of subcall function 002DB329: _wcslen.LIBCMT ref: 002DB333

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 0033F374
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 0033F38A
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0033F39B
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 0033F3AD
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 0033F3BE

Strings

alias PlayMe, xrefs: 0033F34D
status PlayMe mode, xrefs: 0033F36F
close PlayMe, xrefs: 0033F385, 0033F3B2
play PlayMe, xrefs: 0033F3B9
open , xrefs: 0033F323
play PlayMe wait, xrefs: 0033F3A8

Memory Dump Source

Source File: 0000000C.00000002.1724187159.00000000002D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000C.00000002.1724077128.00000000002D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.000000000036D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.0000000000393000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724304889.000000000039D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724324748.00000000003A5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2d0000_Breakdown.jbxd

Similarity

API ID: SendString$_wcslen
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2420728520-1007645807
Opcode ID: 6fa12647a02fc954e60b0be95de2c8cd33a47c0470c03a2eeb98f4db082db48e
Instruction ID: a77a4176303a171742adccc79152e6b544de94361599acd99fd22c3fd278a807
Opcode Fuzzy Hash: 6fa12647a02fc954e60b0be95de2c8cd33a47c0470c03a2eeb98f4db082db48e
Instruction Fuzzy Hash: 1611C635A602697DDB22B765CC4AEFF6A7CEBD1B10F40042AF401E20D0DBA05D05C9B1

Function 00302FF3 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00303007

Part of subcall function 00302D38: RtlFreeHeap.NTDLL(00000000,00000000,?,0030DB51,003A1DC4,00000000,003A1DC4,00000000,?,0030DB78,003A1DC4,00000007,003A1DC4,?,0030DF75,003A1DC4), ref: 00302D4E
Part of subcall function 00302D38: GetLastError.KERNEL32(003A1DC4,?,0030DB51,003A1DC4,00000000,003A1DC4,00000000,?,0030DB78,003A1DC4,00000007,003A1DC4,?,0030DF75,003A1DC4,003A1DC4), ref: 00302D60

_free.LIBCMT ref: 00303013
_free.LIBCMT ref: 0030301E
_free.LIBCMT ref: 00303029
_free.LIBCMT ref: 00303034
_free.LIBCMT ref: 0030303F
_free.LIBCMT ref: 0030304A
_free.LIBCMT ref: 00303055
_free.LIBCMT ref: 00303060
_free.LIBCMT ref: 0030306E

Strings

&7, xrefs: 00302FFE

Memory Dump Source

Source File: 0000000C.00000002.1724187159.00000000002D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000C.00000002.1724077128.00000000002D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.000000000036D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.0000000000393000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724304889.000000000039D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724324748.00000000003A5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2d0000_Breakdown.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID: &7
API String ID: 776569668-2672997047
Opcode ID: 6a9dd36ac4a16630d09f3763643abc5f6594af4ff8bf694ded0ff7c87eaa8231
Instruction ID: fec92ddfeecb28afa038ce16b0da4c24cfdc889b1eb2d4cd0541fa23b790f761
Opcode Fuzzy Hash: 6a9dd36ac4a16630d09f3763643abc5f6594af4ff8bf694ded0ff7c87eaa8231
Instruction Fuzzy Hash: FC11CB76502108BFCB02EF54C856CDE3B79FF05350B8144A5F9189F172D631DE51AB54

Function 0033A958 Relevance: 18.2, APIs: 12, Instructions: 188keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 0033A9D9
SetKeyboardState.USER32(?), ref: 0033AA44
GetAsyncKeyState.USER32(000000A0), ref: 0033AA64
GetKeyState.USER32(000000A0), ref: 0033AA7B
GetAsyncKeyState.USER32(000000A1), ref: 0033AAAA
GetKeyState.USER32(000000A1), ref: 0033AABB
GetAsyncKeyState.USER32(00000011), ref: 0033AAE7
GetKeyState.USER32(00000011), ref: 0033AAF5
GetAsyncKeyState.USER32(00000012), ref: 0033AB1E
GetKeyState.USER32(00000012), ref: 0033AB2C
GetAsyncKeyState.USER32(0000005B), ref: 0033AB55
GetKeyState.USER32(0000005B), ref: 0033AB63

Memory Dump Source

Source File: 0000000C.00000002.1724187159.00000000002D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000C.00000002.1724077128.00000000002D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.000000000036D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.0000000000393000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724304889.000000000039D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724324748.00000000003A5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2d0000_Breakdown.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 5c002cf0d530a7dfe15382f802fd70d8f8dc4fb805fb7dec87ebafcf8ae07344
Instruction ID: ce65addfc6d8553198091f12b90e83337d3568c8652f1a585b1225287ff17094
Opcode Fuzzy Hash: 5c002cf0d530a7dfe15382f802fd70d8f8dc4fb805fb7dec87ebafcf8ae07344
Instruction Fuzzy Hash: A551F820A04BC829FB37D7608990BEAFFB99F12340F0A4599C5C25B1C2DB549B4CC763

Function 0033662D Relevance: 18.2, APIs: 12, Instructions: 173COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 00336649
GetWindowRect.USER32(00000000,?), ref: 00336662
MoveWindow.USER32(?,0000000A,00000004,?,?,00000004,00000000), ref: 003366C0
GetDlgItem.USER32(?,00000002), ref: 003366D0
GetWindowRect.USER32(00000000,?), ref: 003366E2
MoveWindow.USER32(?,?,00000004,00000000,?,00000004,00000000), ref: 00336736
GetDlgItem.USER32(?,000003E9), ref: 00336744
GetWindowRect.USER32(00000000,?), ref: 00336756
MoveWindow.USER32(?,0000000A,00000000,?,00000004,00000000), ref: 00336798
GetDlgItem.USER32(?,000003EA), ref: 003367AB
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 003367C1
InvalidateRect.USER32(?,00000000,00000001), ref: 003367CE

Memory Dump Source

Source File: 0000000C.00000002.1724187159.00000000002D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000C.00000002.1724077128.00000000002D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.000000000036D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.0000000000393000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724304889.000000000039D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724324748.00000000003A5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2d0000_Breakdown.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: f3d6a7430c0dbfe669c36c18417f0e7e8fed396ee90d54439ec089ad837fb06f
Instruction ID: b7f2e6761002d980498e8c912d54a3c1dc3c6d9b80ff4aa552f962ff118eddea
Opcode Fuzzy Hash: f3d6a7430c0dbfe669c36c18417f0e7e8fed396ee90d54439ec089ad837fb06f
Instruction Fuzzy Hash: D0511EB1F00205AFDF19CF68DD9AAAEBBB9FB48314F518129F919E7290D7709D048B50

Function 002D2128 Relevance: 18.1, APIs: 12, Instructions: 137COMMON

Download Yara Rule

APIs

Part of subcall function 002D2234: GetWindowLongW.USER32(?,000000EB), ref: 002D2242

GetSysColor.USER32(0000000F), ref: 002D2152

Memory Dump Source

Source File: 0000000C.00000002.1724187159.00000000002D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000C.00000002.1724077128.00000000002D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.000000000036D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.0000000000393000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724304889.000000000039D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724324748.00000000003A5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2d0000_Breakdown.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: a8d9b6d0a86bcb9ae526dd11192daf4b8e25ceb439a734b51da78c6ba14bb49f
Instruction ID: c5de2b6c9e892d59ec487c718d397afe0bdde3f6d148e2cc02d6e4b5989e56cd
Opcode Fuzzy Hash: a8d9b6d0a86bcb9ae526dd11192daf4b8e25ceb439a734b51da78c6ba14bb49f
Instruction Fuzzy Hash: A6410631610240EFDB255F388C48BB93B69AB67330F158206FAA6872E2C7B1CD56DB10

Function 002D13A6 Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 155windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,?,00000010,00000010,00000010), ref: 003128D1
ExtractIconExW.SHELL32(?,?,00000000,00000000,00000001), ref: 003128EA
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 003128FA
ExtractIconExW.SHELL32(?,?,?,00000000,00000001), ref: 00312912
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 00312933
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,002D11F5,00000000,00000000,00000000,000000FF,00000000), ref: 00312942
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 0031295F
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,002D11F5,00000000,00000000,00000000,000000FF,00000000), ref: 0031296E

Strings

(:, xrefs: 00312885

Memory Dump Source

Source File: 0000000C.00000002.1724187159.00000000002D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000C.00000002.1724077128.00000000002D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.000000000036D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.0000000000393000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724304889.000000000039D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724324748.00000000003A5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2d0000_Breakdown.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend
String ID: (:
API String ID: 1268354404-2137056132
Opcode ID: 56ecfd21067d9d63d7cd8e8db1686ebe2ab33785d9ae7532c1e88b533ff5cf95
Instruction ID: d9d60c37edfc1ad9bdba9ab5432af426ac441141169ef492f8736d63b68c3188
Opcode Fuzzy Hash: 56ecfd21067d9d63d7cd8e8db1686ebe2ab33785d9ae7532c1e88b533ff5cf95
Instruction Fuzzy Hash: 64515930A10205AFDB26DF29CC45BAB7BB9EB58720F108519F942966A0D7B0EDB0DB50

Function 0036955E Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 149windowCOMMON

Download Yara Rule

APIs

Part of subcall function 002D249F: GetWindowLongW.USER32(00000000,000000EB), ref: 002D24B0

Part of subcall function 002D19CD: GetCursorPos.USER32(?), ref: 002D19E1
Part of subcall function 002D19CD: ScreenToClient.USER32(00000000,?), ref: 002D19FE
Part of subcall function 002D19CD: GetAsyncKeyState.USER32(00000001), ref: 002D1A23
Part of subcall function 002D19CD: GetAsyncKeyState.USER32(00000002), ref: 002D1A3D

ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?), ref: 003695C7
ImageList_EndDrag.COMCTL32 ref: 003695CD
ReleaseCapture.USER32 ref: 003695D3
SetWindowTextW.USER32(?,00000000), ref: 0036966E
SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 00369681
DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?), ref: 0036975B

Strings

(:, xrefs: 00369728
@GUI_DRAGFILE, xrefs: 003696F6
(:, xrefs: 0036956D
@GUI_DROPID, xrefs: 003696AD

Memory Dump Source

Source File: 0000000C.00000002.1724187159.00000000002D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000C.00000002.1724077128.00000000002D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.000000000036D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.0000000000393000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724304889.000000000039D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724324748.00000000003A5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2d0000_Breakdown.jbxd

Similarity

API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
String ID: @GUI_DRAGFILE$@GUI_DROPID$(:$(:
API String ID: 1924731296-460802257
Opcode ID: 735ff5d084f03801ff9daad8a0a577810e788d3bc84bc5ba5aa25f9125dd8d77
Instruction ID: eebf16cd2022b6d43efbdb8952b6acb0464a2d540a43138327add5cba467028d
Opcode Fuzzy Hash: 735ff5d084f03801ff9daad8a0a577810e788d3bc84bc5ba5aa25f9125dd8d77
Instruction Fuzzy Hash: 04516B74614304AFD706EF14CC56BAA77E8FB88714F40462EF996962E2CB709D18CB52

Function 0033A05C Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000000,00000001,00000000,?,00320D31,00000001,0000138C,00000001,00000000,00000001,?,0034EEAE,003A2430), ref: 0033A091
LoadStringW.USER32(00000000,?,00320D31,00000001), ref: 0033A09A

Part of subcall function 002DB329: _wcslen.LIBCMT ref: 002DB333

GetModuleHandleW.KERNEL32(00000000,00000001,?,00000FFF,?,?,00320D31,00000001,0000138C,00000001,00000000,00000001,?,0034EEAE,003A2430,?), ref: 0033A0BC
LoadStringW.USER32(00000000,?,00320D31,00000001), ref: 0033A0BF
MessageBoxW.USER32(00000000,?,?,00011010), ref: 0033A1E0

Strings

%s (%d) : ==> %s: %s %s, xrefs: 0033A1C4
Error: , xrefs: 0033A197
^ ERROR, xrefs: 0033A175
Line %d:, xrefs: 0033A11A
Line %d (File "%s"):, xrefs: 0033A109

Memory Dump Source

Source File: 0000000C.00000002.1724187159.00000000002D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000C.00000002.1724077128.00000000002D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.000000000036D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.0000000000393000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724304889.000000000039D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724324748.00000000003A5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2d0000_Breakdown.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wcslen
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 747408836-2268648507
Opcode ID: 6d9d4e924f057bf27a72eac61b81f49e446ed4fe0cfb62107aab630d57ff0977
Instruction ID: e896241b05c2f20ded3c6b2a8124058553947ae5b576b33018e5683ed357ff87
Opcode Fuzzy Hash: 6d9d4e924f057bf27a72eac61b81f49e446ed4fe0cfb62107aab630d57ff0977
Instruction Fuzzy Hash: DF414C72910209AACF06FBE0DD96DEEB778AF18300F500066F501B6192EB756F59CFA1

Function 00330FCF Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 127registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 002D8577: _wcslen.LIBCMT ref: 002D858A

WNetAddConnection2W.MPR(?,?,?,00000000), ref: 00331093
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 003310AF
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 003310CB
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 003310F5
CLSIDFromString.OLE32(?,000001FE,?,SOFTWARE\Classes\), ref: 0033111D
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00331128
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 0033112D

Strings

\CLSID, xrefs: 00331015
SOFTWARE\Classes\, xrefs: 00330FFF
\IPC$, xrefs: 00331075

Memory Dump Source

Source File: 0000000C.00000002.1724187159.00000000002D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000C.00000002.1724077128.00000000002D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.000000000036D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.0000000000393000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724304889.000000000039D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724324748.00000000003A5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2d0000_Breakdown.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_wcslen
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 323675364-22481851
Opcode ID: b650ed941a27dce99fe9fe3bfa91f6a157dc961053b7186848288e5aaede8c53
Instruction ID: d13fcfff4762d28eb973e48e585813d051d230605fbe59de38b6f30632c88253
Opcode Fuzzy Hash: b650ed941a27dce99fe9fe3bfa91f6a157dc961053b7186848288e5aaede8c53
Instruction Fuzzy Hash: F641F872C10229EBCF26EBA4DC95DEEB778BF08750F41416AE901A3261EB719E15CF50

Function 00364A34 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 00364AD9
CreateCompatibleDC.GDI32(00000000), ref: 00364AE0
SendMessageW.USER32(?,00000173,00000000,00000000), ref: 00364AF3
SelectObject.GDI32(00000000,00000000), ref: 00364AFB
GetPixel.GDI32(00000000,00000000,00000000), ref: 00364B06
DeleteDC.GDI32(00000000), ref: 00364B10
GetWindowLongW.USER32(?,000000EC), ref: 00364B1A
SetLayeredWindowAttributes.USER32(?,?,00000000,00000001,?,00000000,?), ref: 00364B30
DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?), ref: 00364B3C

Strings

static, xrefs: 00364A71

Memory Dump Source

Source File: 0000000C.00000002.1724187159.00000000002D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000C.00000002.1724077128.00000000002D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.000000000036D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.0000000000393000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724304889.000000000039D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724324748.00000000003A5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2d0000_Breakdown.jbxd

Similarity

API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
String ID: static
API String ID: 2559357485-2160076837
Opcode ID: 19d6dac17f71e047f7fb34b2df7c9ea30898aa45a565ebc77c1dce52dd434f81
Instruction ID: 91eb2d97648256f79014171b99b9ae36ce98b27358e3f5feef08f4b5053e9745
Opcode Fuzzy Hash: 19d6dac17f71e047f7fb34b2df7c9ea30898aa45a565ebc77c1dce52dd434f81
Instruction Fuzzy Hash: 1C311A71A00215BBDF129FA5DC08FDA3BADEF0D364F118211FA55A61A0C7B5D850DBA4

Function 0035468D Relevance: 16.8, APIs: 11, Instructions: 344fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 003546B9
CoInitialize.OLE32(00000000), ref: 003546E7
CoUninitialize.OLE32 ref: 003546F1
_wcslen.LIBCMT ref: 0035478A
GetRunningObjectTable.OLE32(00000000,?), ref: 0035480E
SetErrorMode.KERNEL32(00000001,00000029), ref: 00354932
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,?), ref: 0035496B
CoGetObject.OLE32(?,00000000,00370B64,?), ref: 0035498A
SetErrorMode.KERNEL32(00000000), ref: 0035499D
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00354A21
VariantClear.OLEAUT32(?), ref: 00354A35

Memory Dump Source

Source File: 0000000C.00000002.1724187159.00000000002D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000C.00000002.1724077128.00000000002D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.000000000036D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.0000000000393000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724304889.000000000039D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724324748.00000000003A5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2d0000_Breakdown.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize_wcslen
String ID:
API String ID: 429561992-0
Opcode ID: fe2472023384deec288f1c66737af3e07162c26156dea442d2c1b35cdf9e5a92
Instruction ID: ca2bf2d8765da170b89c6a4c33b3d519bb4ff58e3c97ff95ac6ae90d41465b77
Opcode Fuzzy Hash: fe2472023384deec288f1c66737af3e07162c26156dea442d2c1b35cdf9e5a92
Instruction Fuzzy Hash: 2BC11171608301AF8706DF68C884D6BB7E9AF89749F10491DF9899B220DB71ED49CB52

Function 003484DB Relevance: 16.8, APIs: 11, Instructions: 298comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00348538
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 003485D4
SHGetDesktopFolder.SHELL32(?), ref: 003485E8
CoCreateInstance.OLE32(00370CD4,00000000,00000001,00397E8C,?), ref: 00348634
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 003486B9
CoTaskMemFree.OLE32(?,?), ref: 00348711
SHBrowseForFolderW.SHELL32(?), ref: 0034879C
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 003487BF
CoTaskMemFree.OLE32(00000000), ref: 003487C6
CoTaskMemFree.OLE32(00000000), ref: 0034881B
CoUninitialize.OLE32 ref: 00348821

Memory Dump Source

Source File: 0000000C.00000002.1724187159.00000000002D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000C.00000002.1724077128.00000000002D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.000000000036D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.0000000000393000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724304889.000000000039D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724324748.00000000003A5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2d0000_Breakdown.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
String ID:
API String ID: 2762341140-0
Opcode ID: 7ee9fca5d60f6aa9106a95f7772fbbf77835307bf6bbae0cfa006788daa079cd
Instruction ID: d25d54cfca5d140b445cf84e6331108267d34431622b7dd560b46619963b621d
Opcode Fuzzy Hash: 7ee9fca5d60f6aa9106a95f7772fbbf77835307bf6bbae0cfa006788daa079cd
Instruction Fuzzy Hash: 52C11A75A00109AFCB15DFA4C898DAEBBF9FF48304B158499E5199B361DB30ED45CF90

Function 00330378 Relevance: 16.6, APIs: 11, Instructions: 122memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 0033039F
SafeArrayAllocData.OLEAUT32(?), ref: 003303F8
VariantInit.OLEAUT32(?), ref: 0033040A
SafeArrayAccessData.OLEAUT32(?,?), ref: 0033042A
VariantCopy.OLEAUT32(?,?), ref: 0033047D
SafeArrayUnaccessData.OLEAUT32(?), ref: 00330491
VariantClear.OLEAUT32(?), ref: 003304A6
SafeArrayDestroyData.OLEAUT32(?), ref: 003304B3
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 003304BC
VariantClear.OLEAUT32(?), ref: 003304CE
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 003304D9

Memory Dump Source

Source File: 0000000C.00000002.1724187159.00000000002D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000C.00000002.1724077128.00000000002D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.000000000036D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.0000000000393000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724304889.000000000039D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724324748.00000000003A5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2d0000_Breakdown.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: 52d1b5e6d2f0cd6b3b3056ec9546e12a3830020ee853d187517e9f471d43b2e1
Instruction ID: f9932ad2d5d5df07021c3e989fe5778eab390886580144caa5a1d8b4aea76000
Opcode Fuzzy Hash: 52d1b5e6d2f0cd6b3b3056ec9546e12a3830020ee853d187517e9f471d43b2e1
Instruction Fuzzy Hash: 80416035E002199FCB06DF65D8949AEBBB9EF08354F018065E915AB261CB70AE45CFA0

Function 0033A635 Relevance: 16.6, APIs: 11, Instructions: 119keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 0033A65D
GetAsyncKeyState.USER32(000000A0), ref: 0033A6DE
GetKeyState.USER32(000000A0), ref: 0033A6F9
GetAsyncKeyState.USER32(000000A1), ref: 0033A713
GetKeyState.USER32(000000A1), ref: 0033A728
GetAsyncKeyState.USER32(00000011), ref: 0033A740
GetKeyState.USER32(00000011), ref: 0033A752
GetAsyncKeyState.USER32(00000012), ref: 0033A76A
GetKeyState.USER32(00000012), ref: 0033A77C
GetAsyncKeyState.USER32(0000005B), ref: 0033A794
GetKeyState.USER32(0000005B), ref: 0033A7A6

Memory Dump Source

Source File: 0000000C.00000002.1724187159.00000000002D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000C.00000002.1724077128.00000000002D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.000000000036D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.0000000000393000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724304889.000000000039D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724324748.00000000003A5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2d0000_Breakdown.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 3022922ce2d20735908339734cdf0cb37b114c6897b5c0fa5ea8f8292b8ea986
Instruction ID: 3a4ec9abbbfac7c8678bb558a49bbaf7deca9660899894569ce22af20ad241d5
Opcode Fuzzy Hash: 3022922ce2d20735908339734cdf0cb37b114c6897b5c0fa5ea8f8292b8ea986
Instruction Fuzzy Hash: 9441C874604FC96DFF3396A084C53A5BEF46B11344F09805DD6C64A5C2EBD499C4CB93

Function 00359730 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 193COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,00000000,?), ref: 00359750

Part of subcall function 00339805: _wcslen.LIBCMT ref: 00339828

_wcslen.LIBCMT ref: 003597AB
_wcslen.LIBCMT ref: 003597F9
_wcslen.LIBCMT ref: 00359839
_wcslen.LIBCMT ref: 003598CB

Strings

none, xrefs: 003598C2, 003598C7
cdecl, xrefs: 003597A5, 003597AA
winapi, xrefs: 003597F3, 003597F8
stdcall, xrefs: 00359833, 00359838

Memory Dump Source

Source File: 0000000C.00000002.1724187159.00000000002D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000C.00000002.1724077128.00000000002D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.000000000036D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.0000000000393000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724304889.000000000039D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724324748.00000000003A5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2d0000_Breakdown.jbxd

Similarity

API ID: _wcslen$BuffCharLower
String ID: cdecl$none$stdcall$winapi
API String ID: 707087890-567219261
Opcode ID: dc06f3146265bbc58a0c08914fdaef17d4f89a1abaae8702e12132d2eac36bd5
Instruction ID: 0dd60233fed4b10c7db372be80edb826bf612349afa2fe1018e5a51dc3a86bd6
Opcode Fuzzy Hash: dc06f3146265bbc58a0c08914fdaef17d4f89a1abaae8702e12132d2eac36bd5
Instruction Fuzzy Hash: BB51B331A10116DBCF15DF68C950EBEB3A5AF59361B22422BEC26EB3A4D731DD44CB90

Function 00354189 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 187comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32 ref: 003541D1
CoUninitialize.OLE32 ref: 003541DC
CoCreateInstance.OLE32(?,00000000,00000017,00370B44,?), ref: 00354236
IIDFromString.OLE32(?,?), ref: 003542A9
VariantInit.OLEAUT32(?), ref: 00354341
VariantClear.OLEAUT32(?), ref: 00354393

Strings

Failed to create object, xrefs: 00354241, 003542F7
NULL Pointer assignment, xrefs: 0035427B
Invalid parameter, xrefs: 003542C2

Memory Dump Source

Source File: 0000000C.00000002.1724187159.00000000002D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000C.00000002.1724077128.00000000002D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.000000000036D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.0000000000393000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724304889.000000000039D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724324748.00000000003A5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2d0000_Breakdown.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 636576611-1287834457
Opcode ID: ba89467c84558af80e2a7fe5ae64288a24ecdd0a15676f17667b107a50cec4c1
Instruction ID: 8912e5036db66d98da1824c309bd9f7dff3d89e054b40489add9db470be49e1b
Opcode Fuzzy Hash: ba89467c84558af80e2a7fe5ae64288a24ecdd0a15676f17667b107a50cec4c1
Instruction Fuzzy Hash: 7361B2706087119FC716DF64C888F5EB7E8EF89719F004909F9859B2A1CB70ED88CB92

Function 00348BDA Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 186timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00348C9C
SystemTimeToFileTime.KERNEL32(?,?), ref: 00348CAC
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00348CB8
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00348D55
SetCurrentDirectoryW.KERNEL32(?), ref: 00348D69
SetCurrentDirectoryW.KERNEL32(?), ref: 00348D9B
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 00348DD1
SetCurrentDirectoryW.KERNEL32(?), ref: 00348DDA

Strings

*.*, xrefs: 00348DE0

Memory Dump Source

Source File: 0000000C.00000002.1724187159.00000000002D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000C.00000002.1724077128.00000000002D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.000000000036D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.0000000000393000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724304889.000000000039D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724324748.00000000003A5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2d0000_Breakdown.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local$System
String ID: *.*
API String ID: 1464919966-438819550
Opcode ID: 31f17072c7aafd45270a0cbd4569527428fedd0c05bb719ba9032a0661f499b1
Instruction ID: cc50033bd2cf4fc29a9e5a145effcc658ce74254e45c32bbc48f889a8d54235c
Opcode Fuzzy Hash: 31f17072c7aafd45270a0cbd4569527428fedd0c05bb719ba9032a0661f499b1
Instruction Fuzzy Hash: 546149765183059FCB11EF60C8859AEB3E8FF99310F04492AF9898B251DB31ED55CF92

Function 003646E2 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 101windowCOMMON

Download Yara Rule

APIs

CreateMenu.USER32 ref: 00364715
SetMenu.USER32(?,00000000), ref: 00364724
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 003647AC
IsMenu.USER32(?), ref: 003647C0
CreatePopupMenu.USER32 ref: 003647CA
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 003647F7
DrawMenuBar.USER32 ref: 003647FF

Strings

0, xrefs: 003646F0
F, xrefs: 003647EA

Memory Dump Source

Source File: 0000000C.00000002.1724187159.00000000002D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000C.00000002.1724077128.00000000002D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.000000000036D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.0000000000393000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724304889.000000000039D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724324748.00000000003A5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2d0000_Breakdown.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup
String ID: 0$F
API String ID: 161812096-3044882817
Opcode ID: 6a0afb03c63a7de3ae2e556f4517cd9640aabbb0cb1d9182eb6bac5179f45205
Instruction ID: 1fafcd2e55ef1f99bf8c2e38177ed97974b335acf4bf1902cf34cb808f2734bd
Opcode Fuzzy Hash: 6a0afb03c63a7de3ae2e556f4517cd9640aabbb0cb1d9182eb6bac5179f45205
Instruction Fuzzy Hash: C0417875A0130AEFDB16CF64D884EAA7BBAFF0A314F148029FA4697360D771A914CF50

Function 0033282C Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 002DB329: _wcslen.LIBCMT ref: 002DB333

Part of subcall function 003345FD: GetClassNameW.USER32(?,?,000000FF), ref: 00334620

SendMessageW.USER32(?,0000018C,000000FF,00020000), ref: 003328B1
GetDlgCtrlID.USER32 ref: 003328BC
GetParent.USER32 ref: 003328D8
SendMessageW.USER32(00000000,?,00000111,?), ref: 003328DB
GetDlgCtrlID.USER32(?), ref: 003328E4
GetParent.USER32(?), ref: 003328F8
SendMessageW.USER32(00000000,?,00000111,?), ref: 003328FB

Strings

ListBox, xrefs: 0033286E
ComboBox, xrefs: 00332839

Memory Dump Source

Source File: 0000000C.00000002.1724187159.00000000002D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000C.00000002.1724077128.00000000002D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.000000000036D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.0000000000393000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724304889.000000000039D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724324748.00000000003A5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2d0000_Breakdown.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_wcslen
String ID: ComboBox$ListBox
API String ID: 711023334-1403004172
Opcode ID: cade8d87bfc45078b011a8cff56bca9d32cd6ac9841d48f93668600c48c9a72c
Instruction ID: cf2349cd5d8de313157259db29e8bd9a8d5dd5bdf9f1576f37638e2072a715a4
Opcode Fuzzy Hash: cade8d87bfc45078b011a8cff56bca9d32cd6ac9841d48f93668600c48c9a72c
Instruction Fuzzy Hash: DE21D474E00118FBCF02AFA0CC85EEEBBB8EF09310F118156F951A72A1DB795818DB60

Function 0033290D Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Part of subcall function 002DB329: _wcslen.LIBCMT ref: 002DB333

Part of subcall function 003345FD: GetClassNameW.USER32(?,?,000000FF), ref: 00334620

SendMessageW.USER32(?,00000186,00020000,00000000), ref: 00332990
GetDlgCtrlID.USER32 ref: 0033299B
GetParent.USER32 ref: 003329B7
SendMessageW.USER32(00000000,?,00000111,?), ref: 003329BA
GetDlgCtrlID.USER32(?), ref: 003329C3
GetParent.USER32(?), ref: 003329D7
SendMessageW.USER32(00000000,?,00000111,?), ref: 003329DA

Strings

ListBox, xrefs: 0033294F
ComboBox, xrefs: 0033291A

Memory Dump Source

Source File: 0000000C.00000002.1724187159.00000000002D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000C.00000002.1724077128.00000000002D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.000000000036D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.0000000000393000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724304889.000000000039D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724324748.00000000003A5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2d0000_Breakdown.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_wcslen
String ID: ComboBox$ListBox
API String ID: 711023334-1403004172
Opcode ID: ca7b8119dc7e80bd6a99cf09ce8b1a9f0ab231a197621e4df2eaf7b8dbb43e94
Instruction ID: 659cdb89d37cab070fcd0dd95eae4b78acac4e3b4bc8d5faebd6ef3aeb427854
Opcode Fuzzy Hash: ca7b8119dc7e80bd6a99cf09ce8b1a9f0ab231a197621e4df2eaf7b8dbb43e94
Instruction Fuzzy Hash: E4219F75E00218FBCF02ABA0CC85EEEBBB8EF05300F508156F951A72A5DB755819DB60

Function 003644BF Relevance: 15.2, APIs: 10, Instructions: 182windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00364539
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 0036453C
GetWindowLongW.USER32(?,000000F0), ref: 00364563
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00364586
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 003645FE
SendMessageW.USER32(?,00001074,00000000,00000007), ref: 00364648
SendMessageW.USER32(?,00001057,00000000,00000000), ref: 00364663
SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 0036467E
SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 00364692
SendMessageW.USER32(?,00001008,00000000,00000007), ref: 003646AF

Memory Dump Source

Source File: 0000000C.00000002.1724187159.00000000002D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000C.00000002.1724077128.00000000002D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.000000000036D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.0000000000393000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724304889.000000000039D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724324748.00000000003A5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2d0000_Breakdown.jbxd

Similarity

API ID: MessageSend$LongWindow
String ID:
API String ID: 312131281-0
Opcode ID: b989d1672072b860ec0deec2c7fc80b954485e95e933f781457e89117140e6f0
Instruction ID: 152936827d0f1c9a78a8a95e1a28c169cee3ed9ffc51d40f6ec4295fbfb825a6
Opcode Fuzzy Hash: b989d1672072b860ec0deec2c7fc80b954485e95e933f781457e89117140e6f0
Instruction Fuzzy Hash: 18618C75A00208AFDB12DFA8CC81EEE77B8EF0A714F108159FA15EB2A1C774AD55DB50

Function 0033BAF6 Relevance: 15.1, APIs: 10, Instructions: 88threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0033BB18
GetForegroundWindow.USER32(00000000,?,?,?,?,?,0033ABA8,?,00000001), ref: 0033BB2C
GetWindowThreadProcessId.USER32(00000000), ref: 0033BB33
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,0033ABA8,?,00000001), ref: 0033BB42
GetWindowThreadProcessId.USER32(?,00000000), ref: 0033BB54
AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,0033ABA8,?,00000001), ref: 0033BB6D
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,0033ABA8,?,00000001), ref: 0033BB7F
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,0033ABA8,?,00000001), ref: 0033BBC4
AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,0033ABA8,?,00000001), ref: 0033BBD9
AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,0033ABA8,?,00000001), ref: 0033BBE4

Memory Dump Source

Source File: 0000000C.00000002.1724187159.00000000002D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000C.00000002.1724077128.00000000002D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.000000000036D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.0000000000393000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724304889.000000000039D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724324748.00000000003A5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2d0000_Breakdown.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: a5a9a583356d8a446fc713fa156ad6f6390e3416ae6737610a7939043db71c15
Instruction ID: 35be869076a37f7fb4f3361604b3b5d95acc1b948ec1cd53fff1f3ddbfd718dc
Opcode Fuzzy Hash: a5a9a583356d8a446fc713fa156ad6f6390e3416ae6737610a7939043db71c15
Instruction Fuzzy Hash: 06316F71A04204AFDB1BDB14ECC4F69F7ADAB85352F128015FB06D71A4DBF499409B61

Function 002D2AB0 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 332comCOMMON

Download Yara Rule

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 002D2AF9
OleUninitialize.OLE32(?,00000000), ref: 002D2B98
UnregisterHotKey.USER32(?), ref: 002D2D7D
DestroyWindow.USER32(?), ref: 00313A1B
FreeLibrary.KERNEL32(?), ref: 00313A80
VirtualFree.KERNEL32(?,00000000,00008000), ref: 00313AAD

Strings

close all, xrefs: 002D2AF4

Memory Dump Source

Source File: 0000000C.00000002.1724187159.00000000002D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000C.00000002.1724077128.00000000002D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.000000000036D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.0000000000393000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724304889.000000000039D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724324748.00000000003A5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2d0000_Breakdown.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: eda3b5c8f2e06d1ab35fae69762d57f61f7a3f5c58c33c966624b5a50016ab87
Instruction ID: 9ce0f59eab0bbe8b162551deef7195b9f8bb01bae4407b5c89312093d8d4c767
Opcode Fuzzy Hash: eda3b5c8f2e06d1ab35fae69762d57f61f7a3f5c58c33c966624b5a50016ab87
Instruction Fuzzy Hash: 9BD18D31725212CFCB1AEF14C895A69F7A4FF18710F1142AEE54A6B362CB70AD66CF40

Function 00348835 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 003489F2
SetCurrentDirectoryW.KERNEL32(?), ref: 00348A06
GetFileAttributesW.KERNEL32(?), ref: 00348A30
SetFileAttributesW.KERNEL32(?,00000000), ref: 00348A4A
SetCurrentDirectoryW.KERNEL32(?), ref: 00348A5C
SetCurrentDirectoryW.KERNEL32(?), ref: 00348AA5
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 00348AF5

Strings

*.*, xrefs: 00348AAB

Memory Dump Source

Source File: 0000000C.00000002.1724187159.00000000002D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000C.00000002.1724077128.00000000002D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.000000000036D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.0000000000393000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724304889.000000000039D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724324748.00000000003A5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2d0000_Breakdown.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile
String ID: *.*
API String ID: 769691225-438819550
Opcode ID: 6a23ad22efe877c5c53d6c84be05636d6b19b38dcb77c98db6fd2f1d64620b5d
Instruction ID: 9aa61545819b59bd2c0667cb029ef1631d44ea9512a3fe377260bb80b8db5496
Opcode Fuzzy Hash: 6a23ad22efe877c5c53d6c84be05636d6b19b38dcb77c98db6fd2f1d64620b5d
Instruction Fuzzy Hash: 41819E729187059BCB26EF14C444ABEB3E8BF88310F554C2AF985DB250DF74E945CB92

Function 003688F9 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 193windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00368992
IsWindowEnabled.USER32(00000000), ref: 0036899E
SendMessageW.USER32(00000000,0000041C,00000000,00000000), ref: 00368A79
SendMessageW.USER32(00000000,000000B0,?,?), ref: 00368AAC
IsDlgButtonChecked.USER32(?,00000000), ref: 00368AE4
GetWindowLongW.USER32(00000000,000000EC), ref: 00368B06
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 00368B1E

Strings

(:, xrefs: 003689D5

Memory Dump Source

Source File: 0000000C.00000002.1724187159.00000000002D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000C.00000002.1724077128.00000000002D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.000000000036D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.0000000000393000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724304889.000000000039D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724324748.00000000003A5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2d0000_Breakdown.jbxd

Similarity

API ID: MessageSendWindow$ButtonCheckedEnabledLong
String ID: (:
API String ID: 4072528602-2137056132
Opcode ID: 49b8b1fc7bb17d2e00e058e4d901760b59d87f2f334ec1a162f18082e578609b
Instruction ID: f4cb797834a1764471c30399afee69c96f06b9e3e49d120f3c21f8add1507406
Opcode Fuzzy Hash: 49b8b1fc7bb17d2e00e058e4d901760b59d87f2f334ec1a162f18082e578609b
Instruction Fuzzy Hash: 0C71A174601204AFEB239F94C884FBA7BB9FF0D300F15865AE94567269CB31AD94CB61

Function 002D7447 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 002D74D7

Part of subcall function 002D7567: GetClientRect.USER32(?,?), ref: 002D758D
Part of subcall function 002D7567: GetWindowRect.USER32(?,?), ref: 002D75CE
Part of subcall function 002D7567: ScreenToClient.USER32(?,?), ref: 002D75F6

GetDC.USER32 ref: 00316083
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00316096
SelectObject.GDI32(00000000,00000000), ref: 003160A4
SelectObject.GDI32(00000000,00000000), ref: 003160B9
ReleaseDC.USER32(?,00000000), ref: 003160C1
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 00316152

Strings

U, xrefs: 00316021

Memory Dump Source

Source File: 0000000C.00000002.1724187159.00000000002D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000C.00000002.1724077128.00000000002D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.000000000036D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.0000000000393000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724304889.000000000039D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724324748.00000000003A5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2d0000_Breakdown.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: bdb801af6c087d7dbcc251249a362345b1443688469748773c05ce0871b129a6
Instruction ID: 4bb0ad2970a4095fd7dddf63e3337c3be7bb463679d6f44be94b45208af3c060
Opcode Fuzzy Hash: bdb801af6c087d7dbcc251249a362345b1443688469748773c05ce0871b129a6
Instruction Fuzzy Hash: 8A71D030504205EFCF2B8FA4C886AEA7BB9FF4D310F15426AED555A2A6D7358C90DB50

Function 0034CC98 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 94networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0034CCB7
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0034CCDF
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 0034CD0F
GetLastError.KERNEL32 ref: 0034CD67
SetEvent.KERNEL32(?), ref: 0034CD7B
InternetCloseHandle.WININET(00000000), ref: 0034CD86

Strings

, xrefs: 0034CD00

Memory Dump Source

Source File: 0000000C.00000002.1724187159.00000000002D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000C.00000002.1724077128.00000000002D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.000000000036D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.0000000000393000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724304889.000000000039D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724324748.00000000003A5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2d0000_Breakdown.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: 1b5eb44077671be895c9651c14bfc6f7028be89abfdf88f7d131acd9fac4860d
Instruction ID: 61d1f9148ae80cc8962bdc73f44242dc8f45cf74b4cbb18e5e1d81157bd08020
Opcode Fuzzy Hash: 1b5eb44077671be895c9651c14bfc6f7028be89abfdf88f7d131acd9fac4860d
Instruction Fuzzy Hash: 6C31A071A11208AFD762AF658C88AAB7BFCEB4A740F14452EF446DB210DB74ED049B61

Function 0033A215 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 74windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,003155AE,?,?,Bad directive syntax error,0036DCD0,00000000,00000010,?,?), ref: 0033A236
LoadStringW.USER32(00000000,?,003155AE,?), ref: 0033A23D

Part of subcall function 002DB329: _wcslen.LIBCMT ref: 002DB333

MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 0033A301

Strings

Error: , xrefs: 0033A2CF
., xrefs: 0033A2E7
Line %d:, xrefs: 0033A28C
Line %d (File "%s"):, xrefs: 0033A2A7
%s (%d) : ==> %s.: %s %s, xrefs: 0033A26B

Memory Dump Source

Source File: 0000000C.00000002.1724187159.00000000002D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000C.00000002.1724077128.00000000002D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.000000000036D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.0000000000393000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724304889.000000000039D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724324748.00000000003A5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2d0000_Breakdown.jbxd

Similarity

API ID: HandleLoadMessageModuleString_wcslen
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 858772685-4153970271
Opcode ID: eada6ce80a7aeb7973dce06058bd2492fecd996294facd232ce8a4ddee4120f6
Instruction ID: f56076b085b1dd5c24607c9c11c2a18f8dcbb97d1a69e5f8b0432241f7d7b6f8
Opcode Fuzzy Hash: eada6ce80a7aeb7973dce06058bd2492fecd996294facd232ce8a4ddee4120f6
Instruction Fuzzy Hash: 0C21713191021EEFCF03AB90CC4AEEE7B79BF18304F04445AF505651A2EB719A28DF51

Function 003329EC Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 71windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 003329F8
GetClassNameW.USER32(00000000,?,00000100), ref: 00332A0D
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00332A9A

Strings

list, xrefs: 00332A7C
details, xrefs: 00332A48
SHELLDLL_DefView, xrefs: 00332A19
largeicons, xrefs: 00332A2E
smallicons, xrefs: 00332A62

Memory Dump Source

Source File: 0000000C.00000002.1724187159.00000000002D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000C.00000002.1724077128.00000000002D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.000000000036D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.0000000000393000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724304889.000000000039D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724324748.00000000003A5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2d0000_Breakdown.jbxd

Similarity

API ID: ClassMessageNameParentSend
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1290815626-3381328864
Opcode ID: 2dcfd258de12450ee0f47035c55b1de238821fc860fd3e989d58958871aa3c0e
Instruction ID: cc3493c499017c901c6c4760f7645ef75a51c4373d10819f868bac4ea78b670c
Opcode Fuzzy Hash: 2dcfd258de12450ee0f47035c55b1de238821fc860fd3e989d58958871aa3c0e
Instruction Fuzzy Hash: E911257678830BBBFA277622EC07DE7779C8F14764F210022FA04E40D1FFA1A8504914

Function 002D7567 Relevance: 13.8, APIs: 9, Instructions: 291COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 002D758D
GetWindowRect.USER32(?,?), ref: 002D75CE
ScreenToClient.USER32(?,?), ref: 002D75F6
GetClientRect.USER32(?,?), ref: 002D773A
GetWindowRect.USER32(?,?), ref: 002D775B

Memory Dump Source

Source File: 0000000C.00000002.1724187159.00000000002D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000C.00000002.1724077128.00000000002D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.000000000036D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.0000000000393000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724304889.000000000039D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724324748.00000000003A5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2d0000_Breakdown.jbxd

Similarity

API ID: Rect$Client$Window$Screen
String ID:
API String ID: 1296646539-0
Opcode ID: ef9edcb7421787918589c440b3a99a5d4dd9562294e2cc5c143bef29a45e076b
Instruction ID: d21014a540bb65f509aad3954c2e8a67cfb32c8c4b608184d267c7efdea52a15
Opcode Fuzzy Hash: ef9edcb7421787918589c440b3a99a5d4dd9562294e2cc5c143bef29a45e076b
Instruction Fuzzy Hash: 70C16A3991465AEFDB10CFA8C440BEDB7F4FF08310F14841AE8A5A3250E778E991DBA0

Function 0030D210 Relevance: 13.7, APIs: 9, Instructions: 209COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 0030D237
_free.LIBCMT ref: 0030D2A2
_free.LIBCMT ref: 0030D2C8
_free.LIBCMT ref: 0030D2F1
_free.LIBCMT ref: 0030D329
_free.LIBCMT ref: 0030D35A
_free.LIBCMT ref: 0030D39B
SetEnvironmentVariableA.KERNEL32(00000000,00000000), ref: 0030D41C
_free.LIBCMT ref: 0030D435

Memory Dump Source

Source File: 0000000C.00000002.1724187159.00000000002D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000C.00000002.1724077128.00000000002D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.000000000036D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.0000000000393000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724304889.000000000039D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724324748.00000000003A5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2d0000_Breakdown.jbxd

Similarity

API ID: _free$EnvironmentVariable___from_strstr_to_strchr
String ID:
API String ID: 1282221369-0
Opcode ID: c7de2719c4a13ce8926066b1fe9313eacb9c6e23a9c6176c0ac2038bbdd7214b
Instruction ID: f92c9a2a158a122183001fdbd8c48e7dbc90f754a873042176b4c0b1e48245f0
Opcode Fuzzy Hash: c7de2719c4a13ce8926066b1fe9313eacb9c6e23a9c6176c0ac2038bbdd7214b
Instruction Fuzzy Hash: 75610871902301AFDB27AFF8D8A5A7EBBEC9F02320F05056DF945AB2D1DA7199008751

Function 00365B72 Relevance: 13.7, APIs: 9, Instructions: 162windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00002001,00000000,00000000), ref: 00365C24
ShowWindow.USER32(?,00000000), ref: 00365C65
ShowWindow.USER32(?,00000005,?,00000000), ref: 00365C6B
SetFocus.USER32(?,?,00000005,?,00000000), ref: 00365C6F

Part of subcall function 003679F2: DeleteObject.GDI32(00000000), ref: 00367A1E

GetWindowLongW.USER32(?,000000F0), ref: 00365CAB
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00365CB8
InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 00365CEB
SendMessageW.USER32(?,00001001,00000000,000000FE), ref: 00365D25
SendMessageW.USER32(?,00001026,00000000,000000FE), ref: 00365D34

Memory Dump Source

Source File: 0000000C.00000002.1724187159.00000000002D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000C.00000002.1724077128.00000000002D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.000000000036D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.0000000000393000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724304889.000000000039D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724324748.00000000003A5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2d0000_Breakdown.jbxd

Similarity

API ID: Window$MessageSend$LongShow$DeleteFocusInvalidateObjectRect
String ID:
API String ID: 3210457359-0
Opcode ID: b4149285f469e0c359ddd5c4269759057c0aa3eadb291386ff3a093ca6667d43
Instruction ID: 0a474d246be5834d462363c6b06d2834b32cdf277bab5d0533786e7cb77d6841
Opcode Fuzzy Hash: b4149285f469e0c359ddd5c4269759057c0aa3eadb291386ff3a093ca6667d43
Instruction Fuzzy Hash: B151DF30A50B09BFEF229F65CC49B993B69FB05710F10C122F9149B6E8C771A990DB41

Function 0034CB88 Relevance: 13.6, APIs: 9, Instructions: 95networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0034CBC7
GetLastError.KERNEL32 ref: 0034CBDA
SetEvent.KERNEL32(?), ref: 0034CBEE

Part of subcall function 0034CC98: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0034CCB7
Part of subcall function 0034CC98: GetLastError.KERNEL32 ref: 0034CD67
Part of subcall function 0034CC98: SetEvent.KERNEL32(?), ref: 0034CD7B
Part of subcall function 0034CC98: InternetCloseHandle.WININET(00000000), ref: 0034CD86

Memory Dump Source

Source File: 0000000C.00000002.1724187159.00000000002D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000C.00000002.1724077128.00000000002D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.000000000036D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.0000000000393000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724304889.000000000039D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724324748.00000000003A5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2d0000_Breakdown.jbxd

Similarity

API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
String ID:
API String ID: 337547030-0
Opcode ID: 99fb76380c310d2a63d7abb8d2d52300a5f90beab2ed7a620bcba9f1ba621fbd
Instruction ID: 3f4201b29cf07d0810fe93b644cab0e91839506df4668f0a8172dda8d33d8e24
Opcode Fuzzy Hash: 99fb76380c310d2a63d7abb8d2d52300a5f90beab2ed7a620bcba9f1ba621fbd
Instruction Fuzzy Hash: 52317C71612705AFDB629F71CD84A6ABBFCFF04700B14952DF85A8A620C771E815EB60

Function 00332EEF Relevance: 13.6, APIs: 9, Instructions: 60sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00334393: GetWindowThreadProcessId.USER32(?,00000000), ref: 003343AD
Part of subcall function 00334393: GetCurrentThreadId.KERNEL32 ref: 003343B4
Part of subcall function 00334393: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00332F00), ref: 003343BB

MapVirtualKeyW.USER32(00000025,00000000), ref: 00332F0A
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 00332F28
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 00332F2C
MapVirtualKeyW.USER32(00000025,00000000), ref: 00332F36
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00332F4E
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000), ref: 00332F52
MapVirtualKeyW.USER32(00000025,00000000), ref: 00332F5C
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00332F70
Sleep.KERNEL32(00000000,?,00000101,00000027,00000000,?,00000100,00000027,00000000), ref: 00332F74

Memory Dump Source

Source File: 0000000C.00000002.1724187159.00000000002D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000C.00000002.1724077128.00000000002D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.000000000036D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.0000000000393000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724304889.000000000039D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724324748.00000000003A5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2d0000_Breakdown.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: 1c0a8ed12d6566948ab32794767cd3fab0618faabce63ae5930bc480062f52db
Instruction ID: 383f3a936056a7ffa0aebb195b3982b6c80f6965d2ef0d0527f4fb3c5922af43
Opcode Fuzzy Hash: 1c0a8ed12d6566948ab32794767cd3fab0618faabce63ae5930bc480062f52db
Instruction Fuzzy Hash: 0801D430B84210BBFB116769DCCEF597F5EDB4EB11F104011F318AF1E0C9E264448AAA

Function 00332150 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,?,00000000,?,00331D95,?,?,00000000), ref: 00332159
HeapAlloc.KERNEL32(00000000,?,00331D95,?,?,00000000), ref: 00332160
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00331D95,?,?,00000000), ref: 00332175
GetCurrentProcess.KERNEL32(?,00000000,?,00331D95,?,?,00000000), ref: 0033217D
DuplicateHandle.KERNEL32(00000000,?,00331D95,?,?,00000000), ref: 00332180
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00331D95,?,?,00000000), ref: 00332190
GetCurrentProcess.KERNEL32(00331D95,00000000,?,00331D95,?,?,00000000), ref: 00332198
DuplicateHandle.KERNEL32(00000000,?,00331D95,?,?,00000000), ref: 0033219B
CreateThread.KERNEL32(00000000,00000000,003321C1,00000000,00000000,00000000), ref: 003321B5

Memory Dump Source

Source File: 0000000C.00000002.1724187159.00000000002D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000C.00000002.1724077128.00000000002D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.000000000036D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.0000000000393000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724304889.000000000039D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724324748.00000000003A5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2d0000_Breakdown.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: 8a5818b49213768e6b37347c2644a940a36cfd915352b3779ede4b92b41b2f4d
Instruction ID: 061d4395d86e80240db9f6f0d2db93637d0fa402ecb844cca0135e8e689d1acf
Opcode Fuzzy Hash: 8a5818b49213768e6b37347c2644a940a36cfd915352b3779ede4b92b41b2f4d
Instruction Fuzzy Hash: 6901BBB5740344BFE751AFA5DC8DF6B7BACEB89711F008411FA05DB2A1CAB19810CB20

Function 0033CE7B Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 191windowCOMMON

Download Yara Rule

APIs

Part of subcall function 002D41EA: _wcslen.LIBCMT ref: 002D41EF

GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0033CF99
_wcslen.LIBCMT ref: 0033CFE0
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0033D047
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 0033D075

Strings

,*:, xrefs: 0033CF0C
0, xrefs: 0033CF5A
<*:, xrefs: 0033CEF6

Memory Dump Source

Source File: 0000000C.00000002.1724187159.00000000002D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000C.00000002.1724077128.00000000002D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.000000000036D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.0000000000393000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724304889.000000000039D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724324748.00000000003A5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2d0000_Breakdown.jbxd

Similarity

API ID: ItemMenu$Info_wcslen$Default
String ID: ,*:$0$<*:
API String ID: 1227352736-1882402618
Opcode ID: 574067dfefc0f3f66122f2f5f4e98c5fd6c65a90590941752e3f98d88f08fea0
Instruction ID: 89fa401c20508a3c0e07cba7cb8eab7ddffddb9c09df56a69f3b8f0c955eaf4f
Opcode Fuzzy Hash: 574067dfefc0f3f66122f2f5f4e98c5fd6c65a90590941752e3f98d88f08fea0
Instruction Fuzzy Hash: 5A51E1716243009BD72AAF28E8C5B6BB7E8EF46754F040A2DF995E3291DB70CD058B52

Function 0035AB3F Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 160COMMON

Download Yara Rule

APIs

Part of subcall function 0033DD87: CreateToolhelp32Snapshot.KERNEL32 ref: 0033DDAC
Part of subcall function 0033DD87: Process32FirstW.KERNEL32(00000000,?), ref: 0033DDBA
Part of subcall function 0033DD87: CloseHandle.KERNEL32(00000000), ref: 0033DE87

OpenProcess.KERNEL32(00000001,00000000,?), ref: 0035ABCA
GetLastError.KERNEL32 ref: 0035ABDD
OpenProcess.KERNEL32(00000001,00000000,?), ref: 0035AC10
TerminateProcess.KERNEL32(00000000,00000000), ref: 0035ACC5
GetLastError.KERNEL32(00000000), ref: 0035ACD0
CloseHandle.KERNEL32(00000000), ref: 0035AD21

Strings

SeDebugPrivilege, xrefs: 0035ABEC

Memory Dump Source

Source File: 0000000C.00000002.1724187159.00000000002D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000C.00000002.1724077128.00000000002D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.000000000036D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.0000000000393000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724304889.000000000039D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724324748.00000000003A5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2d0000_Breakdown.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: 2fc35690c8dcf82302140d0a31fe78e3ae46d05ebccbd57ca012aed502a3e811
Instruction ID: 2ce10389085808ccc21dbc6ded55feeaa6c4135f8b6e58dc00b30a559dcfc475
Opcode Fuzzy Hash: 2fc35690c8dcf82302140d0a31fe78e3ae46d05ebccbd57ca012aed502a3e811
Instruction Fuzzy Hash: 9E61E074208641AFD712DF14C494F25BBE4AF44309F19858DE8668FBA3C7B5EC49CB92

Function 00364322 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 141windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 003643C1
SendMessageW.USER32(00000000,00001036,00000000,?), ref: 003643D6
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 003643F0
_wcslen.LIBCMT ref: 00364435
SendMessageW.USER32(?,00001057,00000000,?), ref: 00364462
SendMessageW.USER32(?,00001061,?,0000000F), ref: 00364490

Strings

SysListView32, xrefs: 00364393

Memory Dump Source

Source File: 0000000C.00000002.1724187159.00000000002D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000C.00000002.1724077128.00000000002D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.000000000036D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.0000000000393000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724304889.000000000039D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724324748.00000000003A5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2d0000_Breakdown.jbxd

Similarity

API ID: MessageSend$Window_wcslen
String ID: SysListView32
API String ID: 2147712094-78025650
Opcode ID: ed7df8eaf021e4f2f33f433a307891122ebaa3c35335e3d694b1fe783fee9fc4
Instruction ID: 30e5aa3434e6a943095cfca07fb33af05348d9c4ac08c93045f2ae9a61b03acd
Opcode Fuzzy Hash: ed7df8eaf021e4f2f33f433a307891122ebaa3c35335e3d694b1fe783fee9fc4
Instruction Fuzzy Hash: 1F41C071E00309ABDF239F64CC49BEA7BA9FF48350F114526F954E7291D7B49990CB90

Function 0033C625 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 0033C6C4
IsMenu.USER32(00000000), ref: 0033C6E4
CreatePopupMenu.USER32 ref: 0033C71A
GetMenuItemCount.USER32(00C36410), ref: 0033C76B
InsertMenuItemW.USER32(00C36410,?,00000001,00000030), ref: 0033C793

Strings

2, xrefs: 0033C6FE
0, xrefs: 0033C66F

Memory Dump Source

Source File: 0000000C.00000002.1724187159.00000000002D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000C.00000002.1724077128.00000000002D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.000000000036D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.0000000000393000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724304889.000000000039D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724324748.00000000003A5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2d0000_Breakdown.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup
String ID: 0$2
API String ID: 93392585-3793063076
Opcode ID: aee9c90432d0ac97a5a67fad3dd25c8a14ac793e881b805c60e3b798902c5fd3
Instruction ID: de022811b4df269548b6641f0c69064eb491eac1bdad1421e6fcddd4de222d04
Opcode Fuzzy Hash: aee9c90432d0ac97a5a67fad3dd25c8a14ac793e881b805c60e3b798902c5fd3
Instruction Fuzzy Hash: 20519D70A102059FDF12CF68C8C9AAEBBF8AF49314F24911AE912BB291D7719945CF61

Function 002D19CD Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 121keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 002D19E1
ScreenToClient.USER32(00000000,?), ref: 002D19FE
GetAsyncKeyState.USER32(00000001), ref: 002D1A23
GetAsyncKeyState.USER32(00000002), ref: 002D1A3D

Strings

$'-, xrefs: 002D19F0, 002D1A07, 00313135
$'-, xrefs: 003131C3, 00313164, 0031318D

Memory Dump Source

Source File: 0000000C.00000002.1724187159.00000000002D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000C.00000002.1724077128.00000000002D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.000000000036D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.0000000000393000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724304889.000000000039D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724324748.00000000003A5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2d0000_Breakdown.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID: $'-$$'-
API String ID: 4210589936-174597263
Opcode ID: 010f8744688c854b344253ded41371524229e52a1debeee873364e1883b26f46
Instruction ID: bdb96320230750bf0c6812f0ee5fa5802357ca0837faa7803a55e83e1fd809d2
Opcode Fuzzy Hash: 010f8744688c854b344253ded41371524229e52a1debeee873364e1883b26f46
Instruction Fuzzy Hash: 40415271A0414AFFDF1AAF64C844BFEB774FF09324F208226E429A6290C7705EA4CB51

Function 002D1B00 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 002D249F: GetWindowLongW.USER32(00000000,000000EB), ref: 002D24B0

BeginPaint.USER32(?,?,?), ref: 002D1B35
GetWindowRect.USER32(?,?), ref: 002D1B99
ScreenToClient.USER32(?,?), ref: 002D1BB6
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 002D1BC7
EndPaint.USER32(?,?,?,?,?), ref: 002D1C15
Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 00313287

Part of subcall function 002D1C2D: BeginPath.GDI32(00000000), ref: 002D1C4B

Strings

(:, xrefs: 002D1B0F

Memory Dump Source

Source File: 0000000C.00000002.1724187159.00000000002D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000C.00000002.1724077128.00000000002D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.000000000036D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.0000000000393000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724304889.000000000039D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724324748.00000000003A5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2d0000_Breakdown.jbxd

Similarity

API ID: BeginPaintWindow$ClientLongPathRectRectangleScreenViewport
String ID: (:
API String ID: 3050599898-2137056132
Opcode ID: cf79aa1adb80e37563e36d4b86d983fe51489eb19b9fa0f411fa63a2aa3313fe
Instruction ID: 384b4f5df77cfef955d08069593651fa40a3d57f680ff454f6f984d2a0def598
Opcode Fuzzy Hash: cf79aa1adb80e37563e36d4b86d983fe51489eb19b9fa0f411fa63a2aa3313fe
Instruction Fuzzy Hash: 5341D070614300AFC712DF28DC84FB77BA8EF4A724F10062AF9958A2B1C7709D65DB62

Function 003686FC Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 82COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000F0), ref: 00368740
SetWindowLongW.USER32(00000000,000000F0,?), ref: 00368765
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 0036877D
GetSystemMetrics.USER32(00000004), ref: 003687A6
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047,?,?,?,?,?,?,?,0034C1F2,00000000), ref: 003687C6

Part of subcall function 002D249F: GetWindowLongW.USER32(00000000,000000EB), ref: 002D24B0

GetSystemMetrics.USER32(00000004), ref: 003687B1

Strings

(:, xrefs: 00368709

Memory Dump Source

Source File: 0000000C.00000002.1724187159.00000000002D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000C.00000002.1724077128.00000000002D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.000000000036D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.0000000000393000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724304889.000000000039D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724324748.00000000003A5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2d0000_Breakdown.jbxd

Similarity

API ID: Window$Long$MetricsSystem
String ID: (:
API String ID: 2294984445-2137056132
Opcode ID: 0b4304eef0c86ecdd3bbe14430a990457e81f332b9c556f7be6a828d19cb86c7
Instruction ID: d968b1f48da077516fe32956622f59411c00d8fa9a8099ca37f0a9838fe0e75e
Opcode Fuzzy Hash: 0b4304eef0c86ecdd3bbe14430a990457e81f332b9c556f7be6a828d19cb86c7
Instruction Fuzzy Hash: 892171716102419FCB169F39CC48A6B3BA9FB49365F25872DF926D25E4DF708850CB20

Function 0033D11F Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 81windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 0033D1BE

Strings

stop, xrefs: 0033D18F
info, xrefs: 0033D15F
blank, xrefs: 0033D140
warning, xrefs: 0033D1A7
question, xrefs: 0033D177

Memory Dump Source

Source File: 0000000C.00000002.1724187159.00000000002D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000C.00000002.1724077128.00000000002D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.000000000036D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.0000000000393000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724304889.000000000039D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724324748.00000000003A5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2d0000_Breakdown.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: 507affe7df34b00529b19d283f453f7eae1b9a91521bcc8687339da0de181bce
Instruction ID: 6fa3b985f897294ea12c64a4cbca3f184759d43dc33fc29660c3ba34aead582e
Opcode Fuzzy Hash: 507affe7df34b00529b19d283f453f7eae1b9a91521bcc8687339da0de181bce
Instruction Fuzzy Hash: DD11B436A5830ABBEB076A54FCC2DBA77AC9F05760F21002AF900A62C1E7F5AA404564

Function 0033E73E Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 70networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 0033E759
gethostname.WSOCK32(?,00000100), ref: 0033E773
gethostbyname.WSOCK32(?), ref: 0033E780
inet_ntoa.WSOCK32(?), ref: 0033E7C2
_strcat.LIBCMT ref: 0033E7D0
WSACleanup.WSOCK32 ref: 0033E7F5

Strings

0.0.0.0, xrefs: 0033E79E

Memory Dump Source

Source File: 0000000C.00000002.1724187159.00000000002D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000C.00000002.1724077128.00000000002D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.000000000036D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.0000000000393000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724304889.000000000039D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724324748.00000000003A5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2d0000_Breakdown.jbxd

Similarity

API ID: CleanupStartup_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 642191829-3771769585
Opcode ID: 49f0345c7deab604a52a5c3e090787104330154430966a2a59984d658113041e
Instruction ID: b92f31032fcbc28d35d9fc87f0f56678382d237070faacd223281c606c94bf13
Opcode Fuzzy Hash: 49f0345c7deab604a52a5c3e090787104330154430966a2a59984d658113041e
Instruction Fuzzy Hash: E611D631904119BFCB227B60DC8AEEE77ACDF01750F010175F615AA0D1EFB49A819A61

Function 0033F630 Relevance: 12.1, APIs: 8, Instructions: 137timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 0033F641
_wcslen.LIBCMT ref: 0033F652
_wcslen.LIBCMT ref: 0033F690
_wcslen.LIBCMT ref: 0033F6C6
_wcslen.LIBCMT ref: 0033F6F6
_wcslen.LIBCMT ref: 0033F706
_wcslen.LIBCMT ref: 0033F742
_wcslen.LIBCMT ref: 0033F771

Memory Dump Source

Source File: 0000000C.00000002.1724187159.00000000002D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000C.00000002.1724077128.00000000002D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.000000000036D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.0000000000393000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724304889.000000000039D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724324748.00000000003A5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2d0000_Breakdown.jbxd

Similarity

API ID: _wcslen$LocalTime
String ID:
API String ID: 952045576-0
Opcode ID: 4ccb015f9135641c80461d51bab1f68cdab6a3ebda517c9181e85d1c73a1c0f8
Instruction ID: d2e596da9d558d249fd0110097a090d52513d2127bc0a944ecc89c8d76e35aa9
Opcode Fuzzy Hash: 4ccb015f9135641c80461d51bab1f68cdab6a3ebda517c9181e85d1c73a1c0f8
Instruction Fuzzy Hash: 7441B665C2011879CB11EBB8CC8AADFF77CAF05390F518572E619E3221FA74D261C7A6

Function 0036379F Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 003637B7
GetDC.USER32(00000000), ref: 003637BF
GetDeviceCaps.GDI32(00000000,0000005A), ref: 003637CA
ReleaseDC.USER32(00000000,00000000), ref: 003637D6
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00363812
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00363823
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00366504,?,?,000000FF,00000000,?,000000FF,?), ref: 0036385E
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 0036387D

Memory Dump Source

Source File: 0000000C.00000002.1724187159.00000000002D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000C.00000002.1724077128.00000000002D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.000000000036D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.0000000000393000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724304889.000000000039D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724324748.00000000003A5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2d0000_Breakdown.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: a227e640bef6de90c218411b0c3cba9155b7847c29e3addc7d5c4898f42d51c9
Instruction ID: f16242903993cb99e79a2b4cfd2fac54af906dc1a627d0dca7dda665d90b33cd
Opcode Fuzzy Hash: a227e640bef6de90c218411b0c3cba9155b7847c29e3addc7d5c4898f42d51c9
Instruction Fuzzy Hash: 9A31AE72601214BFEB128F50CC89FEB3BADEF4A711F048065FE089B291C6B59C51C7A4

Function 00355A0B Relevance: 10.9, APIs: 4, Strings: 2, Instructions: 359COMMON

Download Yara Rule

Strings

NULL Pointer assignment, xrefs: 00355A8B, 00355DE0
Not an Object type, xrefs: 00355A64

Memory Dump Source

Source File: 0000000C.00000002.1724187159.00000000002D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000C.00000002.1724077128.00000000002D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.000000000036D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.0000000000393000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724304889.000000000039D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724324748.00000000003A5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2d0000_Breakdown.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: effbb48aaebe1286899adf9414075c60e030eed87d819f35c6b0781e5fc1ba48
Instruction ID: 304417ef8a5d8244f11d234cd8346b6e8119d31de63244530cf4754f2e1cb8e2
Opcode Fuzzy Hash: effbb48aaebe1286899adf9414075c60e030eed87d819f35c6b0781e5fc1ba48
Instruction Fuzzy Hash: 86D1AF71A0060A9FDF12CF68C895EAEB7B5FF48305F158069ED15AB2A0E770ED49CB50

Function 003118A2 Relevance: 10.8, APIs: 7, Instructions: 268COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(00000000,00000000,?,7FFFFFFF,?,?,00311B7B,00000000,00000000,?,00000000,?,?,?,?,00000000), ref: 0031194E
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,00311B7B,00000000,00000000,?,00000000,?,?,?,?), ref: 003119D1
MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00311B7B,?,00311B7B,00000000,00000000,?,00000000,?,?,?,?), ref: 00311A64
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,00311B7B,00000000,00000000,?,00000000,?,?,?,?), ref: 00311A7B

Part of subcall function 00303B93: RtlAllocateHeap.NTDLL(00000000,?,?,?,002F6A79,?,0000015D,?,?,?,?,002F85B0,000000FF,00000000,?,?), ref: 00303BC5

MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,00311B7B,00000000,00000000,?,00000000,?,?,?,?), ref: 00311AF7
__freea.LIBCMT ref: 00311B22
__freea.LIBCMT ref: 00311B2E

Memory Dump Source

Source File: 0000000C.00000002.1724187159.00000000002D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000C.00000002.1724077128.00000000002D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.000000000036D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.0000000000393000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724304889.000000000039D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724324748.00000000003A5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2d0000_Breakdown.jbxd

Similarity

API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
String ID:
API String ID: 2829977744-0
Opcode ID: f6d1bc2a4e4fe6fde4fb833d34876aa8724eb60cde652d73a5a491de96466bd1
Instruction ID: ac825987d0894414fa1fcae00325f9977f1ef1e20f79b45a61b10b1d1937e819
Opcode Fuzzy Hash: f6d1bc2a4e4fe6fde4fb833d34876aa8724eb60cde652d73a5a491de96466bd1
Instruction Fuzzy Hash: A691D671F142169ADF2A8F64C891AEEBBB99F0D310F194519EA15EB180E735DDC0C7A0

Function 00354F80 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 262COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 003550A5
VariantInit.OLEAUT32(?), ref: 003551A6
VariantClear.OLEAUT32(?), ref: 003551B0
VariantClear.OLEAUT32(?), ref: 0035520D

Strings

Null Object assignment in FOR..IN loop, xrefs: 00355035, 00355163, 0035521B
Incorrect Object type in FOR..IN loop, xrefs: 00355189

Memory Dump Source

Source File: 0000000C.00000002.1724187159.00000000002D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000C.00000002.1724077128.00000000002D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.000000000036D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.0000000000393000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724304889.000000000039D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724324748.00000000003A5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2d0000_Breakdown.jbxd

Similarity

API ID: Variant$ClearInit
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2610073882-625585964
Opcode ID: a4f7bc18d34a201b2c27ddf92bbc07997ddf5e4a8be38b1ba9dc66b5bae914f2
Instruction ID: d1259b4835313ef5084bb097b6e3885953f9c62b40d5ca9171344b998e906e45
Opcode Fuzzy Hash: a4f7bc18d34a201b2c27ddf92bbc07997ddf5e4a8be38b1ba9dc66b5bae914f2
Instruction Fuzzy Hash: 9391B371A00619ABCF22CFA5CC54FAFBBB8EF45315F108519F905AB290D770A949CFA0

Function 003543A4 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 240COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 003543C8
CharUpperBuffW.USER32(?,?), ref: 003544D7
_wcslen.LIBCMT ref: 003544E7
VariantClear.OLEAUT32(?), ref: 0035467C

Part of subcall function 0034169E: VariantInit.OLEAUT32(00000000), ref: 003416DE
Part of subcall function 0034169E: VariantCopy.OLEAUT32(?,?), ref: 003416E7
Part of subcall function 0034169E: VariantClear.OLEAUT32(?), ref: 003416F3

Strings

Incorrect Parameter format, xrefs: 00354403, 003545FE
AUTOIT.ERROR, xrefs: 003544DD, 003544E2

Memory Dump Source

Source File: 0000000C.00000002.1724187159.00000000002D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000C.00000002.1724077128.00000000002D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.000000000036D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.0000000000393000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724304889.000000000039D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724324748.00000000003A5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2d0000_Breakdown.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper_wcslen
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4137639002-1221869570
Opcode ID: 7b0485b6de5ace2c02dc1430ee7af4e076116c17efda2eecbf2dea7cf5956b61
Instruction ID: 825287ca1681a631ba85ff28370f7312100848ba183a62039111085666c4ba05
Opcode Fuzzy Hash: 7b0485b6de5ace2c02dc1430ee7af4e076116c17efda2eecbf2dea7cf5956b61
Instruction Fuzzy Hash: 31914774A083019FC705DF24C48496AB7E5BF89719F14892EF8899B361DB31ED4ACF92

Function 0035560A Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

APIs

Part of subcall function 003308FE: CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,00330831,80070057,?,?,?,00330C4E), ref: 0033091B
Part of subcall function 003308FE: ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00330831,80070057,?,?), ref: 00330936
Part of subcall function 003308FE: lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00330831,80070057,?,?), ref: 00330944
Part of subcall function 003308FE: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00330831,80070057,?), ref: 00330954

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,00000001,?,?), ref: 003556AE
_wcslen.LIBCMT ref: 003557B6
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 0035582C
CoTaskMemFree.OLE32(?), ref: 00355837

Strings

NULL Pointer assignment, xrefs: 00355880, 003558AF

Memory Dump Source

Source File: 0000000C.00000002.1724187159.00000000002D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000C.00000002.1724077128.00000000002D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.000000000036D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.0000000000393000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724304889.000000000039D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724324748.00000000003A5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2d0000_Breakdown.jbxd

Similarity

API ID: FreeFromProgTask$CreateInitializeInstanceSecurity_wcslenlstrcmpi
String ID: NULL Pointer assignment
API String ID: 614568839-2785691316
Opcode ID: f50b0de992d200372d69a32d9a0653c795d368b6b72f21110c424d754b47f4df
Instruction ID: 107638951fed62876b1688fc5de9d0a5bd29cffb235abbaf68e18efdac145268
Opcode Fuzzy Hash: f50b0de992d200372d69a32d9a0653c795d368b6b72f21110c424d754b47f4df
Instruction Fuzzy Hash: D3911771D00219EFDF12DFA4C890EEEB7B9AF08310F10456AE915AB251DB70AE58CF60

Function 00362B99 Relevance: 10.7, APIs: 7, Instructions: 196windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 00362C1F
GetMenuItemCount.USER32(00000000), ref: 00362C51
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 00362C79
_wcslen.LIBCMT ref: 00362CAF
GetMenuItemID.USER32(?,?), ref: 00362CE9
GetSubMenu.USER32(?,?), ref: 00362CF7

Part of subcall function 00334393: GetWindowThreadProcessId.USER32(?,00000000), ref: 003343AD
Part of subcall function 00334393: GetCurrentThreadId.KERNEL32 ref: 003343B4
Part of subcall function 00334393: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00332F00), ref: 003343BB

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00362D7F

Part of subcall function 0033F292: Sleep.KERNEL32 ref: 0033F30A

Memory Dump Source

Source File: 0000000C.00000002.1724187159.00000000002D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000C.00000002.1724077128.00000000002D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.000000000036D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.0000000000393000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724304889.000000000039D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724324748.00000000003A5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2d0000_Breakdown.jbxd

Similarity

API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow_wcslen
String ID:
API String ID: 4196846111-0
Opcode ID: bbf88c24d8217b729ae3c07f2657ca83aa16e6b43f7798f783ae9e56610f2575
Instruction ID: 019326346c5fc58824b832ded9b0a347daf3ecdd976b2abedf8f0fc60718d7b3
Opcode Fuzzy Hash: bbf88c24d8217b729ae3c07f2657ca83aa16e6b43f7798f783ae9e56610f2575
Instruction Fuzzy Hash: DF71AC75E00605AFCB02EF64C885AAEB7B5EF48310F12C469E826EB355DB74ED418F90

Function 0033B881 Relevance: 10.7, APIs: 7, Instructions: 162windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 0033B8C0
GetKeyboardState.USER32(?), ref: 0033B8D5
SetKeyboardState.USER32(?), ref: 0033B936
PostMessageW.USER32(?,00000101,00000010,?), ref: 0033B964
PostMessageW.USER32(?,00000101,00000011,?), ref: 0033B983
PostMessageW.USER32(?,00000101,00000012,?), ref: 0033B9C4
PostMessageW.USER32(?,00000101,0000005B,?), ref: 0033B9E7

Memory Dump Source

Source File: 0000000C.00000002.1724187159.00000000002D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000C.00000002.1724077128.00000000002D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.000000000036D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.0000000000393000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724304889.000000000039D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724324748.00000000003A5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2d0000_Breakdown.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 3732360b6e8495b6866d738a9637dd62e1bef46e66f2ad307d28e15dbc410e39
Instruction ID: 79533bd57520dd1fe2184551a1a2d72301492efc1727ca4d1092a5eef9194b32
Opcode Fuzzy Hash: 3732360b6e8495b6866d738a9637dd62e1bef46e66f2ad307d28e15dbc410e39
Instruction Fuzzy Hash: 6951C1A0A087D53EFB374634CC95BBAFEA95B06704F098489E3D5498D2C7D8ADC4D760

Function 0033B6A1 Relevance: 10.7, APIs: 7, Instructions: 161windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 0033B6E0
GetKeyboardState.USER32(?), ref: 0033B6F5
SetKeyboardState.USER32(?), ref: 0033B756
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 0033B782
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 0033B79F
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 0033B7DE
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 0033B7FF

Memory Dump Source

Source File: 0000000C.00000002.1724187159.00000000002D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000C.00000002.1724077128.00000000002D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.000000000036D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.0000000000393000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724304889.000000000039D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724324748.00000000003A5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2d0000_Breakdown.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: fdb2cfa243c2d718de31f6e75af51b601f5ab3e596448e82cb7b0f3e72f4c42a
Instruction ID: 1e13952ba523d99258d9b3c8b014b4ccef527ee4b3603db6443a86dc8362b3b5
Opcode Fuzzy Hash: fdb2cfa243c2d718de31f6e75af51b601f5ab3e596448e82cb7b0f3e72f4c42a
Instruction Fuzzy Hash: 1851E3A0A087D53EFB378324CC96B76FEA99F45344F088489E2D95A8D2D394ED84D760

Function 003057A1 Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(FF8BC35D,00000000,?,?,?,?,?,?,?,00305F16,?,00000000,FF8BC35D,00000000,00000000,FF8BC369), ref: 003057E3
__fassign.LIBCMT ref: 0030585E
__fassign.LIBCMT ref: 00305879
WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,FF8BC35D,00000005,00000000,00000000), ref: 0030589F
WriteFile.KERNEL32(?,FF8BC35D,00000000,00305F16,00000000,?,?,?,?,?,?,?,?,?,00305F16,?), ref: 003058BE
WriteFile.KERNEL32(?,?,00000001,00305F16,00000000,?,?,?,?,?,?,?,?,?,00305F16,?), ref: 003058F7

Memory Dump Source

Source File: 0000000C.00000002.1724187159.00000000002D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000C.00000002.1724077128.00000000002D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.000000000036D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.0000000000393000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724304889.000000000039D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724324748.00000000003A5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2d0000_Breakdown.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: 1d26fc977a3e035fcd7a6e27c7258084c002ed06aff761308b5c8bf38946b505
Instruction ID: 77585977385b74c4790db6fb81f533ed46320e873e3a23935b136514dcb3dc99
Opcode Fuzzy Hash: 1d26fc977a3e035fcd7a6e27c7258084c002ed06aff761308b5c8bf38946b505
Instruction Fuzzy Hash: E351C171A01649DFCB12CFA8D891AEEBBF8EF09310F14411AE955E72D1D7709A41CF61

Function 002F3090 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 117COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 002F30BB
___except_validate_context_record.LIBVCRUNTIME ref: 002F30C3
_ValidateLocalCookies.LIBCMT ref: 002F3151
__IsNonwritableInCurrentImage.LIBCMT ref: 002F317C
_ValidateLocalCookies.LIBCMT ref: 002F31D1

Strings

csm, xrefs: 002F3166

Memory Dump Source

Source File: 0000000C.00000002.1724187159.00000000002D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000C.00000002.1724077128.00000000002D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.000000000036D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.0000000000393000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724304889.000000000039D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724324748.00000000003A5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2d0000_Breakdown.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: 3427a56a26795352b02fa2db0bd5e050a2ce36da6c75870d967f14061269a6f2
Instruction ID: 3dbf2aa4d42676b0ac4a7c7c1a088af9708f9865276d85bded645e70d124afdb
Opcode Fuzzy Hash: 3427a56a26795352b02fa2db0bd5e050a2ce36da6c75870d967f14061269a6f2
Instruction Fuzzy Hash: 5441B334A1020D9BCF10DF68C881ABFFBA5AF453A4F148166EA186B352D731DB21CF90

Function 00351B15 Relevance: 10.6, APIs: 7, Instructions: 110networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00353AAB: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 00353AD7
Part of subcall function 00353AAB: _wcslen.LIBCMT ref: 00353AF8

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00351B6F
WSAGetLastError.WSOCK32 ref: 00351B7E
WSAGetLastError.WSOCK32 ref: 00351C26
closesocket.WSOCK32(00000000), ref: 00351C56

Memory Dump Source

Source File: 0000000C.00000002.1724187159.00000000002D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000C.00000002.1724077128.00000000002D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.000000000036D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.0000000000393000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724304889.000000000039D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724324748.00000000003A5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2d0000_Breakdown.jbxd

Similarity

API ID: ErrorLast$_wcslenclosesocketinet_addrsocket
String ID:
API String ID: 2675159561-0
Opcode ID: c9777c5e58ffd3104e7d095661b05a3fab830e5c859a7e6ff04a1733aea5742a
Instruction ID: b909e8dd4f26dc0edd543386de9bc2c62d6d7693970944a207f81abbba23d72f
Opcode Fuzzy Hash: c9777c5e58ffd3104e7d095661b05a3fab830e5c859a7e6ff04a1733aea5742a
Instruction Fuzzy Hash: F441D431600104AFDB129F64C844FA9BBEDEF45325F158159FC059B2A2D771ED85CBE1

Function 0033D7AB Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 108filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0033E6F7: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,0033D7CD,?), ref: 0033E714

Part of subcall function 0033E6F7: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,0033D7CD,?), ref: 0033E72D

lstrcmpiW.KERNEL32(?,?), ref: 0033D7F0
MoveFileW.KERNEL32(?,?), ref: 0033D82A
_wcslen.LIBCMT ref: 0033D8B0
_wcslen.LIBCMT ref: 0033D8C6
SHFileOperationW.SHELL32(?), ref: 0033D90C

Strings

\*.*, xrefs: 0033D89E

Memory Dump Source

Source File: 0000000C.00000002.1724187159.00000000002D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000C.00000002.1724077128.00000000002D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.000000000036D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.0000000000393000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724304889.000000000039D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724324748.00000000003A5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2d0000_Breakdown.jbxd

Similarity

API ID: FileFullNamePath_wcslen$MoveOperationlstrcmpi
String ID: \*.*
API String ID: 3164238972-1173974218
Opcode ID: 27bba15dc644e01686b1b17c0f0afcf7accb696387a2f00701407ef0f1f1f29f
Instruction ID: a9168a14269f7e81f705f19868b21118d2ed65c5cac3b7bbc9a91dd6d8cff2c7
Opcode Fuzzy Hash: 27bba15dc644e01686b1b17c0f0afcf7accb696387a2f00701407ef0f1f1f29f
Instruction Fuzzy Hash: 424134719052189EDF13EBA4D9C5BDE77B9AF08380F1104E6E505EB141EB74B789CB50

Function 003442B9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 00344310
TranslateAcceleratorW.USER32(?,00000000,?), ref: 00344367
TranslateMessage.USER32(?), ref: 00344390
DispatchMessageW.USER32(?), ref: 0034439A
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 003443AB

Strings

(:, xrefs: 0034437D

Memory Dump Source

Source File: 0000000C.00000002.1724187159.00000000002D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000C.00000002.1724077128.00000000002D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.000000000036D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.0000000000393000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724304889.000000000039D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724324748.00000000003A5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2d0000_Breakdown.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchInputPeekState
String ID: (:
API String ID: 2256411358-2137056132
Opcode ID: aed3ee7f0361d3b091b67aa1a4235509d229e2e2e1ab2541a3e07450e8193c08
Instruction ID: fb270d2e1f7b7ed1998f885e2b9b95e4fd3160284dc189a487cfcd771767eede
Opcode Fuzzy Hash: aed3ee7f0361d3b091b67aa1a4235509d229e2e2e1ab2541a3e07450e8193c08
Instruction Fuzzy Hash: F3319374A04345DEEB278F78D848BB77BECAB02704F054579E462CA5A0E7A4B465CB21

Function 00363899 Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 003638B8
GetWindowLongW.USER32(?,000000F0), ref: 003638EB
GetWindowLongW.USER32(?,000000F0), ref: 00363920
SendMessageW.USER32(?,000000F1,00000000,00000000), ref: 00363952
SendMessageW.USER32(?,000000F1,00000001,00000000), ref: 0036397C
GetWindowLongW.USER32(?,000000F0), ref: 0036398D
SetWindowLongW.USER32(?,000000F0,00000000), ref: 003639A7

Memory Dump Source

Source File: 0000000C.00000002.1724187159.00000000002D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000C.00000002.1724077128.00000000002D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.000000000036D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.0000000000393000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724304889.000000000039D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724324748.00000000003A5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2d0000_Breakdown.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: 76659a6c2c38e240064e0aa2b77ab35c2c4cb327d2f1beb863d87cbd5057f7e9
Instruction ID: cec9b28543922dcab164ea2d6ed2f5169695b5f5a0dbf968704428f8b6202226
Opcode Fuzzy Hash: 76659a6c2c38e240064e0aa2b77ab35c2c4cb327d2f1beb863d87cbd5057f7e9
Instruction Fuzzy Hash: EA313730744251AFDB22CF48DC84F6637E8FB86710F169168F9418B2B5CBB0A948CF41

Function 0033808D Relevance: 10.6, APIs: 7, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 003380D0
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 003380F6
SysAllocString.OLEAUT32(00000000), ref: 003380F9
SysAllocString.OLEAUT32(?), ref: 00338117
SysFreeString.OLEAUT32(?), ref: 00338120
StringFromGUID2.OLE32(?,?,00000028), ref: 00338145
SysAllocString.OLEAUT32(?), ref: 00338153

Memory Dump Source

Source File: 0000000C.00000002.1724187159.00000000002D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000C.00000002.1724077128.00000000002D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.000000000036D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.0000000000393000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724304889.000000000039D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724324748.00000000003A5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2d0000_Breakdown.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 2d41bc4fed80c478474e11bffea831b1be11d13b43a5f4a66648cd7dd47a3001
Instruction ID: b5f7793b081540dd799a5601e85dc20d81a52d1ce540ce2502bb92fc42c96399
Opcode Fuzzy Hash: 2d41bc4fed80c478474e11bffea831b1be11d13b43a5f4a66648cd7dd47a3001
Instruction Fuzzy Hash: 2E218672A01219AF9F12DFA9CCC4CBB73ACEB09364B058425F905DB290DA74DD468760

Function 00338164 Relevance: 10.6, APIs: 7, Instructions: 89memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 003381A9
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 003381CF
SysAllocString.OLEAUT32(00000000), ref: 003381D2
SysAllocString.OLEAUT32 ref: 003381F3
SysFreeString.OLEAUT32 ref: 003381FC
StringFromGUID2.OLE32(?,?,00000028), ref: 00338216
SysAllocString.OLEAUT32(?), ref: 00338224

Memory Dump Source

Source File: 0000000C.00000002.1724187159.00000000002D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000C.00000002.1724077128.00000000002D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.000000000036D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.0000000000393000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724304889.000000000039D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724324748.00000000003A5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2d0000_Breakdown.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: dba6df31826da40816c065c07578b9f8efb781409b4beb1e112103c513c709bd
Instruction ID: f4ca966969fd8146feb47bd9961281f092dca83538987deb59fe8ec61a1ecbd0
Opcode Fuzzy Hash: dba6df31826da40816c065c07578b9f8efb781409b4beb1e112103c513c709bd
Instruction Fuzzy Hash: 9B217471A00208BFDB529BA9DCC9DAB77ECEB09360B058525F905CB1A1DEB4ED41CB64

Function 00340E79 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 00340E99
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00340ED5

Strings

nul, xrefs: 00340F0E

Memory Dump Source

Source File: 0000000C.00000002.1724187159.00000000002D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000C.00000002.1724077128.00000000002D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.000000000036D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.0000000000393000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724304889.000000000039D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724324748.00000000003A5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2d0000_Breakdown.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: ca68296e735bb8c5bb3857a61fbe8cb72da73127d2f25f1284a9a79b6646e4c9
Instruction ID: 71700dbb4642e1b9d300a1794135f8496507ad3c1a22d566cd96f1f94ef1a4b0
Opcode Fuzzy Hash: ca68296e735bb8c5bb3857a61fbe8cb72da73127d2f25f1284a9a79b6646e4c9
Instruction Fuzzy Hash: 68217170704309ABDB368F25DC04A9A77E8BF55724F204A29FEA5EB2D0D770E854CB50

Function 00340F4E Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 00340F6D
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00340FA8

Strings

nul, xrefs: 00340FE0

Memory Dump Source

Source File: 0000000C.00000002.1724187159.00000000002D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000C.00000002.1724077128.00000000002D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.000000000036D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.0000000000393000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724304889.000000000039D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724324748.00000000003A5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2d0000_Breakdown.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: a888e2a87716363086466f2551cc36bae279ae60258e183ab8ec230de1de410b
Instruction ID: 2ac7e296ca19f22cf5036ecf7712ced0a4ed5367e1dacca82a8a6057999bf0d2
Opcode Fuzzy Hash: a888e2a87716363086466f2551cc36bae279ae60258e183ab8ec230de1de410b
Instruction Fuzzy Hash: 7B21A171A00745DBDB328F69CC04A9A77E8BF55720F204B29F9A1EB2D0D7B1A894DB50

Function 00364B4B Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 002D7873: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 002D78B1
Part of subcall function 002D7873: GetStockObject.GDI32(00000011), ref: 002D78C5
Part of subcall function 002D7873: SendMessageW.USER32(00000000,00000030,00000000), ref: 002D78CF

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00364BB0
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 00364BBD
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 00364BC8
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00364BD7
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00364BE3

Strings

Msctls_Progress32, xrefs: 00364B81

Memory Dump Source

Source File: 0000000C.00000002.1724187159.00000000002D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000C.00000002.1724077128.00000000002D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.000000000036D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.0000000000393000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724304889.000000000039D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724324748.00000000003A5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2d0000_Breakdown.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: 6bac8f5131c87c632c47305c0b710d965db8e173fc36554055b896d4a774763b
Instruction ID: 3ec9d3f2650d3edf0bfbdeb666c09c570e259f6addbcccc2b780c3e678d93b59
Opcode Fuzzy Hash: 6bac8f5131c87c632c47305c0b710d965db8e173fc36554055b896d4a774763b
Instruction Fuzzy Hash: 0911B6B155021DBEEF128FA5CC85EE77F5DEF09758F018111F648A6090CA75DC21DBA4

Function 0030DB5F Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0030DB23: _free.LIBCMT ref: 0030DB4C

_free.LIBCMT ref: 0030DBAD

Part of subcall function 00302D38: RtlFreeHeap.NTDLL(00000000,00000000,?,0030DB51,003A1DC4,00000000,003A1DC4,00000000,?,0030DB78,003A1DC4,00000007,003A1DC4,?,0030DF75,003A1DC4), ref: 00302D4E
Part of subcall function 00302D38: GetLastError.KERNEL32(003A1DC4,?,0030DB51,003A1DC4,00000000,003A1DC4,00000000,?,0030DB78,003A1DC4,00000007,003A1DC4,?,0030DF75,003A1DC4,003A1DC4), ref: 00302D60

_free.LIBCMT ref: 0030DBB8
_free.LIBCMT ref: 0030DBC3
_free.LIBCMT ref: 0030DC17
_free.LIBCMT ref: 0030DC22
_free.LIBCMT ref: 0030DC2D
_free.LIBCMT ref: 0030DC38

Memory Dump Source

Source File: 0000000C.00000002.1724187159.00000000002D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000C.00000002.1724077128.00000000002D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.000000000036D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.0000000000393000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724304889.000000000039D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724324748.00000000003A5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2d0000_Breakdown.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 98b13fc91f4fe31fecb0273d364a71dd69e1171f55120a532e903f65f4669862
Instruction ID: ace15c349ad2bb4ad47ec40b4de7bc2eaede346d5cccfe971c5bd06c4364be04
Opcode Fuzzy Hash: 98b13fc91f4fe31fecb0273d364a71dd69e1171f55120a532e903f65f4669862
Instruction Fuzzy Hash: EB111F72542B04AAD522BBB0CC1BFDB77DC9F14700F414C19B2A9AE1D2DA79B9049790

Function 00336078 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 0033608D
_memcmp.LIBVCRUNTIME ref: 003360AB
_memcmp.LIBVCRUNTIME ref: 003360BE
_memcmp.LIBVCRUNTIME ref: 003360D6
_memcmp.LIBVCRUNTIME ref: 003360EE

Strings

j`3, xrefs: 0033609B

Memory Dump Source

Source File: 0000000C.00000002.1724187159.00000000002D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000C.00000002.1724077128.00000000002D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.000000000036D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.0000000000393000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724304889.000000000039D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724324748.00000000003A5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2d0000_Breakdown.jbxd

Similarity

API ID: _memcmp
String ID: j`3
API String ID: 2931989736-1613536597
Opcode ID: 4b56f099536cba65bbe49d1c743a9f856cfe6f5d5f9872170a22d3e510ac460e
Instruction ID: 71916091a5d4e1c04e7589bbdbd53bfb55a2f3f8bafc726f2abb6d942c2249b1
Opcode Fuzzy Hash: 4b56f099536cba65bbe49d1c743a9f856cfe6f5d5f9872170a22d3e510ac460e
Instruction Fuzzy Hash: D00152A1608709BF962A66219CC3FBBB35D9E50798F01C025FE0D9A641E765EE20C6A1

Function 0033E30E Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 0033E328
LoadStringW.USER32(00000000), ref: 0033E32F
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 0033E345
LoadStringW.USER32(00000000), ref: 0033E34C
MessageBoxW.USER32(00000000,?,?,00011010), ref: 0033E390

Strings

%s (%d) : ==> %s: %s %s, xrefs: 0033E36D

Memory Dump Source

Source File: 0000000C.00000002.1724187159.00000000002D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000C.00000002.1724077128.00000000002D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.000000000036D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.0000000000393000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724304889.000000000039D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724324748.00000000003A5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2d0000_Breakdown.jbxd

Similarity

API ID: HandleLoadModuleString$Message
String ID: %s (%d) : ==> %s: %s %s
API String ID: 4072794657-3128320259
Opcode ID: 8a04ad2b912ecd3e2393287858bc4b7c5aa38440d261872e058e1924f1449256
Instruction ID: 934de4a1d729e3dc463c70ba302051dc393d809cac5df16afda4aaf9a2d71e52
Opcode Fuzzy Hash: 8a04ad2b912ecd3e2393287858bc4b7c5aa38440d261872e058e1924f1449256
Instruction Fuzzy Hash: 7A0136F6E002087FE75297A4DD89EE7776CD708300F418595F746E6041E6B49E848B75

Function 00341312 Relevance: 10.5, APIs: 7, Instructions: 35synchronizationthreadCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,?), ref: 00341322
EnterCriticalSection.KERNEL32(00000000,?), ref: 00341334
TerminateThread.KERNEL32(00000000,000001F6), ref: 00341342
WaitForSingleObject.KERNEL32(00000000,000003E8), ref: 00341350
CloseHandle.KERNEL32(00000000), ref: 0034135F
InterlockedExchange.KERNEL32(?,000001F6), ref: 0034136F
LeaveCriticalSection.KERNEL32(00000000), ref: 00341376

Memory Dump Source

Source File: 0000000C.00000002.1724187159.00000000002D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000C.00000002.1724077128.00000000002D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.000000000036D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.0000000000393000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724304889.000000000039D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724324748.00000000003A5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2d0000_Breakdown.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: 37ca5dbd717b2be5497cf03a9ee4aef69848d5578dac2bcee1ef0e7efd3fc5cc
Instruction ID: 51186bde7a608465ededf62181010317f26a48e32ac072df385310db66a97644
Opcode Fuzzy Hash: 37ca5dbd717b2be5497cf03a9ee4aef69848d5578dac2bcee1ef0e7efd3fc5cc
Instruction Fuzzy Hash: 7FF0EC32642A52BBD7931F54EE49BD6BB7DFF05702F505521F101958B087B4A4B1CF90

Function 003526BD Relevance: 9.3, APIs: 6, Instructions: 298networkCOMMON

Download Yara Rule

APIs

__WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 0035281D
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 0035283E
WSAGetLastError.WSOCK32 ref: 0035284F
htons.WSOCK32(?,?,?,?,?), ref: 00352938
inet_ntoa.WSOCK32(?), ref: 003528E9

Part of subcall function 0033433E: _strlen.LIBCMT ref: 00334348

Part of subcall function 00353C81: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,00000000,?,?,?,?,0034F669), ref: 00353C9D

_strlen.LIBCMT ref: 00352992

Memory Dump Source

Source File: 0000000C.00000002.1724187159.00000000002D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000C.00000002.1724077128.00000000002D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.000000000036D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.0000000000393000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724304889.000000000039D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724324748.00000000003A5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2d0000_Breakdown.jbxd

Similarity

API ID: _strlen$ByteCharErrorLastMultiWidehtonsinet_ntoa
String ID:
API String ID: 3203458085-0
Opcode ID: 20d1b4bb8325b7837a86506e84c689fc80efa10a0bf6f34f9a05644d2c43a78b
Instruction ID: 0c92d93dd94c065ff254d06abf7dd18d16d90fdf5de3a5ffd42ee6ed273af5d4
Opcode Fuzzy Hash: 20d1b4bb8325b7837a86506e84c689fc80efa10a0bf6f34f9a05644d2c43a78b
Instruction Fuzzy Hash: 38B1F131604300AFD322DF24C895E2BBBE5AF89318F65855DF8564B3A2DB31ED49CB91

Function 00300527 Relevance: 9.3, APIs: 6, Instructions: 269COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 0030042A
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00300446
__allrem.LIBCMT ref: 0030045D
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0030047B
__allrem.LIBCMT ref: 00300492
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 003004B0

Memory Dump Source

Source File: 0000000C.00000002.1724187159.00000000002D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000C.00000002.1724077128.00000000002D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.000000000036D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.0000000000393000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724304889.000000000039D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724324748.00000000003A5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2d0000_Breakdown.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
String ID:
API String ID: 1992179935-0
Opcode ID: f879b393e65d4db2631db90962c4ab5633f4520d067d5efed2ccc62c0ef88ee5
Instruction ID: dc4adbf5398ce54187d0bcb77f39f3fc469c302caf0087b0bcf040ce4dcb8d17
Opcode Fuzzy Hash: f879b393e65d4db2631db90962c4ab5633f4520d067d5efed2ccc62c0ef88ee5
Instruction Fuzzy Hash: E5811C75602B059BD72B9F6DCCA1BAFB3A8AF44320F15453AF511DB6C1E770D9008B54

Function 00306571 Relevance: 9.2, APIs: 6, Instructions: 216COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,002F8649,002F8649,?,?,?,003067C2,00000001,00000001,8BE85006), ref: 003065CB
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,003067C2,00000001,00000001,8BE85006,?,?,?), ref: 00306651
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,8BE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 0030674B
__freea.LIBCMT ref: 00306758

Part of subcall function 00303B93: RtlAllocateHeap.NTDLL(00000000,?,?,?,002F6A79,?,0000015D,?,?,?,?,002F85B0,000000FF,00000000,?,?), ref: 00303BC5

__freea.LIBCMT ref: 00306761
__freea.LIBCMT ref: 00306786

Memory Dump Source

Source File: 0000000C.00000002.1724187159.00000000002D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000C.00000002.1724077128.00000000002D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.000000000036D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.0000000000393000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724304889.000000000039D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724324748.00000000003A5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2d0000_Breakdown.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: 930c78438b472787ea93bcbeb1593d78536932b0dc0aa2066cfbae736e5e6d4a
Instruction ID: ef276e0714daa9ba3f10d26f27da30bd3b75381665397e8d0f8ed78d8d3b47a0
Opcode Fuzzy Hash: 930c78438b472787ea93bcbeb1593d78536932b0dc0aa2066cfbae736e5e6d4a
Instruction Fuzzy Hash: 74512772601206AFEB268F64CCA2EBB77A9EF40B14F154669FC04DA1C4EB75DC60C660

Function 0035C63B Relevance: 9.2, APIs: 6, Instructions: 191registryCOMMON

Download Yara Rule

APIs

Part of subcall function 002DB329: _wcslen.LIBCMT ref: 002DB333

Part of subcall function 0035D3F8: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0035C10E,?,?), ref: 0035D415
Part of subcall function 0035D3F8: _wcslen.LIBCMT ref: 0035D451
Part of subcall function 0035D3F8: _wcslen.LIBCMT ref: 0035D4C8
Part of subcall function 0035D3F8: _wcslen.LIBCMT ref: 0035D4FE

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0035C72A
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0035C785
RegCloseKey.ADVAPI32(00000000), ref: 0035C7CA
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 0035C7F9
RegCloseKey.ADVAPI32(?,?,00000000), ref: 0035C853
RegCloseKey.ADVAPI32(?), ref: 0035C85F

Memory Dump Source

Source File: 0000000C.00000002.1724187159.00000000002D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000C.00000002.1724077128.00000000002D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.000000000036D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.0000000000393000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724304889.000000000039D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724324748.00000000003A5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2d0000_Breakdown.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpperValue
String ID:
API String ID: 1120388591-0
Opcode ID: d5d8a0f4fb527d51907df87f459e2c8fcfd9de11d1ad318fcb1d51fde6a66feb
Instruction ID: 34665a25d27f12d5fb29724dcfc129f2b66688c257a3a52cc459696be4797e2f
Opcode Fuzzy Hash: d5d8a0f4fb527d51907df87f459e2c8fcfd9de11d1ad318fcb1d51fde6a66feb
Instruction Fuzzy Hash: 78818E30618341AFC716DF24C895E2ABBE5BF88308F15855DF4594B2A2DB31ED49CF91

Function 0033009D Relevance: 9.2, APIs: 6, Instructions: 183memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000035), ref: 003300A9
SysAllocString.OLEAUT32(00000000), ref: 00330150
VariantCopy.OLEAUT32(00330354,00000000), ref: 00330179
VariantClear.OLEAUT32(00330354), ref: 0033019D
VariantCopy.OLEAUT32(00330354,00000000), ref: 003301A1
VariantClear.OLEAUT32(?), ref: 003301AB

Memory Dump Source

Source File: 0000000C.00000002.1724187159.00000000002D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000C.00000002.1724077128.00000000002D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.000000000036D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.0000000000393000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724304889.000000000039D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724324748.00000000003A5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2d0000_Breakdown.jbxd

Similarity

API ID: Variant$ClearCopy$AllocInitString
String ID:
API String ID: 3859894641-0
Opcode ID: d6e106ed30ad20555b61cd30821504ced64f8b5399cfcfd923301bb8c16f624e
Instruction ID: 8ef2ad06365b0faa209fe736d196fdbda8cbfc2e81a1c76c88ed63c24b9a2480
Opcode Fuzzy Hash: d6e106ed30ad20555b61cd30821504ced64f8b5399cfcfd923301bb8c16f624e
Instruction Fuzzy Hash: EE512D35650310E7CF6AAF64D8E9B2AB3A9EF45310F248447F905DF296DB709C50CB52

Function 00349B51 Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 383COMMON

Download Yara Rule

APIs

Part of subcall function 002D41EA: _wcslen.LIBCMT ref: 002D41EF

Part of subcall function 002D8577: _wcslen.LIBCMT ref: 002D858A

GetOpenFileNameW.COMDLG32(00000058), ref: 00349F2A
_wcslen.LIBCMT ref: 00349F4B
_wcslen.LIBCMT ref: 00349F72
GetSaveFileNameW.COMDLG32(00000058), ref: 00349FCA

Strings

X, xrefs: 00349E57

Memory Dump Source

Source File: 0000000C.00000002.1724187159.00000000002D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000C.00000002.1724077128.00000000002D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.000000000036D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.0000000000393000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724304889.000000000039D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724324748.00000000003A5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2d0000_Breakdown.jbxd

Similarity

API ID: _wcslen$FileName$OpenSave
String ID: X
API String ID: 83654149-3081909835
Opcode ID: 9c3afabf997dfbba2fe07c6f61ed6fad671feff189e64daf80d936f7a3f1570b
Instruction ID: 3763832b463a1bb43b63cb6aefb140287224399b9cf9035a5079da0d9cce4c2e
Opcode Fuzzy Hash: 9c3afabf997dfbba2fe07c6f61ed6fad671feff189e64daf80d936f7a3f1570b
Instruction Fuzzy Hash: 94E18E316183019FC725EF24C885B6AB7E4AF84314F15856EF8899B3A2DB31ED15CF92

Function 00346ED3 Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 367comCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00346F21
CoInitialize.OLE32(00000000), ref: 0034707E
CoCreateInstance.OLE32(00370CC4,00000000,00000001,00370B34,?), ref: 00347095
CoUninitialize.OLE32 ref: 00347319

Strings

.lnk, xrefs: 00346EFF, 00346F69, 00347025

Memory Dump Source

Source File: 0000000C.00000002.1724187159.00000000002D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000C.00000002.1724077128.00000000002D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.000000000036D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.0000000000393000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724304889.000000000039D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724324748.00000000003A5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2d0000_Breakdown.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_wcslen
String ID: .lnk
API String ID: 886957087-24824748
Opcode ID: d8a6311bff71445614916017b654d137ad7c9e59cb6182fdee2d6b4b9c0257d8
Instruction ID: 6e4f2dda8881ac2f29ab9bf3c3178d8c8cdf378d100b191b99e23475ed7cbf53
Opcode Fuzzy Hash: d8a6311bff71445614916017b654d137ad7c9e59cb6182fdee2d6b4b9c0257d8
Instruction Fuzzy Hash: B8D15771618241AFC305EF24C891D6BB7E8FF98704F40496EF5858B2A2DB71ED49CB92

Function 00341196 Relevance: 9.1, APIs: 6, Instructions: 107fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 003411B3
ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 003411EE
EnterCriticalSection.KERNEL32(?), ref: 0034120A
LeaveCriticalSection.KERNEL32(?), ref: 00341283
ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 0034129A
InterlockedExchange.KERNEL32(?,000001F6), ref: 003412C8

Memory Dump Source

Source File: 0000000C.00000002.1724187159.00000000002D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000C.00000002.1724077128.00000000002D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.000000000036D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.0000000000393000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724304889.000000000039D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724324748.00000000003A5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2d0000_Breakdown.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection$EnterLeave
String ID:
API String ID: 3368777196-0
Opcode ID: 16d0a4a652417f98399466730dbc25b2ba402ac8074bf89d8b0a8700d779153f
Instruction ID: 990fff22ff858e0a583ea5b5f7780ade57b386a718a0c91468643f5082886964
Opcode Fuzzy Hash: 16d0a4a652417f98399466730dbc25b2ba402ac8074bf89d8b0a8700d779153f
Instruction Fuzzy Hash: EA415E71A10208EFDF059F54DCC5AAAB7B8FF04350F1484A5EE049E296DB70EE61DBA4

Function 00368C36 Relevance: 9.1, APIs: 6, Instructions: 104windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,00000000,?,00000000,00000000,?,0032FBEF,00000000,?,?,00000000,?,003139E2,00000004,00000000,00000000), ref: 00368CA7
EnableWindow.USER32(?,00000000), ref: 00368CCD
ShowWindow.USER32(FFFFFFFF,00000000), ref: 00368D2C
ShowWindow.USER32(?,00000004), ref: 00368D40
EnableWindow.USER32(?,00000001), ref: 00368D66
SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 00368D8A

Memory Dump Source

Source File: 0000000C.00000002.1724187159.00000000002D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000C.00000002.1724077128.00000000002D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.000000000036D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.0000000000393000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724304889.000000000039D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724324748.00000000003A5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2d0000_Breakdown.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: 52ee84f0f458e4f64b1309862dee317845a5ab5ecbcaa1be680ca96aefebf357
Instruction ID: bf31914e8f8767192301a73c946e0381a0521583958285b127bdb2435813b130
Opcode Fuzzy Hash: 52ee84f0f458e4f64b1309862dee317845a5ab5ecbcaa1be680ca96aefebf357
Instruction Fuzzy Hash: 6641BB30601244AFDB27DF24C889FA67BF5FB4E704F158269E9084F1B6CB715855CB60

Function 00352D37 Relevance: 9.1, APIs: 6, Instructions: 103COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,00000000), ref: 00352D45

Part of subcall function 0034EF33: GetWindowRect.USER32(?,?), ref: 0034EF4B

GetDesktopWindow.USER32 ref: 00352D6F
GetWindowRect.USER32(00000000), ref: 00352D76
mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 00352DB2
GetCursorPos.USER32(?), ref: 00352DDE
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00352E3C

Memory Dump Source

Source File: 0000000C.00000002.1724187159.00000000002D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000C.00000002.1724077128.00000000002D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.000000000036D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.0000000000393000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724304889.000000000039D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724324748.00000000003A5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2d0000_Breakdown.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForeground
String ID:
API String ID: 2387181109-0
Opcode ID: 64981504b57e481aef5ad15c37bf9ab2ab972c413e6031ecf402dcdf9558294c
Instruction ID: 3d9b582685e9f8198c2fa4a6e02626efdcf92a2bc8a62c5c724325a7b2069584
Opcode Fuzzy Hash: 64981504b57e481aef5ad15c37bf9ab2ab972c413e6031ecf402dcdf9558294c
Instruction Fuzzy Hash: DA31F072A05315AFC722DF14C845F9BB7E9FB85314F00091AF895AB1A1DB71E908CB92

Function 003355E1 Relevance: 9.1, APIs: 6, Instructions: 87windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 003355F9
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00335616
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 0033564E
_wcslen.LIBCMT ref: 0033566C
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00335674
_wcsstr.LIBVCRUNTIME ref: 0033567E

Memory Dump Source

Source File: 0000000C.00000002.1724187159.00000000002D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000C.00000002.1724077128.00000000002D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.000000000036D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.0000000000393000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724304889.000000000039D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724324748.00000000003A5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2d0000_Breakdown.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen_wcsstr
String ID:
API String ID: 72514467-0
Opcode ID: 0539015c327da8f07170adf91b4e764c12432aa0b32286a63792bba125809e7e
Instruction ID: 765610bd3a03d9d9d3d48b2e92f4a32344058cb9b8200d06acb5cf39e784071e
Opcode Fuzzy Hash: 0539015c327da8f07170adf91b4e764c12432aa0b32286a63792bba125809e7e
Instruction Fuzzy Hash: 1E213872604604BBEB175B35DC8AE7BBBACDF45750F158039F90ACA091EBA1DC518AA0

Function 00346263 Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 336comCOMMON

Download Yara Rule

APIs

Part of subcall function 002D5851: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,002D55D1,?,?,00314B76,?,?,00000100,00000000,00000000,CMDLINE), ref: 002D5871

_wcslen.LIBCMT ref: 003462C0
CoInitialize.OLE32(00000000), ref: 003463DA
CoCreateInstance.OLE32(00370CC4,00000000,00000001,00370B34,?), ref: 003463F3
CoUninitialize.OLE32 ref: 00346411

Strings

.lnk, xrefs: 003462BB, 00346306, 003463CA

Memory Dump Source

Source File: 0000000C.00000002.1724187159.00000000002D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000C.00000002.1724077128.00000000002D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.000000000036D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.0000000000393000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724304889.000000000039D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724324748.00000000003A5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2d0000_Breakdown.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize_wcslen
String ID: .lnk
API String ID: 3172280962-24824748
Opcode ID: 18822846756788c2c708f76dcfc42931072dcaedb81d56e39b39c393cee6cc35
Instruction ID: 39ce7928bc7af14b93b9613b8e6a0bcccdcae2aa89b7def19e187b4e3b037524
Opcode Fuzzy Hash: 18822846756788c2c708f76dcfc42931072dcaedb81d56e39b39c393cee6cc35
Instruction Fuzzy Hash: 04D13275A082019FCB15DF24C485A2ABBF5EF8A714F15889DF8899B361CB31EC45CF92

Function 002F36F2 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,002F36E9,002F3355), ref: 002F3700
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 002F370E
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 002F3727
SetLastError.KERNEL32(00000000,?,002F36E9,002F3355), ref: 002F3779

Memory Dump Source

Source File: 0000000C.00000002.1724187159.00000000002D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000C.00000002.1724077128.00000000002D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.000000000036D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.0000000000393000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724304889.000000000039D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724324748.00000000003A5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2d0000_Breakdown.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 6016afd8ea12766280df0a7c9a3de9640e2fe3d7a88a4bbc142eb751995e2d54
Instruction ID: 6771bb9e78a7f749efd084c36ff976f5d9683e1a998f85b4f08e1e0df483b5f8
Opcode Fuzzy Hash: 6016afd8ea12766280df0a7c9a3de9640e2fe3d7a88a4bbc142eb751995e2d54
Instruction Fuzzy Hash: 59012DB667931A2EA626BB756DC6577EA98EB047F1F30023AF310802F0EF924D315540

Function 003030E7 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,00000000,002F4D53,00000000,?,?,002F68E2,?,?,00000000), ref: 003030EB
_free.LIBCMT ref: 0030311E
_free.LIBCMT ref: 00303146
SetLastError.KERNEL32(00000000,?,00000000), ref: 00303153
SetLastError.KERNEL32(00000000,?,00000000), ref: 0030315F
_abort.LIBCMT ref: 00303165

Memory Dump Source

Source File: 0000000C.00000002.1724187159.00000000002D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000C.00000002.1724077128.00000000002D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.000000000036D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.0000000000393000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724304889.000000000039D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724324748.00000000003A5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2d0000_Breakdown.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: 03b3189d85427bc1221c8ef03b41970dfce724d807c6b4abd72d91a2ae34bc42
Instruction ID: 12f87af0c6cc30c247248cbba786269dc5c1b88b6d66fa862d25e2cb5e34d570
Opcode Fuzzy Hash: 03b3189d85427bc1221c8ef03b41970dfce724d807c6b4abd72d91a2ae34bc42
Instruction Fuzzy Hash: DAF02836A0760067C2173739AC2FE6F266E9FC9770F320414FA24D63E2EF618E024261

Function 00369480 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 002D1F2D: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 002D1F87
Part of subcall function 002D1F2D: SelectObject.GDI32(?,00000000), ref: 002D1F96
Part of subcall function 002D1F2D: BeginPath.GDI32(?), ref: 002D1FAD
Part of subcall function 002D1F2D: SelectObject.GDI32(?,00000000), ref: 002D1FD6

MoveToEx.GDI32(?,-00000002,00000000,00000000), ref: 003694AA
LineTo.GDI32(?,00000003,00000000), ref: 003694BE
MoveToEx.GDI32(?,00000000,-00000002,00000000), ref: 003694CC
LineTo.GDI32(?,00000000,00000003), ref: 003694DC
EndPath.GDI32(?), ref: 003694EC
StrokePath.GDI32(?), ref: 003694FC

Memory Dump Source

Source File: 0000000C.00000002.1724187159.00000000002D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000C.00000002.1724077128.00000000002D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.000000000036D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.0000000000393000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724304889.000000000039D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724324748.00000000003A5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2d0000_Breakdown.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: bb0b99b1899db28cd75d0804b948365d06668b6892d57453298a6fdfeaac7edc
Instruction ID: 760d1ae3c2e5a2cb43361204ce1cb9c2ff78159fc1d31ade93e097b91fb1fbde
Opcode Fuzzy Hash: bb0b99b1899db28cd75d0804b948365d06668b6892d57453298a6fdfeaac7edc
Instruction Fuzzy Hash: 05111B7250010DBFDF039F94DC88EAA7F6DEB09360F00C012FA194A161C7B19D65DBA0

Function 00335B61 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00335B7C
GetDeviceCaps.GDI32(00000000,00000058), ref: 00335B8D
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00335B94
ReleaseDC.USER32(00000000,00000000), ref: 00335B9C
MulDiv.KERNEL32(000009EC,?,00000000), ref: 00335BB3
MulDiv.KERNEL32(000009EC,00000001,?), ref: 00335BC5

Memory Dump Source

Source File: 0000000C.00000002.1724187159.00000000002D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000C.00000002.1724077128.00000000002D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.000000000036D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.0000000000393000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724304889.000000000039D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724324748.00000000003A5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2d0000_Breakdown.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: 2e8c356090ac37c047113d7a168f316a2e8d92920921b3ebfa8f63402ff6725c
Instruction ID: 43dbd8d6e3b7c5cd64b29a6b2a8e97d9d595cabdb3d7e930af84e3de84dfdb5d
Opcode Fuzzy Hash: 2e8c356090ac37c047113d7a168f316a2e8d92920921b3ebfa8f63402ff6725c
Instruction Fuzzy Hash: 4B014475E00718BBEB119BA59C49E4EBF7CEB48751F008065FA05AB280D6B09C10CB91

Function 002D327E Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 002D32AF
MapVirtualKeyW.USER32(00000010,00000000), ref: 002D32B7
MapVirtualKeyW.USER32(000000A0,00000000), ref: 002D32C2
MapVirtualKeyW.USER32(000000A1,00000000), ref: 002D32CD
MapVirtualKeyW.USER32(00000011,00000000), ref: 002D32D5
MapVirtualKeyW.USER32(00000012,00000000), ref: 002D32DD

Memory Dump Source

Source File: 0000000C.00000002.1724187159.00000000002D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000C.00000002.1724077128.00000000002D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.000000000036D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.0000000000393000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724304889.000000000039D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724324748.00000000003A5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2d0000_Breakdown.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: b9083e78f4d292f48c58d4a53521f2dbd7b8d1fc0fdf843afb511f11058a2a20
Instruction ID: d743f7f636a7a5c724c08b1caf0d21076c70c0d7b6120100438c832debcaa4bf
Opcode Fuzzy Hash: b9083e78f4d292f48c58d4a53521f2dbd7b8d1fc0fdf843afb511f11058a2a20
Instruction Fuzzy Hash: B3016CB090175A7DE3008F5A8C85B52FFA8FF19354F00411BD15C4B941C7F5A864CBE5

Function 0033F437 Relevance: 9.0, APIs: 6, Instructions: 42windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 0033F447
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 0033F45D
GetWindowThreadProcessId.USER32(?,?), ref: 0033F46C
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0033F47B
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0033F485
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0033F48C

Memory Dump Source

Source File: 0000000C.00000002.1724187159.00000000002D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000C.00000002.1724077128.00000000002D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.000000000036D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.0000000000393000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724304889.000000000039D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724324748.00000000003A5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2d0000_Breakdown.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: 5065763a788a7780b1acf245cc64beba137e4a3a0fdb3283014c115084a3ca21
Instruction ID: e8d4b1b80801d6410aa9004b4d01cac7442cf16798a385ea9c6e6f4e6004ee35
Opcode Fuzzy Hash: 5065763a788a7780b1acf245cc64beba137e4a3a0fdb3283014c115084a3ca21
Instruction Fuzzy Hash: 98F01732B41198BBE7225B629C0EEEB7A7CEBCBB11F004058F601911909AE46A01C6B6

Function 003134D6 Relevance: 9.0, APIs: 6, Instructions: 39windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?), ref: 003134EF
SendMessageW.USER32(?,00001328,00000000,?), ref: 00313506
GetWindowDC.USER32(?), ref: 00313512
GetPixel.GDI32(00000000,?,?), ref: 00313521
ReleaseDC.USER32(?,00000000), ref: 00313533
GetSysColor.USER32(00000005), ref: 0031354D

Memory Dump Source

Source File: 0000000C.00000002.1724187159.00000000002D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000C.00000002.1724077128.00000000002D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.000000000036D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.0000000000393000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724304889.000000000039D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724324748.00000000003A5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2d0000_Breakdown.jbxd

Similarity

API ID: ClientColorMessagePixelRectReleaseSendWindow
String ID:
API String ID: 272304278-0
Opcode ID: e3f98a89c31acb9966d6d72e958d601d1f053ddaca8fae0053011c7311320d30
Instruction ID: 81904d3fe420020ca8722f02166aa1d043e56cf9cf41db5b0e0df274cec44546
Opcode Fuzzy Hash: e3f98a89c31acb9966d6d72e958d601d1f053ddaca8fae0053011c7311320d30
Instruction Fuzzy Hash: 2801AD31A00104EFDB525FA5DC08FEA7BBAFF09720F514120FA1AA21A0CBB11E91AF11

Function 003321C1 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 003321CC
UnloadUserProfile.USERENV(?,?), ref: 003321D8
CloseHandle.KERNEL32(?), ref: 003321E1
CloseHandle.KERNEL32(?), ref: 003321E9
GetProcessHeap.KERNEL32(00000000,?), ref: 003321F2
HeapFree.KERNEL32(00000000), ref: 003321F9

Memory Dump Source

Source File: 0000000C.00000002.1724187159.00000000002D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000C.00000002.1724077128.00000000002D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.000000000036D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.0000000000393000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724304889.000000000039D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724324748.00000000003A5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2d0000_Breakdown.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: 516124c5ff315009e2daf8b2d9e32f90d096a802ce376872779da66e82347e21
Instruction ID: 71167504763f55b5df773725f3d74afd320366cd72cd9d5f20056cd9335741f1
Opcode Fuzzy Hash: 516124c5ff315009e2daf8b2d9e32f90d096a802ce376872779da66e82347e21
Instruction Fuzzy Hash: ADE0E576604145BBDB421FA2EC0C90ABF3DFF4A322F108220F22582170CBB29430DB51

Function 0035B7C4 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 176COMMON

Download Yara Rule

APIs

ShellExecuteExW.SHELL32(0000003C), ref: 0035B903

Part of subcall function 002D41EA: _wcslen.LIBCMT ref: 002D41EF

GetProcessId.KERNEL32(00000000), ref: 0035B998
CloseHandle.KERNEL32(00000000), ref: 0035B9C7

Strings

<, xrefs: 0035B8CB
@, xrefs: 0035B8D2

Memory Dump Source

Source File: 0000000C.00000002.1724187159.00000000002D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000C.00000002.1724077128.00000000002D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.000000000036D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.0000000000393000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724304889.000000000039D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724324748.00000000003A5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2d0000_Breakdown.jbxd

Similarity

API ID: CloseExecuteHandleProcessShell_wcslen
String ID: <$@
API String ID: 146682121-1426351568
Opcode ID: 7cd656ef9d96f8e1834ea876f2b15e0be7c8030858931d7c1b7d3b7c69d117e0
Instruction ID: 29093e5a007a619f212d1487800f1b8ad5f56871e5faf56ddc0b081ab96ad2e9
Opcode Fuzzy Hash: 7cd656ef9d96f8e1834ea876f2b15e0be7c8030858931d7c1b7d3b7c69d117e0
Instruction Fuzzy Hash: 6F716774A10219DFCB12EF54C495A9EBBF4BF08300F15849AE956AB362CB70ED59CF90

Function 00337B05 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00337B6D
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 00337BA3
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 00337BB4
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00337C36

Strings

DllGetClassObject, xrefs: 00337BA9

Memory Dump Source

Source File: 0000000C.00000002.1724187159.00000000002D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000C.00000002.1724077128.00000000002D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.000000000036D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.0000000000393000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724304889.000000000039D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724324748.00000000003A5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2d0000_Breakdown.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: 14068d66131cd30068e8e147400d061445c1a4b227aa65dd9ea2bc190671e570
Instruction ID: eb874ff71e999e1c9b2745f105b2211b57a3475e212839644e4f4f57c6a0f174
Opcode Fuzzy Hash: 14068d66131cd30068e8e147400d061445c1a4b227aa65dd9ea2bc190671e570
Instruction Fuzzy Hash: AA41A0B1604204EFDF27DF64C8C4A9A7BB9EF44310F1490A9E9069F246DBB4DD44CBA0

Function 00364818 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 003648D1
IsMenu.USER32(?), ref: 003648E6
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 0036492E
DrawMenuBar.USER32 ref: 00364941

Strings

0, xrefs: 00364825

Memory Dump Source

Source File: 0000000C.00000002.1724187159.00000000002D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000C.00000002.1724077128.00000000002D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.000000000036D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.0000000000393000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724304889.000000000039D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724324748.00000000003A5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2d0000_Breakdown.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert
String ID: 0
API String ID: 3076010158-4108050209
Opcode ID: 47459fe88f7b5569f9cc5bb2ddb07baaa5418985e353d4b57324cc5796dbad47
Instruction ID: db9329eb8f44134243dc9711473e610d10823fa763ee9b2c6256cb5e872df25a
Opcode Fuzzy Hash: 47459fe88f7b5569f9cc5bb2ddb07baaa5418985e353d4b57324cc5796dbad47
Instruction Fuzzy Hash: 4F414775A00209EFDB11CF65E884AAABBF9FF06324F058129E946A7350C730ED54CF60

Function 0033272F Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 93windowCOMMON

Download Yara Rule

APIs

Part of subcall function 002DB329: _wcslen.LIBCMT ref: 002DB333

Part of subcall function 003345FD: GetClassNameW.USER32(?,?,000000FF), ref: 00334620

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 003327B3
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 003327C6
SendMessageW.USER32(?,00000189,?,00000000), ref: 003327F6

Part of subcall function 002D8577: _wcslen.LIBCMT ref: 002D858A

Strings

ListBox, xrefs: 00332772
ComboBox, xrefs: 0033273D

Memory Dump Source

Source File: 0000000C.00000002.1724187159.00000000002D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000C.00000002.1724077128.00000000002D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.000000000036D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.0000000000393000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724304889.000000000039D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724324748.00000000003A5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2d0000_Breakdown.jbxd

Similarity

API ID: MessageSend$_wcslen$ClassName
String ID: ComboBox$ListBox
API String ID: 2081771294-1403004172
Opcode ID: f8a9ca8d60f33742f9cbb2cfd3f2a9102ec3bf9145e8c47b295601a8a9c59611
Instruction ID: 683090dc20bb5370fb6615bbe1ad4f3063de29d2c56c3cdab7194172110bbbd6
Opcode Fuzzy Hash: f8a9ca8d60f33742f9cbb2cfd3f2a9102ec3bf9145e8c47b295601a8a9c59611
Instruction Fuzzy Hash: D1210771E00104BEDB17AB64DC86CFFB778DF45360F11812AF411972E1DB745D099A60

Function 003639B3 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78windowlibraryCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00363A29
LoadLibraryW.KERNEL32(?), ref: 00363A30
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00363A45
DestroyWindow.USER32(?), ref: 00363A4D

Strings

SysAnimate32, xrefs: 00363A04

Memory Dump Source

Source File: 0000000C.00000002.1724187159.00000000002D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000C.00000002.1724077128.00000000002D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.000000000036D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.0000000000393000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724304889.000000000039D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724324748.00000000003A5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2d0000_Breakdown.jbxd

Similarity

API ID: MessageSend$DestroyLibraryLoadWindow
String ID: SysAnimate32
API String ID: 3529120543-1011021900
Opcode ID: 596e0b44f8d76cb99e6d41abdba4e37c0249a2d0fd06555459bcd342cf6ebee1
Instruction ID: 78da914bec621c71d49f39f8b5a6dce12a878d14665ec22f647b7e6372348145
Opcode Fuzzy Hash: 596e0b44f8d76cb99e6d41abdba4e37c0249a2d0fd06555459bcd342cf6ebee1
Instruction Fuzzy Hash: 0921AE71600205ABEF128FA4DC80FBB77FDEF45364F119218FA9196194C7B1CD50AB60

Function 00369A25 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 002D249F: GetWindowLongW.USER32(00000000,000000EB), ref: 002D24B0

GetCursorPos.USER32(?), ref: 00369A5D
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00369A72
GetCursorPos.USER32(?), ref: 00369ABA
DefDlgProcW.USER32(?,0000007B,?,?,?,?), ref: 00369AF0

Strings

(:, xrefs: 00369A30

Memory Dump Source

Source File: 0000000C.00000002.1724187159.00000000002D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000C.00000002.1724077128.00000000002D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.000000000036D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.0000000000393000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724304889.000000000039D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724324748.00000000003A5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2d0000_Breakdown.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID: (:
API String ID: 2864067406-2137056132
Opcode ID: 693afc7efd09151e59f3e5eeaab764ab857796485894692a64465e46547e8a51
Instruction ID: 9dc1f992a55fe1f7c646c76a03468ded3bae8d417dc27fa28369eecdef7f2230
Opcode Fuzzy Hash: 693afc7efd09151e59f3e5eeaab764ab857796485894692a64465e46547e8a51
Instruction Fuzzy Hash: 6521BF34600018EFCF268F98C848FEB7BBDEB0A710F41805AF9054B261D3709D64DB50

Function 002D1AAC Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 002D249F: GetWindowLongW.USER32(00000000,000000EB), ref: 002D24B0

DefDlgProcW.USER32(?,00000020,?,00000000), ref: 002D1AF4
GetClientRect.USER32(?,?), ref: 003131F9
GetCursorPos.USER32(?), ref: 00313203
ScreenToClient.USER32(?,?), ref: 0031320E

Strings

(:, xrefs: 002D1AB2

Memory Dump Source

Source File: 0000000C.00000002.1724187159.00000000002D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000C.00000002.1724077128.00000000002D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.000000000036D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.0000000000393000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724304889.000000000039D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724324748.00000000003A5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2d0000_Breakdown.jbxd

Similarity

API ID: Client$CursorLongProcRectScreenWindow
String ID: (:
API String ID: 4127811313-2137056132
Opcode ID: cb4ed17247d99e676c8a19562fd8702228450ba2f8abf8b3458ecba55415dbcd
Instruction ID: aa97acbda1a4002b6a542bd64c0eb204927f3260a342652ef649fb13ab7469d0
Opcode Fuzzy Hash: cb4ed17247d99e676c8a19562fd8702228450ba2f8abf8b3458ecba55415dbcd
Instruction Fuzzy Hash: C7113A31A11019FBCB05EFA8C9459EE77B8EB05344F504456F902E2640C771BEA1CBA1

Function 002F50DD Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,002F508E,?,?,002F502E,?,003998D8,0000000C,002F5185,?,00000002), ref: 002F50FD
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 002F5110
FreeLibrary.KERNEL32(00000000,?,?,?,002F508E,?,?,002F502E,?,003998D8,0000000C,002F5185,?,00000002,00000000), ref: 002F5133

Strings

mscoree.dll, xrefs: 002F50F6
CorExitProcess, xrefs: 002F5108

Memory Dump Source

Source File: 0000000C.00000002.1724187159.00000000002D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000C.00000002.1724077128.00000000002D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.000000000036D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.0000000000393000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724304889.000000000039D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724324748.00000000003A5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2d0000_Breakdown.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 6c142a287740f5494973a97448ed589a69f7f98d621b042b852f1986bb96728d
Instruction ID: e1126e0b3d027beb882e2e6fb87b9219e884a88613d6d0137a2e172241e5c0c8
Opcode Fuzzy Hash: 6c142a287740f5494973a97448ed589a69f7f98d621b042b852f1986bb96728d
Instruction Fuzzy Hash: 77F0C831A1021CBBDB125F98DC49BAEBFB8EF04752F004064F90AA6160DBB55D50CA90

Function 002D663E Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,002D668B,?,?,002D62FA,?,00000001,?,?,00000000), ref: 002D664A
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 002D665C
FreeLibrary.KERNEL32(00000000,?,?,002D668B,?,?,002D62FA,?,00000001,?,?,00000000), ref: 002D666E

Strings

kernel32.dll, xrefs: 002D6642
Wow64DisableWow64FsRedirection, xrefs: 002D6656

Memory Dump Source

Source File: 0000000C.00000002.1724187159.00000000002D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000C.00000002.1724077128.00000000002D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.000000000036D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.0000000000393000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724304889.000000000039D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724324748.00000000003A5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2d0000_Breakdown.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 145871493-3689287502
Opcode ID: 238a9b2c86119c1e5350c865016ac3088a7e355df710725be94c98277a925b02
Instruction ID: d6b384ec78ac7b7fa448365291e82e085b2195af97cde133d9eb18c825811dc7
Opcode Fuzzy Hash: 238a9b2c86119c1e5350c865016ac3088a7e355df710725be94c98277a925b02
Instruction Fuzzy Hash: 6AE08635B115231792531B25AC0CA5A652C9F93B16F094116F801D2304DBD4CC0180E4

Function 002D6607 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00315657,?,?,002D62FA,?,00000001,?,?,00000000), ref: 002D6610
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 002D6622
FreeLibrary.KERNEL32(00000000,?,?,00315657,?,?,002D62FA,?,00000001,?,?,00000000), ref: 002D6635

Strings

Wow64RevertWow64FsRedirection, xrefs: 002D661C
kernel32.dll, xrefs: 002D6609

Memory Dump Source

Source File: 0000000C.00000002.1724187159.00000000002D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000C.00000002.1724077128.00000000002D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.000000000036D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.0000000000393000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724304889.000000000039D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724324748.00000000003A5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2d0000_Breakdown.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 145871493-1355242751
Opcode ID: 06139ab15434cb8b0c085873b535e4f2db0691660b8fad04e23db047c55bdcc7
Instruction ID: 0a5dca56cf75e085b4557de301e2001ae3d9a3e8d0022ac8a18ac19cc75f6cf7
Opcode Fuzzy Hash: 06139ab15434cb8b0c085873b535e4f2db0691660b8fad04e23db047c55bdcc7
Instruction Fuzzy Hash: EFD01235B225325746632B256C1CDCE6A1C9E93B1130D4016F852A6218CFE4CD1185D8

Function 00343306 Relevance: 7.8, APIs: 5, Instructions: 313fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 003435C4
DeleteFileW.KERNEL32(?), ref: 00343646
CopyFileW.KERNEL32(?,?,00000000,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 0034365C
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 0034366D
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 0034367F

Memory Dump Source

Source File: 0000000C.00000002.1724187159.00000000002D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000C.00000002.1724077128.00000000002D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.000000000036D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.0000000000393000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724304889.000000000039D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724324748.00000000003A5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2d0000_Breakdown.jbxd

Similarity

API ID: File$Delete$Copy
String ID:
API String ID: 3226157194-0
Opcode ID: 6759549166160fb8fa790717662195296e1eff36321e55174c561ea3f02da6f7
Instruction ID: 5fc61c10471bbae28712a6969f1a1ae2fec320c7df685a03f990254b1c0584a3
Opcode Fuzzy Hash: 6759549166160fb8fa790717662195296e1eff36321e55174c561ea3f02da6f7
Instruction Fuzzy Hash: 3AB1517190011DABDF12DBA4CC85EDEB7BDEF09354F0040A6F609EB241DB34AA548F61

Function 0035ADE7 Relevance: 7.8, APIs: 5, Instructions: 256COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 0035AE87
OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 0035AE95
GetProcessIoCounters.KERNEL32(00000000,?), ref: 0035AEC8
CloseHandle.KERNEL32(?), ref: 0035B09D

Memory Dump Source

Source File: 0000000C.00000002.1724187159.00000000002D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000C.00000002.1724077128.00000000002D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.000000000036D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.0000000000393000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724304889.000000000039D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724324748.00000000003A5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2d0000_Breakdown.jbxd

Similarity

API ID: Process$CloseCountersCurrentHandleOpen
String ID:
API String ID: 3488606520-0
Opcode ID: fd983f7ccb9e6a5d704eea89c31d0f634d1e7a31e5e164bd140d39687db8f203
Instruction ID: 3554fc852ad20e7ea4f8158678c7f6afc0744fa4a50aeb1d6a9bbb06755676d8
Opcode Fuzzy Hash: fd983f7ccb9e6a5d704eea89c31d0f634d1e7a31e5e164bd140d39687db8f203
Instruction Fuzzy Hash: B2A1AE71A04301AFE721DF24C886F2AB7E5AF44710F55881DF9999B3D2DBB1EC548B82

Function 0035C429 Relevance: 7.7, APIs: 5, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 002DB329: _wcslen.LIBCMT ref: 002DB333

Part of subcall function 0035D3F8: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0035C10E,?,?), ref: 0035D415
Part of subcall function 0035D3F8: _wcslen.LIBCMT ref: 0035D451
Part of subcall function 0035D3F8: _wcslen.LIBCMT ref: 0035D4C8
Part of subcall function 0035D3F8: _wcslen.LIBCMT ref: 0035D4FE

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0035C505
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0035C560
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 0035C5C3
RegCloseKey.ADVAPI32(?,?), ref: 0035C606
RegCloseKey.ADVAPI32(00000000), ref: 0035C613

Memory Dump Source

Source File: 0000000C.00000002.1724187159.00000000002D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000C.00000002.1724077128.00000000002D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.000000000036D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.0000000000393000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724304889.000000000039D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724324748.00000000003A5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2d0000_Breakdown.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpper
String ID:
API String ID: 826366716-0
Opcode ID: 58b00231e20a86a4c4c3c3038fefa34a84004dc9c6e8ac66f1bcc340b8ac0492
Instruction ID: fcff6c597557ac8d66306f7361127421ad197973e3ec3fdbd0f2e0ac2f835a30
Opcode Fuzzy Hash: 58b00231e20a86a4c4c3c3038fefa34a84004dc9c6e8ac66f1bcc340b8ac0492
Instruction Fuzzy Hash: 8461BF31218341AFC715DF54C890E2ABBE9FF84308F15999DF4998B2A2DB31ED49CB91

Function 0033ED12 Relevance: 7.7, APIs: 5, Instructions: 167filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0033E6F7: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,0033D7CD,?), ref: 0033E714

Part of subcall function 0033E6F7: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,0033D7CD,?), ref: 0033E72D

Part of subcall function 0033EAB0: GetFileAttributesW.KERNEL32(?,0033D840), ref: 0033EAB1

lstrcmpiW.KERNEL32(?,?), ref: 0033ED8A
MoveFileW.KERNEL32(?,?), ref: 0033EDC3
_wcslen.LIBCMT ref: 0033EF02
_wcslen.LIBCMT ref: 0033EF1A
SHFileOperationW.SHELL32(?,?,?,?,?,?), ref: 0033EF67

Memory Dump Source

Source File: 0000000C.00000002.1724187159.00000000002D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000C.00000002.1724077128.00000000002D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.000000000036D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.0000000000393000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724304889.000000000039D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724324748.00000000003A5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2d0000_Breakdown.jbxd

Similarity

API ID: File$FullNamePath_wcslen$AttributesMoveOperationlstrcmpi
String ID:
API String ID: 3183298772-0
Opcode ID: 63afbe621e7dacd6b4006c5898a86fa2837b3297223fee12be68c43c4f425c4b
Instruction ID: 2ae48a0815abe099cb9857ba8becaff646664f1bc872ef6839c9894af2688ed5
Opcode Fuzzy Hash: 63afbe621e7dacd6b4006c5898a86fa2837b3297223fee12be68c43c4f425c4b
Instruction Fuzzy Hash: D45141B25083859FC726EB94D8919DBB3ECAF84340F40492EF685D3191EF71A6888B56

Function 00339517 Relevance: 7.7, APIs: 5, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00339534
VariantClear.OLEAUT32 ref: 003395A5
VariantClear.OLEAUT32 ref: 00339604
VariantClear.OLEAUT32(?), ref: 00339677
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 003396A2

Memory Dump Source

Source File: 0000000C.00000002.1724187159.00000000002D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000C.00000002.1724077128.00000000002D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.000000000036D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.0000000000393000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724304889.000000000039D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724324748.00000000003A5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2d0000_Breakdown.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType
String ID:
API String ID: 4136290138-0
Opcode ID: 025acc6b184aa5803c2d0c1cb3dd6f82d5c30b728d6dd3a3ab49f359494d6f53
Instruction ID: 1225a59a8d64c4ae14107d89e2968fd9123c7b84b8b53e403cb8c3f905e8b811
Opcode Fuzzy Hash: 025acc6b184aa5803c2d0c1cb3dd6f82d5c30b728d6dd3a3ab49f359494d6f53
Instruction Fuzzy Hash: 165136B5A01219EFCB15CF69C884AAAB7F8FF89310F15855AF909DB310E770E911CB90

Function 00349540 Relevance: 7.6, APIs: 5, Instructions: 143COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 003495F3
GetPrivateProfileSectionW.KERNEL32(?,00000003,00000003,?), ref: 0034961F
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00349677
WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 0034969C
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 003496A4

Memory Dump Source

Source File: 0000000C.00000002.1724187159.00000000002D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000C.00000002.1724077128.00000000002D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.000000000036D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.0000000000393000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724304889.000000000039D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724324748.00000000003A5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2d0000_Breakdown.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String
String ID:
API String ID: 2832842796-0
Opcode ID: f8947d047e5c7b48aec8678d2c63054c616686c3581c4d0f9ad65380b049f0dd
Instruction ID: 85d4e6e8d2f9767a02c11fa5711cdf133697f2045973057d62c4884326c754d5
Opcode Fuzzy Hash: f8947d047e5c7b48aec8678d2c63054c616686c3581c4d0f9ad65380b049f0dd
Instruction Fuzzy Hash: 05512935A00219AFCF06DF65C891AAABBF5FF48314F058059E949AB362CB35ED51CF90

Function 00359941 Relevance: 7.6, APIs: 5, Instructions: 143libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(?,00000000,?), ref: 0035999D
GetProcAddress.KERNEL32(00000000,?), ref: 00359A2D
GetProcAddress.KERNEL32(00000000,00000000), ref: 00359A49
GetProcAddress.KERNEL32(00000000,?), ref: 00359A8F
FreeLibrary.KERNEL32(00000000), ref: 00359AAF

Part of subcall function 002EF9D4: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,00341A02,?,75B8E610), ref: 002EF9F1
Part of subcall function 002EF9D4: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00330354,00000000,00000000,?,?,00341A02,?,75B8E610,?,00330354), ref: 002EFA18

Memory Dump Source

Source File: 0000000C.00000002.1724187159.00000000002D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000C.00000002.1724077128.00000000002D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.000000000036D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.0000000000393000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724304889.000000000039D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724324748.00000000003A5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2d0000_Breakdown.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad
String ID:
API String ID: 666041331-0
Opcode ID: 61f6837d67f55bd4defdcc7c36e7fe796d70d4727dfa8c14e682e55857c7e356
Instruction ID: 3217f8dce4a1060e1310641fb28287dc046a5a5239c5a8984ae08822398d0224
Opcode Fuzzy Hash: 61f6837d67f55bd4defdcc7c36e7fe796d70d4727dfa8c14e682e55857c7e356
Instruction Fuzzy Hash: 2D516C35A04245DFCB02DF68C494DADBBB5FF09314B19819AE80A9B722D731ED86CF91

Function 003675AE Relevance: 7.6, APIs: 5, Instructions: 131windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(00000002,000000F0,?), ref: 0036766B
SetWindowLongW.USER32(?,000000EC,?), ref: 00367682
SendMessageW.USER32(00000002,00001036,00000000,?), ref: 003676AB
ShowWindow.USER32(00000002,00000000,00000002,00000002,?,?,?,?,?,?,?,0034B5BE,00000000,00000000), ref: 003676D0
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000027,00000002,?,00000001,00000002,00000002,?,?,?), ref: 003676FF

Memory Dump Source

Source File: 0000000C.00000002.1724187159.00000000002D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000C.00000002.1724077128.00000000002D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.000000000036D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.0000000000393000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724304889.000000000039D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724324748.00000000003A5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2d0000_Breakdown.jbxd

Similarity

API ID: Window$Long$MessageSendShow
String ID:
API String ID: 3688381893-0
Opcode ID: c09e855b62758d1298ec4f993b00a596e450476d3267232b01d196cc28577fe6
Instruction ID: 3a9d5df3e7ea0c1806a2bdf4d93c1edf35cfe6ba5678fd39808d117d3d5a18fa
Opcode Fuzzy Hash: c09e855b62758d1298ec4f993b00a596e450476d3267232b01d196cc28577fe6
Instruction Fuzzy Hash: 8C411535A08504AFD727CF2CCC48FA67BA9EB09364F968224F859A72E4D370ED51CA50

Function 003023C1 Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00302433
_free.LIBCMT ref: 00302453

Memory Dump Source

Source File: 0000000C.00000002.1724187159.00000000002D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000C.00000002.1724077128.00000000002D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.000000000036D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.0000000000393000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724304889.000000000039D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724324748.00000000003A5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2d0000_Breakdown.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 88ef5110b6fcac645006659bf72ad74e72f469ec85a31224bfab8a223414bfb4
Instruction ID: 30d3363e78b66aad975737e5e3bdf3758b21beda1da6f7691f1474bd5df8e64a
Opcode Fuzzy Hash: 88ef5110b6fcac645006659bf72ad74e72f469ec85a31224bfab8a223414bfb4
Instruction Fuzzy Hash: 2741D132A012049FCB22DF79C895A6FB3E6EF89314F1645A9E615EB391D731AD01CB80

Function 0033224E Relevance: 7.6, APIs: 5, Instructions: 93sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00332262
PostMessageW.USER32(00000001,00000201,00000001), ref: 0033230E
Sleep.KERNEL32(00000000,?,?,?), ref: 00332316
PostMessageW.USER32(00000001,00000202,00000000), ref: 00332327
Sleep.KERNEL32(00000000,?,?,?,?), ref: 0033232F

Memory Dump Source

Source File: 0000000C.00000002.1724187159.00000000002D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000C.00000002.1724077128.00000000002D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.000000000036D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.0000000000393000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724304889.000000000039D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724324748.00000000003A5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2d0000_Breakdown.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: b27901a90fda25cf86fdb37af672009a346e0153bedadcfea1fc82fcdc8ce4c6
Instruction ID: 4d1acc7b1f7fb9ca60d3539ea41561dcd80c58867355fe6fce52ff97fd29e943
Opcode Fuzzy Hash: b27901a90fda25cf86fdb37af672009a346e0153bedadcfea1fc82fcdc8ce4c6
Instruction Fuzzy Hash: 1E31D471A00219EFDB15CFA8CD89ADF7BB5EB04315F108625F926EB2D0C7B09954DB90

Function 0034D95F Relevance: 7.6, APIs: 5, Instructions: 93networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(?,?,00000000,00000000,00000000,?,00000000,?,?,?,0034CC63,00000000), ref: 0034D97D
InternetReadFile.WININET(?,00000000,?,?), ref: 0034D9B4
GetLastError.KERNEL32(?,00000000,?,?,?,0034CC63,00000000), ref: 0034D9F9
SetEvent.KERNEL32(?,?,00000000,?,?,?,0034CC63,00000000), ref: 0034DA0D
SetEvent.KERNEL32(?,?,00000000,?,?,?,0034CC63,00000000), ref: 0034DA37

Memory Dump Source

Source File: 0000000C.00000002.1724187159.00000000002D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000C.00000002.1724077128.00000000002D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.000000000036D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.0000000000393000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724304889.000000000039D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724324748.00000000003A5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2d0000_Breakdown.jbxd

Similarity

API ID: EventInternet$AvailableDataErrorFileLastQueryRead
String ID:
API String ID: 3191363074-0
Opcode ID: 3e4a3549aafa985b2377b61a8e1992d69e0e2d89a78b463477f8f4ef4ae3d89d
Instruction ID: 912a9b78d8b053c3e2e0e80b34e10bd499b1a80c3b3fa2327d83544ce681b3e8
Opcode Fuzzy Hash: 3e4a3549aafa985b2377b61a8e1992d69e0e2d89a78b463477f8f4ef4ae3d89d
Instruction Fuzzy Hash: 10314C71A04209EFDB22DFA5D884AAFB7FCEB04754F10842EE546DA650D770BE409B60

Function 003661A5 Relevance: 7.6, APIs: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001053,000000FF,?), ref: 003661E4
SendMessageW.USER32(?,00001074,?,00000001), ref: 0036623C
_wcslen.LIBCMT ref: 0036624E
_wcslen.LIBCMT ref: 00366259
SendMessageW.USER32(?,00001002,00000000,?), ref: 003662B5

Memory Dump Source

Source File: 0000000C.00000002.1724187159.00000000002D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000C.00000002.1724077128.00000000002D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.000000000036D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.0000000000393000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724304889.000000000039D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724324748.00000000003A5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2d0000_Breakdown.jbxd

Similarity

API ID: MessageSend$_wcslen
String ID:
API String ID: 763830540-0
Opcode ID: 8299f7e449dd2d9472d8ba8150b4387e0a560feb5c884799b963ec5981935b7e
Instruction ID: 4321dbf1dc26b94e5fe367ded9d81cc6afbebd4e1e28dd346529933e8ea93b48
Opcode Fuzzy Hash: 8299f7e449dd2d9472d8ba8150b4387e0a560feb5c884799b963ec5981935b7e
Instruction Fuzzy Hash: 9B21A5359002189BDB129F54CC85AEEB7BCEF15754F10C226FA25EA184D7708985CF90

Function 0035138D Relevance: 7.6, APIs: 5, Instructions: 69COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 003513AE
GetForegroundWindow.USER32 ref: 003513C5
GetDC.USER32(00000000), ref: 00351401
GetPixel.GDI32(00000000,?,00000003), ref: 0035140D
ReleaseDC.USER32(00000000,00000003), ref: 00351445

Memory Dump Source

Source File: 0000000C.00000002.1724187159.00000000002D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000C.00000002.1724077128.00000000002D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.000000000036D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.0000000000393000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724304889.000000000039D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724324748.00000000003A5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2d0000_Breakdown.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: 0265c99c3280b8cd74df805c95302cbaaebf62dfd679549242158d6a44889a62
Instruction ID: 1483e8f7e2e520320808e99eef4f6fe0dbad03e5d590291a48e3e5b2faa7d3c7
Opcode Fuzzy Hash: 0265c99c3280b8cd74df805c95302cbaaebf62dfd679549242158d6a44889a62
Instruction Fuzzy Hash: 45216F35B00214AFD705EF65C898AAEB7E9EF88301F058429F84A9B761CA70AC04CB90

Function 0030D13D Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 0030D146
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0030D169

Part of subcall function 00303B93: RtlAllocateHeap.NTDLL(00000000,?,?,?,002F6A79,?,0000015D,?,?,?,?,002F85B0,000000FF,00000000,?,?), ref: 00303BC5

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0030D18F
_free.LIBCMT ref: 0030D1A2
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0030D1B1

Memory Dump Source

Source File: 0000000C.00000002.1724187159.00000000002D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000C.00000002.1724077128.00000000002D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.000000000036D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.0000000000393000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724304889.000000000039D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724324748.00000000003A5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2d0000_Breakdown.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: 19dd954f408d8c9a65f0f12d7ceb211af3dc069ab92295c108f6a73209df6f69
Instruction ID: 8e9ea2d1e78c7e124a54e3fcaf726a822cd18a32e51dab0786c9878e2a391d83
Opcode Fuzzy Hash: 19dd954f408d8c9a65f0f12d7ceb211af3dc069ab92295c108f6a73209df6f69
Instruction Fuzzy Hash: C201D476B036157FB36726FA5C9CC7B7AADDEC2B613150129FC05C6280DEA08C0181B0

Function 0030316B Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(0000000A,?,?,002FF64E,002F545F,0000000A,?,00000000,00000000,?,00000000,?,?,?,0000000A,00000000), ref: 00303170
_free.LIBCMT ref: 003031A5
_free.LIBCMT ref: 003031CC
SetLastError.KERNEL32(00000000,?,00000000,?,?,?,0000000A,00000000), ref: 003031D9
SetLastError.KERNEL32(00000000,?,00000000,?,?,?,0000000A,00000000), ref: 003031E2

Memory Dump Source

Source File: 0000000C.00000002.1724187159.00000000002D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000C.00000002.1724077128.00000000002D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.000000000036D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.0000000000393000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724304889.000000000039D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724324748.00000000003A5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2d0000_Breakdown.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: c4a59d4af219931bf6f87c0fb597082d2a6483520e34ceb91c4255244c319de3
Instruction ID: f8720018df0fc37d457b4de78fb6a27ade15ba14fa6ba9df523ad70cda4efe14
Opcode Fuzzy Hash: c4a59d4af219931bf6f87c0fb597082d2a6483520e34ceb91c4255244c319de3
Instruction Fuzzy Hash: BA01F476747A007BD6173734ACAAE2B266DAFCA371B220425F925D62D1EE728E014224

Function 003308FE Relevance: 7.5, APIs: 5, Instructions: 47stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,00330831,80070057,?,?,?,00330C4E), ref: 0033091B
ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00330831,80070057,?,?), ref: 00330936
lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00330831,80070057,?,?), ref: 00330944
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00330831,80070057,?), ref: 00330954
CLSIDFromString.OLE32(?,?,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00330831,80070057,?,?), ref: 00330960

Memory Dump Source

Source File: 0000000C.00000002.1724187159.00000000002D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000C.00000002.1724077128.00000000002D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.000000000036D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.0000000000393000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724304889.000000000039D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724324748.00000000003A5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2d0000_Breakdown.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: 8b38e9f9f6f791af5573488c641e0e40b289482b0428f3d5aa42c2e26ff5a892
Instruction ID: 864b9b070ca0f25afb4a613c64dc5de2630cfc277653f8388c2831a3083db516
Opcode Fuzzy Hash: 8b38e9f9f6f791af5573488c641e0e40b289482b0428f3d5aa42c2e26ff5a892
Instruction Fuzzy Hash: 20018F76B00218AFEB164F55DC88B9E7AADEB84761F154124F905E3222D7B1DD409BA0

Function 0033F292 Relevance: 7.5, APIs: 5, Instructions: 47sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?), ref: 0033F2AE
QueryPerformanceFrequency.KERNEL32(?), ref: 0033F2BC
Sleep.KERNEL32(00000000), ref: 0033F2C4
QueryPerformanceCounter.KERNEL32(?), ref: 0033F2CE
Sleep.KERNEL32 ref: 0033F30A

Memory Dump Source

Source File: 0000000C.00000002.1724187159.00000000002D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000C.00000002.1724077128.00000000002D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.000000000036D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.0000000000393000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724304889.000000000039D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724324748.00000000003A5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2d0000_Breakdown.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: 0f5ee0eb60f4c73232e7e50d8d86a214ac80f41a6a1b28af6fc5dbd39a4bf75e
Instruction ID: ba22f4833e8ab107eb59a0d49ed01508be382b5042ab1f6c6d35d998d3cb25c3
Opcode Fuzzy Hash: 0f5ee0eb60f4c73232e7e50d8d86a214ac80f41a6a1b28af6fc5dbd39a4bf75e
Instruction Fuzzy Hash: 4701AD74D00219DFCF02AFA5D888AEEBB7CFB09310F410466E542F2250CBB09554C7A1

Function 00331A45 Relevance: 7.5, APIs: 5, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00331A60
GetLastError.KERNEL32(?,00000000,00000000,?,?,003314E7,?,?,?), ref: 00331A6C
GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,003314E7,?,?,?), ref: 00331A7B
HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,003314E7,?,?,?), ref: 00331A82
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00331A99

Memory Dump Source

Source File: 0000000C.00000002.1724187159.00000000002D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000C.00000002.1724077128.00000000002D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.000000000036D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.0000000000393000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724304889.000000000039D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724324748.00000000003A5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2d0000_Breakdown.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: 6b6107fa6fd495747b95f74527e549288b523649f5c84261a93b6c6a5ae4d53c
Instruction ID: 17ecefe50b0787e07fe5f6a6864dd7bccab2c5de42a6264066cf551a0ffd0922
Opcode Fuzzy Hash: 6b6107fa6fd495747b95f74527e549288b523649f5c84261a93b6c6a5ae4d53c
Instruction Fuzzy Hash: D7018CB9A01205BFDB124FA5DC88E6A3B6EEF893A5F224414F845C7260DAB1DC408A60

Function 00331900 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00331916
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00331922
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00331931
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00331938
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 0033194E

Memory Dump Source

Source File: 0000000C.00000002.1724187159.00000000002D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000C.00000002.1724077128.00000000002D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.000000000036D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.0000000000393000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724304889.000000000039D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724324748.00000000003A5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2d0000_Breakdown.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 50c32203d97d3e725f40565bd36e80398368814d09f91b76b803765c5d50ab33
Instruction ID: ec6a00f6d51b77f7d0330c5cde06442669fbd51a5f5e9e2abd38d2dba9f5b5ed
Opcode Fuzzy Hash: 50c32203d97d3e725f40565bd36e80398368814d09f91b76b803765c5d50ab33
Instruction Fuzzy Hash: 8AF06D75600306BBDB220FA5DC9DF563BADEF897A0F118414FA45D72A0CBB1DC108AA0

Function 00331960 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00331976
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00331982
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00331991
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00331998
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 003319AE

Memory Dump Source

Source File: 0000000C.00000002.1724187159.00000000002D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000C.00000002.1724077128.00000000002D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.000000000036D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.0000000000393000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724304889.000000000039D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724324748.00000000003A5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2d0000_Breakdown.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: f8584553f4faffe310dc3c2e0fc80aae1d37d0b4e00f93d3e4b2364ea7d3352b
Instruction ID: 95b8b280f76ff709bed706a323bfda3bbdd0a474756a28b24dff11a6d5f57c92
Opcode Fuzzy Hash: f8584553f4faffe310dc3c2e0fc80aae1d37d0b4e00f93d3e4b2364ea7d3352b
Instruction Fuzzy Hash: C9F06D75600301BBDB234FA5EC9DF573BADEF897A0F118414FA45C72A0CBB1E8108AA0

Function 00340CB6 Relevance: 7.5, APIs: 6, Instructions: 41COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,?,?,?,00340B24,?,00343D41,?,00000001,00313AF4,?), ref: 00340CCB
CloseHandle.KERNEL32(?,?,?,?,00340B24,?,00343D41,?,00000001,00313AF4,?), ref: 00340CD8
CloseHandle.KERNEL32(?,?,?,?,00340B24,?,00343D41,?,00000001,00313AF4,?), ref: 00340CE5
CloseHandle.KERNEL32(?,?,?,?,00340B24,?,00343D41,?,00000001,00313AF4,?), ref: 00340CF2
CloseHandle.KERNEL32(?,?,?,?,00340B24,?,00343D41,?,00000001,00313AF4,?), ref: 00340CFF
CloseHandle.KERNEL32(?,?,?,?,00340B24,?,00343D41,?,00000001,00313AF4,?), ref: 00340D0C

Memory Dump Source

Source File: 0000000C.00000002.1724187159.00000000002D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000C.00000002.1724077128.00000000002D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.000000000036D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.0000000000393000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724304889.000000000039D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724324748.00000000003A5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2d0000_Breakdown.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: a593e58807d1b35c3dc0c545e78b9cb765887303cb52f9bcd6f37be29d5b3f91
Instruction ID: c492943dfddc9d9448e4ee375c18a82c7b50433760927c92602234e692646e4a
Opcode Fuzzy Hash: a593e58807d1b35c3dc0c545e78b9cb765887303cb52f9bcd6f37be29d5b3f91
Instruction Fuzzy Hash: D301EE71900B05CFCB32AFA6D980812FBF9BF503153128A3ED2A256931C7B0B848CF80

Function 003365AB Relevance: 7.5, APIs: 5, Instructions: 40windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 003365BF
GetWindowTextW.USER32(00000000,?,00000100), ref: 003365D6
MessageBeep.USER32(00000000), ref: 003365EE
KillTimer.USER32(?,0000040A), ref: 0033660A
EndDialog.USER32(?,00000001), ref: 00336624

Memory Dump Source

Source File: 0000000C.00000002.1724187159.00000000002D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000C.00000002.1724077128.00000000002D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.000000000036D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.0000000000393000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724304889.000000000039D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724324748.00000000003A5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2d0000_Breakdown.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: 9832372c0de395c488522c43e260d394ad58769c271e1204da18a4585b9e007c
Instruction ID: 46a549be08bb34a8b6e74b9c0bd56c23a32dac8cf93c482ba09f075748388005
Opcode Fuzzy Hash: 9832372c0de395c488522c43e260d394ad58769c271e1204da18a4585b9e007c
Instruction Fuzzy Hash: EA018130A00704BFEB325F20DD8FB967BBCFB04705F418669E187A14E1DBF4AA548A94

Function 0030DABA Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0030DAD2

Part of subcall function 00302D38: RtlFreeHeap.NTDLL(00000000,00000000,?,0030DB51,003A1DC4,00000000,003A1DC4,00000000,?,0030DB78,003A1DC4,00000007,003A1DC4,?,0030DF75,003A1DC4), ref: 00302D4E
Part of subcall function 00302D38: GetLastError.KERNEL32(003A1DC4,?,0030DB51,003A1DC4,00000000,003A1DC4,00000000,?,0030DB78,003A1DC4,00000007,003A1DC4,?,0030DF75,003A1DC4,003A1DC4), ref: 00302D60

_free.LIBCMT ref: 0030DAE4
_free.LIBCMT ref: 0030DAF6
_free.LIBCMT ref: 0030DB08
_free.LIBCMT ref: 0030DB1A

Memory Dump Source

Source File: 0000000C.00000002.1724187159.00000000002D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000C.00000002.1724077128.00000000002D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.000000000036D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.0000000000393000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724304889.000000000039D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724324748.00000000003A5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2d0000_Breakdown.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 701f09d8eda75e42b4ec4873329d33b248c5915e02948c3a7be94d93c98471a7
Instruction ID: 09100eb012a5956717a42f2377ce1a9180e23d2ef170d72b75f12b53c3acd119
Opcode Fuzzy Hash: 701f09d8eda75e42b4ec4873329d33b248c5915e02948c3a7be94d93c98471a7
Instruction Fuzzy Hash: 96F0363254A204ABC667FB98F9A6D1B77DDEE047107960C06F019DB581CB31FC808794

Function 00302610 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0030262E

Part of subcall function 00302D38: RtlFreeHeap.NTDLL(00000000,00000000,?,0030DB51,003A1DC4,00000000,003A1DC4,00000000,?,0030DB78,003A1DC4,00000007,003A1DC4,?,0030DF75,003A1DC4), ref: 00302D4E
Part of subcall function 00302D38: GetLastError.KERNEL32(003A1DC4,?,0030DB51,003A1DC4,00000000,003A1DC4,00000000,?,0030DB78,003A1DC4,00000007,003A1DC4,?,0030DF75,003A1DC4,003A1DC4), ref: 00302D60

_free.LIBCMT ref: 00302640
_free.LIBCMT ref: 00302653
_free.LIBCMT ref: 00302664
_free.LIBCMT ref: 00302675

Memory Dump Source

Source File: 0000000C.00000002.1724187159.00000000002D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000C.00000002.1724077128.00000000002D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.000000000036D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.0000000000393000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724304889.000000000039D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724324748.00000000003A5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2d0000_Breakdown.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 6769260a608324ffa9275eb0b02342bcf87421193b56306229cd37261b5bfea1
Instruction ID: 2a801fe83190eb84f3ef9c772eb9e9c411d2e8ae19cd6a03b4def548f74233f3
Opcode Fuzzy Hash: 6769260a608324ffa9275eb0b02342bcf87421193b56306229cd37261b5bfea1
Instruction Fuzzy Hash: BBF0DA748161209FCA53BF68ED16D4A3B6CBB2A751B450A0BF4249A2F5C7320D11BF99

Function 003012B7 Relevance: 7.4, APIs: 2, Strings: 2, Instructions: 389COMMONLIBRARYCODE

Download Yara Rule

APIs

__freea.LIBCMT ref: 00301469
__freea.LIBCMT ref: 00301487

Part of subcall function 003018A7: _free.LIBCMT ref: 003018BF

Strings

am/pm, xrefs: 003014EA
a/p, xrefs: 0030154E

Memory Dump Source

Source File: 0000000C.00000002.1724187159.00000000002D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000C.00000002.1724077128.00000000002D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.000000000036D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.0000000000393000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724304889.000000000039D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724324748.00000000003A5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2d0000_Breakdown.jbxd

Similarity

API ID: __freea$_free
String ID: a/p$am/pm
API String ID: 3432400110-3206640213
Opcode ID: f37601ef3ea8af19a2f357e5d2aaf9c273ba0bc92a757d60c98988a8c0258241
Instruction ID: 24dcdde55f8a30c5734e7b36b8fa77f3e57fae98d1f8ff455604aa40221dfbc6
Opcode Fuzzy Hash: f37601ef3ea8af19a2f357e5d2aaf9c273ba0bc92a757d60c98988a8c0258241
Instruction Fuzzy Hash: 6CD1147591220ACBCB278F68C8757FAB7B5FF05700F2A415AE9029B6D0D7768D40CB91

Function 00355231 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 315COMMON

Download Yara Rule

APIs

Part of subcall function 003441FA: GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,003552EE,?,?,00000035,?), ref: 00344229
Part of subcall function 003441FA: FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,003552EE,?,?,00000035,?), ref: 00344239

GetLastError.KERNEL32(?,00000000,?,?,00000035,?), ref: 00355419
VariantInit.OLEAUT32(?), ref: 0035550E
VariantClear.OLEAUT32(?), ref: 003555CD

Strings

bn3, xrefs: 003554ED, 003555E4

Memory Dump Source

Source File: 0000000C.00000002.1724187159.00000000002D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000C.00000002.1724077128.00000000002D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.000000000036D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.0000000000393000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724304889.000000000039D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724324748.00000000003A5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2d0000_Breakdown.jbxd

Similarity

API ID: ErrorLastVariant$ClearFormatInitMessage
String ID: bn3
API String ID: 2854431205-4038910307
Opcode ID: d0aea828102b0e471235a03898b9a4ccd0386bd41eae96f9dc7c18e670aa0406
Instruction ID: bf67f172f9fc55443dcc4d94bc27c92a14838fb4e9483e4161eeef22e594775d
Opcode Fuzzy Hash: d0aea828102b0e471235a03898b9a4ccd0386bd41eae96f9dc7c18e670aa0406
Instruction Fuzzy Hash: 5FD14C74900249DFCB06DF95C4A1EEDBBB8FF08314F54805EE416AB2A1DB71A98ACF50

Function 002DCF80 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 232COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 002DD253

Strings

t5:, xrefs: 002DCFCF
t5:, xrefs: 002DD23A
t5:, xrefs: 002DCFC8

Memory Dump Source

Source File: 0000000C.00000002.1724187159.00000000002D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000C.00000002.1724077128.00000000002D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.000000000036D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.0000000000393000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724304889.000000000039D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724324748.00000000003A5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2d0000_Breakdown.jbxd

Similarity

API ID: Init_thread_footer
String ID: t5:$t5:$t5:
API String ID: 1385522511-3524386529
Opcode ID: 0d63a033f2dc019d3e8427ace457c4fc2cc65d0062aabbd52b7ae7f6ac0a1eef
Instruction ID: e17872fc3089a31f446870de60d3f7756d920d267819b2b09c3109069fa1ba2c
Opcode Fuzzy Hash: 0d63a033f2dc019d3e8427ace457c4fc2cc65d0062aabbd52b7ae7f6ac0a1eef
Instruction Fuzzy Hash: DE915C75A20606DFCB14CF58C4806AABBF1FF99300F24856AE9459B341D771EEA2CF90

Function 003561A2 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 125COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?), ref: 0035623D
_wcslen.LIBCMT ref: 00356249

Strings

CALLARGARRAY, xrefs: 00356243, 00356248
bn3, xrefs: 003561B1, 003562E1

Memory Dump Source

Source File: 0000000C.00000002.1724187159.00000000002D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000C.00000002.1724077128.00000000002D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.000000000036D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.0000000000393000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724304889.000000000039D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724324748.00000000003A5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2d0000_Breakdown.jbxd

Similarity

API ID: BuffCharUpper_wcslen
String ID: CALLARGARRAY$bn3
API String ID: 157775604-2551057389
Opcode ID: a469a0e0225bbd7d520f3b5723044f27667081a5390c105d9fc9c63f9c80d6f4
Instruction ID: 8623827daa1276622874a4c56457fc467d6a6ac5be7832000b8fc89df54f2198
Opcode Fuzzy Hash: a469a0e0225bbd7d520f3b5723044f27667081a5390c105d9fc9c63f9c80d6f4
Instruction Fuzzy Hash: 8941C071E002099FCB01DFA5C882DBEBBB5FF58361F514429E806AB262D7709D86CF90

Function 00333063 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 121windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0033BDCA: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00332B1D,?,?,00000034,00000800,?,00000034), ref: 0033BDF4

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 003330AD

Part of subcall function 0033BD95: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00332B4C,?,?,00000800,?,00001073,00000000,?,?), ref: 0033BDBF

Part of subcall function 0033BCF1: GetWindowThreadProcessId.USER32(?,?), ref: 0033BD1C
Part of subcall function 0033BCF1: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00332AE1,00000034,?,?,00001004,00000000,00000000), ref: 0033BD2C
Part of subcall function 0033BCF1: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00332AE1,00000034,?,?,00001004,00000000,00000000), ref: 0033BD42

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 0033311A
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00333167

Strings

@, xrefs: 0033317F

Memory Dump Source

Source File: 0000000C.00000002.1724187159.00000000002D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000C.00000002.1724077128.00000000002D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.000000000036D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.0000000000393000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724304889.000000000039D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724324748.00000000003A5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2d0000_Breakdown.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: 53c975b65f548627ef1cecb8c0b0792c3e1dfa2b09d4af2698af2f04ffc0bd08
Instruction ID: dc65855f0b49ab3886f200afb4863ff28f845b5469f794b0623af7647f53fd6c
Opcode Fuzzy Hash: 53c975b65f548627ef1cecb8c0b0792c3e1dfa2b09d4af2698af2f04ffc0bd08
Instruction Fuzzy Hash: 59412C72E00218BEDB11DFA4CD85ADEBBB8EF45700F008095FA45BB180DA706F85CB61

Function 00301A9E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 115COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\AppData\Local\Temp\342536\Breakdown.com,00000104), ref: 00301AD9
_free.LIBCMT ref: 00301BA4
_free.LIBCMT ref: 00301BAE

Strings

C:\Users\user\AppData\Local\Temp\342536\Breakdown.com, xrefs: 00301AD0, 00301AD7, 00301B06, 00301B3E

Memory Dump Source

Source File: 0000000C.00000002.1724187159.00000000002D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000C.00000002.1724077128.00000000002D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.000000000036D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.0000000000393000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724304889.000000000039D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724324748.00000000003A5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2d0000_Breakdown.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\AppData\Local\Temp\342536\Breakdown.com
API String ID: 2506810119-975877869
Opcode ID: 8645329ea785a1abf127c5e9d8c5e9bb726b46e510530eca6380be795deedfb7
Instruction ID: 23eaab5615c933a93ba18e96ab9407b1583127714837413c3949109c3237416c
Opcode Fuzzy Hash: 8645329ea785a1abf127c5e9d8c5e9bb726b46e510530eca6380be795deedfb7
Instruction Fuzzy Hash: 6F314F71A02218AFCB22DF99DC95D9FBBFCEF85710B1541A6F8049B291E7B04E40DB90

Function 0033CB28 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 0033CBB1
DeleteMenu.USER32(?,00000007,00000000), ref: 0033CBF7
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,003A29C0,00C36410), ref: 0033CC40

Strings

0, xrefs: 0033CB8A

Memory Dump Source

Source File: 0000000C.00000002.1724187159.00000000002D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000C.00000002.1724077128.00000000002D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.000000000036D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.0000000000393000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724304889.000000000039D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724324748.00000000003A5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2d0000_Breakdown.jbxd

Similarity

API ID: Menu$Delete$InfoItem
String ID: 0
API String ID: 135850232-4108050209
Opcode ID: 6a2523a6efe274b761c10484c971ec5db42f9fccd9e77a856a90ef7f47a1950a
Instruction ID: 98ddd529fe5539ea6baa555188281df1ddb4860ea010212fbf5834b9f15d0a02
Opcode Fuzzy Hash: 6a2523a6efe274b761c10484c971ec5db42f9fccd9e77a856a90ef7f47a1950a
Instruction Fuzzy Hash: C941CF312143029FD722DF24D8C4B2ABBE8AF85714F045A1DF9A9A7291CB30E905CB62

Function 00364EB4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 106COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,0036DCD0,00000000,?,?,?,?), ref: 00364F48
GetWindowLongW.USER32 ref: 00364F65
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00364F75

Strings

SysTreeView32, xrefs: 00364F1A

Memory Dump Source

Source File: 0000000C.00000002.1724187159.00000000002D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000C.00000002.1724077128.00000000002D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.000000000036D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.0000000000393000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724304889.000000000039D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724324748.00000000003A5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2d0000_Breakdown.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: c63ac7a635b3305cda5913c2272eeb11c7e3f015fbe2c250788e1697a9b0e8a0
Instruction ID: ca03d8ea83feaf28c9b2afe864f2624589a74f7c05e4ad7e79e77c0e490718ba
Opcode Fuzzy Hash: c63ac7a635b3305cda5913c2272eeb11c7e3f015fbe2c250788e1697a9b0e8a0
Instruction Fuzzy Hash: E731BE31A10205AFDB228F38CC45BEA77A9EF09334F218715F979A62E4D770EC609B50

Function 00353AAB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00353DB8: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,00353AD4,?,?), ref: 00353DD5

inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 00353AD7
_wcslen.LIBCMT ref: 00353AF8
htons.WSOCK32(00000000,?,?,00000000), ref: 00353B63

Strings

255.255.255.255, xrefs: 00353AF2, 00353AF7

Memory Dump Source

Source File: 0000000C.00000002.1724187159.00000000002D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000C.00000002.1724077128.00000000002D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.000000000036D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.0000000000393000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724304889.000000000039D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724324748.00000000003A5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2d0000_Breakdown.jbxd

Similarity

API ID: ByteCharMultiWide_wcslenhtonsinet_addr
String ID: 255.255.255.255
API String ID: 946324512-2422070025
Opcode ID: c9b2e8a0fcb805d83992cdea46e08acc27ea5f81ced9ae8e52bdf67eb81f5810
Instruction ID: 859411ea84bb34c919c897e94bee9d4c1f70dd6dbab94b2483a8ec139c0674dd
Opcode Fuzzy Hash: c9b2e8a0fcb805d83992cdea46e08acc27ea5f81ced9ae8e52bdf67eb81f5810
Instruction Fuzzy Hash: A331F3396002019FCB12CF68C485EAAB7F1EF14395F258159EC168B3A2C771EE49CB60

Function 00364954 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 89windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001009,00000000,?), ref: 003649DC
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 003649F0
SendMessageW.USER32(?,00001002,00000000,?), ref: 00364A14

Strings

SysMonthCal32, xrefs: 003649A7

Memory Dump Source

Source File: 0000000C.00000002.1724187159.00000000002D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000C.00000002.1724077128.00000000002D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.000000000036D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.0000000000393000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724304889.000000000039D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724324748.00000000003A5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2d0000_Breakdown.jbxd

Similarity

API ID: MessageSend$Window
String ID: SysMonthCal32
API String ID: 2326795674-1439706946
Opcode ID: 0d84410e93a15d109f1958a708cda93c8bd4f7a4b199265ece573453164752db
Instruction ID: 6db7d15a04da7e34fb0e4a8d354dfa786996f1c9cdc731ba287c926f9e18995e
Opcode Fuzzy Hash: 0d84410e93a15d109f1958a708cda93c8bd4f7a4b199265ece573453164752db
Instruction Fuzzy Hash: BE21D132A50219BBDF128F94CC42FEB3BA9EF48714F114214FA156B1D0D6B5EC51DB90

Function 003650F1 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 87windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 003651A3
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 003651B1
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 003651B8

Strings

msctls_updown32, xrefs: 00365122

Memory Dump Source

Source File: 0000000C.00000002.1724187159.00000000002D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000C.00000002.1724077128.00000000002D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.000000000036D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.0000000000393000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724304889.000000000039D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724324748.00000000003A5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2d0000_Breakdown.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: 52bb487a97d4532f2534ad7c29bd545b4129417f95fc663d0e81fd8d897afc79
Instruction ID: b577d6b9a2979490a57cc0f47c0628e26bc952f04efebc399e8985b003e42cee
Opcode Fuzzy Hash: 52bb487a97d4532f2534ad7c29bd545b4129417f95fc663d0e81fd8d897afc79
Instruction Fuzzy Hash: 572160B5600609AFDB12DF18DC81DB737ADEB5A364F154159F9019B365CB70EC11CAA0

Function 00364253 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 003642DC
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 003642EC
MoveWindow.USER32(00000000,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00364312

Strings

Listbox, xrefs: 003642AB

Memory Dump Source

Source File: 0000000C.00000002.1724187159.00000000002D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000C.00000002.1724077128.00000000002D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.000000000036D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.0000000000393000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724304889.000000000039D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724324748.00000000003A5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2d0000_Breakdown.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: 8c1cc55dff2fa3a45edbfb27451567588d17cb0323ede90f190de1e373f11c22
Instruction ID: ad2a91e0c0bd05e26ad5b5c459e77f7c328993cac8b51337f778611229e8c156
Opcode Fuzzy Hash: 8c1cc55dff2fa3a45edbfb27451567588d17cb0323ede90f190de1e373f11c22
Instruction Fuzzy Hash: F7219232A10218BBEF128F94DC85FBB3B6EEF89754F21C514F9009B190C671DC519BA0

Function 00345439 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 0034544D
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 003454A1
SetErrorMode.KERNEL32(00000000,?,?,0036DCD0), ref: 00345515

Strings

%lu, xrefs: 003454B4

Memory Dump Source

Source File: 0000000C.00000002.1724187159.00000000002D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000C.00000002.1724077128.00000000002D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.000000000036D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.0000000000393000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724304889.000000000039D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724324748.00000000003A5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2d0000_Breakdown.jbxd

Similarity

API ID: ErrorMode$InformationVolume
String ID: %lu
API String ID: 2507767853-685833217
Opcode ID: 2072a46f8cf7e14e27e459a29f0a9e5ca650e962e1a607f3ee23ac1551049e6c
Instruction ID: a1765691e0b1c9dfc3d78653d44d7ca7d0ada0badd555b8eb8c31ee80e7fbbdc
Opcode Fuzzy Hash: 2072a46f8cf7e14e27e459a29f0a9e5ca650e962e1a607f3ee23ac1551049e6c
Instruction Fuzzy Hash: 60314B71A00109AFDB11DF54C885EAA77F8EF09308F1580A5E409DF362DBB1EE45CB61

Function 00368305 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 67COMMON

Download Yara Rule

APIs

GetActiveWindow.USER32 ref: 00368339
EnumChildWindows.USER32(?,0036802F,00000000), ref: 003683B0

Part of subcall function 002D249F: GetWindowLongW.USER32(00000000,000000EB), ref: 002D24B0

Strings

(:, xrefs: 00368317
(:, xrefs: 0036834A

Memory Dump Source

Source File: 0000000C.00000002.1724187159.00000000002D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000C.00000002.1724077128.00000000002D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.000000000036D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.0000000000393000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724304889.000000000039D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724324748.00000000003A5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2d0000_Breakdown.jbxd

Similarity

API ID: Window$ActiveChildEnumLongWindows
String ID: (:$(:
API String ID: 3814560230-442745269
Opcode ID: a99da7dccedea8ed30f7b6975f05f25b7a4a6995eb7dc07ac7b00b86811f0535
Instruction ID: 192625d49f23c93a09db9be095bcaaaa1275d2463fac7966a7b535ff5ac492fd
Opcode Fuzzy Hash: a99da7dccedea8ed30f7b6975f05f25b7a4a6995eb7dc07ac7b00b86811f0535
Instruction Fuzzy Hash: 6B211978200605DFC7268F28D850A97B7E9FB5A720F21471DE865973A4DB70A820CF60

Function 00364C89 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00364CED
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00364D02
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00364D0F

Strings

msctls_trackbar32, xrefs: 00364CC4

Memory Dump Source

Source File: 0000000C.00000002.1724187159.00000000002D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000C.00000002.1724077128.00000000002D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.000000000036D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.0000000000393000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724304889.000000000039D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724324748.00000000003A5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2d0000_Breakdown.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: 8203d856af84347b16fc0ce9b69ff4f584d3e69583ccda3d3297262dd0c38f29
Instruction ID: 850934149f8edc971b53dca4b7ee66f6f2ec1b4b0db33df4577f7763f959bc7c
Opcode Fuzzy Hash: 8203d856af84347b16fc0ce9b69ff4f584d3e69583ccda3d3297262dd0c38f29
Instruction Fuzzy Hash: 36112971A40248BEEF225F69CC06FEB3BACEF85B64F124514FA51E61A1D671DC50DB20

Function 0033389E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

Part of subcall function 002D8577: _wcslen.LIBCMT ref: 002D858A

Part of subcall function 003336F4: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00333712
Part of subcall function 003336F4: GetWindowThreadProcessId.USER32(?,00000000), ref: 00333723
Part of subcall function 003336F4: GetCurrentThreadId.KERNEL32 ref: 0033372A
Part of subcall function 003336F4: AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00333731

GetFocus.USER32 ref: 003338C4

Part of subcall function 0033373B: GetParent.USER32(00000000), ref: 00333746

GetClassNameW.USER32(?,?,00000100), ref: 0033390F
EnumChildWindows.USER32(?,00333987), ref: 00333937

Strings

%s%d, xrefs: 0033394B

Memory Dump Source

Source File: 0000000C.00000002.1724187159.00000000002D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000C.00000002.1724077128.00000000002D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.000000000036D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.0000000000393000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724304889.000000000039D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724324748.00000000003A5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2d0000_Breakdown.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows_wcslen
String ID: %s%d
API String ID: 1272988791-1110647743
Opcode ID: 23789819c3ed9cb0a724024cb240252f4d6dd294214a23a097049923f8af70a8
Instruction ID: ae35903370886c4617cf442251a910618f20ed5e028db5e4e63c09e328863219
Opcode Fuzzy Hash: 23789819c3ed9cb0a724024cb240252f4d6dd294214a23a097049923f8af70a8
Instruction Fuzzy Hash: EB1193B1B00205ABCF12BF749CC6BED77699F94304F04C065F9099B292DBB099458B20

Function 002D59FF Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 64COMMON

Download Yara Rule

APIs

DeleteObject.GDI32(?), ref: 002D5A34
DestroyWindow.USER32(?,002D37B8,?,?,?,?,?,002D3709,?,?), ref: 002D5A91

Strings

<):, xrefs: 00314F34
<):, xrefs: 002D5A09

Memory Dump Source

Source File: 0000000C.00000002.1724187159.00000000002D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000C.00000002.1724077128.00000000002D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.000000000036D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.0000000000393000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724304889.000000000039D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724324748.00000000003A5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2d0000_Breakdown.jbxd

Similarity

API ID: DeleteDestroyObjectWindow
String ID: <):$<):
API String ID: 2587070983-3119941189
Opcode ID: 834eb15e41a922ae22b5b11994c884ae3e625c3bf7ce3d0e010834e033f0fe60
Instruction ID: 2d086478cc1d33dac4aa605c846adf0097f69f183fc5d5b640dfd014a9399f10
Opcode Fuzzy Hash: 834eb15e41a922ae22b5b11994c884ae3e625c3bf7ce3d0e010834e033f0fe60
Instruction Fuzzy Hash: 90210E34626921CFDB1ADF19E894B6733E8AB46B11F05415EF4029B760CBB49C64CB01

Function 00366321 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,?,?,00000030), ref: 00366360
SetMenuItemInfoW.USER32(?,?,?,00000030), ref: 0036638D
DrawMenuBar.USER32(?), ref: 0036639C

Strings

0, xrefs: 0036632E

Memory Dump Source

Source File: 0000000C.00000002.1724187159.00000000002D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000C.00000002.1724077128.00000000002D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.000000000036D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.0000000000393000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724304889.000000000039D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724324748.00000000003A5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2d0000_Breakdown.jbxd

Similarity

API ID: Menu$InfoItem$Draw
String ID: 0
API String ID: 3227129158-4108050209
Opcode ID: 3e68908e22d9c3552c02a7a9b01948c1561813a0def7dde55f0581fd497ce931
Instruction ID: 3a01ebaf45904cfc281901695d43ac44c314ea54d57cb437a4d3a0b0b69a8ace
Opcode Fuzzy Hash: 3e68908e22d9c3552c02a7a9b01948c1561813a0def7dde55f0581fd497ce931
Instruction Fuzzy Hash: F6018435510218EFDB129F11DC84FAEBBB8FF45391F10C0A9E54ADA161DB708995EF21

Function 0036823D Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 41windowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,003A28E0,0036AD55,000000FC,?,00000000,00000000,?), ref: 0036823F
GetFocus.USER32 ref: 00368247

Part of subcall function 002D249F: GetWindowLongW.USER32(00000000,000000EB), ref: 002D24B0

Part of subcall function 002D2234: GetWindowLongW.USER32(?,000000EB), ref: 002D2242

SendMessageW.USER32(?,000000B0,000001BC,000001C0), ref: 003682B4

Strings

(:, xrefs: 00368254

Memory Dump Source

Source File: 0000000C.00000002.1724187159.00000000002D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000C.00000002.1724077128.00000000002D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.000000000036D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.0000000000393000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724304889.000000000039D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724324748.00000000003A5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2d0000_Breakdown.jbxd

Similarity

API ID: Window$Long$FocusForegroundMessageSend
String ID: (:
API String ID: 3601265619-2137056132
Opcode ID: 83d3774c24e494d030f84a1175912331b131c2b76065cfb58c7559c094c08ba1
Instruction ID: 717971417c9d3a59f1b016dd0d9723f78af91d7c4e81158a684c2bf29e057631
Opcode Fuzzy Hash: 83d3774c24e494d030f84a1175912331b131c2b76065cfb58c7559c094c08ba1
Instruction Fuzzy Hash: DD015E31602900CFC3269F6CD858A6A33BAEB8E324F15866DE416973A4CB316C1BCB50

Function 00368526 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 41COMMON

Download Yara Rule

APIs

DestroyAcceleratorTable.USER32(?), ref: 00368576
CreateAcceleratorTableW.USER32(00000000,?,?,?,0034BE96,00000000,00000000,?,00000001,00000002), ref: 0036858C
GetForegroundWindow.USER32(?,0034BE96,00000000,00000000,?,00000001,00000002), ref: 00368595

Part of subcall function 002D249F: GetWindowLongW.USER32(00000000,000000EB), ref: 002D24B0

Strings

(:, xrefs: 00368532

Memory Dump Source

Source File: 0000000C.00000002.1724187159.00000000002D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000C.00000002.1724077128.00000000002D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.000000000036D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.0000000000393000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724304889.000000000039D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724324748.00000000003A5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2d0000_Breakdown.jbxd

Similarity

API ID: AcceleratorTableWindow$CreateDestroyForegroundLong
String ID: (:
API String ID: 986409557-2137056132
Opcode ID: a2e5b52870f471abe53335415353c24fd43ca5dc1b2c304af36551b73da2c273
Instruction ID: 0f7d9829d5faca1e9d2646c4426dc30e8a6c89d5482baad5b0cca57167e13191
Opcode Fuzzy Hash: a2e5b52870f471abe53335415353c24fd43ca5dc1b2c304af36551b73da2c273
Instruction Fuzzy Hash: DF014030601304CFCB269F69DC88A6737B9FB1A721F11861DF61287AB0DB70A9A4CF51

Function 00368BCD Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 40processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,003A4038,003A407C), ref: 00368C1A
CloseHandle.KERNEL32 ref: 00368C2C

Strings

8@:, xrefs: 00368BD6
|@:, xrefs: 00368BE5

Memory Dump Source

Source File: 0000000C.00000002.1724187159.00000000002D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000C.00000002.1724077128.00000000002D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.000000000036D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.0000000000393000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724304889.000000000039D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724324748.00000000003A5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2d0000_Breakdown.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID: 8@:$|@:
API String ID: 3712363035-2800198122
Opcode ID: 0db8c3ca823984d6eb54337fcdd4f984df816b7c44224a2e0ac8f5dbd9ff1d69
Instruction ID: 04b0c17a9ca9a6ba0afa4a5afd6ae324d43573c737ddf69a2f9ee89711f24093
Opcode Fuzzy Hash: 0db8c3ca823984d6eb54337fcdd4f984df816b7c44224a2e0ac8f5dbd9ff1d69
Instruction Fuzzy Hash: 5AF05EB6641304BAE312AB61AC45F77BE5CEB4A390F114021FB08D61A1E6F55C1496B9

Function 0032E778 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 27libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,GetSystemWow64DirectoryW), ref: 0032E797
FreeLibrary.KERNEL32 ref: 0032E7BD

Strings

GetSystemWow64DirectoryW, xrefs: 0032E791
X64, xrefs: 0032E680

Memory Dump Source

Source File: 0000000C.00000002.1724187159.00000000002D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000C.00000002.1724077128.00000000002D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.000000000036D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.0000000000393000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724304889.000000000039D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724324748.00000000003A5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2d0000_Breakdown.jbxd

Similarity

API ID: AddressFreeLibraryProc
String ID: GetSystemWow64DirectoryW$X64
API String ID: 3013587201-2590602151
Opcode ID: fc683595d1b0cb999ebd2f6aed29cac34a7d174482d8adf7415af65a90640b54
Instruction ID: 1e0e4fb600aa10f11d03eba073d78cace6b5c712035e74b2aec2a514f8750db4
Opcode Fuzzy Hash: fc683595d1b0cb999ebd2f6aed29cac34a7d174482d8adf7415af65a90640b54
Instruction Fuzzy Hash: B2E06171D115309FDFB357206C45EA9321C6F22700F160554FC03F6140EBF5CD848654

Function 0033096F Relevance: 6.3, APIs: 4, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1724187159.00000000002D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000C.00000002.1724077128.00000000002D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.000000000036D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.0000000000393000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724304889.000000000039D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724324748.00000000003A5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2d0000_Breakdown.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f501ba0a52332d1cfde6b775ec2ff35d2292cb89dda80c5e605bd801ccb12285
Instruction ID: 5e94b06ababe51b95deb4104a278401ef727fec6e6bc625aa87bcae93ba6de8d
Opcode Fuzzy Hash: f501ba0a52332d1cfde6b775ec2ff35d2292cb89dda80c5e605bd801ccb12285
Instruction Fuzzy Hash: C1C13A75A0020AEFDB19CF94C8A4AAEB7B9FF48704F118598E505EF251D771EE81CB90

Function 003041F3 Relevance: 6.3, APIs: 4, Instructions: 305COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 0030427E
__alldvrm.LIBCMT ref: 0030447F
__alldvrm.LIBCMT ref: 003044A1

Memory Dump Source

Source File: 0000000C.00000002.1724187159.00000000002D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000C.00000002.1724077128.00000000002D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.000000000036D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.0000000000393000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724304889.000000000039D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724324748.00000000003A5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2d0000_Breakdown.jbxd

Similarity

API ID: __alldvrm$_strrchr
String ID:
API String ID: 1036877536-0
Opcode ID: 65ac5c1fffd7beff7dffafb7e38bd52ffe3f80321006b0a9665303c455145bc9
Instruction ID: 9275453a972882932cbd4972cdf5744860abed11599e4e7d4da7c9cf86b80aef
Opcode Fuzzy Hash: 65ac5c1fffd7beff7dffafb7e38bd52ffe3f80321006b0a9665303c455145bc9
Instruction Fuzzy Hash: 79A199B6A023869FDB27CF19C8A17AEBBE4EF15310F2541ADE6958B2C1C3349E51C750

Function 00330D26 Relevance: 6.2, APIs: 4, Instructions: 230COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,00370BD4,?), ref: 00330EE0
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,00370BD4,?), ref: 00330EF8
CLSIDFromProgID.OLE32(?,?,00000000,0036DCE0,000000FF,?,00000000,00000800,00000000,?,00370BD4,?), ref: 00330F1D
_memcmp.LIBVCRUNTIME ref: 00330F3E

Memory Dump Source

Source File: 0000000C.00000002.1724187159.00000000002D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000C.00000002.1724077128.00000000002D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.000000000036D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.0000000000393000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724304889.000000000039D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724324748.00000000003A5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2d0000_Breakdown.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: db27009694b2fe4d1f4cfcb47dcf4d84d005fc20de5ac3518bc9ca2d682b45ed
Instruction ID: c34f0a31747e154aeda937ab4dfa0f6815d074b579d79e95972eb41eb7bd3235
Opcode Fuzzy Hash: db27009694b2fe4d1f4cfcb47dcf4d84d005fc20de5ac3518bc9ca2d682b45ed
Instruction Fuzzy Hash: B3813875A00109EFCB05DF94C898EEEB7B9FF89315F204598F506AB250DB71AE06CB60

Function 0035B0DC Relevance: 6.2, APIs: 4, Instructions: 175processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0035B10C
Process32FirstW.KERNEL32(00000000,?), ref: 0035B11A

Part of subcall function 002DB329: _wcslen.LIBCMT ref: 002DB333

Process32NextW.KERNEL32(00000000,?), ref: 0035B1FC
CloseHandle.KERNEL32(00000000), ref: 0035B20B

Part of subcall function 002EE36B: CompareStringW.KERNEL32(00000409,00000001,?,00000000,00000000,?,?,00000000,?,00314D73,?), ref: 002EE395

Memory Dump Source

Source File: 0000000C.00000002.1724187159.00000000002D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000C.00000002.1724077128.00000000002D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.000000000036D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.0000000000393000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724304889.000000000039D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724324748.00000000003A5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2d0000_Breakdown.jbxd

Similarity

API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32_wcslen
String ID:
API String ID: 1991900642-0
Opcode ID: bfb0c877f7e591cfa0dbd1bb8d46121ef01b613af2d4768f14d5c738e70af49e
Instruction ID: eae8806f0f9236da1241935b02b60eb3b514ce5819ca32954aa6f002eb6f05c9
Opcode Fuzzy Hash: bfb0c877f7e591cfa0dbd1bb8d46121ef01b613af2d4768f14d5c738e70af49e
Instruction Fuzzy Hash: 1B514971908300AFC751EF24C886A5BBBE8FF88754F41491EF985972A1EB70D914CF92

Function 00311711 Relevance: 6.2, APIs: 4, Instructions: 152COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00311840

Memory Dump Source

Source File: 0000000C.00000002.1724187159.00000000002D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000C.00000002.1724077128.00000000002D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.000000000036D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.0000000000393000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724304889.000000000039D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724324748.00000000003A5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2d0000_Breakdown.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 4ab14d993bebcd90158d20f70fb0de8a00d05d66ea1d7d5dd46941b310984028
Instruction ID: ec7c8e5bd117203e483d4af55818612eb9fe269fed329c206bf194a0f9b20c0e
Opcode Fuzzy Hash: 4ab14d993bebcd90158d20f70fb0de8a00d05d66ea1d7d5dd46941b310984028
Instruction Fuzzy Hash: 3E417C31A10104ABDB2B7FBD8C41BFE7AA8EF49770F154235F728DA2D1DA7548805661

Function 00352533 Relevance: 6.1, APIs: 4, Instructions: 138networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 0035255A
WSAGetLastError.WSOCK32 ref: 00352568
#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 003525E7
WSAGetLastError.WSOCK32 ref: 003525F1

Memory Dump Source

Source File: 0000000C.00000002.1724187159.00000000002D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000C.00000002.1724077128.00000000002D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.000000000036D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.0000000000393000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724304889.000000000039D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724324748.00000000003A5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2d0000_Breakdown.jbxd

Similarity

API ID: ErrorLast$socket
String ID:
API String ID: 1881357543-0
Opcode ID: 5e196a833428d0fc8e38847faa027b8954020c38b58cd8a39eb571ceea0b4ffd
Instruction ID: 7f5aefed3a75b626dde1860175ef9d6d96c7142b9e68e5c8c56996ca4b9437aa
Opcode Fuzzy Hash: 5e196a833428d0fc8e38847faa027b8954020c38b58cd8a39eb571ceea0b4ffd
Instruction Fuzzy Hash: 4041E434A40200AFE721AF24C886F2A77E5AF45718F94C459F91A8F3D2D7B2ED51CB91

Function 00366CB0 Relevance: 6.1, APIs: 4, Instructions: 138COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00366D1A
ScreenToClient.USER32(?,?), ref: 00366D4D
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,?,?,?), ref: 00366DBA

Memory Dump Source

Source File: 0000000C.00000002.1724187159.00000000002D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000C.00000002.1724077128.00000000002D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.000000000036D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.0000000000393000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724304889.000000000039D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724324748.00000000003A5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2d0000_Breakdown.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: 8b444015a43dc99b69425a5e262df12421e35fa9949ca165eae844a1b9bee634
Instruction ID: 1501b9a4487641422982807ad97a27d89c0284d6bfd5d530633e890b4a499edd
Opcode Fuzzy Hash: 8b444015a43dc99b69425a5e262df12421e35fa9949ca165eae844a1b9bee634
Instruction Fuzzy Hash: 3A518F34A00209EFCF22DF68D9819AE7BB6FF843A0F118159F9159B294D771ED91CB50

Function 0030B79F Relevance: 6.1, APIs: 4, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1724187159.00000000002D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000C.00000002.1724077128.00000000002D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.000000000036D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.0000000000393000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724304889.000000000039D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724324748.00000000003A5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2d0000_Breakdown.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b85d1cc7e6b803c395ff119725f46d46d9c9d0b002ff446c0d4353dfe686cda3
Instruction ID: 19cf675d7392a2ab6715126b47104b858d6fbb60d4f77e72255f2a381f029be9
Opcode Fuzzy Hash: b85d1cc7e6b803c395ff119725f46d46d9c9d0b002ff446c0d4353dfe686cda3
Instruction Fuzzy Hash: 3C412471A01748AFD726AF38CC51BAAFBADEF88710F10852AF111DB2E1D77199118B80

Function 0034611E Relevance: 6.1, APIs: 4, Instructions: 110fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 003461C8
GetLastError.KERNEL32(?,00000000), ref: 003461EE
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 00346213
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 0034623F

Memory Dump Source

Source File: 0000000C.00000002.1724187159.00000000002D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000C.00000002.1724077128.00000000002D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.000000000036D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.0000000000393000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724304889.000000000039D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724324748.00000000003A5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2d0000_Breakdown.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: 7d2b8f7199b7192c4d43d74252b0a88c529e0e5fd1183371e32f499e14024e0d
Instruction ID: ca0866ffe4bdbc64ec2344137ef51cf48f1360cd7a20fff432821f05060530ff
Opcode Fuzzy Hash: 7d2b8f7199b7192c4d43d74252b0a88c529e0e5fd1183371e32f499e14024e0d
Instruction Fuzzy Hash: 23414A35600611DFCB12EF15C595A5ABBF6EF89310B198489E94A9F362CB70FC01CF91

Function 0033B41E Relevance: 6.1, APIs: 4, Instructions: 107keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000001,00000040,00000000), ref: 0033B473
SetKeyboardState.USER32(00000080), ref: 0033B48F
PostMessageW.USER32(?,00000102,00000001,00000001), ref: 0033B4FD
SendInput.USER32(00000001,?,0000001C,00000001,00000040,00000000), ref: 0033B54F

Memory Dump Source

Source File: 0000000C.00000002.1724187159.00000000002D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000C.00000002.1724077128.00000000002D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.000000000036D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.0000000000393000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724304889.000000000039D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724324748.00000000003A5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2d0000_Breakdown.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: ab7123b6f4971abdd58af8dc6e51e67ba733f2a8ece1d0468699b0ba5a4429c3
Instruction ID: 3a054529d6f850ea0734ef82140a309f6303118d63283b87a457a4c7c4b8e5a4
Opcode Fuzzy Hash: ab7123b6f4971abdd58af8dc6e51e67ba733f2a8ece1d0468699b0ba5a4429c3
Instruction Fuzzy Hash: D8315C70A406086EFF33CF26DC857FAFBB9AF49310F04821AF6965A1D2C77489858755

Function 0033B563 Relevance: 6.1, APIs: 4, Instructions: 103keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,753DC0D0,?,00008000), ref: 0033B5B8
SetKeyboardState.USER32(00000080,?,00008000), ref: 0033B5D4
PostMessageW.USER32(00000000,00000101,00000000), ref: 0033B63B
SendInput.USER32(00000001,?,0000001C,753DC0D0,?,00008000), ref: 0033B68D

Memory Dump Source

Source File: 0000000C.00000002.1724187159.00000000002D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000C.00000002.1724077128.00000000002D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.000000000036D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.0000000000393000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724304889.000000000039D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724324748.00000000003A5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2d0000_Breakdown.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: b813041d2fb1a9229767f2096b20607f61ce8e5b6ef6ecfe32477f8933cde89b
Instruction ID: 2e9eed19d5392f33bde71e77a44532f8f4c7bbc4c575e8e75dd23224d5e88406
Opcode Fuzzy Hash: b813041d2fb1a9229767f2096b20607f61ce8e5b6ef6ecfe32477f8933cde89b
Instruction Fuzzy Hash: 54310E30E406085EFF338B65C8467FEFBAAAF85310F44822AE685561D2C7748A958B51

Function 003680AE Relevance: 6.1, APIs: 4, Instructions: 102windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 003680D4
GetWindowRect.USER32(?,?), ref: 0036814A
PtInRect.USER32(?,?,?), ref: 0036815A
MessageBeep.USER32(00000000), ref: 003681C6

Memory Dump Source

Source File: 0000000C.00000002.1724187159.00000000002D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000C.00000002.1724077128.00000000002D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.000000000036D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.0000000000393000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724304889.000000000039D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724324748.00000000003A5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2d0000_Breakdown.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: 09715cee22d033d00c4b494a10aa3b48ed51cb88a2326e4c19a4bd779e026a7f
Instruction ID: bec8a9e8a6f69da9374a6243786076d6119891649bc109a8f57458422ae3d725
Opcode Fuzzy Hash: 09715cee22d033d00c4b494a10aa3b48ed51cb88a2326e4c19a4bd779e026a7f
Instruction Fuzzy Hash: 6641AD30A00215DFCB13CF58C885AAABBF9BF4B710F1582A8E9559B265CB74A947CB50

Function 00362176 Relevance: 6.1, APIs: 4, Instructions: 101COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 00362187

Part of subcall function 00334393: GetWindowThreadProcessId.USER32(?,00000000), ref: 003343AD
Part of subcall function 00334393: GetCurrentThreadId.KERNEL32 ref: 003343B4
Part of subcall function 00334393: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00332F00), ref: 003343BB

GetCaretPos.USER32(?), ref: 0036219B
ClientToScreen.USER32(00000000,?), ref: 003621E8
GetForegroundWindow.USER32 ref: 003621EE

Memory Dump Source

Source File: 0000000C.00000002.1724187159.00000000002D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000C.00000002.1724077128.00000000002D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.000000000036D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.0000000000393000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724304889.000000000039D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724324748.00000000003A5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2d0000_Breakdown.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: 5e37b2cc754ff02d9621c7798adc7442c4e6bcf02e2a0bbbf6b910c6e7555d21
Instruction ID: c81a3a8b9fec88f3d01bc737d8ae90a68b6f0dab7c4d62d794b46bf591e4a549
Opcode Fuzzy Hash: 5e37b2cc754ff02d9621c7798adc7442c4e6bcf02e2a0bbbf6b910c6e7555d21
Instruction Fuzzy Hash: C3313071E14509AFCB05EFA5C8818AEB7FCEF49304B51846AE415EB311DA71EE45CFA0

Function 0033E8AC Relevance: 6.1, APIs: 4, Instructions: 87COMMON

Download Yara Rule

APIs

Part of subcall function 002D41EA: _wcslen.LIBCMT ref: 002D41EF

_wcslen.LIBCMT ref: 0033E8E2
_wcslen.LIBCMT ref: 0033E8F9
_wcslen.LIBCMT ref: 0033E924
GetTextExtentPoint32W.GDI32(?,00000000,00000000,?), ref: 0033E92F

Memory Dump Source

Source File: 0000000C.00000002.1724187159.00000000002D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000C.00000002.1724077128.00000000002D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.000000000036D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.0000000000393000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724304889.000000000039D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724324748.00000000003A5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2d0000_Breakdown.jbxd

Similarity

API ID: _wcslen$ExtentPoint32Text
String ID:
API String ID: 3763101759-0
Opcode ID: 31249f533aed7a0301cefcf873a0a07694126177ca568e0703b7a4b23b3bc621
Instruction ID: fdd2028feaa379edf98f23418dcb6208330fd06c661470aa7e75f5ea60dd549d
Opcode Fuzzy Hash: 31249f533aed7a0301cefcf873a0a07694126177ca568e0703b7a4b23b3bc621
Instruction Fuzzy Hash: FF21BF71D00218AFCB11AFA4D9C2BAEF7B8AF45350F1540A5E904AB281D7749E518BA1

Function 0033DB6C Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,0036DC30), ref: 0033DBA6
GetLastError.KERNEL32 ref: 0033DBB5
CreateDirectoryW.KERNEL32(?,00000000), ref: 0033DBC4
CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,0036DC30), ref: 0033DC21

Memory Dump Source

Source File: 0000000C.00000002.1724187159.00000000002D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000C.00000002.1724077128.00000000002D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.000000000036D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.0000000000393000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724304889.000000000039D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724324748.00000000003A5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2d0000_Breakdown.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast
String ID:
API String ID: 2267087916-0
Opcode ID: 159a012f6dbf8a7d5dd14ed45ad1ee585ce30ae64b1fb2980837ac88ea4872d2
Instruction ID: fddf316a025a89879c9845469ff60a9a89f4ed3998dbe1d36c13cc5fae53acb0
Opcode Fuzzy Hash: 159a012f6dbf8a7d5dd14ed45ad1ee585ce30ae64b1fb2980837ac88ea4872d2
Instruction Fuzzy Hash: F621B2705183059F8702DF28D8C08ABB7E8EE5A364F114A1EF499C72A1DB71DD4ACF42

Function 0036321E Relevance: 6.1, APIs: 4, Instructions: 75COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 003632A6
SetWindowLongW.USER32(?,000000EC,00000000), ref: 003632C0
SetWindowLongW.USER32(?,000000EC,00000000), ref: 003632CE
SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 003632DC

Memory Dump Source

Source File: 0000000C.00000002.1724187159.00000000002D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000C.00000002.1724077128.00000000002D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.000000000036D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.0000000000393000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724304889.000000000039D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724324748.00000000003A5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2d0000_Breakdown.jbxd

Similarity

API ID: Window$Long$AttributesLayered
String ID:
API String ID: 2169480361-0
Opcode ID: 0d4a9af7662f7f5b104ceeafb49b7c4b403b7cb724c583f91fedc0f453dd5e60
Instruction ID: 224403aa0dd0eab5b4d35579a8523207b44e141c8f451981a818335d5585c044
Opcode Fuzzy Hash: 0d4a9af7662f7f5b104ceeafb49b7c4b403b7cb724c583f91fedc0f453dd5e60
Instruction Fuzzy Hash: 4921C431709111AFD7169F24C855FAABB99EF85314F24C658F8268B2D2C771ED41CBD0

Function 0033825C Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 71stringCOMMON

Download Yara Rule

APIs

Part of subcall function 003396E4: lstrlenW.KERNEL32(?,00000002,000000FF,?,?,?,00338271,?,000000FF,?,003390BB,00000000,?,0000001C,?,?), ref: 003396F3
Part of subcall function 003396E4: lstrcpyW.KERNEL32(00000000,?,?,00338271,?,000000FF,?,003390BB,00000000,?,0000001C,?,?,00000000), ref: 00339719
Part of subcall function 003396E4: lstrcmpiW.KERNEL32(00000000,?,00338271,?,000000FF,?,003390BB,00000000,?,0000001C,?,?), ref: 0033974A

lstrlenW.KERNEL32(?,00000002,000000FF,?,000000FF,?,003390BB,00000000,?,0000001C,?,?,00000000), ref: 0033828A
lstrcpyW.KERNEL32(00000000,?,?,003390BB,00000000,?,0000001C,?,?,00000000), ref: 003382B0
lstrcmpiW.KERNEL32(00000002,cdecl,?,003390BB,00000000,?,0000001C,?,?,00000000), ref: 003382EB

Strings

cdecl, xrefs: 003382E2

Memory Dump Source

Source File: 0000000C.00000002.1724187159.00000000002D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000C.00000002.1724077128.00000000002D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.000000000036D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.0000000000393000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724304889.000000000039D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724324748.00000000003A5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2d0000_Breakdown.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: d9ff84ac79ca45d0fb034be685433cb10355d1cd0b5ba39b35743624c681bc96
Instruction ID: a59db8145d1c3c3ebe325f0a5a6c7a07d453c9a112255ee4944552f852e54abe
Opcode Fuzzy Hash: d9ff84ac79ca45d0fb034be685433cb10355d1cd0b5ba39b35743624c681bc96
Instruction Fuzzy Hash: C711D37A200345ABCB169F38D885E7A77A9FF49760F50802AF946CB2A0EF719811C790

Function 003660FF Relevance: 6.1, APIs: 4, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001060,?,00000004), ref: 0036615A
_wcslen.LIBCMT ref: 0036616C
_wcslen.LIBCMT ref: 00366177
SendMessageW.USER32(?,00001002,00000000,?), ref: 003662B5

Memory Dump Source

Source File: 0000000C.00000002.1724187159.00000000002D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000C.00000002.1724077128.00000000002D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.000000000036D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.0000000000393000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724304889.000000000039D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724324748.00000000003A5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2d0000_Breakdown.jbxd

Similarity

API ID: MessageSend_wcslen
String ID:
API String ID: 455545452-0
Opcode ID: 9a73fbf3f39f5a84ca40b1239047fb5eaa5201be8e14cbad8198f2ef0631f451
Instruction ID: c3783ec43effda88a1879c33f880c8e44e0f538fb0880f228a9eb1f639fcfda8
Opcode Fuzzy Hash: 9a73fbf3f39f5a84ca40b1239047fb5eaa5201be8e14cbad8198f2ef0631f451
Instruction Fuzzy Hash: BE11D635600208A6DB12DF648C85AEF777CEB12794F20C13BFA11D5185E7B4C940CBA0

Function 00302079 Relevance: 6.1, APIs: 4, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1724187159.00000000002D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000C.00000002.1724077128.00000000002D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.000000000036D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.0000000000393000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724304889.000000000039D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724324748.00000000003A5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2d0000_Breakdown.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8d3d60133af2d3f1588602e07f5b7c8bbb52ee83e62c2413a51a3aa50d5429d
Instruction ID: 16a6c3f0c4d7606f12e9dd7d8f5928aaef6c4572b579ec71086b81ef968e1c67
Opcode Fuzzy Hash: f8d3d60133af2d3f1588602e07f5b7c8bbb52ee83e62c2413a51a3aa50d5429d
Instruction Fuzzy Hash: C601A2B26073167EFA2326786CE8F27670DDF423B8B354325F921A51D1DEA08C409260

Function 00332374 Relevance: 6.1, APIs: 4, Instructions: 56windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 00332394
SendMessageW.USER32(?,000000C9,?,00000000), ref: 003323A6
SendMessageW.USER32(?,000000C9,?,00000000), ref: 003323BC
SendMessageW.USER32(?,000000C9,?,00000000), ref: 003323D7

Memory Dump Source

Source File: 0000000C.00000002.1724187159.00000000002D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000C.00000002.1724077128.00000000002D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.000000000036D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.0000000000393000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724304889.000000000039D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724324748.00000000003A5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2d0000_Breakdown.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 73541bbc8424ca94855ccdb4ace883e4db8a8f847702feec3768f409fa233190
Instruction ID: 18b4b0bf2950749c17a8eee69233c72cd5933d94cc67c582be258d98423c01a4
Opcode Fuzzy Hash: 73541bbc8424ca94855ccdb4ace883e4db8a8f847702feec3768f409fa233190
Instruction Fuzzy Hash: 1111093A900228FFEB119BA5CD85F9EBB78FB08750F210091EA01B7290D6716E10DB94

Function 0033EAED Relevance: 6.1, APIs: 4, Instructions: 55synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0033EB14
MessageBoxW.USER32(?,?,?,?), ref: 0033EB47
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 0033EB5D
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 0033EB64

Memory Dump Source

Source File: 0000000C.00000002.1724187159.00000000002D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000C.00000002.1724077128.00000000002D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.000000000036D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.0000000000393000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724304889.000000000039D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724324748.00000000003A5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2d0000_Breakdown.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait
String ID:
API String ID: 2880819207-0
Opcode ID: c5433cbb0ae5843353afe950166d71ea3b2ec44f9c4d2f9e2780fb2e5be5b316
Instruction ID: 4b9bac913c2ed5f43a15b49114201d93e8ffe07f91671486a589a10af739a8f5
Opcode Fuzzy Hash: c5433cbb0ae5843353afe950166d71ea3b2ec44f9c4d2f9e2780fb2e5be5b316
Instruction Fuzzy Hash: AD11C876A04258BBCB139BAD9C45A9B7FADAB47310F158255F815E32D0D6B4C9048760

Function 002FD53C Relevance: 6.1, APIs: 4, Instructions: 55threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,?,002FD369,00000000,00000004,00000000), ref: 002FD588
GetLastError.KERNEL32 ref: 002FD594
__dosmaperr.LIBCMT ref: 002FD59B
ResumeThread.KERNEL32(00000000), ref: 002FD5B9

Memory Dump Source

Source File: 0000000C.00000002.1724187159.00000000002D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000C.00000002.1724077128.00000000002D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.000000000036D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.0000000000393000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724304889.000000000039D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724324748.00000000003A5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2d0000_Breakdown.jbxd

Similarity

API ID: Thread$CreateErrorLastResume__dosmaperr
String ID:
API String ID: 173952441-0
Opcode ID: 02762803f9f28e32e590a321f61c295ef668309c005fecb46b55df17a20ebfe0
Instruction ID: bcebc7dd443531cf2803fcdef1b26ec9d1e2649f6c7924c4bd2f67fe875de9c5
Opcode Fuzzy Hash: 02762803f9f28e32e590a321f61c295ef668309c005fecb46b55df17a20ebfe0
Instruction Fuzzy Hash: 9B01DB7652011C7BDB116F65DC05BBABB5EEF417B4F104235F625861D0CBB04820CAA1

Function 002D7873 Relevance: 6.1, APIs: 4, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 002D78B1
GetStockObject.GDI32(00000011), ref: 002D78C5
SendMessageW.USER32(00000000,00000030,00000000), ref: 002D78CF

Memory Dump Source

Source File: 0000000C.00000002.1724187159.00000000002D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000C.00000002.1724077128.00000000002D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.000000000036D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.0000000000393000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724304889.000000000039D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724324748.00000000003A5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2d0000_Breakdown.jbxd

Similarity

API ID: CreateMessageObjectSendStockWindow
String ID:
API String ID: 3970641297-0
Opcode ID: 72af128eda9931d9dc6aae925df8d1559a315ff69a64606c17aa0e47cdc7add1
Instruction ID: 08f2e6c1262b6e3ca4bf94f8a6f05ae3c1863daa766ba51c1ece18447728f91b
Opcode Fuzzy Hash: 72af128eda9931d9dc6aae925df8d1559a315ff69a64606c17aa0e47cdc7add1
Instruction Fuzzy Hash: CD11AD72A15109BFDF025F94DC58EEA7B6DFF08364F044116FA0092220E7B69C60FBA1

Function 003033E6 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00000364,00000000,00000000,?,0030338D,00000364,00000000,00000000,00000000,?,003035FE,00000006,FlsSetValue), ref: 00303418
GetLastError.KERNEL32(?,0030338D,00000364,00000000,00000000,00000000,?,003035FE,00000006,FlsSetValue,00373260,FlsSetValue,00000000,00000364,?,003031B9), ref: 00303424
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,0030338D,00000364,00000000,00000000,00000000,?,003035FE,00000006,FlsSetValue,00373260,FlsSetValue,00000000), ref: 00303432

Memory Dump Source

Source File: 0000000C.00000002.1724187159.00000000002D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000C.00000002.1724077128.00000000002D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.000000000036D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.0000000000393000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724304889.000000000039D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724324748.00000000003A5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2d0000_Breakdown.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: 35c409f6d2892857c96dcd439c16f054bb457dbcc1c7a37f32122c9947138243
Instruction ID: 03d8ac2cdda4a1c8b470a483df5f9ba261f5719ed65506813f3178c956c60385
Opcode Fuzzy Hash: 35c409f6d2892857c96dcd439c16f054bb457dbcc1c7a37f32122c9947138243
Instruction Fuzzy Hash: 9301A732B122229BCB234B7B9C549577BACBF05B61B624620F906DB6C1DB61DE01C6E4

Function 0033BA6F Relevance: 6.0, APIs: 4, Instructions: 50sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,0033B69A,?,00008000), ref: 0033BA8B
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,0033B69A,?,00008000), ref: 0033BAB0
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,0033B69A,?,00008000), ref: 0033BABA
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,0033B69A,?,00008000), ref: 0033BAED

Memory Dump Source

Source File: 0000000C.00000002.1724187159.00000000002D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000C.00000002.1724077128.00000000002D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.000000000036D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.0000000000393000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724304889.000000000039D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724324748.00000000003A5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2d0000_Breakdown.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: 7219422d7778e95c6505e3af72d85fa876785f84152ff5577549836a7eab847d
Instruction ID: e6fd20b9e343644b6ebdd19b8a93a44aa4427f707c393aa02c63b540c547fed2
Opcode Fuzzy Hash: 7219422d7778e95c6505e3af72d85fa876785f84152ff5577549836a7eab847d
Instruction Fuzzy Hash: 40113931D00A2DEBCF029FA5E9896EEFB78BF09711F114195DA41B2150CBB096508BA5

Function 0036886F Relevance: 6.0, APIs: 4, Instructions: 46COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 0036888E
ScreenToClient.USER32(?,?), ref: 003688A6
ScreenToClient.USER32(?,?), ref: 003688CA
InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 003688E5

Memory Dump Source

Source File: 0000000C.00000002.1724187159.00000000002D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000C.00000002.1724077128.00000000002D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.000000000036D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.0000000000393000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724304889.000000000039D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724324748.00000000003A5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2d0000_Breakdown.jbxd

Similarity

API ID: ClientRectScreen$InvalidateWindow
String ID:
API String ID: 357397906-0
Opcode ID: 7a49679bf4717abd1c3d7b8e5168624c5b3dc844b18cd26286b5245b31534c68
Instruction ID: 3357fabb76f33b75ab0934ecd730c31d94bbf8f23b6ce98fb7d61abee4ded07a
Opcode Fuzzy Hash: 7a49679bf4717abd1c3d7b8e5168624c5b3dc844b18cd26286b5245b31534c68
Instruction Fuzzy Hash: 0D1143B9D00209AFDB41CF98C8849EEBBB9FF08310F508156E915E3220D775AA54CF51

Function 003336F4 Relevance: 6.0, APIs: 4, Instructions: 34threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00333712
GetWindowThreadProcessId.USER32(?,00000000), ref: 00333723
GetCurrentThreadId.KERNEL32 ref: 0033372A
AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00333731

Memory Dump Source

Source File: 0000000C.00000002.1724187159.00000000002D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000C.00000002.1724077128.00000000002D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.000000000036D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.0000000000393000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724304889.000000000039D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724324748.00000000003A5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2d0000_Breakdown.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: a1081458071982ad081ab6b4b9d37b469e73a1c63a532d5d7402fe7e37f0ad9c
Instruction ID: 037d10c9ee16ac7bbfeafaf5d19be46e6f145bc2e3e71ad166f3e1aba5daa99c
Opcode Fuzzy Hash: a1081458071982ad081ab6b4b9d37b469e73a1c63a532d5d7402fe7e37f0ad9c
Instruction Fuzzy Hash: FDE092B1A012247BDB221BA29C8DEEB7F6CDF42BA1F408015F105D2090DAE4C940C6B2

Function 003692BF Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 002D1F2D: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 002D1F87
Part of subcall function 002D1F2D: SelectObject.GDI32(?,00000000), ref: 002D1F96
Part of subcall function 002D1F2D: BeginPath.GDI32(?), ref: 002D1FAD
Part of subcall function 002D1F2D: SelectObject.GDI32(?,00000000), ref: 002D1FD6

MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 003692E3
LineTo.GDI32(?,?,?), ref: 003692F0
EndPath.GDI32(?), ref: 00369300
StrokePath.GDI32(?), ref: 0036930E

Memory Dump Source

Source File: 0000000C.00000002.1724187159.00000000002D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000C.00000002.1724077128.00000000002D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.000000000036D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.0000000000393000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724304889.000000000039D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724324748.00000000003A5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2d0000_Breakdown.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: 0389dbdd53139ae63e8de6da386a0d0531348135ee1f6cd362c95144a43edd37
Instruction ID: e3614b9f9754eb2be46f7a32573280c593b5ed2732a279f8f33a74388c4bc845
Opcode Fuzzy Hash: 0389dbdd53139ae63e8de6da386a0d0531348135ee1f6cd362c95144a43edd37
Instruction Fuzzy Hash: 3FF05832106258BADB136F54AC0EFCE3F6DAF0A720F14C001FA11611E2C7B595229FE9

Function 002D21A0 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 002D21BC
SetTextColor.GDI32(?,?), ref: 002D21C6
SetBkMode.GDI32(?,00000001), ref: 002D21D9
GetStockObject.GDI32(00000005), ref: 002D21E1

Memory Dump Source

Source File: 0000000C.00000002.1724187159.00000000002D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000C.00000002.1724077128.00000000002D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.000000000036D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.0000000000393000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724304889.000000000039D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724324748.00000000003A5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2d0000_Breakdown.jbxd

Similarity

API ID: Color$ModeObjectStockText
String ID:
API String ID: 4037423528-0
Opcode ID: ecc2bc9d6aa736478f3acc9be9dac0a8b0aa7976de5ad738c91d9e3aeef63c21
Instruction ID: 8798f805bae3e939052c5e2af2680b51aca9ab4f8919c1fa1aadd2f2ec110375
Opcode Fuzzy Hash: ecc2bc9d6aa736478f3acc9be9dac0a8b0aa7976de5ad738c91d9e3aeef63c21
Instruction Fuzzy Hash: 4FE06531740240AADB225F75AC097E83F15AB17335F04C219F7BA540E0C7F186949B10

Function 0032EC36 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 0032EC36
GetDC.USER32(00000000), ref: 0032EC40
GetDeviceCaps.GDI32(00000000,0000000C), ref: 0032EC60
ReleaseDC.USER32(?), ref: 0032EC81

Memory Dump Source

Source File: 0000000C.00000002.1724187159.00000000002D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000C.00000002.1724077128.00000000002D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.000000000036D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.0000000000393000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724304889.000000000039D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724324748.00000000003A5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2d0000_Breakdown.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 4f8eb0ec11becc426d95dc469c00957c473a39e18e3de0d6c769b09dbdc61e1d
Instruction ID: 0eab0cf7d5fc666a5a6d1ab8a7fa75a66908e2dbefa579aff860f583711d8681
Opcode Fuzzy Hash: 4f8eb0ec11becc426d95dc469c00957c473a39e18e3de0d6c769b09dbdc61e1d
Instruction Fuzzy Hash: D5E01A74D00204DFCF42AFA0D908A5DBBB9EB08310F50C409E80AE3250C7B859519F11

Function 0032EC4A Relevance: 6.0, APIs: 4, Instructions: 18COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 0032EC4A
GetDC.USER32(00000000), ref: 0032EC54
GetDeviceCaps.GDI32(00000000,0000000C), ref: 0032EC60
ReleaseDC.USER32(?), ref: 0032EC81

Memory Dump Source

Source File: 0000000C.00000002.1724187159.00000000002D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000C.00000002.1724077128.00000000002D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.000000000036D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.0000000000393000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724304889.000000000039D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724324748.00000000003A5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2d0000_Breakdown.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 4a4a9618094ee3da1e62b7b75615f9ab627c860f8902494de27444a10b26acb0
Instruction ID: 9951a6be7c8388d26c3a9abd59c6152092c89acb5fc72b223a585c577b8af65a
Opcode Fuzzy Hash: 4a4a9618094ee3da1e62b7b75615f9ab627c860f8902494de27444a10b26acb0
Instruction Fuzzy Hash: A5E012B4E00204EFCF42AFA0C808A5DBBB9AB08310F50C409E80AE3290CBB869219F10

Function 00323616 Relevance: 5.7, APIs: 1, Strings: 2, Instructions: 409COMMON

Download Yara Rule

Strings

@COM_EVENTOBJ, xrefs: 00323AD6
bn3, xrefs: 00323631, 003238EA, 00323903, 00323B3F, 00323B58

Memory Dump Source

Source File: 0000000C.00000002.1724187159.00000000002D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000C.00000002.1724077128.00000000002D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.000000000036D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.0000000000393000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724304889.000000000039D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724324748.00000000003A5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2d0000_Breakdown.jbxd

Similarity

API ID: LoadString
String ID: @COM_EVENTOBJ$bn3
API String ID: 2948472770-2425150338
Opcode ID: 566dc6e32ed6ae94f2da9dd5b482d931c7f820dc5f29f50a4bf1246598a320f6
Instruction ID: acda0da669598c7214978ce34cfab2d250e023a75d90abd6608705013a000c1c
Opcode Fuzzy Hash: 566dc6e32ed6ae94f2da9dd5b482d931c7f820dc5f29f50a4bf1246598a320f6
Instruction Fuzzy Hash: 11F1BF70A083148FDB26DF14D881B6AB7E0BF84704F15882DF58A9B261D775EE59CF82

Function 003585DB Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 230COMMON

Download Yara Rule

APIs

Part of subcall function 002F05B2: EnterCriticalSection.KERNEL32(003A170C,?,00000000,?,002DD22A,003A3570,00000001,00000000,?,?,0034F023,?,?,00000000,00000001,?), ref: 002F05BD
Part of subcall function 002F05B2: LeaveCriticalSection.KERNEL32(003A170C,?,002DD22A,003A3570,00000001,00000000,?,?,0034F023,?,?,00000000,00000001,?,00000001,003A2430), ref: 002F05FA

Part of subcall function 002DB329: _wcslen.LIBCMT ref: 002DB333

Part of subcall function 002F0413: __onexit.LIBCMT ref: 002F0419

__Init_thread_footer.LIBCMT ref: 00358658

Part of subcall function 002F0568: EnterCriticalSection.KERNEL32(003A170C,00000000,?,002DD258,003A3570,003127C9,00000001,00000000,?,?,0034F023,?,?,00000000,00000001,?), ref: 002F0572
Part of subcall function 002F0568: LeaveCriticalSection.KERNEL32(003A170C,?,002DD258,003A3570,003127C9,00000001,00000000,?,?,0034F023,?,?,00000000,00000001,?,00000001), ref: 002F05A5

Strings

Variable must be of type 'Object'., xrefs: 00358697
bn3, xrefs: 003585E5, 0035887F

Memory Dump Source

Source File: 0000000C.00000002.1724187159.00000000002D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000C.00000002.1724077128.00000000002D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.000000000036D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.0000000000393000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724304889.000000000039D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724324748.00000000003A5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2d0000_Breakdown.jbxd

Similarity

API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit_wcslen
String ID: Variable must be of type 'Object'.$bn3
API String ID: 535116098-3269971147
Opcode ID: bb8989fd0af99d10b9d8803809aec04b21abf7955865af27b732c6daae825153
Instruction ID: 42e350210264d69550a5f08c21e3f37f0c93f97e9b14acbe46a84917b17f50c9
Opcode Fuzzy Hash: bb8989fd0af99d10b9d8803809aec04b21abf7955865af27b732c6daae825153
Instruction Fuzzy Hash: 4E916B74A00208EFCB06EF94D891DADB7B5FF49301F518059F916AB3A2DB71AE49CB50

Function 003457CC Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 230shareCOMMON

Download Yara Rule

APIs

Part of subcall function 002D41EA: _wcslen.LIBCMT ref: 002D41EF

WNetUseConnectionW.MPR(00000000,?,0000002A,00000000,?,?,0000002A,?), ref: 00345919

Strings

*, xrefs: 00345855
LPT, xrefs: 00345840

Memory Dump Source

Source File: 0000000C.00000002.1724187159.00000000002D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000C.00000002.1724077128.00000000002D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.000000000036D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.0000000000393000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724304889.000000000039D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724324748.00000000003A5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2d0000_Breakdown.jbxd

Similarity

API ID: Connection_wcslen
String ID: *$LPT
API String ID: 1725874428-3443410124
Opcode ID: 063f8a29adab7d9ed57fa54d5c40f10fdc671c800e624b8281ca6df328f3b92e
Instruction ID: ffafae2d33e4860dd691d6053dfb2c7a71cc3425b42b3e7c30cb8391fbef37b5
Opcode Fuzzy Hash: 063f8a29adab7d9ed57fa54d5c40f10fdc671c800e624b8281ca6df328f3b92e
Instruction Fuzzy Hash: AC915A75E00604DFCB16DF54C494EAABBF5AF44318F198099E84A9F362CB71EE85CB90

Function 00335703 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 223comCOMMON

Download Yara Rule

APIs

OleSetContainedObject.OLE32(?,00000001), ref: 003358AF

Strings

Container, xrefs: 0033581E
0$:, xrefs: 00335952

Memory Dump Source

Source File: 0000000C.00000002.1724187159.00000000002D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000C.00000002.1724077128.00000000002D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.000000000036D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.0000000000393000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724304889.000000000039D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724324748.00000000003A5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2d0000_Breakdown.jbxd

Similarity

API ID: ContainedObject
String ID: 0$:$Container
API String ID: 3565006973-1007911182
Opcode ID: 84465a3faaeb32c01ef81a82c509642f572ed883c08162feaec4b0e81fd707df
Instruction ID: 0b04f03bbc721c4aa384f70c8b79aeb557a8587b8097edadd7761165e874e9ec
Opcode Fuzzy Hash: 84465a3faaeb32c01ef81a82c509642f572ed883c08162feaec4b0e81fd707df
Instruction Fuzzy Hash: 37813770600601EFDB15DF68C885B6ABBF9FF48710F10856EF94A8F6A1DBB0A845CB50

Function 002FE5ED Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 002FE67D

Strings

pow, xrefs: 002FE655, 002FE672

Memory Dump Source

Source File: 0000000C.00000002.1724187159.00000000002D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000C.00000002.1724077128.00000000002D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.000000000036D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.0000000000393000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724304889.000000000039D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724324748.00000000003A5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2d0000_Breakdown.jbxd

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: 2012e2d0bfd45fed0eeadf466563f06ba0988cdacf2e10a2ccb98cd452267192
Instruction ID: f4e91b69a5f4cd2a66b4c5e0eb5f8890ce44bec90225d402450fedea0ba89675
Opcode Fuzzy Hash: 2012e2d0bfd45fed0eeadf466563f06ba0988cdacf2e10a2ccb98cd452267192
Instruction Fuzzy Hash: AF519C71D2A10A96CF177B14CD2137AABACAF10780F214D24F0D5852F9DF358DE19A46

Function 002EA8EC Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 184COMMON

Download Yara Rule

Strings

#, xrefs: 002EA916

Memory Dump Source

Source File: 0000000C.00000002.1724187159.00000000002D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000C.00000002.1724077128.00000000002D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.000000000036D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.0000000000393000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724304889.000000000039D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724324748.00000000003A5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2d0000_Breakdown.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: e8fd6421969fef494228b6d5816808690b35053c93615e06cec293147c1408ec
Instruction ID: 936d310607959e71be53eb250dbb1c6880dd4c502819135c9a154c0ba39c2dbd
Opcode Fuzzy Hash: e8fd6421969fef494228b6d5816808690b35053c93615e06cec293147c1408ec
Instruction Fuzzy Hash: 23518630506397CFCF22EF2AE041ABA7BA4EF15310FA54055F8819B2C1DB34AD92CB61

Function 002EF6CA Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 002EF6DB
GlobalMemoryStatusEx.KERNEL32(?), ref: 002EF6F4

Strings

@, xrefs: 002EF6E8

Memory Dump Source

Source File: 0000000C.00000002.1724187159.00000000002D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000C.00000002.1724077128.00000000002D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.000000000036D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.0000000000393000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724304889.000000000039D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724324748.00000000003A5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2d0000_Breakdown.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: 64294e5ea881aff5756cc2b83f5168f6a96ed2eea67ad3dee93b028de27fcda6
Instruction ID: 087549d166f869d210ef2ce6a543e7bb5eb7e6a4e750680fb5ae82f707f9e70c
Opcode Fuzzy Hash: 64294e5ea881aff5756cc2b83f5168f6a96ed2eea67ad3dee93b028de27fcda6
Instruction Fuzzy Hash: 41514B714187449BD320AF10DC86BABB7ECFB85300F81485EF1D941291DB708979CB66

Function 0034DB39 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 98networkCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0034DB75
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 0034DB7F

Strings

|, xrefs: 0034DB50

Memory Dump Source

Source File: 0000000C.00000002.1724187159.00000000002D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000C.00000002.1724077128.00000000002D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.000000000036D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.0000000000393000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724304889.000000000039D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724324748.00000000003A5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2d0000_Breakdown.jbxd

Similarity

API ID: CrackInternet_wcslen
String ID: |
API String ID: 596671847-2343686810
Opcode ID: 1f7eacbc6a0d6a986eddbd92fafb6192f5ef58d72c2176bd14a48ea35ab8b66d
Instruction ID: 0f4d1cfef0b4086a711407ec07816ad70a7848c7c64fe3a60f3c7d9642542176
Opcode Fuzzy Hash: 1f7eacbc6a0d6a986eddbd92fafb6192f5ef58d72c2176bd14a48ea35ab8b66d
Instruction Fuzzy Hash: F4313E71911119ABCF16DFA4CC85EEEBFB9FF04304F100026F915AA266EB719916DF50

Function 00364008 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 96COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 003640BD
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 003640F8

Strings

static, xrefs: 00364058

Memory Dump Source

Source File: 0000000C.00000002.1724187159.00000000002D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000C.00000002.1724077128.00000000002D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.000000000036D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.0000000000393000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724304889.000000000039D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724324748.00000000003A5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2d0000_Breakdown.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: 85b9b1f36361cbde71c41ed62299b4ff345f4b1872aaa317b9397082e9a89722
Instruction ID: 63f8b6fe794998a01a2a0d17bbedd1e992f09ee83d7970624fd9ee7ba53b75c5
Opcode Fuzzy Hash: 85b9b1f36361cbde71c41ed62299b4ff345f4b1872aaa317b9397082e9a89722
Instruction Fuzzy Hash: 12319E71510614AADB22DF68CC80AFB77ADFF48720F01C619F9A587190DA75AC91DB60

Function 00364FD5 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000027,00001132,00000000,?), ref: 003650BD
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 003650D2

Strings

', xrefs: 0036502C

Memory Dump Source

Source File: 0000000C.00000002.1724187159.00000000002D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000C.00000002.1724077128.00000000002D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.000000000036D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.0000000000393000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724304889.000000000039D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724324748.00000000003A5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2d0000_Breakdown.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: fa79232457a648fc8d507677e6936f54c411c69c17f1b2a17a10961db47d18d2
Instruction ID: 3fcc0a257c35ae8bab3b197401890c18e76501b47d9106d5274df63ff5ee0165
Opcode Fuzzy Hash: fa79232457a648fc8d507677e6936f54c411c69c17f1b2a17a10961db47d18d2
Instruction Fuzzy Hash: 9B311874A0160A9FDB15CF69C880BDA7BB9FF49300F10806AE904AB355D771E945CF90

Function 002D20B0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 80COMMON

Download Yara Rule

APIs

Part of subcall function 002D249F: GetWindowLongW.USER32(00000000,000000EB), ref: 002D24B0

Part of subcall function 002D2234: GetWindowLongW.USER32(?,000000EB), ref: 002D2242

GetParent.USER32(?), ref: 00313440
DefDlgProcW.USER32(?,00000133,?,?,?,?), ref: 003134CA

Strings

(:, xrefs: 002D20B9

Memory Dump Source

Source File: 0000000C.00000002.1724187159.00000000002D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000C.00000002.1724077128.00000000002D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.000000000036D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.0000000000393000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724304889.000000000039D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724324748.00000000003A5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2d0000_Breakdown.jbxd

Similarity

API ID: LongWindow$ParentProc
String ID: (:
API String ID: 2181805148-2137056132
Opcode ID: ca664e2fc2bff1e0f23ee0e22b37cb4aa5c8764064d38afd73a8bf161072a751
Instruction ID: 7166f6328dc972de840ae24d2004a3b87ab74a34662186e59271b9e2f5c7b3b0
Opcode Fuzzy Hash: ca664e2fc2bff1e0f23ee0e22b37cb4aa5c8764064d38afd73a8bf161072a751
Instruction Fuzzy Hash: 8A21A530601154EFCB2B9F69C8499E53B66EF1A360F154245F619473E2C7318E69DA10

Function 003641AC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 002D7873: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 002D78B1
Part of subcall function 002D7873: GetStockObject.GDI32(00000011), ref: 002D78C5
Part of subcall function 002D7873: SendMessageW.USER32(00000000,00000030,00000000), ref: 002D78CF

GetWindowRect.USER32(00000000,?), ref: 00364216
GetSysColor.USER32(00000012), ref: 00364230

Strings

static, xrefs: 003641F3

Memory Dump Source

Source File: 0000000C.00000002.1724187159.00000000002D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000C.00000002.1724077128.00000000002D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.000000000036D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.0000000000393000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724304889.000000000039D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724324748.00000000003A5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2d0000_Breakdown.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: 0005e246edb60855ca568636eafd3acc34ebf4eb885ac2276fd579fe033a28f1
Instruction ID: 02b4162f204ec6665bb519561af7ab0e15790c64772a48fb156dc84e17249cfc
Opcode Fuzzy Hash: 0005e246edb60855ca568636eafd3acc34ebf4eb885ac2276fd579fe033a28f1
Instruction Fuzzy Hash: 861126B2A10209AFDB02DFA8CC45AEA7BA8EB08714F118924F955E3250E774E8509B60

Function 0034D763 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 0034D7C2
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 0034D7EB

Strings

<local>, xrefs: 0034D7AB

Memory Dump Source

Source File: 0000000C.00000002.1724187159.00000000002D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000C.00000002.1724077128.00000000002D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.000000000036D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.0000000000393000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724304889.000000000039D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724324748.00000000003A5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2d0000_Breakdown.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: 04a149c620648c6b198e2eb6a7f432d33369e3f2af61297fe3a9647ea89d3102
Instruction ID: 055d741101556f2241f1b450858f664649e7c878a220753349863946d61418a9
Opcode Fuzzy Hash: 04a149c620648c6b198e2eb6a7f432d33369e3f2af61297fe3a9647ea89d3102
Instruction Fuzzy Hash: DD114871601232BADB364F628C49EF7BEDCEF127A8F00422AF5198B080D274A840D6F0

Function 003375ED Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 002DB329: _wcslen.LIBCMT ref: 002DB333

CharUpperBuffW.USER32(?,?,?), ref: 0033761D
_wcslen.LIBCMT ref: 00337629

Strings

STOP, xrefs: 00337623, 00337628

Memory Dump Source

Source File: 0000000C.00000002.1724187159.00000000002D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000C.00000002.1724077128.00000000002D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.000000000036D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.0000000000393000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724304889.000000000039D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724324748.00000000003A5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2d0000_Breakdown.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: STOP
API String ID: 1256254125-2411985666
Opcode ID: b9533b08071aadd9306dc069f86c0d5cc5bc98fb2bb3ef21b33f36c2014f2ce9
Instruction ID: b0c74927a5a873b345cbff83d07bfd5ae1491ee8bcda42bae7647343eab9c409
Opcode Fuzzy Hash: b9533b08071aadd9306dc069f86c0d5cc5bc98fb2bb3ef21b33f36c2014f2ce9
Instruction Fuzzy Hash: 47010872A149278BCB329EBDCCE28BF73B5AB50350F510525F42292290EB30DC10C650

Function 0033262B Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 002DB329: _wcslen.LIBCMT ref: 002DB333

Part of subcall function 003345FD: GetClassNameW.USER32(?,?,000000FF), ref: 00334620

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00332699

Strings

ListBox, xrefs: 00332663
ComboBox, xrefs: 00332638

Memory Dump Source

Source File: 0000000C.00000002.1724187159.00000000002D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000C.00000002.1724077128.00000000002D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.000000000036D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.0000000000393000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724304889.000000000039D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724324748.00000000003A5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2d0000_Breakdown.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 4f82bb6a0cbc313d6372a91944cb191c05dae1d6391bb1b36f9c56fd885bff62
Instruction ID: 509ebcdd99d4836a640eff2ec975f2c7432f1fe8d1a5f0c135ad2c2f7382ba42
Opcode Fuzzy Hash: 4f82bb6a0cbc313d6372a91944cb191c05dae1d6391bb1b36f9c56fd885bff62
Instruction Fuzzy Hash: D601D475A11214EBCF06EBA4CC92CFF7768EF86350F11061AF872973C5EA715818CA60

Function 00332525 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 002DB329: _wcslen.LIBCMT ref: 002DB333

Part of subcall function 003345FD: GetClassNameW.USER32(?,?,000000FF), ref: 00334620

SendMessageW.USER32(?,00000180,00000000,?), ref: 00332593

Strings

ListBox, xrefs: 0033255D
ComboBox, xrefs: 00332532

Memory Dump Source

Source File: 0000000C.00000002.1724187159.00000000002D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000C.00000002.1724077128.00000000002D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.000000000036D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.0000000000393000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724304889.000000000039D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724324748.00000000003A5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2d0000_Breakdown.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: e6a88d7d7ba3788c8682c298c01f7f4640884cc06c4769558344758b73ab7a20
Instruction ID: bfaaa69e749e338d8aad44456791a1b9bcc10a1579eefe24f0c507c887f0dd71
Opcode Fuzzy Hash: e6a88d7d7ba3788c8682c298c01f7f4640884cc06c4769558344758b73ab7a20
Instruction Fuzzy Hash: 8201A775A51104ABDF07E790C9A2DFF77A9DF56740F51011AB802A7281DB509F0896B1

Function 003325A9 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 002DB329: _wcslen.LIBCMT ref: 002DB333

Part of subcall function 003345FD: GetClassNameW.USER32(?,?,000000FF), ref: 00334620

SendMessageW.USER32(?,00000182,?,00000000), ref: 00332615

Strings

ListBox, xrefs: 003325E1
ComboBox, xrefs: 003325B6

Memory Dump Source

Source File: 0000000C.00000002.1724187159.00000000002D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000C.00000002.1724077128.00000000002D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.000000000036D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.0000000000393000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724304889.000000000039D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724324748.00000000003A5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2d0000_Breakdown.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: dda0210a3f45c06f85c985e6f2e377a257ddcd4a44f10fe22004d3675b419c56
Instruction ID: 5e691786a9ec51416dada68f4c26b4b798ca5ab94657717ca81506f353736e0e
Opcode Fuzzy Hash: dda0210a3f45c06f85c985e6f2e377a257ddcd4a44f10fe22004d3675b419c56
Instruction Fuzzy Hash: B701D675E44204A7DF07E7A0C992EFF77AC9F05740F510126B802A3281DBA59E18D6B1

Function 003326B5 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 46windowCOMMON

Download Yara Rule

APIs

Part of subcall function 002DB329: _wcslen.LIBCMT ref: 002DB333

Part of subcall function 003345FD: GetClassNameW.USER32(?,?,000000FF), ref: 00334620

SendMessageW.USER32(?,0000018B,00000000,00000000), ref: 00332720

Strings

ListBox, xrefs: 003326ED
ComboBox, xrefs: 003326C2

Memory Dump Source

Source File: 0000000C.00000002.1724187159.00000000002D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000C.00000002.1724077128.00000000002D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.000000000036D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.0000000000393000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724304889.000000000039D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724324748.00000000003A5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2d0000_Breakdown.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: a9ef30cf27be1df826defee07057cdf4a51125a36731cd5d98ed3d2bf5baa9e0
Instruction ID: 08c804bc8adcf92553d1d539f3b4e0a84ae1ba446dc51b49120a333cfd2ff132
Opcode Fuzzy Hash: a9ef30cf27be1df826defee07057cdf4a51125a36731cd5d98ed3d2bf5baa9e0
Instruction Fuzzy Hash: BAF0A475E51214A6DB07A7A48C92FFF776CAF05750F500A16F462A72C2DB6168088660

Function 00369AFD Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44windowCOMMON

Download Yara Rule

APIs

Part of subcall function 002D249F: GetWindowLongW.USER32(00000000,000000EB), ref: 002D24B0

DefDlgProcW.USER32(?,0000002B,?,?,?), ref: 00369B6D

Part of subcall function 002D2234: GetWindowLongW.USER32(?,000000EB), ref: 002D2242

SendMessageW.USER32(?,00000401,00000000,00000000), ref: 00369B53

Strings

(:, xrefs: 00369B06

Memory Dump Source

Source File: 0000000C.00000002.1724187159.00000000002D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000C.00000002.1724077128.00000000002D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.000000000036D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.0000000000393000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724304889.000000000039D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724324748.00000000003A5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2d0000_Breakdown.jbxd

Similarity

API ID: LongWindow$MessageProcSend
String ID: (:
API String ID: 982171247-2137056132
Opcode ID: 18aa81948df6c318ca7fede0bb8a3401f2ffd52738bcdc54509cb3b84d283314
Instruction ID: c6bd23a515dd11c80111417f1d9b1a123fbea8302c63e85c15168075e64c6779
Opcode Fuzzy Hash: 18aa81948df6c318ca7fede0bb8a3401f2ffd52738bcdc54509cb3b84d283314
Instruction Fuzzy Hash: 6001DF30200214AFCB279F14EC48F663B6EFF86364F10852AF9421B6E0C7726825DB61

Function 00303A62 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 36COMMONLIBRARYCODE

Download Yara Rule

Strings

2<0, xrefs: 00303A64
j37, xrefs: 00303A88

Memory Dump Source

Source File: 0000000C.00000002.1724187159.00000000002D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000C.00000002.1724077128.00000000002D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.000000000036D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.0000000000393000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724304889.000000000039D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724324748.00000000003A5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2d0000_Breakdown.jbxd

Similarity

API ID:
String ID: 2<0$j37
API String ID: 0-1456448245
Opcode ID: 0e1a1a6926103c49e295c9e24cbf6f991c2211c46c39725b311d652cf439320e
Instruction ID: 3efd0c090035e79ff70d08d2f4a6e582258b204b4f5302cbbadcbc216cf5ee1f
Opcode Fuzzy Hash: 0e1a1a6926103c49e295c9e24cbf6f991c2211c46c39725b311d652cf439320e
Instruction Fuzzy Hash: FBF09029614149AADB159B91C851ABA73BCDB04700F10406ABC89C76D0EA758F90D365

Function 00368432 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 35COMMON

Download Yara Rule

APIs

Part of subcall function 002D249F: GetWindowLongW.USER32(00000000,000000EB), ref: 002D24B0

GetWindowLongW.USER32(?,000000F0), ref: 00368471
GetWindowLongW.USER32(?,000000EC), ref: 0036847F

Strings

(:, xrefs: 0036843E

Memory Dump Source

Source File: 0000000C.00000002.1724187159.00000000002D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000C.00000002.1724077128.00000000002D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.000000000036D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.0000000000393000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724304889.000000000039D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724324748.00000000003A5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2d0000_Breakdown.jbxd

Similarity

API ID: LongWindow
String ID: (:
API String ID: 1378638983-2137056132
Opcode ID: dafea6ed327a4c224d9d9830720b9e239d9856517280af880fda302ca15fc3be
Instruction ID: 0d78938b15df74202462da00a5a56e420770257c4cdc218fa0bd978a02688558
Opcode Fuzzy Hash: dafea6ed327a4c224d9d9830720b9e239d9856517280af880fda302ca15fc3be
Instruction Fuzzy Hash: F6F037352012059FC706DF69DC4496A77A9EB9A720B11862DF926877B0CF309820DB10

Function 00331461 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 28windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 0033146F

Strings

Error allocating memory., xrefs: 00331468
AutoIt, xrefs: 00331463

Memory Dump Source

Source File: 0000000C.00000002.1724187159.00000000002D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000C.00000002.1724077128.00000000002D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.000000000036D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.0000000000393000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724304889.000000000039D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724324748.00000000003A5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2d0000_Breakdown.jbxd

Similarity

API ID: Message
String ID: AutoIt$Error allocating memory.
API String ID: 2030045667-4017498283
Opcode ID: c14a5e3173626956932c817f506e139a49ad9dce19ca0f0cd4785b35219aabc1
Instruction ID: 64c9f89fa7949fd82f4f2c61a0144a7cdae7f43f324849b9057d18b81fe76042
Opcode Fuzzy Hash: c14a5e3173626956932c817f506e139a49ad9dce19ca0f0cd4785b35219aabc1
Instruction Fuzzy Hash: C4E0D83275431C36D7112794AC47FD5B6C48F04B91F11842AF74C545C38EE22460469D

Function 002F10B3 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 002EFAD4: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,002F10E2,?,?,?,002D100A), ref: 002EFAD9

IsDebuggerPresent.KERNEL32(?,?,?,002D100A), ref: 002F10E6
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,002D100A), ref: 002F10F5

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 002F10F0

Memory Dump Source

Source File: 0000000C.00000002.1724187159.00000000002D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000C.00000002.1724077128.00000000002D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.000000000036D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.0000000000393000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724304889.000000000039D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724324748.00000000003A5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2d0000_Breakdown.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 55579361-631824599
Opcode ID: 70a5e8b1cc444d358a3c0aefc7b536007509d3355f143d55d7773ce780b2e18b
Instruction ID: ab1c7cd3f8c21edb710057338d432e6d5d71941b2ef7e8e4b49c19bd920d0281
Opcode Fuzzy Hash: 70a5e8b1cc444d358a3c0aefc7b536007509d3355f143d55d7773ce780b2e18b
Instruction Fuzzy Hash: 99E06D70610751CBD3319F29D904753BBE8AB00745F40CD2DE989C2651DBB4D494CBA1

Function 002EF114 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 21COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 002EF151

Strings

`5:, xrefs: 002EF131
h5:, xrefs: 002EF146

Memory Dump Source

Source File: 0000000C.00000002.1724187159.00000000002D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000C.00000002.1724077128.00000000002D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.000000000036D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.0000000000393000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724304889.000000000039D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724324748.00000000003A5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2d0000_Breakdown.jbxd

Similarity

API ID: Init_thread_footer
String ID: `5:$h5:
API String ID: 1385522511-2757041239
Opcode ID: 15863bccb79c5e79b444b71d6185b4ff09ccfdfb6a8fd446f5f4d206f83647b1
Instruction ID: 9b90a3dde4387b09747a8247eb8e72db02fe658e468339e1a40d645d68e193ef
Opcode Fuzzy Hash: 15863bccb79c5e79b444b71d6185b4ff09ccfdfb6a8fd446f5f4d206f83647b1
Instruction Fuzzy Hash: FFE02035CE455CCBC546D71CD9419947394F707320FD40174F1054F291D7281A52DE14

Function 003439D8 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 18COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?,00000001), ref: 003439F0
GetTempFileNameW.KERNEL32(?,aut,00000000,?), ref: 00343A05

Strings

aut, xrefs: 003439F9

Memory Dump Source

Source File: 0000000C.00000002.1724187159.00000000002D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000C.00000002.1724077128.00000000002D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.000000000036D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.0000000000393000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724304889.000000000039D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724324748.00000000003A5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2d0000_Breakdown.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: 8dbe84eec28eb88a0f3e758dda2caaf4a16b4e37553139a76a8344befa4e6ce6
Instruction ID: ace5e4eca02ea96f3a0aba8795b46be95b6560e63904b87a53e7af59a11a42f0
Opcode Fuzzy Hash: 8dbe84eec28eb88a0f3e758dda2caaf4a16b4e37553139a76a8344befa4e6ce6
Instruction Fuzzy Hash: A1D05E72A0032867DA20A764DC0EFCB7A6CDB48710F0006A1FA55920E1DBF0DA85CBE0

Function 00362DBE Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00362DC8
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00362DDB

Part of subcall function 0033F292: Sleep.KERNEL32 ref: 0033F30A

Strings

Shell_TrayWnd, xrefs: 00362DC1

Memory Dump Source

Source File: 0000000C.00000002.1724187159.00000000002D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000C.00000002.1724077128.00000000002D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.000000000036D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.0000000000393000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724304889.000000000039D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724324748.00000000003A5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2d0000_Breakdown.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 267fa18777efbaa5bb7d318164743be3776193db2ea9260da8420fbebf0ad22b
Instruction ID: 561afb046faafbe7231ae283b91144c839005de975e78961ef91c110d1c4c0cf
Opcode Fuzzy Hash: 267fa18777efbaa5bb7d318164743be3776193db2ea9260da8420fbebf0ad22b
Instruction Fuzzy Hash: FFD01239B95311BBEA65B770EC4FFE77B589F54B10F508825F34AAE1D0C9E06800C654

Function 00362DF2 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00362E08
PostMessageW.USER32(00000000), ref: 00362E0F

Part of subcall function 0033F292: Sleep.KERNEL32 ref: 0033F30A

Strings

Shell_TrayWnd, xrefs: 00362E01

Memory Dump Source

Source File: 0000000C.00000002.1724187159.00000000002D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000C.00000002.1724077128.00000000002D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.000000000036D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.0000000000393000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724304889.000000000039D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724324748.00000000003A5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2d0000_Breakdown.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 7e73ed673685e7277ac0afdd68a9deba5c89b15703fb1d42a1a4dccadc569036
Instruction ID: 570ff7d0759b347c6dee22d20323c96d47799efb45410299ae30433e9837a8f9
Opcode Fuzzy Hash: 7e73ed673685e7277ac0afdd68a9deba5c89b15703fb1d42a1a4dccadc569036
Instruction Fuzzy Hash: 64D0C935B95311AAEA66A770AC4BFD76A589B55B10F908825F346AA1D0C9E068008658

Function 0030C17D Relevance: 5.1, APIs: 4, Instructions: 139COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,?,?,00000000,?,?,?,?,?,00000000,?), ref: 0030C213
GetLastError.KERNEL32 ref: 0030C221
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0030C27C

Memory Dump Source

Source File: 0000000C.00000002.1724187159.00000000002D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000C.00000002.1724077128.00000000002D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.000000000036D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724252267.0000000000393000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724304889.000000000039D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1724324748.00000000003A5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2d0000_Breakdown.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1717984340-0
Opcode ID: bc82d325733a1b4dcd9fd39dedf89495905c51fd4311de0252338c8d146e3c4a
Instruction ID: 18e0d4ea530f2559329137dc50429c2f28c591b703456eaebe22dc8abedb179f
Opcode Fuzzy Hash: bc82d325733a1b4dcd9fd39dedf89495905c51fd4311de0252338c8d146e3c4a
Instruction Fuzzy Hash: B141F630612205AFDF238FE5C864BBABBADEF15310F265669F8559B5E1DB308C00CB60

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report SensorExpo.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: LummaC

Yara Signatures

Memory Dumps

Sigma Signatures

HIPS / PFW / Operating System Protection Evasion

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\342536\Breakdown.com

C:\Users\user\AppData\Local\Temp\342536\X

C:\Users\user\AppData\Local\Temp\Attack

C:\Users\user\AppData\Local\Temp\Basically

C:\Users\user\AppData\Local\Temp\Basket

C:\Users\user\AppData\Local\Temp\Decor

C:\Users\user\AppData\Local\Temp\Did

C:\Users\user\AppData\Local\Temp\Eau

C:\Users\user\AppData\Local\Temp\Horses

C:\Users\user\AppData\Local\Temp\Lace

C:\Users\user\AppData\Local\Temp\Loud

C:\Users\user\AppData\Local\Temp\Measuring

C:\Users\user\AppData\Local\Temp\Montgomery

C:\Users\user\AppData\Local\Temp\Nd

C:\Users\user\AppData\Local\Temp\Older

Windows Analysis Report
SensorExpo.exe

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre