Edit tour

Windows Analysis Report
lExtvSjBgq.exe

Overview

General Information

Sample name:	lExtvSjBgq.exe renamed because original name is a hash value
Original sample name:	959963e520fea06fa091046fbae311a892ffca7541c82816f7a67c508fc3c898.exe
Analysis ID:	1587677
MD5:	b517fef76c7787155698922a3cd4968c
SHA1:	2627e7881e2a55c273243a573238e2cf8079f11f
SHA256:	959963e520fea06fa091046fbae311a892ffca7541c82816f7a67c508fc3c898
Tags:	exeuser-adrian__luca
Infos:

Detection

FormBook

Score:	84
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Yara detected FormBook

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Machine Learning detection for sample

Maps a DLL or memory area into another process

Switches to a custom stack to bypass stack traces

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Writes to foreign memory regions

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected non-DNS traffic on DNS port

Detected potential crypto function

Extensive use of GetProcAddress (often used to hide API calls)

Found evasive API chain (date check)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

May sleep (evasive loops) to hinder dynamic analysis

OS version to string mapping found (often used in BOTs)

Potential key logger detected (key state polling based)

Sample file is different than original file name gathered from version info

Sigma detected: Uncommon Svchost Parent Process

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

lExtvSjBgq.exe (PID: 5076 cmdline: "C:\Users\user\Desktop\lExtvSjBgq.exe" MD5: B517FEF76C7787155698922A3CD4968C)

svchost.exe (PID: 3220 cmdline: "C:\Users\user\Desktop\lExtvSjBgq.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Formbook, Formbo	FormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.	SWEED Cobalt	http://blog.inquest.net/blog/2018/06/22/a-look-at-formbook-stealer/ http://cambuz.blogspot.de/2016/06/form-grabber-2016-cromeffoperathunderbi.html http://www.vkremez.com/2018/01/lets-learn-dissecting-formbook.html https://0xmrmagnezi.github.io/malware%20analysis/FormBook/ https://any.run/cybersecurity-blog/xloader-formbook-encryption-analysis-and-malware-decryption/	https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000002.00000002.2887345795.0000000002D60000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000002.00000002.2887106496.0000000000400000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
2.2.svchost.exe.400000.0.raw.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
2.2.svchost.exe.400000.0.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security

Sigma Signatures

System Summary

Sigma detected: Uncommon Svchost Parent Process

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Users\user\Desktop\lExtvSjBgq.exe", CommandLine: "C:\Users\user\Desktop\lExtvSjBgq.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\lExtvSjBgq.exe", ParentImage: C:\Users\user\Desktop\lExtvSjBgq.exe, ParentProcessId: 5076, ParentProcessName: lExtvSjBgq.exe, ProcessCommandLine: "C:\Users\user\Desktop\lExtvSjBgq.exe", ProcessId: 3220, ProcessName: svchost.exe

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: "C:\Users\user\Desktop\lExtvSjBgq.exe", CommandLine: "C:\Users\user\Desktop\lExtvSjBgq.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\lExtvSjBgq.exe", ParentImage: C:\Users\user\Desktop\lExtvSjBgq.exe, ParentProcessId: 5076, ParentProcessName: lExtvSjBgq.exe, ProcessCommandLine: "C:\Users\user\Desktop\lExtvSjBgq.exe", ProcessId: 3220, ProcessName: svchost.exe

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: lExtvSjBgq.exe	Virustotal: Detection: 69%			Perma Link
Source: lExtvSjBgq.exe	ReversingLabs: Detection: 73%

Yara detected FormBook

Source: Yara match	File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.2887345795.0000000002D60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2887106496.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: lExtvSjBgq.exe

Joe Sandbox ML: detected

Source: lExtvSjBgq.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source:	Binary string: wntdll.pdbUGP source: lExtvSjBgq.exe, 00000000.00000003.2246193460.00000000038D0000.00000004.00001000.00020000.00000000.sdmp, lExtvSjBgq.exe, 00000000.00000003.2245955817.0000000003730000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2544365535.0000000003000000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2887524963.0000000003400000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2887524963.000000000359E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2546220424.0000000003200000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: lExtvSjBgq.exe, 00000000.00000003.2246193460.00000000038D0000.00000004.00001000.00020000.00000000.sdmp, lExtvSjBgq.exe, 00000000.00000003.2245955817.0000000003730000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000003.2544365535.0000000003000000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2887524963.0000000003400000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2887524963.000000000359E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2546220424.0000000003200000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\lExtvSjBgq.exe	Code function: 0_2_0024445A GetFileAttributesW,FindFirstFileW,FindClose,	0_2_0024445A
Source: C:\Users\user\Desktop\lExtvSjBgq.exe	Code function: 0_2_0024C6D1 FindFirstFileW,FindClose,	0_2_0024C6D1
Source: C:\Users\user\Desktop\lExtvSjBgq.exe	Code function: 0_2_0024C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_0024C75C
Source: C:\Users\user\Desktop\lExtvSjBgq.exe	Code function: 0_2_0024EF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0024EF95
Source: C:\Users\user\Desktop\lExtvSjBgq.exe	Code function: 0_2_0024F0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0024F0F2
Source: C:\Users\user\Desktop\lExtvSjBgq.exe	Code function: 0_2_0024F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_0024F3F3
Source: C:\Users\user\Desktop\lExtvSjBgq.exe	Code function: 0_2_002437EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_002437EF
Source: C:\Users\user\Desktop\lExtvSjBgq.exe	Code function: 0_2_00243B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00243B12
Source: C:\Users\user\Desktop\lExtvSjBgq.exe	Code function: 0_2_0024BCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_0024BCBC

Source: global traffic

TCP traffic: 192.168.2.6:55547 -> 162.159.36.2:53

Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2

Source: C:\Users\user\Desktop\lExtvSjBgq.exe

Code function: 0_2_002522EE InternetReadFile,InternetQueryDataAvailable,InternetReadFile,

0_2_002522EE

Source: C:\Users\user\Desktop\lExtvSjBgq.exe

Code function: 0_2_00254164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_00254164

Source: C:\Users\user\Desktop\lExtvSjBgq.exe

Code function: 0_2_00254164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_00254164

Source: C:\Users\user\Desktop\lExtvSjBgq.exe

Code function: 0_2_00253F66 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_00253F66

Source: C:\Users\user\Desktop\lExtvSjBgq.exe

Code function: 0_2_0024001C GetKeyboardState,SetKeyboardState,GetAsyncKeyState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,

0_2_0024001C

Source: C:\Users\user\Desktop\lExtvSjBgq.exe

Code function: 0_2_0026CABC DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_0026CABC

E-Banking Fraud

Yara detected FormBook

Source: Yara match	File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.2887345795.0000000002D60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2887106496.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

System Summary

Binary is likely a compiled AutoIt script file

Source: C:\Users\user\Desktop\lExtvSjBgq.exe	Code function: This is a third-party compiled AutoIt script.	0_2_001E3B3A
Source: lExtvSjBgq.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: lExtvSjBgq.exe, 00000000.00000000.2210442631.0000000000294000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_5b802986-e
Source: lExtvSjBgq.exe, 00000000.00000000.2210442631.0000000000294000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`	memstr_b604f611-9
Source: lExtvSjBgq.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_380b4224-3
Source: lExtvSjBgq.exe	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`	memstr_49f3b514-7

Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0042C643 NtClose,	2_2_0042C643
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03472B60 NtClose,LdrInitializeThunk,	2_2_03472B60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03472DF0 NtQuerySystemInformation,LdrInitializeThunk,	2_2_03472DF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034735C0 NtCreateMutant,LdrInitializeThunk,	2_2_034735C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03474340 NtSetContextThread,	2_2_03474340
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03474650 NtSuspendThread,	2_2_03474650
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03472BE0 NtQueryValueKey,	2_2_03472BE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03472BF0 NtAllocateVirtualMemory,	2_2_03472BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03472B80 NtQueryInformationFile,	2_2_03472B80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03472BA0 NtEnumerateValueKey,	2_2_03472BA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03472AD0 NtReadFile,	2_2_03472AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03472AF0 NtWriteFile,	2_2_03472AF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03472AB0 NtWaitForSingleObject,	2_2_03472AB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03472F60 NtCreateProcessEx,	2_2_03472F60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03472F30 NtCreateSection,	2_2_03472F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03472FE0 NtCreateFile,	2_2_03472FE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03472F90 NtProtectVirtualMemory,	2_2_03472F90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03472FA0 NtQuerySection,	2_2_03472FA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03472FB0 NtResumeThread,	2_2_03472FB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03472E30 NtWriteVirtualMemory,	2_2_03472E30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03472EE0 NtQueueApcThread,	2_2_03472EE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03472E80 NtReadVirtualMemory,	2_2_03472E80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03472EA0 NtAdjustPrivilegesToken,	2_2_03472EA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03472D00 NtSetInformationFile,	2_2_03472D00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03472D10 NtMapViewOfSection,	2_2_03472D10
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03472D30 NtUnmapViewOfSection,	2_2_03472D30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03472DD0 NtDelayExecution,	2_2_03472DD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03472DB0 NtEnumerateKey,	2_2_03472DB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03472C60 NtCreateKey,	2_2_03472C60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03472C70 NtFreeVirtualMemory,	2_2_03472C70
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03472C00 NtQueryInformationProcess,	2_2_03472C00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03472CC0 NtQueryVirtualMemory,	2_2_03472CC0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03472CF0 NtOpenProcess,	2_2_03472CF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03472CA0 NtQueryInformationToken,	2_2_03472CA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03473010 NtOpenDirectoryObject,	2_2_03473010
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03473090 NtSetValueKey,	2_2_03473090
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034739B0 NtGetContextThread,	2_2_034739B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03473D70 NtOpenThread,	2_2_03473D70
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03473D10 NtOpenProcessToken,	2_2_03473D10

Source: C:\Users\user\Desktop\lExtvSjBgq.exe

Code function: 0_2_0024A1EF: GetFullPathNameW,__swprintf,CreateDirectoryW,CreateFileW,_memset,_wcsncpy,DeviceIoControl,CloseHandle,RemoveDirectoryW,CloseHandle,

0_2_0024A1EF

Source: C:\Users\user\Desktop\lExtvSjBgq.exe

Code function: 0_2_00238310 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_00238310

Source: C:\Users\user\Desktop\lExtvSjBgq.exe

Code function: 0_2_002451BD ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_002451BD

Source: C:\Users\user\Desktop\lExtvSjBgq.exe	Code function: 0_2_001EE6A0	0_2_001EE6A0
Source: C:\Users\user\Desktop\lExtvSjBgq.exe	Code function: 0_2_0020D975	0_2_0020D975
Source: C:\Users\user\Desktop\lExtvSjBgq.exe	Code function: 0_2_001EFCE0	0_2_001EFCE0
Source: C:\Users\user\Desktop\lExtvSjBgq.exe	Code function: 0_2_002021C5	0_2_002021C5
Source: C:\Users\user\Desktop\lExtvSjBgq.exe	Code function: 0_2_002162D2	0_2_002162D2
Source: C:\Users\user\Desktop\lExtvSjBgq.exe	Code function: 0_2_002603DA	0_2_002603DA
Source: C:\Users\user\Desktop\lExtvSjBgq.exe	Code function: 0_2_0021242E	0_2_0021242E
Source: C:\Users\user\Desktop\lExtvSjBgq.exe	Code function: 0_2_002025FA	0_2_002025FA
Source: C:\Users\user\Desktop\lExtvSjBgq.exe	Code function: 0_2_0023E616	0_2_0023E616
Source: C:\Users\user\Desktop\lExtvSjBgq.exe	Code function: 0_2_001F66E1	0_2_001F66E1
Source: C:\Users\user\Desktop\lExtvSjBgq.exe	Code function: 0_2_0021878F	0_2_0021878F
Source: C:\Users\user\Desktop\lExtvSjBgq.exe	Code function: 0_2_001F8808	0_2_001F8808
Source: C:\Users\user\Desktop\lExtvSjBgq.exe	Code function: 0_2_00216844	0_2_00216844
Source: C:\Users\user\Desktop\lExtvSjBgq.exe	Code function: 0_2_00260857	0_2_00260857
Source: C:\Users\user\Desktop\lExtvSjBgq.exe	Code function: 0_2_00248889	0_2_00248889
Source: C:\Users\user\Desktop\lExtvSjBgq.exe	Code function: 0_2_0020CB21	0_2_0020CB21
Source: C:\Users\user\Desktop\lExtvSjBgq.exe	Code function: 0_2_00216DB6	0_2_00216DB6
Source: C:\Users\user\Desktop\lExtvSjBgq.exe	Code function: 0_2_001F6F9E	0_2_001F6F9E
Source: C:\Users\user\Desktop\lExtvSjBgq.exe	Code function: 0_2_001F3030	0_2_001F3030
Source: C:\Users\user\Desktop\lExtvSjBgq.exe	Code function: 0_2_00203187	0_2_00203187
Source: C:\Users\user\Desktop\lExtvSjBgq.exe	Code function: 0_2_0020F1D9	0_2_0020F1D9
Source: C:\Users\user\Desktop\lExtvSjBgq.exe	Code function: 0_2_001E1287	0_2_001E1287
Source: C:\Users\user\Desktop\lExtvSjBgq.exe	Code function: 0_2_00201484	0_2_00201484
Source: C:\Users\user\Desktop\lExtvSjBgq.exe	Code function: 0_2_001F5520	0_2_001F5520
Source: C:\Users\user\Desktop\lExtvSjBgq.exe	Code function: 0_2_00207696	0_2_00207696
Source: C:\Users\user\Desktop\lExtvSjBgq.exe	Code function: 0_2_001F5760	0_2_001F5760
Source: C:\Users\user\Desktop\lExtvSjBgq.exe	Code function: 0_2_00201978	0_2_00201978
Source: C:\Users\user\Desktop\lExtvSjBgq.exe	Code function: 0_2_00219AB5	0_2_00219AB5
Source: C:\Users\user\Desktop\lExtvSjBgq.exe	Code function: 0_2_0020BDA6	0_2_0020BDA6
Source: C:\Users\user\Desktop\lExtvSjBgq.exe	Code function: 0_2_00201D90	0_2_00201D90
Source: C:\Users\user\Desktop\lExtvSjBgq.exe	Code function: 0_2_00267DDB	0_2_00267DDB
Source: C:\Users\user\Desktop\lExtvSjBgq.exe	Code function: 0_2_001EDF00	0_2_001EDF00
Source: C:\Users\user\Desktop\lExtvSjBgq.exe	Code function: 0_2_001F3FE0	0_2_001F3FE0
Source: C:\Users\user\Desktop\lExtvSjBgq.exe	Code function: 0_2_00F5DE48	0_2_00F5DE48
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004030D0	2_2_004030D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004010E0	2_2_004010E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040E083	2_2_0040E083
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004100A3	2_2_004100A3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040E1C7	2_2_0040E1C7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040E1D3	2_2_0040E1D3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00401240	2_2_00401240
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00401B47	2_2_00401B47
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00401B50	2_2_00401B50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0042EC63	2_2_0042EC63
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00402430	2_2_00402430
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040FE7B	2_2_0040FE7B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040FE83	2_2_0040FE83
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004167B3	2_2_004167B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034FA352	2_2_034FA352
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0344E3F0	2_2_0344E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035003E6	2_2_035003E6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034E0274	2_2_034E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034C02C0	2_2_034C02C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034C8158	2_2_034C8158
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03430100	2_2_03430100
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034DA118	2_2_034DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034F81CC	2_2_034F81CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034F41A2	2_2_034F41A2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035001AA	2_2_035001AA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034D2000	2_2_034D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03464750	2_2_03464750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03440770	2_2_03440770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0343C7C0	2_2_0343C7C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0345C6E0	2_2_0345C6E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03440535	2_2_03440535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03500591	2_2_03500591
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034F2446	2_2_034F2446
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034E4420	2_2_034E4420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034EE4F6	2_2_034EE4F6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034FAB40	2_2_034FAB40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034F6BD7	2_2_034F6BD7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0343EA80	2_2_0343EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03456962	2_2_03456962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034429A0	2_2_034429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0350A9A6	2_2_0350A9A6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0344A840	2_2_0344A840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03442840	2_2_03442840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346E8F0	2_2_0346E8F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034268B8	2_2_034268B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B4F40	2_2_034B4F40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03482F28	2_2_03482F28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03460F30	2_2_03460F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034E2F30	2_2_034E2F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03432FC8	2_2_03432FC8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0344CFE0	2_2_0344CFE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034BEFA0	2_2_034BEFA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03440E59	2_2_03440E59
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034FEE26	2_2_034FEE26
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034FEEDB	2_2_034FEEDB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03452E90	2_2_03452E90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034FCE93	2_2_034FCE93
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0344AD00	2_2_0344AD00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034DCD1F	2_2_034DCD1F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0343ADE0	2_2_0343ADE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03458DBF	2_2_03458DBF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03440C00	2_2_03440C00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03430CF2	2_2_03430CF2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034E0CB5	2_2_034E0CB5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0342D34C	2_2_0342D34C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034F132D	2_2_034F132D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0348739A	2_2_0348739A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0345B2C0	2_2_0345B2C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034E12ED	2_2_034E12ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034452A0	2_2_034452A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0347516C	2_2_0347516C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0342F172	2_2_0342F172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0350B16B	2_2_0350B16B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0344B1B0	2_2_0344B1B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034EF0CC	2_2_034EF0CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034470C0	2_2_034470C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034F70E9	2_2_034F70E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034FF0E0	2_2_034FF0E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034FF7B0	2_2_034FF7B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03485630	2_2_03485630
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034F16CC	2_2_034F16CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034F7571	2_2_034F7571
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035095C3	2_2_035095C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034DD5B0	2_2_034DD5B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03431460	2_2_03431460
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034FF43F	2_2_034FF43F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034FFB76	2_2_034FFB76
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B5BF0	2_2_034B5BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0347DBF9	2_2_0347DBF9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0345FB80	2_2_0345FB80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034FFA49	2_2_034FFA49
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034F7A46	2_2_034F7A46
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B3A6C	2_2_034B3A6C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034EDAC6	2_2_034EDAC6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034DDAAC	2_2_034DDAAC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03485AA0	2_2_03485AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034E1AA3	2_2_034E1AA3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03449950	2_2_03449950
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0345B950	2_2_0345B950
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034D5910	2_2_034D5910
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034AD800	2_2_034AD800
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034438E0	2_2_034438E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034FFF09	2_2_034FFF09
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03403FD2	2_2_03403FD2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03403FD5	2_2_03403FD5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03441F92	2_2_03441F92
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034FFFB1	2_2_034FFFB1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03449EB0	2_2_03449EB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03443D40	2_2_03443D40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034F1D5A	2_2_034F1D5A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034F7D73	2_2_034F7D73
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0345FDC0	2_2_0345FDC0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B9C32	2_2_034B9C32
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034FFCF2	2_2_034FFCF2

Source: C:\Users\user\Desktop\lExtvSjBgq.exe	Code function: String function: 001E7DE1 appears 35 times
Source: C:\Users\user\Desktop\lExtvSjBgq.exe	Code function: String function: 00208900 appears 42 times
Source: C:\Users\user\Desktop\lExtvSjBgq.exe	Code function: String function: 00200AE3 appears 70 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 034BF290 appears 105 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 034AEA12 appears 86 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 0342B970 appears 280 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 03475130 appears 58 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 03487E54 appears 111 times

Source: lExtvSjBgq.exe, 00000000.00000003.2243905819.00000000039FD000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs lExtvSjBgq.exe
Source: lExtvSjBgq.exe, 00000000.00000003.2244635034.0000000003853000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs lExtvSjBgq.exe

Source: lExtvSjBgq.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: classification engine

Classification label: mal84.troj.evad.winEXE@3/2@0/0

Source: C:\Users\user\Desktop\lExtvSjBgq.exe

Code function: 0_2_0024A06A GetLastError,FormatMessageW,

0_2_0024A06A

Source: C:\Users\user\Desktop\lExtvSjBgq.exe	Code function: 0_2_002381CB AdjustTokenPrivileges,CloseHandle,		0_2_002381CB
Source: C:\Users\user\Desktop\lExtvSjBgq.exe	Code function: 0_2_002387E1 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_002387E1

Source: C:\Users\user\Desktop\lExtvSjBgq.exe

Code function: 0_2_0024B333 SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_0024B333

Source: C:\Users\user\Desktop\lExtvSjBgq.exe

Code function: 0_2_0025EE0D CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_0025EE0D

Source: C:\Users\user\Desktop\lExtvSjBgq.exe

Code function: 0_2_002583BB CoInitialize,CoUninitialize,CoCreateInstance,IIDFromString,VariantInit,VariantClear,

0_2_002583BB

Source: C:\Users\user\Desktop\lExtvSjBgq.exe

Code function: 0_2_001E4E89 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_001E4E89

Source: C:\Users\user\Desktop\lExtvSjBgq.exe

File created: C:\Users\user\AppData\Local\Temp\aut2FF9.tmp

Jump to behavior

Source: C:\Users\user\Desktop\lExtvSjBgq.exe

Command line argument: r

0_2_001E47D0

Source: lExtvSjBgq.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\lExtvSjBgq.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: lExtvSjBgq.exe	Virustotal: Detection: 69%
Source: lExtvSjBgq.exe	ReversingLabs: Detection: 73%

Source: unknown	Process created: C:\Users\user\Desktop\lExtvSjBgq.exe "C:\Users\user\Desktop\lExtvSjBgq.exe"
Source: C:\Users\user\Desktop\lExtvSjBgq.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\lExtvSjBgq.exe"
Source: C:\Users\user\Desktop\lExtvSjBgq.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\lExtvSjBgq.exe"	Jump to behavior

Source: C:\Users\user\Desktop\lExtvSjBgq.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\lExtvSjBgq.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\lExtvSjBgq.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\lExtvSjBgq.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\lExtvSjBgq.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\lExtvSjBgq.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\lExtvSjBgq.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\lExtvSjBgq.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\lExtvSjBgq.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\lExtvSjBgq.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\lExtvSjBgq.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\lExtvSjBgq.exe	Section loaded: ntmarta.dll	Jump to behavior

Source: lExtvSjBgq.exe

Static file information: File size 1212416 > 1048576

Source: lExtvSjBgq.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: lExtvSjBgq.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: lExtvSjBgq.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: lExtvSjBgq.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: lExtvSjBgq.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: lExtvSjBgq.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: lExtvSjBgq.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: wntdll.pdbUGP source: lExtvSjBgq.exe, 00000000.00000003.2246193460.00000000038D0000.00000004.00001000.00020000.00000000.sdmp, lExtvSjBgq.exe, 00000000.00000003.2245955817.0000000003730000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2544365535.0000000003000000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2887524963.0000000003400000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2887524963.000000000359E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2546220424.0000000003200000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: lExtvSjBgq.exe, 00000000.00000003.2246193460.00000000038D0000.00000004.00001000.00020000.00000000.sdmp, lExtvSjBgq.exe, 00000000.00000003.2245955817.0000000003730000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000003.2544365535.0000000003000000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2887524963.0000000003400000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2887524963.000000000359E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2546220424.0000000003200000.00000004.00000020.00020000.00000000.sdmp

Source: lExtvSjBgq.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: lExtvSjBgq.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: lExtvSjBgq.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: lExtvSjBgq.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: lExtvSjBgq.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\lExtvSjBgq.exe

Code function: 0_2_001E4B37 LoadLibraryA,GetProcAddress,

0_2_001E4B37

Source: C:\Users\user\Desktop\lExtvSjBgq.exe	Code function: 0_2_001EC4FE push A3001EBAh; retn 001Eh	0_2_001EC50D
Source: C:\Users\user\Desktop\lExtvSjBgq.exe	Code function: 0_2_00208945 push ecx; ret	0_2_00208958
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0041183B push edi; iretd	2_2_0041183C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0041222A push cs; retf	2_2_0041222F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004122B0 push ecx; retf	2_2_004122BD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004122BF pushfd ; iretd	2_2_004122C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00403350 push eax; ret	2_2_00403352
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00401552 pushfd ; ret	2_2_00401566
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00408562 push edi; iretd	2_2_00408563
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00408572 push esi; ret	2_2_00408573
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00423D1E push ebx; retf	2_2_00423D1F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004165F1 push eax; iretd	2_2_00416603
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004015BB pushfd ; ret	2_2_00401566
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00408600 push ebp; iretd	2_2_00408601
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040175C pushfd ; ret	2_2_00401778
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00418F7A push ecx; iretd	2_2_00418F81
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00424FC3 push edi; iretd	2_2_00424FCE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0340225F pushad ; ret	2_2_034027F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034027FA pushad ; ret	2_2_034027F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034309AD push ecx; mov dword ptr [esp], ecx	2_2_034309B6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0340283D push eax; iretd	2_2_03402858
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0340135E push eax; iretd	2_2_03401369

Source: C:\Users\user\Desktop\lExtvSjBgq.exe	Code function: 0_2_001E48D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_001E48D7
Source: C:\Users\user\Desktop\lExtvSjBgq.exe	Code function: 0_2_00265376 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_00265376

Source: C:\Users\user\Desktop\lExtvSjBgq.exe

Code function: 0_2_00203187 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_00203187

Source: C:\Users\user\Desktop\lExtvSjBgq.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\lExtvSjBgq.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior

Malware Analysis System Evasion

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\lExtvSjBgq.exe

API/Special instruction interceptor: Address: F5DA6C

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: lExtvSjBgq.exe, 00000000.00000002.2247244572.0000000000FB9000.00000004.00000020.00020000.00000000.sdmp, lExtvSjBgq.exe, 00000000.00000003.2211667313.0000000000FB9000.00000004.00000020.00020000.00000000.sdmp, lExtvSjBgq.exe, 00000000.00000003.2211528453.0000000000F4A000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: FIDDLER.EXE9P

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 2_2_0347096E rdtsc

2_2_0347096E

Source: C:\Users\user\Desktop\lExtvSjBgq.exe

Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes

graph_0-102343

Source: C:\Users\user\Desktop\lExtvSjBgq.exe	API coverage: 5.9 %
Source: C:\Windows\SysWOW64\svchost.exe	API coverage: 0.6 %

Source: C:\Windows\SysWOW64\svchost.exe TID: 5700

Thread sleep time: -30000s >= -30000s

Jump to behavior

Source: C:\Users\user\Desktop\lExtvSjBgq.exe	Code function: 0_2_0024445A GetFileAttributesW,FindFirstFileW,FindClose,	0_2_0024445A
Source: C:\Users\user\Desktop\lExtvSjBgq.exe	Code function: 0_2_0024C6D1 FindFirstFileW,FindClose,	0_2_0024C6D1
Source: C:\Users\user\Desktop\lExtvSjBgq.exe	Code function: 0_2_0024C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_0024C75C
Source: C:\Users\user\Desktop\lExtvSjBgq.exe	Code function: 0_2_0024EF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0024EF95
Source: C:\Users\user\Desktop\lExtvSjBgq.exe	Code function: 0_2_0024F0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0024F0F2
Source: C:\Users\user\Desktop\lExtvSjBgq.exe	Code function: 0_2_0024F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_0024F3F3
Source: C:\Users\user\Desktop\lExtvSjBgq.exe	Code function: 0_2_002437EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_002437EF
Source: C:\Users\user\Desktop\lExtvSjBgq.exe	Code function: 0_2_00243B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00243B12
Source: C:\Users\user\Desktop\lExtvSjBgq.exe	Code function: 0_2_0024BCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_0024BCBC

Source: C:\Users\user\Desktop\lExtvSjBgq.exe

Code function: 0_2_001E49A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_001E49A0

Source: C:\Users\user\Desktop\lExtvSjBgq.exe	API call chain: ExitProcess graph end node			graph_0-100891
Source: C:\Users\user\Desktop\lExtvSjBgq.exe	API call chain: ExitProcess graph end node			graph_0-100957

Source: C:\Windows\SysWOW64\svchost.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe

Process queried: DebugPort

Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 2_2_0347096E rdtsc

2_2_0347096E

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 2_2_00417743 LdrLoadDll,

2_2_00417743

Source: C:\Users\user\Desktop\lExtvSjBgq.exe

Code function: 0_2_00253F09 BlockInput,

0_2_00253F09

Source: C:\Users\user\Desktop\lExtvSjBgq.exe

Code function: 0_2_001E3B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_001E3B3A

Source: C:\Users\user\Desktop\lExtvSjBgq.exe

Code function: 0_2_00215A7C EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,

0_2_00215A7C

Source: C:\Users\user\Desktop\lExtvSjBgq.exe

Code function: 0_2_001E4B37 LoadLibraryA,GetProcAddress,

0_2_001E4B37

Source: C:\Users\user\Desktop\lExtvSjBgq.exe	Code function: 0_2_00F5C638 mov eax, dword ptr fs:[00000030h]	0_2_00F5C638
Source: C:\Users\user\Desktop\lExtvSjBgq.exe	Code function: 0_2_00F5DCD8 mov eax, dword ptr fs:[00000030h]	0_2_00F5DCD8
Source: C:\Users\user\Desktop\lExtvSjBgq.exe	Code function: 0_2_00F5DD38 mov eax, dword ptr fs:[00000030h]	0_2_00F5DD38
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B2349 mov eax, dword ptr fs:[00000030h]	2_2_034B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B2349 mov eax, dword ptr fs:[00000030h]	2_2_034B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B2349 mov eax, dword ptr fs:[00000030h]	2_2_034B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B2349 mov eax, dword ptr fs:[00000030h]	2_2_034B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B2349 mov eax, dword ptr fs:[00000030h]	2_2_034B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B2349 mov eax, dword ptr fs:[00000030h]	2_2_034B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B2349 mov eax, dword ptr fs:[00000030h]	2_2_034B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B2349 mov eax, dword ptr fs:[00000030h]	2_2_034B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B2349 mov eax, dword ptr fs:[00000030h]	2_2_034B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B2349 mov eax, dword ptr fs:[00000030h]	2_2_034B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B2349 mov eax, dword ptr fs:[00000030h]	2_2_034B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B2349 mov eax, dword ptr fs:[00000030h]	2_2_034B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B2349 mov eax, dword ptr fs:[00000030h]	2_2_034B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B2349 mov eax, dword ptr fs:[00000030h]	2_2_034B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B2349 mov eax, dword ptr fs:[00000030h]	2_2_034B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B035C mov eax, dword ptr fs:[00000030h]	2_2_034B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B035C mov eax, dword ptr fs:[00000030h]	2_2_034B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B035C mov eax, dword ptr fs:[00000030h]	2_2_034B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B035C mov ecx, dword ptr fs:[00000030h]	2_2_034B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B035C mov eax, dword ptr fs:[00000030h]	2_2_034B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B035C mov eax, dword ptr fs:[00000030h]	2_2_034B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034FA352 mov eax, dword ptr fs:[00000030h]	2_2_034FA352
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034D8350 mov ecx, dword ptr fs:[00000030h]	2_2_034D8350
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0350634F mov eax, dword ptr fs:[00000030h]	2_2_0350634F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034D437C mov eax, dword ptr fs:[00000030h]	2_2_034D437C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346A30B mov eax, dword ptr fs:[00000030h]	2_2_0346A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346A30B mov eax, dword ptr fs:[00000030h]	2_2_0346A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346A30B mov eax, dword ptr fs:[00000030h]	2_2_0346A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0342C310 mov ecx, dword ptr fs:[00000030h]	2_2_0342C310
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03450310 mov ecx, dword ptr fs:[00000030h]	2_2_03450310
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03508324 mov eax, dword ptr fs:[00000030h]	2_2_03508324
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03508324 mov ecx, dword ptr fs:[00000030h]	2_2_03508324
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03508324 mov eax, dword ptr fs:[00000030h]	2_2_03508324
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03508324 mov eax, dword ptr fs:[00000030h]	2_2_03508324
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034EC3CD mov eax, dword ptr fs:[00000030h]	2_2_034EC3CD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0343A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0343A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0343A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0343A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0343A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0343A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0343A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0343A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0343A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0343A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0343A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0343A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034383C0 mov eax, dword ptr fs:[00000030h]	2_2_034383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034383C0 mov eax, dword ptr fs:[00000030h]	2_2_034383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034383C0 mov eax, dword ptr fs:[00000030h]	2_2_034383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034383C0 mov eax, dword ptr fs:[00000030h]	2_2_034383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B63C0 mov eax, dword ptr fs:[00000030h]	2_2_034B63C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034DE3DB mov eax, dword ptr fs:[00000030h]	2_2_034DE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034DE3DB mov eax, dword ptr fs:[00000030h]	2_2_034DE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034DE3DB mov ecx, dword ptr fs:[00000030h]	2_2_034DE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034DE3DB mov eax, dword ptr fs:[00000030h]	2_2_034DE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034D43D4 mov eax, dword ptr fs:[00000030h]	2_2_034D43D4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034D43D4 mov eax, dword ptr fs:[00000030h]	2_2_034D43D4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034403E9 mov eax, dword ptr fs:[00000030h]	2_2_034403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034403E9 mov eax, dword ptr fs:[00000030h]	2_2_034403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034403E9 mov eax, dword ptr fs:[00000030h]	2_2_034403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034403E9 mov eax, dword ptr fs:[00000030h]	2_2_034403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034403E9 mov eax, dword ptr fs:[00000030h]	2_2_034403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034403E9 mov eax, dword ptr fs:[00000030h]	2_2_034403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034403E9 mov eax, dword ptr fs:[00000030h]	2_2_034403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034403E9 mov eax, dword ptr fs:[00000030h]	2_2_034403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0344E3F0 mov eax, dword ptr fs:[00000030h]	2_2_0344E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0344E3F0 mov eax, dword ptr fs:[00000030h]	2_2_0344E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0344E3F0 mov eax, dword ptr fs:[00000030h]	2_2_0344E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034663FF mov eax, dword ptr fs:[00000030h]	2_2_034663FF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0342E388 mov eax, dword ptr fs:[00000030h]	2_2_0342E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0342E388 mov eax, dword ptr fs:[00000030h]	2_2_0342E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0342E388 mov eax, dword ptr fs:[00000030h]	2_2_0342E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0345438F mov eax, dword ptr fs:[00000030h]	2_2_0345438F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0345438F mov eax, dword ptr fs:[00000030h]	2_2_0345438F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03428397 mov eax, dword ptr fs:[00000030h]	2_2_03428397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03428397 mov eax, dword ptr fs:[00000030h]	2_2_03428397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03428397 mov eax, dword ptr fs:[00000030h]	2_2_03428397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B8243 mov eax, dword ptr fs:[00000030h]	2_2_034B8243
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B8243 mov ecx, dword ptr fs:[00000030h]	2_2_034B8243
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0350625D mov eax, dword ptr fs:[00000030h]	2_2_0350625D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0342A250 mov eax, dword ptr fs:[00000030h]	2_2_0342A250
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03436259 mov eax, dword ptr fs:[00000030h]	2_2_03436259
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034EA250 mov eax, dword ptr fs:[00000030h]	2_2_034EA250
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034EA250 mov eax, dword ptr fs:[00000030h]	2_2_034EA250
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03434260 mov eax, dword ptr fs:[00000030h]	2_2_03434260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03434260 mov eax, dword ptr fs:[00000030h]	2_2_03434260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03434260 mov eax, dword ptr fs:[00000030h]	2_2_03434260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0342826B mov eax, dword ptr fs:[00000030h]	2_2_0342826B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034E0274 mov eax, dword ptr fs:[00000030h]	2_2_034E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034E0274 mov eax, dword ptr fs:[00000030h]	2_2_034E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034E0274 mov eax, dword ptr fs:[00000030h]	2_2_034E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034E0274 mov eax, dword ptr fs:[00000030h]	2_2_034E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034E0274 mov eax, dword ptr fs:[00000030h]	2_2_034E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034E0274 mov eax, dword ptr fs:[00000030h]	2_2_034E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034E0274 mov eax, dword ptr fs:[00000030h]	2_2_034E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034E0274 mov eax, dword ptr fs:[00000030h]	2_2_034E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034E0274 mov eax, dword ptr fs:[00000030h]	2_2_034E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034E0274 mov eax, dword ptr fs:[00000030h]	2_2_034E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034E0274 mov eax, dword ptr fs:[00000030h]	2_2_034E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034E0274 mov eax, dword ptr fs:[00000030h]	2_2_034E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0342823B mov eax, dword ptr fs:[00000030h]	2_2_0342823B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0343A2C3 mov eax, dword ptr fs:[00000030h]	2_2_0343A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0343A2C3 mov eax, dword ptr fs:[00000030h]	2_2_0343A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0343A2C3 mov eax, dword ptr fs:[00000030h]	2_2_0343A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0343A2C3 mov eax, dword ptr fs:[00000030h]	2_2_0343A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0343A2C3 mov eax, dword ptr fs:[00000030h]	2_2_0343A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035062D6 mov eax, dword ptr fs:[00000030h]	2_2_035062D6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034402E1 mov eax, dword ptr fs:[00000030h]	2_2_034402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034402E1 mov eax, dword ptr fs:[00000030h]	2_2_034402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034402E1 mov eax, dword ptr fs:[00000030h]	2_2_034402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346E284 mov eax, dword ptr fs:[00000030h]	2_2_0346E284
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346E284 mov eax, dword ptr fs:[00000030h]	2_2_0346E284
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B0283 mov eax, dword ptr fs:[00000030h]	2_2_034B0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B0283 mov eax, dword ptr fs:[00000030h]	2_2_034B0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B0283 mov eax, dword ptr fs:[00000030h]	2_2_034B0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034C62A0 mov eax, dword ptr fs:[00000030h]	2_2_034C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034C62A0 mov ecx, dword ptr fs:[00000030h]	2_2_034C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034C62A0 mov eax, dword ptr fs:[00000030h]	2_2_034C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034C62A0 mov eax, dword ptr fs:[00000030h]	2_2_034C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034C62A0 mov eax, dword ptr fs:[00000030h]	2_2_034C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034C62A0 mov eax, dword ptr fs:[00000030h]	2_2_034C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034C4144 mov eax, dword ptr fs:[00000030h]	2_2_034C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034C4144 mov eax, dword ptr fs:[00000030h]	2_2_034C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034C4144 mov ecx, dword ptr fs:[00000030h]	2_2_034C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034C4144 mov eax, dword ptr fs:[00000030h]	2_2_034C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034C4144 mov eax, dword ptr fs:[00000030h]	2_2_034C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0342C156 mov eax, dword ptr fs:[00000030h]	2_2_0342C156
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034C8158 mov eax, dword ptr fs:[00000030h]	2_2_034C8158
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03436154 mov eax, dword ptr fs:[00000030h]	2_2_03436154
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03436154 mov eax, dword ptr fs:[00000030h]	2_2_03436154
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03504164 mov eax, dword ptr fs:[00000030h]	2_2_03504164
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03504164 mov eax, dword ptr fs:[00000030h]	2_2_03504164
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034DE10E mov eax, dword ptr fs:[00000030h]	2_2_034DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034DE10E mov ecx, dword ptr fs:[00000030h]	2_2_034DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034DE10E mov eax, dword ptr fs:[00000030h]	2_2_034DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034DE10E mov eax, dword ptr fs:[00000030h]	2_2_034DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034DE10E mov ecx, dword ptr fs:[00000030h]	2_2_034DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034DE10E mov eax, dword ptr fs:[00000030h]	2_2_034DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034DE10E mov eax, dword ptr fs:[00000030h]	2_2_034DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034DE10E mov ecx, dword ptr fs:[00000030h]	2_2_034DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034DE10E mov eax, dword ptr fs:[00000030h]	2_2_034DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034DE10E mov ecx, dword ptr fs:[00000030h]	2_2_034DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034DA118 mov ecx, dword ptr fs:[00000030h]	2_2_034DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034DA118 mov eax, dword ptr fs:[00000030h]	2_2_034DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034DA118 mov eax, dword ptr fs:[00000030h]	2_2_034DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034DA118 mov eax, dword ptr fs:[00000030h]	2_2_034DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034F0115 mov eax, dword ptr fs:[00000030h]	2_2_034F0115
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03460124 mov eax, dword ptr fs:[00000030h]	2_2_03460124
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034F61C3 mov eax, dword ptr fs:[00000030h]	2_2_034F61C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034F61C3 mov eax, dword ptr fs:[00000030h]	2_2_034F61C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034AE1D0 mov eax, dword ptr fs:[00000030h]	2_2_034AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034AE1D0 mov eax, dword ptr fs:[00000030h]	2_2_034AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034AE1D0 mov ecx, dword ptr fs:[00000030h]	2_2_034AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034AE1D0 mov eax, dword ptr fs:[00000030h]	2_2_034AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034AE1D0 mov eax, dword ptr fs:[00000030h]	2_2_034AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035061E5 mov eax, dword ptr fs:[00000030h]	2_2_035061E5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034601F8 mov eax, dword ptr fs:[00000030h]	2_2_034601F8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03470185 mov eax, dword ptr fs:[00000030h]	2_2_03470185
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034EC188 mov eax, dword ptr fs:[00000030h]	2_2_034EC188
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034EC188 mov eax, dword ptr fs:[00000030h]	2_2_034EC188
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034D4180 mov eax, dword ptr fs:[00000030h]	2_2_034D4180
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034D4180 mov eax, dword ptr fs:[00000030h]	2_2_034D4180
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B019F mov eax, dword ptr fs:[00000030h]	2_2_034B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B019F mov eax, dword ptr fs:[00000030h]	2_2_034B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B019F mov eax, dword ptr fs:[00000030h]	2_2_034B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B019F mov eax, dword ptr fs:[00000030h]	2_2_034B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0342A197 mov eax, dword ptr fs:[00000030h]	2_2_0342A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0342A197 mov eax, dword ptr fs:[00000030h]	2_2_0342A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0342A197 mov eax, dword ptr fs:[00000030h]	2_2_0342A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03432050 mov eax, dword ptr fs:[00000030h]	2_2_03432050
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B6050 mov eax, dword ptr fs:[00000030h]	2_2_034B6050
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0345C073 mov eax, dword ptr fs:[00000030h]	2_2_0345C073
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B4000 mov ecx, dword ptr fs:[00000030h]	2_2_034B4000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034D2000 mov eax, dword ptr fs:[00000030h]	2_2_034D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034D2000 mov eax, dword ptr fs:[00000030h]	2_2_034D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034D2000 mov eax, dword ptr fs:[00000030h]	2_2_034D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034D2000 mov eax, dword ptr fs:[00000030h]	2_2_034D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034D2000 mov eax, dword ptr fs:[00000030h]	2_2_034D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034D2000 mov eax, dword ptr fs:[00000030h]	2_2_034D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034D2000 mov eax, dword ptr fs:[00000030h]	2_2_034D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034D2000 mov eax, dword ptr fs:[00000030h]	2_2_034D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0344E016 mov eax, dword ptr fs:[00000030h]	2_2_0344E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0344E016 mov eax, dword ptr fs:[00000030h]	2_2_0344E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0344E016 mov eax, dword ptr fs:[00000030h]	2_2_0344E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0344E016 mov eax, dword ptr fs:[00000030h]	2_2_0344E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0342A020 mov eax, dword ptr fs:[00000030h]	2_2_0342A020
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0342C020 mov eax, dword ptr fs:[00000030h]	2_2_0342C020
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034C6030 mov eax, dword ptr fs:[00000030h]	2_2_034C6030
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B20DE mov eax, dword ptr fs:[00000030h]	2_2_034B20DE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0342A0E3 mov ecx, dword ptr fs:[00000030h]	2_2_0342A0E3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034380E9 mov eax, dword ptr fs:[00000030h]	2_2_034380E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B60E0 mov eax, dword ptr fs:[00000030h]	2_2_034B60E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0342C0F0 mov eax, dword ptr fs:[00000030h]	2_2_0342C0F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034720F0 mov ecx, dword ptr fs:[00000030h]	2_2_034720F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0343208A mov eax, dword ptr fs:[00000030h]	2_2_0343208A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034280A0 mov eax, dword ptr fs:[00000030h]	2_2_034280A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034C80A8 mov eax, dword ptr fs:[00000030h]	2_2_034C80A8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034F60B8 mov eax, dword ptr fs:[00000030h]	2_2_034F60B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034F60B8 mov ecx, dword ptr fs:[00000030h]	2_2_034F60B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346674D mov esi, dword ptr fs:[00000030h]	2_2_0346674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346674D mov eax, dword ptr fs:[00000030h]	2_2_0346674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346674D mov eax, dword ptr fs:[00000030h]	2_2_0346674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03430750 mov eax, dword ptr fs:[00000030h]	2_2_03430750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034BE75D mov eax, dword ptr fs:[00000030h]	2_2_034BE75D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03472750 mov eax, dword ptr fs:[00000030h]	2_2_03472750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03472750 mov eax, dword ptr fs:[00000030h]	2_2_03472750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B4755 mov eax, dword ptr fs:[00000030h]	2_2_034B4755
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03438770 mov eax, dword ptr fs:[00000030h]	2_2_03438770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03440770 mov eax, dword ptr fs:[00000030h]	2_2_03440770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03440770 mov eax, dword ptr fs:[00000030h]	2_2_03440770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03440770 mov eax, dword ptr fs:[00000030h]	2_2_03440770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03440770 mov eax, dword ptr fs:[00000030h]	2_2_03440770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03440770 mov eax, dword ptr fs:[00000030h]	2_2_03440770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03440770 mov eax, dword ptr fs:[00000030h]	2_2_03440770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03440770 mov eax, dword ptr fs:[00000030h]	2_2_03440770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03440770 mov eax, dword ptr fs:[00000030h]	2_2_03440770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03440770 mov eax, dword ptr fs:[00000030h]	2_2_03440770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03440770 mov eax, dword ptr fs:[00000030h]	2_2_03440770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03440770 mov eax, dword ptr fs:[00000030h]	2_2_03440770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03440770 mov eax, dword ptr fs:[00000030h]	2_2_03440770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346C700 mov eax, dword ptr fs:[00000030h]	2_2_0346C700
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03430710 mov eax, dword ptr fs:[00000030h]	2_2_03430710
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03460710 mov eax, dword ptr fs:[00000030h]	2_2_03460710
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346C720 mov eax, dword ptr fs:[00000030h]	2_2_0346C720
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346C720 mov eax, dword ptr fs:[00000030h]	2_2_0346C720
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346273C mov eax, dword ptr fs:[00000030h]	2_2_0346273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346273C mov ecx, dword ptr fs:[00000030h]	2_2_0346273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346273C mov eax, dword ptr fs:[00000030h]	2_2_0346273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034AC730 mov eax, dword ptr fs:[00000030h]	2_2_034AC730
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0343C7C0 mov eax, dword ptr fs:[00000030h]	2_2_0343C7C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B07C3 mov eax, dword ptr fs:[00000030h]	2_2_034B07C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034527ED mov eax, dword ptr fs:[00000030h]	2_2_034527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034527ED mov eax, dword ptr fs:[00000030h]	2_2_034527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034527ED mov eax, dword ptr fs:[00000030h]	2_2_034527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034BE7E1 mov eax, dword ptr fs:[00000030h]	2_2_034BE7E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034347FB mov eax, dword ptr fs:[00000030h]	2_2_034347FB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034347FB mov eax, dword ptr fs:[00000030h]	2_2_034347FB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034D678E mov eax, dword ptr fs:[00000030h]	2_2_034D678E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034307AF mov eax, dword ptr fs:[00000030h]	2_2_034307AF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034E47A0 mov eax, dword ptr fs:[00000030h]	2_2_034E47A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0344C640 mov eax, dword ptr fs:[00000030h]	2_2_0344C640
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034F866E mov eax, dword ptr fs:[00000030h]	2_2_034F866E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034F866E mov eax, dword ptr fs:[00000030h]	2_2_034F866E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346A660 mov eax, dword ptr fs:[00000030h]	2_2_0346A660
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346A660 mov eax, dword ptr fs:[00000030h]	2_2_0346A660
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03462674 mov eax, dword ptr fs:[00000030h]	2_2_03462674
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034AE609 mov eax, dword ptr fs:[00000030h]	2_2_034AE609
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0344260B mov eax, dword ptr fs:[00000030h]	2_2_0344260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0344260B mov eax, dword ptr fs:[00000030h]	2_2_0344260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0344260B mov eax, dword ptr fs:[00000030h]	2_2_0344260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0344260B mov eax, dword ptr fs:[00000030h]	2_2_0344260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0344260B mov eax, dword ptr fs:[00000030h]	2_2_0344260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0344260B mov eax, dword ptr fs:[00000030h]	2_2_0344260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0344260B mov eax, dword ptr fs:[00000030h]	2_2_0344260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03472619 mov eax, dword ptr fs:[00000030h]	2_2_03472619
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0344E627 mov eax, dword ptr fs:[00000030h]	2_2_0344E627
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03466620 mov eax, dword ptr fs:[00000030h]	2_2_03466620
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03468620 mov eax, dword ptr fs:[00000030h]	2_2_03468620
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0343262C mov eax, dword ptr fs:[00000030h]	2_2_0343262C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346A6C7 mov ebx, dword ptr fs:[00000030h]	2_2_0346A6C7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346A6C7 mov eax, dword ptr fs:[00000030h]	2_2_0346A6C7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034AE6F2 mov eax, dword ptr fs:[00000030h]	2_2_034AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034AE6F2 mov eax, dword ptr fs:[00000030h]	2_2_034AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034AE6F2 mov eax, dword ptr fs:[00000030h]	2_2_034AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034AE6F2 mov eax, dword ptr fs:[00000030h]	2_2_034AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B06F1 mov eax, dword ptr fs:[00000030h]	2_2_034B06F1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B06F1 mov eax, dword ptr fs:[00000030h]	2_2_034B06F1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03434690 mov eax, dword ptr fs:[00000030h]	2_2_03434690
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03434690 mov eax, dword ptr fs:[00000030h]	2_2_03434690
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346C6A6 mov eax, dword ptr fs:[00000030h]	2_2_0346C6A6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034666B0 mov eax, dword ptr fs:[00000030h]	2_2_034666B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03438550 mov eax, dword ptr fs:[00000030h]	2_2_03438550
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03438550 mov eax, dword ptr fs:[00000030h]	2_2_03438550
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346656A mov eax, dword ptr fs:[00000030h]	2_2_0346656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346656A mov eax, dword ptr fs:[00000030h]	2_2_0346656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346656A mov eax, dword ptr fs:[00000030h]	2_2_0346656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034C6500 mov eax, dword ptr fs:[00000030h]	2_2_034C6500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03504500 mov eax, dword ptr fs:[00000030h]	2_2_03504500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03504500 mov eax, dword ptr fs:[00000030h]	2_2_03504500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03504500 mov eax, dword ptr fs:[00000030h]	2_2_03504500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03504500 mov eax, dword ptr fs:[00000030h]	2_2_03504500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03504500 mov eax, dword ptr fs:[00000030h]	2_2_03504500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03504500 mov eax, dword ptr fs:[00000030h]	2_2_03504500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03504500 mov eax, dword ptr fs:[00000030h]	2_2_03504500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03440535 mov eax, dword ptr fs:[00000030h]	2_2_03440535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03440535 mov eax, dword ptr fs:[00000030h]	2_2_03440535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03440535 mov eax, dword ptr fs:[00000030h]	2_2_03440535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03440535 mov eax, dword ptr fs:[00000030h]	2_2_03440535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03440535 mov eax, dword ptr fs:[00000030h]	2_2_03440535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03440535 mov eax, dword ptr fs:[00000030h]	2_2_03440535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0345E53E mov eax, dword ptr fs:[00000030h]	2_2_0345E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0345E53E mov eax, dword ptr fs:[00000030h]	2_2_0345E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0345E53E mov eax, dword ptr fs:[00000030h]	2_2_0345E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0345E53E mov eax, dword ptr fs:[00000030h]	2_2_0345E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0345E53E mov eax, dword ptr fs:[00000030h]	2_2_0345E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346E5CF mov eax, dword ptr fs:[00000030h]	2_2_0346E5CF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346E5CF mov eax, dword ptr fs:[00000030h]	2_2_0346E5CF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034365D0 mov eax, dword ptr fs:[00000030h]	2_2_034365D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346A5D0 mov eax, dword ptr fs:[00000030h]	2_2_0346A5D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346A5D0 mov eax, dword ptr fs:[00000030h]	2_2_0346A5D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0345E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0345E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0345E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0345E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0345E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0345E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0345E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0345E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0345E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0345E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0345E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0345E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0345E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0345E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0345E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0345E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034325E0 mov eax, dword ptr fs:[00000030h]	2_2_034325E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346C5ED mov eax, dword ptr fs:[00000030h]	2_2_0346C5ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346C5ED mov eax, dword ptr fs:[00000030h]	2_2_0346C5ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03432582 mov eax, dword ptr fs:[00000030h]	2_2_03432582
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03432582 mov ecx, dword ptr fs:[00000030h]	2_2_03432582
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03464588 mov eax, dword ptr fs:[00000030h]	2_2_03464588
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346E59C mov eax, dword ptr fs:[00000030h]	2_2_0346E59C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B05A7 mov eax, dword ptr fs:[00000030h]	2_2_034B05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B05A7 mov eax, dword ptr fs:[00000030h]	2_2_034B05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B05A7 mov eax, dword ptr fs:[00000030h]	2_2_034B05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034545B1 mov eax, dword ptr fs:[00000030h]	2_2_034545B1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034545B1 mov eax, dword ptr fs:[00000030h]	2_2_034545B1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346E443 mov eax, dword ptr fs:[00000030h]	2_2_0346E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346E443 mov eax, dword ptr fs:[00000030h]	2_2_0346E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346E443 mov eax, dword ptr fs:[00000030h]	2_2_0346E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346E443 mov eax, dword ptr fs:[00000030h]	2_2_0346E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346E443 mov eax, dword ptr fs:[00000030h]	2_2_0346E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346E443 mov eax, dword ptr fs:[00000030h]	2_2_0346E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346E443 mov eax, dword ptr fs:[00000030h]	2_2_0346E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346E443 mov eax, dword ptr fs:[00000030h]	2_2_0346E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034EA456 mov eax, dword ptr fs:[00000030h]	2_2_034EA456
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0342645D mov eax, dword ptr fs:[00000030h]	2_2_0342645D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0345245A mov eax, dword ptr fs:[00000030h]	2_2_0345245A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034BC460 mov ecx, dword ptr fs:[00000030h]	2_2_034BC460
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0345A470 mov eax, dword ptr fs:[00000030h]	2_2_0345A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0345A470 mov eax, dword ptr fs:[00000030h]	2_2_0345A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0345A470 mov eax, dword ptr fs:[00000030h]	2_2_0345A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03468402 mov eax, dword ptr fs:[00000030h]	2_2_03468402
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03468402 mov eax, dword ptr fs:[00000030h]	2_2_03468402
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03468402 mov eax, dword ptr fs:[00000030h]	2_2_03468402
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0342E420 mov eax, dword ptr fs:[00000030h]	2_2_0342E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0342E420 mov eax, dword ptr fs:[00000030h]	2_2_0342E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0342E420 mov eax, dword ptr fs:[00000030h]	2_2_0342E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0342C427 mov eax, dword ptr fs:[00000030h]	2_2_0342C427
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B6420 mov eax, dword ptr fs:[00000030h]	2_2_034B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B6420 mov eax, dword ptr fs:[00000030h]	2_2_034B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B6420 mov eax, dword ptr fs:[00000030h]	2_2_034B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B6420 mov eax, dword ptr fs:[00000030h]	2_2_034B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B6420 mov eax, dword ptr fs:[00000030h]	2_2_034B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B6420 mov eax, dword ptr fs:[00000030h]	2_2_034B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B6420 mov eax, dword ptr fs:[00000030h]	2_2_034B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346A430 mov eax, dword ptr fs:[00000030h]	2_2_0346A430
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034304E5 mov ecx, dword ptr fs:[00000030h]	2_2_034304E5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034EA49A mov eax, dword ptr fs:[00000030h]	2_2_034EA49A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034364AB mov eax, dword ptr fs:[00000030h]	2_2_034364AB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034644B0 mov ecx, dword ptr fs:[00000030h]	2_2_034644B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034BA4B0 mov eax, dword ptr fs:[00000030h]	2_2_034BA4B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034E4B4B mov eax, dword ptr fs:[00000030h]	2_2_034E4B4B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034E4B4B mov eax, dword ptr fs:[00000030h]	2_2_034E4B4B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03502B57 mov eax, dword ptr fs:[00000030h]	2_2_03502B57
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03502B57 mov eax, dword ptr fs:[00000030h]	2_2_03502B57
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03502B57 mov eax, dword ptr fs:[00000030h]	2_2_03502B57
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03502B57 mov eax, dword ptr fs:[00000030h]	2_2_03502B57
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034C6B40 mov eax, dword ptr fs:[00000030h]	2_2_034C6B40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034C6B40 mov eax, dword ptr fs:[00000030h]	2_2_034C6B40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034FAB40 mov eax, dword ptr fs:[00000030h]	2_2_034FAB40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034D8B42 mov eax, dword ptr fs:[00000030h]	2_2_034D8B42
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03428B50 mov eax, dword ptr fs:[00000030h]	2_2_03428B50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034DEB50 mov eax, dword ptr fs:[00000030h]	2_2_034DEB50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0342CB7E mov eax, dword ptr fs:[00000030h]	2_2_0342CB7E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03504B00 mov eax, dword ptr fs:[00000030h]	2_2_03504B00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034AEB1D mov eax, dword ptr fs:[00000030h]	2_2_034AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034AEB1D mov eax, dword ptr fs:[00000030h]	2_2_034AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034AEB1D mov eax, dword ptr fs:[00000030h]	2_2_034AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034AEB1D mov eax, dword ptr fs:[00000030h]	2_2_034AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034AEB1D mov eax, dword ptr fs:[00000030h]	2_2_034AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034AEB1D mov eax, dword ptr fs:[00000030h]	2_2_034AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034AEB1D mov eax, dword ptr fs:[00000030h]	2_2_034AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034AEB1D mov eax, dword ptr fs:[00000030h]	2_2_034AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034AEB1D mov eax, dword ptr fs:[00000030h]	2_2_034AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0345EB20 mov eax, dword ptr fs:[00000030h]	2_2_0345EB20
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0345EB20 mov eax, dword ptr fs:[00000030h]	2_2_0345EB20
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034F8B28 mov eax, dword ptr fs:[00000030h]	2_2_034F8B28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034F8B28 mov eax, dword ptr fs:[00000030h]	2_2_034F8B28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03450BCB mov eax, dword ptr fs:[00000030h]	2_2_03450BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03450BCB mov eax, dword ptr fs:[00000030h]	2_2_03450BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03450BCB mov eax, dword ptr fs:[00000030h]	2_2_03450BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03430BCD mov eax, dword ptr fs:[00000030h]	2_2_03430BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03430BCD mov eax, dword ptr fs:[00000030h]	2_2_03430BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03430BCD mov eax, dword ptr fs:[00000030h]	2_2_03430BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034DEBD0 mov eax, dword ptr fs:[00000030h]	2_2_034DEBD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03438BF0 mov eax, dword ptr fs:[00000030h]	2_2_03438BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03438BF0 mov eax, dword ptr fs:[00000030h]	2_2_03438BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03438BF0 mov eax, dword ptr fs:[00000030h]	2_2_03438BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0345EBFC mov eax, dword ptr fs:[00000030h]	2_2_0345EBFC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034BCBF0 mov eax, dword ptr fs:[00000030h]	2_2_034BCBF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03440BBE mov eax, dword ptr fs:[00000030h]	2_2_03440BBE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03440BBE mov eax, dword ptr fs:[00000030h]	2_2_03440BBE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034E4BB0 mov eax, dword ptr fs:[00000030h]	2_2_034E4BB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034E4BB0 mov eax, dword ptr fs:[00000030h]	2_2_034E4BB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03436A50 mov eax, dword ptr fs:[00000030h]	2_2_03436A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03436A50 mov eax, dword ptr fs:[00000030h]	2_2_03436A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03436A50 mov eax, dword ptr fs:[00000030h]	2_2_03436A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03436A50 mov eax, dword ptr fs:[00000030h]	2_2_03436A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03436A50 mov eax, dword ptr fs:[00000030h]	2_2_03436A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03436A50 mov eax, dword ptr fs:[00000030h]	2_2_03436A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03436A50 mov eax, dword ptr fs:[00000030h]	2_2_03436A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03440A5B mov eax, dword ptr fs:[00000030h]	2_2_03440A5B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03440A5B mov eax, dword ptr fs:[00000030h]	2_2_03440A5B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346CA6F mov eax, dword ptr fs:[00000030h]	2_2_0346CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346CA6F mov eax, dword ptr fs:[00000030h]	2_2_0346CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346CA6F mov eax, dword ptr fs:[00000030h]	2_2_0346CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034DEA60 mov eax, dword ptr fs:[00000030h]	2_2_034DEA60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034ACA72 mov eax, dword ptr fs:[00000030h]	2_2_034ACA72
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034ACA72 mov eax, dword ptr fs:[00000030h]	2_2_034ACA72
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034BCA11 mov eax, dword ptr fs:[00000030h]	2_2_034BCA11
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346CA24 mov eax, dword ptr fs:[00000030h]	2_2_0346CA24
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0345EA2E mov eax, dword ptr fs:[00000030h]	2_2_0345EA2E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03454A35 mov eax, dword ptr fs:[00000030h]	2_2_03454A35
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03454A35 mov eax, dword ptr fs:[00000030h]	2_2_03454A35
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346CA38 mov eax, dword ptr fs:[00000030h]	2_2_0346CA38
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03486ACC mov eax, dword ptr fs:[00000030h]	2_2_03486ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03486ACC mov eax, dword ptr fs:[00000030h]	2_2_03486ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03486ACC mov eax, dword ptr fs:[00000030h]	2_2_03486ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03430AD0 mov eax, dword ptr fs:[00000030h]	2_2_03430AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03464AD0 mov eax, dword ptr fs:[00000030h]	2_2_03464AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03464AD0 mov eax, dword ptr fs:[00000030h]	2_2_03464AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346AAEE mov eax, dword ptr fs:[00000030h]	2_2_0346AAEE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346AAEE mov eax, dword ptr fs:[00000030h]	2_2_0346AAEE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0343EA80 mov eax, dword ptr fs:[00000030h]	2_2_0343EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0343EA80 mov eax, dword ptr fs:[00000030h]	2_2_0343EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0343EA80 mov eax, dword ptr fs:[00000030h]	2_2_0343EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0343EA80 mov eax, dword ptr fs:[00000030h]	2_2_0343EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0343EA80 mov eax, dword ptr fs:[00000030h]	2_2_0343EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0343EA80 mov eax, dword ptr fs:[00000030h]	2_2_0343EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0343EA80 mov eax, dword ptr fs:[00000030h]	2_2_0343EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0343EA80 mov eax, dword ptr fs:[00000030h]	2_2_0343EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0343EA80 mov eax, dword ptr fs:[00000030h]	2_2_0343EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03504A80 mov eax, dword ptr fs:[00000030h]	2_2_03504A80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03468A90 mov edx, dword ptr fs:[00000030h]	2_2_03468A90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03438AA0 mov eax, dword ptr fs:[00000030h]	2_2_03438AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03438AA0 mov eax, dword ptr fs:[00000030h]	2_2_03438AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03486AA4 mov eax, dword ptr fs:[00000030h]	2_2_03486AA4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B0946 mov eax, dword ptr fs:[00000030h]	2_2_034B0946
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03504940 mov eax, dword ptr fs:[00000030h]	2_2_03504940
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03456962 mov eax, dword ptr fs:[00000030h]	2_2_03456962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03456962 mov eax, dword ptr fs:[00000030h]	2_2_03456962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03456962 mov eax, dword ptr fs:[00000030h]	2_2_03456962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0347096E mov eax, dword ptr fs:[00000030h]	2_2_0347096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0347096E mov edx, dword ptr fs:[00000030h]	2_2_0347096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0347096E mov eax, dword ptr fs:[00000030h]	2_2_0347096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034D4978 mov eax, dword ptr fs:[00000030h]	2_2_034D4978
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034D4978 mov eax, dword ptr fs:[00000030h]	2_2_034D4978
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034BC97C mov eax, dword ptr fs:[00000030h]	2_2_034BC97C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034AE908 mov eax, dword ptr fs:[00000030h]	2_2_034AE908
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034AE908 mov eax, dword ptr fs:[00000030h]	2_2_034AE908
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034BC912 mov eax, dword ptr fs:[00000030h]	2_2_034BC912
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03428918 mov eax, dword ptr fs:[00000030h]	2_2_03428918
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03428918 mov eax, dword ptr fs:[00000030h]	2_2_03428918
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B892A mov eax, dword ptr fs:[00000030h]	2_2_034B892A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034C892B mov eax, dword ptr fs:[00000030h]	2_2_034C892B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034C69C0 mov eax, dword ptr fs:[00000030h]	2_2_034C69C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0343A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0343A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0343A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0343A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0343A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0343A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0343A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0343A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0343A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0343A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0343A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0343A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034649D0 mov eax, dword ptr fs:[00000030h]	2_2_034649D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034FA9D3 mov eax, dword ptr fs:[00000030h]	2_2_034FA9D3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034BE9E0 mov eax, dword ptr fs:[00000030h]	2_2_034BE9E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034629F9 mov eax, dword ptr fs:[00000030h]	2_2_034629F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034629F9 mov eax, dword ptr fs:[00000030h]	2_2_034629F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034429A0 mov eax, dword ptr fs:[00000030h]	2_2_034429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034429A0 mov eax, dword ptr fs:[00000030h]	2_2_034429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034429A0 mov eax, dword ptr fs:[00000030h]	2_2_034429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034429A0 mov eax, dword ptr fs:[00000030h]	2_2_034429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034429A0 mov eax, dword ptr fs:[00000030h]	2_2_034429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034429A0 mov eax, dword ptr fs:[00000030h]	2_2_034429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034429A0 mov eax, dword ptr fs:[00000030h]	2_2_034429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034429A0 mov eax, dword ptr fs:[00000030h]	2_2_034429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034429A0 mov eax, dword ptr fs:[00000030h]	2_2_034429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034429A0 mov eax, dword ptr fs:[00000030h]	2_2_034429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034429A0 mov eax, dword ptr fs:[00000030h]	2_2_034429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034429A0 mov eax, dword ptr fs:[00000030h]	2_2_034429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034429A0 mov eax, dword ptr fs:[00000030h]	2_2_034429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034309AD mov eax, dword ptr fs:[00000030h]	2_2_034309AD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034309AD mov eax, dword ptr fs:[00000030h]	2_2_034309AD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B89B3 mov esi, dword ptr fs:[00000030h]	2_2_034B89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B89B3 mov eax, dword ptr fs:[00000030h]	2_2_034B89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B89B3 mov eax, dword ptr fs:[00000030h]	2_2_034B89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03442840 mov ecx, dword ptr fs:[00000030h]	2_2_03442840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03460854 mov eax, dword ptr fs:[00000030h]	2_2_03460854
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03434859 mov eax, dword ptr fs:[00000030h]	2_2_03434859
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03434859 mov eax, dword ptr fs:[00000030h]	2_2_03434859
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034BE872 mov eax, dword ptr fs:[00000030h]	2_2_034BE872
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034BE872 mov eax, dword ptr fs:[00000030h]	2_2_034BE872
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034C6870 mov eax, dword ptr fs:[00000030h]	2_2_034C6870
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034C6870 mov eax, dword ptr fs:[00000030h]	2_2_034C6870
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034BC810 mov eax, dword ptr fs:[00000030h]	2_2_034BC810
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03452835 mov eax, dword ptr fs:[00000030h]	2_2_03452835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03452835 mov eax, dword ptr fs:[00000030h]	2_2_03452835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03452835 mov eax, dword ptr fs:[00000030h]	2_2_03452835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03452835 mov ecx, dword ptr fs:[00000030h]	2_2_03452835

Source: C:\Users\user\Desktop\lExtvSjBgq.exe

Code function: 0_2_002380A9 GetTokenInformation,GetLastError,GetProcessHeap,HeapAlloc,GetTokenInformation,

0_2_002380A9

Source: C:\Users\user\Desktop\lExtvSjBgq.exe	Code function: 0_2_0020A124 SetUnhandledExceptionFilter,		0_2_0020A124
Source: C:\Users\user\Desktop\lExtvSjBgq.exe	Code function: 0_2_0020A155 SetUnhandledExceptionFilter,UnhandledExceptionFilter,		0_2_0020A155

HIPS / PFW / Operating System Protection Evasion

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\lExtvSjBgq.exe

Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\lExtvSjBgq.exe

Memory written: C:\Windows\SysWOW64\svchost.exe base: 865008

Jump to behavior

Source: C:\Users\user\Desktop\lExtvSjBgq.exe

Code function: 0_2_002387B1 LogonUserW,

0_2_002387B1

Source: C:\Users\user\Desktop\lExtvSjBgq.exe

Code function: 0_2_001E3B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_001E3B3A

Source: C:\Users\user\Desktop\lExtvSjBgq.exe

Code function: 0_2_001E48D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,

0_2_001E48D7

Source: C:\Users\user\Desktop\lExtvSjBgq.exe

Code function: 0_2_00244C27 mouse_event,

0_2_00244C27

Source: C:\Users\user\Desktop\lExtvSjBgq.exe

Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\lExtvSjBgq.exe"

Jump to behavior

Source: C:\Users\user\Desktop\lExtvSjBgq.exe

Code function: 0_2_00237CAF GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,

0_2_00237CAF

Source: C:\Users\user\Desktop\lExtvSjBgq.exe

Code function: 0_2_0023874B AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_0023874B

Source: lExtvSjBgq.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: lExtvSjBgq.exe	Binary or memory string: Shell_TrayWnd

Source: C:\Users\user\Desktop\lExtvSjBgq.exe

Code function: 0_2_0020862B cpuid

0_2_0020862B

Source: C:\Users\user\Desktop\lExtvSjBgq.exe

Code function: 0_2_00214E87 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00214E87

Source: C:\Users\user\Desktop\lExtvSjBgq.exe

Code function: 0_2_00221E06 GetUserNameW,

0_2_00221E06

Source: C:\Users\user\Desktop\lExtvSjBgq.exe

Code function: 0_2_00213F3A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

0_2_00213F3A

Source: C:\Users\user\Desktop\lExtvSjBgq.exe

Code function: 0_2_001E49A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_001E49A0

Stealing of Sensitive Information

Yara detected FormBook

Source: Yara match	File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.2887345795.0000000002D60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2887106496.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

Source: lExtvSjBgq.exe	Binary or memory string: WIN_81
Source: lExtvSjBgq.exe	Binary or memory string: WIN_XP
Source: lExtvSjBgq.exe	Binary or memory string: WIN_XPe
Source: lExtvSjBgq.exe	Binary or memory string: WIN_VISTA
Source: lExtvSjBgq.exe	Binary or memory string: WIN_7
Source: lExtvSjBgq.exe	Binary or memory string: WIN_8
Source: lExtvSjBgq.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 0USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte

Remote Access Functionality

Yara detected FormBook

Source: Yara match	File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.2887345795.0000000002D60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2887106496.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\lExtvSjBgq.exe	Code function: 0_2_00256283 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,		0_2_00256283
Source: C:\Users\user\Desktop\lExtvSjBgq.exe	Code function: 0_2_00256747 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		0_2_00256747

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	2 Native API	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	1 Disable or Modify Tools	21 Input Capture	2 System Time Discovery	Remote Services	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	2 Command and Scripting Interpreter	2 Valid Accounts	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	21 Input Capture	1 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	2 Valid Accounts	2 Obfuscated Files or Information	Security Account Manager	1 File and Directory Discovery	SMB/Windows Admin Shares	3 Clipboard Data	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	21 Access Token Manipulation	1 DLL Side-Loading	NTDS	115 System Information Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	212 Process Injection	2 Valid Accounts	LSA Secrets	25 Security Software Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	2 Virtualization/Sandbox Evasion	Cached Domain Credentials	2 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	21 Access Token Manipulation	DCSync	3 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	212 Process Injection	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	HTML Smuggling	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
lExtvSjBgq.exe	69%	Virustotal		Browse
lExtvSjBgq.exe	74%	ReversingLabs	Win32.Backdoor.FormBook
lExtvSjBgq.exe	100%	Joe Sandbox ML

Name	IP	Active	Malicious	Antivirus Detection	Reputation
s-part-0017.t-0009.t-msedge.net	13.107.246.45	true	false		high

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1587677
Start date and time:	2025-01-10 16:53:31 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 14s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name:	Run with higher sleep bypass
Number of analysed new started processes analysed:	5
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	lExtvSjBgq.exe renamed because original name is a hash value
Original Sample Name:	959963e520fea06fa091046fbae311a892ffca7541c82816f7a67c508fc3c898.exe
Detection:	MAL
Classification:	mal84.troj.evad.winEXE@3/2@0/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 98% Number of executed functions: 52 Number of non-executed functions: 277
Cookbook Comments:	Found application associated with file extension: .exe Sleeps bigger than 100000000ms are automatically reduced to 1000ms Sleep loops longer than 100000000ms are bypassed. Single calls with delay of 100000000ms and higher are ignored Stop behavior analysis, all processes terminated

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded IPs from analysis (whitelisted): 13.107.246.45, 172.202.163.200
Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, otelrules.afd.azureedge.net, ctldl.windowsupdate.com, azureedge-t-prod.trafficmanager.net, d.4.1.9.1.6.7.1.0.0.0.0.0.0.0.0.1.0.0.9.0.0.1.f.1.1.1.0.1.0.a.2.ip6.arpa, fe3cr.delivery.mp.microsoft.com
Report size exceeded maximum capacity and may have missing disassembly code.

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
s-part-0017.t-0009.t-msedge.net	Axvn7Hegxc.exe	Get hash	malicious	Unknown	Browse	13.107.246.45
	tx4pkcHL9o.exe	Get hash	malicious	MassLogger RAT	Browse	13.107.246.45
	raq4ttncJF.exe	Get hash	malicious	FormBook	Browse	13.107.246.45
	WF2DL1l7E8.exe	Get hash	malicious	FormBook	Browse	13.107.246.45
	Play_VM-NowTingrammAudiowav011.html	Get hash	malicious	Unknown	Browse	13.107.246.45
	launcher.exe.bin.exe	Get hash	malicious	PureLog Stealer, Xmrig, zgRAT	Browse	13.107.246.45
	FGTFTj8GLM.exe	Get hash	malicious	FormBook	Browse	13.107.246.45
	30562134305434372.js	Get hash	malicious	Strela Downloader	Browse	13.107.246.45
	Mmm7GmDcR4.exe	Get hash	malicious	LummaC	Browse	13.107.246.45
	https://na4.docusign.net/Signing/EmailStart.aspx?a=ffa78034-d960-4bb3-b2a2-bb62a1fc4a65&etti=24&acct=86dab687-685e-40aa-af52-e5c3fc07b508&er=04714c6d-cc25-4a21-be91-01e1c43a5f3f	Get hash	malicious	HTMLPhisher	Browse	13.107.246.45

Process:	C:\Users\user\Desktop\lExtvSjBgq.exe
File Type:	data
Category:	dropped
Size (bytes):	288256
Entropy (8bit):	7.9951505360507635
Encrypted:	true
SSDEEP:	6144:2vYe5MT2krPUg/5C+uHFnw8iJZ+QsOqYzggNy:djxC+uFw8iWJO9zggNy
MD5:	9576396C501D6FCFAAB5626C0D5F15D2
SHA1:	EDD099BCA49249161B9FFEF0535F442C346D3FCF
SHA-256:	0C24F007B6E9026B19E29EF286C489C4FD12A32CB250E0C512EE7EB5B6A54F46
SHA-512:	D94D58264D4DC560627F4478096CE05490E698ED00DB5950B7A438744713A98E5D6F6E14B29E9F6557AD656B91C2729F39BAA702A23B9A68ABBF0A71F3E2A3EE
Malicious:	false
Reputation:	low
Preview:	...3BVP0@6QW.IH.APAGYI8.UVZ3AVP0D6QW7ZIHPAPAGYI8YUVZ3AVP0D6.W7ZGW.OP.N.h.X..{g)?#.4D>0E;$h3 >/(-iZ<u$/]a?>..y.wZ5--~L]KcYI8YUVZJ@_..$Q.jW=.u0&.[...92.@..lP#.K.u(7..($1tX>.VZ3AVP0Df.W7.HIPQKX.YI8YUVZ3.VR1O7ZW7.MHPAPAGYI8.AVZ3QVP042QW7.IH@APAEYI>YUVZ3AVV0D6QW7ZI8TAPCGYI8YUTZs.VP D6AW7ZIXPA@AGYI8YEVZ3AVP0D6QW7ZIHPAPAGYI8YUVZ3AVP0D6QW7ZIHPAPAGYI8YUVZ3AVP0D6QW7ZIHPAPAGYI8YUVZ3AVP0D6QW7ZIHPAPAGYI8YUVZ3AVP0D6QW7ZIHPAPAGYI8YUVZ3AVP.0S)#7ZI..EPAWYI8.QVZ#AVP0D6QW7ZIHPApAG9I8YUVZ3AVP0D6QW7ZIHPAPAGYI8YUVZ3AVP0D6QW7ZIHPAPAGYI8YUVZ3AVP0D6QW7ZIHPAPAGYI8YUVZ3AVP0D6QW7ZIHPAPAGYI8YUVZ3AVP0D6QW7ZIHPAPAGYI8YUVZ3AVP0D6QW7ZIHPAPAGYI8YUVZ3AVP0D6QW7ZIHPAPAGYI8YUVZ3AVP0D6QW7ZIHPAPAGYI8YUVZ3AVP0D6QW7ZIHPAPAGYI8YUVZ3AVP0D6QW7ZIHPAPAGYI8YUVZ3AVP0D6QW7ZIHPAPAGYI8YUVZ3AVP0D6QW7ZIHPAPAGYI8YUVZ3AVP0D6QW7ZIHPAPAGYI8YUVZ3AVP0D6QW7ZIHPAPAGYI8YUVZ3AVP0D6QW7ZIHPAPAGYI8YUVZ3AVP0D6QW7ZIHPAPAGYI8YUVZ3AVP0D6QW7ZIHPAPAGYI8YUVZ3AVP0D6QW7ZIHPAPAGYI8YUVZ3AVP0D6QW7ZIHPAPAGYI8YUVZ3AVP0D6QW7ZIHPAPAGYI8YUVZ3AVP0D6QW7ZIHPAPAGYI8Y

C:\Users\user\AppData\Local\Temp\hepatoduodenostomy

Download File

Process:	C:\Users\user\Desktop\lExtvSjBgq.exe
File Type:	data
Category:	dropped
Size (bytes):	288256
Entropy (8bit):	7.9951505360507635
Encrypted:	true
SSDEEP:	6144:2vYe5MT2krPUg/5C+uHFnw8iJZ+QsOqYzggNy:djxC+uFw8iWJO9zggNy
MD5:	9576396C501D6FCFAAB5626C0D5F15D2
SHA1:	EDD099BCA49249161B9FFEF0535F442C346D3FCF
SHA-256:	0C24F007B6E9026B19E29EF286C489C4FD12A32CB250E0C512EE7EB5B6A54F46
SHA-512:	D94D58264D4DC560627F4478096CE05490E698ED00DB5950B7A438744713A98E5D6F6E14B29E9F6557AD656B91C2729F39BAA702A23B9A68ABBF0A71F3E2A3EE
Malicious:	false
Reputation:	low
Preview:	...3BVP0@6QW.IH.APAGYI8.UVZ3AVP0D6QW7ZIHPAPAGYI8YUVZ3AVP0D6.W7ZGW.OP.N.h.X..{g)?#.4D>0E;$h3 >/(-iZ<u$/]a?>..y.wZ5--~L]KcYI8YUVZJ@_..$Q.jW=.u0&.[...92.@..lP#.K.u(7..($1tX>.VZ3AVP0Df.W7.HIPQKX.YI8YUVZ3.VR1O7ZW7.MHPAPAGYI8.AVZ3QVP042QW7.IH@APAEYI>YUVZ3AVV0D6QW7ZI8TAPCGYI8YUTZs.VP D6AW7ZIXPA@AGYI8YEVZ3AVP0D6QW7ZIHPAPAGYI8YUVZ3AVP0D6QW7ZIHPAPAGYI8YUVZ3AVP0D6QW7ZIHPAPAGYI8YUVZ3AVP0D6QW7ZIHPAPAGYI8YUVZ3AVP0D6QW7ZIHPAPAGYI8YUVZ3AVP.0S)#7ZI..EPAWYI8.QVZ#AVP0D6QW7ZIHPApAG9I8YUVZ3AVP0D6QW7ZIHPAPAGYI8YUVZ3AVP0D6QW7ZIHPAPAGYI8YUVZ3AVP0D6QW7ZIHPAPAGYI8YUVZ3AVP0D6QW7ZIHPAPAGYI8YUVZ3AVP0D6QW7ZIHPAPAGYI8YUVZ3AVP0D6QW7ZIHPAPAGYI8YUVZ3AVP0D6QW7ZIHPAPAGYI8YUVZ3AVP0D6QW7ZIHPAPAGYI8YUVZ3AVP0D6QW7ZIHPAPAGYI8YUVZ3AVP0D6QW7ZIHPAPAGYI8YUVZ3AVP0D6QW7ZIHPAPAGYI8YUVZ3AVP0D6QW7ZIHPAPAGYI8YUVZ3AVP0D6QW7ZIHPAPAGYI8YUVZ3AVP0D6QW7ZIHPAPAGYI8YUVZ3AVP0D6QW7ZIHPAPAGYI8YUVZ3AVP0D6QW7ZIHPAPAGYI8YUVZ3AVP0D6QW7ZIHPAPAGYI8YUVZ3AVP0D6QW7ZIHPAPAGYI8YUVZ3AVP0D6QW7ZIHPAPAGYI8YUVZ3AVP0D6QW7ZIHPAPAGYI8YUVZ3AVP0D6QW7ZIHPAPAGYI8Y

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.1936848879650235
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	lExtvSjBgq.exe
File size:	1'212'416 bytes
MD5:	b517fef76c7787155698922a3cd4968c
SHA1:	2627e7881e2a55c273243a573238e2cf8079f11f
SHA256:	959963e520fea06fa091046fbae311a892ffca7541c82816f7a67c508fc3c898
SHA512:	ddb0d88c876fd433c11c9bd6611606b0933e508ac7158eac441dd293616740796a75f2b8ba5488bf7ed30ff0387a3c44ce5a16665272502fede770e7e9b99931
SSDEEP:	24576:Su6J33O0c+JY5UZ+XC0kGso6FayLXzEH3mm4d/5iWY:Uu0c++OCvkGs9FayTzEXOHY
TLSH:	6B45CF2273DDC360CB769173BF6AB7016EBF38614630B95B2F880D7DA950162162D7A3
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......6...r}..r}..r}..4,".p}......s}.../..A}.../#..}.../".G}..{.@.{}..{.P.W}..r}..R.....)."}......s}.../..s}..r}T.s}......s}..Richr}.

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x427dcd
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x67597A3D [Wed Dec 11 11:40:45 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	afcdf79be1557326c854b6e20cb900a7

Entrypoint Preview

Instruction
call 00007FE0B8E04B6Ah
jmp 00007FE0B8DF7934h
int3
int3
int3
int3
int3
int3
int3
int3
int3
push edi
push esi
mov esi, dword ptr [esp+10h]
mov ecx, dword ptr [esp+14h]
mov edi, dword ptr [esp+0Ch]
mov eax, ecx
mov edx, ecx
add eax, esi
cmp edi, esi
jbe 00007FE0B8DF7ABAh
cmp edi, eax
jc 00007FE0B8DF7E1Eh
bt dword ptr [004C31FCh], 01h
jnc 00007FE0B8DF7AB9h
rep movsb
jmp 00007FE0B8DF7DCCh
cmp ecx, 00000080h
jc 00007FE0B8DF7C84h
mov eax, edi
xor eax, esi
test eax, 0000000Fh
jne 00007FE0B8DF7AC0h
bt dword ptr [004BE324h], 01h
jc 00007FE0B8DF7F90h
bt dword ptr [004C31FCh], 00000000h
jnc 00007FE0B8DF7C5Dh
test edi, 00000003h
jne 00007FE0B8DF7C6Eh
test esi, 00000003h
jne 00007FE0B8DF7C4Dh
bt edi, 02h
jnc 00007FE0B8DF7ABFh
mov eax, dword ptr [esi]
sub ecx, 04h
lea esi, dword ptr [esi+04h]
mov dword ptr [edi], eax
lea edi, dword ptr [edi+04h]
bt edi, 03h
jnc 00007FE0B8DF7AC3h
movq xmm1, qword ptr [esi]
sub ecx, 08h
lea esi, dword ptr [esi+08h]
movq qword ptr [edi], xmm1
lea edi, dword ptr [edi+08h]
test esi, 00000007h
je 00007FE0B8DF7B15h
bt esi, 03h
jnc 00007FE0B8DF7B68h

Rich Headers

Programming Language:

[ASM] VS2013 build 21005
[ C ] VS2013 build 21005
[C++] VS2013 build 21005
[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729
[ASM] VS2013 UPD4 build 31101
[RES] VS2013 build 21005
[LNK] VS2013 UPD4 build 31101

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xba44c	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xc7000	0x5f6a8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x127000	0x711c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x92bc0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xa4870	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8f000	0x884	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x8dcc4	0x8de00	d28a820a1d9ff26cda02d12b888ba4b4	False	0.5728679102422908	data	6.676118058520316	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8f000	0x2e10e	0x2e200	79b14b254506b0dbc8cd0ad67fb70ad9	False	0.33535526761517614	OpenPGP Public Key	5.76010872795207	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xbe000	0x8f74	0x5200	9f9d6f746f1a415a63de45f8b7983d33	False	0.1017530487804878	data	1.198745897703538	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xc7000	0x5f6a8	0x5f800	f5a25d7d937ef75d9bfc4d9fe4392ce1	False	0.9307100785340314	data	7.9009284485710145	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x127000	0x711c	0x7200	6fcae3cbbf6bfbabf5ec5bbe7cf612c3	False	0.7650767543859649	data	6.779031650454199	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xc75a8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xc76d0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xc77f8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xc7920	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0xc7c08	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0xc7d30	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0xc8bd8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0xc9480	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0xc99e8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0xcbf90	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0xcd038	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_MENU	0xcd4a0	0x50	data	English	Great Britain	0.9
RT_STRING	0xcd4f0	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xcda84	0x68a	data	English	Great Britain	0.2747909199522103
RT_STRING	0xce110	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xce5a0	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xceb9c	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xcf1f8	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xcf660	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xcf7b8	0x5696d	data			1.0003270655174261
RT_GROUP_ICON	0x126128	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0x1261a0	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0x1261b4	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0x1261c8	0x14	data	English	Great Britain	1.25
RT_VERSION	0x1261dc	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0x1262b8	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	WSACleanup, socket, inet_ntoa, setsockopt, ntohs, recvfrom, ioctlsocket, htons, WSAStartup, __WSAFDIsSet, select, accept, listen, bind, closesocket, WSAGetLastError, recv, sendto, send, inet_addr, gethostbyname, gethostname, connect
VERSION.dll	GetFileVersionInfoW, GetFileVersionInfoSizeW, VerQueryValueW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetUseConnectionW, WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W
WININET.dll	InternetQueryDataAvailable, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetConnectW
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpCreateFile, IcmpCloseHandle, IcmpSendEcho
USERENV.dll	DestroyEnvironmentBlock, UnloadUserProfile, CreateEnvironmentBlock, LoadUserProfileW
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, SetCurrentDirectoryW, GetLongPathNameW, GetShortPathNameW, DeleteFileW, FindNextFileW, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, GetLocalTime, CompareStringW, GetCurrentProcess, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, LoadLibraryW, VirtualAlloc, IsDebuggerPresent, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, GetCurrentThread, CloseHandle, GetFullPathNameW, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetCommandLineW, IsProcessorFeaturePresent, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetStringTypeW, SetStdHandle, GetFileType, GetConsoleCP, GetConsoleMode, RtlUnwind, ReadConsoleW, GetTimeZoneInformation, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetEnvironmentStringsW, FreeEnvironmentStringsW, WriteConsoleW, FindClose, SetEnvironmentVariableA
USER32.dll	AdjustWindowRectEx, CopyImage, SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, DeleteMenu, SetRect, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, MonitorFromRect, keybd_event, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, TranslateMessage, PeekMessageW, UnregisterHotKey, CheckMenuRadioItem, CharLowerBuffW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, SystemParametersInfoW, LoadImageW, GetClassNameW
GDI32.dll	StrokePath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, GetDeviceCaps, EndPath, SetPixel, CloseFigure, CreateCompatibleBitmap, CreateCompatibleDC, SelectObject, StretchBlt, GetDIBits, LineTo, AngleArc, MoveToEx, Ellipse, DeleteDC, GetPixel, CreateDCW, GetStockObject, GetTextFaceW, CreateFontW, SetTextColor, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, StrokeAndFillPath
COMDLG32.dll	GetOpenFileNameW, GetSaveFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, RegCreateKeyExW, FreeSid, GetTokenInformation, GetSecurityDescriptorDacl, GetAclInformation, AddAce, SetSecurityDescriptorDacl, GetUserNameW, InitiateSystemShutdownExW
SHELL32.dll	DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoSetProxyBlanket, CoCreateInstanceEx, CoInitializeSecurity
OLEAUT32.dll	LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, RegisterTypeLib, CreateStdDispatch, DispCallFunc, VariantChangeType, SysStringLen, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, VariantCopy, VariantClear, OleLoadPicture, QueryPathOfRegTypeLib, RegisterTypeLibForUser, UnRegisterTypeLibForUser, UnRegisterTypeLib, CreateDispTypeInfo, SysAllocString, VariantInit

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 10, 2025 16:55:13.446333885 CET	55547	53	192.168.2.6	162.159.36.2
Jan 10, 2025 16:55:13.451126099 CET	53	55547	162.159.36.2	192.168.2.6
Jan 10, 2025 16:55:13.451199055 CET	55547	53	192.168.2.6	162.159.36.2
Jan 10, 2025 16:55:13.455990076 CET	53	55547	162.159.36.2	192.168.2.6
Jan 10, 2025 16:55:13.940434933 CET	55547	53	192.168.2.6	162.159.36.2
Jan 10, 2025 16:55:13.945458889 CET	53	55547	162.159.36.2	192.168.2.6
Jan 10, 2025 16:55:13.945521116 CET	55547	53	192.168.2.6	162.159.36.2

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 10, 2025 16:55:13.445760965 CET	53	62538	162.159.36.2	192.168.2.6
Jan 10, 2025 16:55:14.605043888 CET	53	58901	1.1.1.1	192.168.2.6

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 10, 2025 16:54:28.616362095 CET	1.1.1.1	192.168.2.6	0x7d7e	No error (0)	shed.dual-low.s-part-0017.t-0009.t-msedge.net	s-part-0017.t-0009.t-msedge.net		CNAME (Canonical name)	IN (0x0001)	false
Jan 10, 2025 16:54:28.616362095 CET	1.1.1.1	192.168.2.6	0x7d7e	No error (0)	s-part-0017.t-0009.t-msedge.net		13.107.246.45	A (IP address)	IN (0x0001)	false

Target ID:	0
Start time:	10:54:29
Start date:	10/01/2025
Path:	C:\Users\user\Desktop\lExtvSjBgq.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\lExtvSjBgq.exe"
Imagebase:	0x1e0000
File size:	1'212'416 bytes
MD5 hash:	B517FEF76C7787155698922A3CD4968C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	10:54:32
Start date:	10/01/2025
Path:	C:\Windows\SysWOW64\svchost.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\lExtvSjBgq.exe"
Imagebase:	0xc80000
File size:	46'504 bytes
MD5 hash:	1ED18311E3DA35942DB37D15FA40CC5B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.2887345795.0000000002D60000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.2887106496.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	3.9%
Dynamic/Decrypted Code Coverage:	0.4%
Signature Coverage:	9.5%
Total number of Nodes:	2000
Total number of Limit Nodes:	32

Executed Functions

Function 001E3B3A Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 153
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 001E3B68
IsDebuggerPresent.KERNEL32 ref: 001E3B7A
GetFullPathNameW.KERNEL32(00007FFF,?,?,002A52F8,002A52E0,?,?), ref: 001E3BEB

Part of subcall function 001E7BCC: _memmove.LIBCMT ref: 001E7C06

Part of subcall function 001F092D: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,001E3C14,002A52F8,?,?,?), ref: 001F096E

SetCurrentDirectoryW.KERNEL32(?), ref: 001E3C6F
MessageBoxA.USER32(00000000,This is a third-party compiled AutoIt script.,00297770,00000010), ref: 0021D281
SetCurrentDirectoryW.KERNEL32(?,002A52F8,?,?,?), ref: 0021D2B9
GetForegroundWindow.USER32(runas,?,?,?,00000001,?,00294260,002A52F8,?,?,?), ref: 0021D33F
ShellExecuteW.SHELL32(00000000,?,?), ref: 0021D346

Part of subcall function 001E3A46: GetSysColorBrush.USER32(0000000F), ref: 001E3A50
Part of subcall function 001E3A46: LoadCursorW.USER32(00000000,00007F00), ref: 001E3A5F
Part of subcall function 001E3A46: LoadIconW.USER32(00000063), ref: 001E3A76
Part of subcall function 001E3A46: LoadIconW.USER32(000000A4), ref: 001E3A88
Part of subcall function 001E3A46: LoadIconW.USER32(000000A2), ref: 001E3A9A
Part of subcall function 001E3A46: LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 001E3AC0
Part of subcall function 001E3A46: RegisterClassExW.USER32(?), ref: 001E3B16

Part of subcall function 001E39D5: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 001E3A03
Part of subcall function 001E39D5: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 001E3A24
Part of subcall function 001E39D5: ShowWindow.USER32(00000000,?,?), ref: 001E3A38
Part of subcall function 001E39D5: ShowWindow.USER32(00000000,?,?), ref: 001E3A41

Part of subcall function 001E434A: _memset.LIBCMT ref: 001E4370
Part of subcall function 001E434A: Shell_NotifyIconW.SHELL32(00000000,?), ref: 001E4415

Strings

%', xrefs: 001E3C44
This is a third-party compiled AutoIt script., xrefs: 0021D279
runas, xrefs: 0021D33A

Memory Dump Source

Source File: 00000000.00000002.2246549404.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2246531073.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.000000000026F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246673436.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246691233.00000000002A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_lExtvSjBgq.jbxd

Similarity

API ID: LoadWindow$Icon$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__memmove_memset
String ID: This is a third-party compiled AutoIt script.$runas$%'
API String ID: 529118366-223049118
Opcode ID: 477b8c20b5f5bb518bffad775d93f7e9da412b9546be77cda8c7774003aec86c
Instruction ID: cfee7181b89121b33d17eb26ca51665a73e8bb19acfa1e8006a1e6a8e1a54cc9
Opcode Fuzzy Hash: 477b8c20b5f5bb518bffad775d93f7e9da412b9546be77cda8c7774003aec86c
Instruction Fuzzy Hash: 1051E831D18989AFDF01EBB5EC0DAEE7B78AB66700F104066F921A3192DF709655CB21

Function 001E49A0 Relevance: 10.7, APIs: 7, Instructions: 223
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 001E49CD

Part of subcall function 001E7BCC: _memmove.LIBCMT ref: 001E7C06

GetCurrentProcess.KERNEL32(?,0026FAEC,00000000,00000000,?), ref: 001E4A9A
IsWow64Process.KERNEL32(00000000), ref: 001E4AA1
GetNativeSystemInfo.KERNELBASE(00000000), ref: 001E4AE7
FreeLibrary.KERNEL32(00000000), ref: 001E4AF2
GetSystemInfo.KERNEL32(00000000), ref: 001E4B23
GetSystemInfo.KERNEL32(00000000), ref: 001E4B2F

Memory Dump Source

Source File: 00000000.00000002.2246549404.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2246531073.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.000000000026F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246673436.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246691233.00000000002A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_lExtvSjBgq.jbxd

Similarity

API ID: InfoSystem$Process$CurrentFreeLibraryNativeVersionWow64_memmove
String ID:
API String ID: 1986165174-0
Opcode ID: 9b3150aa74d4118fe881493e1573bed71b4760cd58d09377a97fb8db33d3760c
Instruction ID: 9f9dc2bec37419d43eebbef544ec4fc69cef9ba11a31514f885418c9539707ed
Opcode Fuzzy Hash: 9b3150aa74d4118fe881493e1573bed71b4760cd58d09377a97fb8db33d3760c
Instruction Fuzzy Hash: 3191F335989BC1DFCB31CB6995501AEFFF5AF3A310B4849ADD0CB83A41D320A948C769

Function 001E4E89 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,001E4D8E,?,?,00000000,00000000), ref: 001E4E99
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,001E4D8E,?,?,00000000,00000000), ref: 001E4EB0
LoadResource.KERNEL32(?,00000000,?,?,001E4D8E,?,?,00000000,00000000,?,?,?,?,?,?,001E4E2F), ref: 0021D937
SizeofResource.KERNEL32(?,00000000,?,?,001E4D8E,?,?,00000000,00000000,?,?,?,?,?,?,001E4E2F), ref: 0021D94C
LockResource.KERNEL32(001E4D8E,?,?,001E4D8E,?,?,00000000,00000000,?,?,?,?,?,?,001E4E2F,00000000), ref: 0021D95F

Strings

SCRIPT, xrefs: 001E4EA6

Memory Dump Source

Source File: 00000000.00000002.2246549404.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2246531073.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.000000000026F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246673436.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246691233.00000000002A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_lExtvSjBgq.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: 560b723a89fabb126785abe425a08035c1693bb7432f1b9b60414752d756c35c
Instruction ID: b0635a2ba34c3eb168261371e500f1912b610a0b4908061fe98b3dcd7aebd389
Opcode Fuzzy Hash: 560b723a89fabb126785abe425a08035c1693bb7432f1b9b60414752d756c35c
Instruction Fuzzy Hash: B2115E75240741BFDB258B66FD48F6B7BBAFBC5B11F108268F805C6250DBA1EC008A60

Function 001EFCE0 Relevance: 9.8, APIs: 3, Strings: 2, Instructions: 1040COMMON

Download Yara Rule

Strings

%', xrefs: 001EFCF3
pb*, xrefs: 002249B9

Memory Dump Source

Source File: 00000000.00000002.2246549404.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2246531073.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.000000000026F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246673436.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246691233.00000000002A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_lExtvSjBgq.jbxd

Similarity

API ID: BuffCharUpper
String ID: pb*$%'
API String ID: 3964851224-478041922
Opcode ID: 8d1e26624c4e0a6b071bbd0151bffa5cd90483650e797db0836317a0398e1759
Instruction ID: 924d0ed76dbe6a0ce5c8a1d099d77a8bd1363a43c618ddb6c96f5cf3ddfec86c
Opcode Fuzzy Hash: 8d1e26624c4e0a6b071bbd0151bffa5cd90483650e797db0836317a0398e1759
Instruction Fuzzy Hash: 1A929870A08751DFD725DF24C480B2ABBE1BF89304F15892DE98A8B362D771EC55CB92

Function 001EE6A0 Relevance: 6.1, Strings: 4, Instructions: 1102COMMON

Download Yara Rule

Strings

Dd*, xrefs: 001EEAC1
p), xrefs: 00223AF5, 00223B2E, 00223DAA
Variable must be of type 'Object'., xrefs: 00223E62
Dd*, xrefs: 001EEABA

Memory Dump Source

Source File: 00000000.00000002.2246549404.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2246531073.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.000000000026F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246673436.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246691233.00000000002A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_lExtvSjBgq.jbxd

Similarity

API ID:
String ID: Dd*$Dd*$Variable must be of type 'Object'.$p)
API String ID: 0-3893636707
Opcode ID: ef9274b1a604f0999ba43042363e0ebdc8e21b9e60957c9caff9041982da6766
Instruction ID: a48692aa23a917725600aad12764c4af286d733a7a05f7f781861794348d5029
Opcode Fuzzy Hash: ef9274b1a604f0999ba43042363e0ebdc8e21b9e60957c9caff9041982da6766
Instruction Fuzzy Hash: DEA2BE74A00A55DFCB28CF95C484AAEB7F2FF59314F298069E805AB351D775ED82CB80

Function 001E47D0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 59COMMON

Download Yara Rule

APIs

IsThemeActive.UXTHEME ref: 001E4834

Part of subcall function 0020336C: __lock.LIBCMT ref: 00203372
Part of subcall function 0020336C: DecodePointer.KERNEL32(00000001,?,001E4849,00237C74), ref: 0020337E
Part of subcall function 0020336C: EncodePointer.KERNEL32(?,?,001E4849,00237C74), ref: 00203389

Part of subcall function 001E48FD: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 001E4915
Part of subcall function 001E48FD: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 001E492A

Part of subcall function 001E3B3A: GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 001E3B68
Part of subcall function 001E3B3A: IsDebuggerPresent.KERNEL32 ref: 001E3B7A
Part of subcall function 001E3B3A: GetFullPathNameW.KERNEL32(00007FFF,?,?,002A52F8,002A52E0,?,?), ref: 001E3BEB
Part of subcall function 001E3B3A: SetCurrentDirectoryW.KERNEL32(?), ref: 001E3C6F

SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 001E4874

Strings

r, xrefs: 001E47D6

Memory Dump Source

Source File: 00000000.00000002.2246549404.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2246531073.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.000000000026F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246673436.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246691233.00000000002A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_lExtvSjBgq.jbxd

Similarity

API ID: InfoParametersSystem$CurrentDirectoryPointer$ActiveDebuggerDecodeEncodeFullNamePathPresentTheme__lock
String ID: r
API String ID: 1438897964-3729450569
Opcode ID: c081755a2db22b8323fd98f6715ee4ec437f547225ce51669cb3d3f7bff54d95
Instruction ID: 7b8f30c450f5ad87e2210ee72d01525b54d5c14e6cda92a2347f444075e58ecf
Opcode Fuzzy Hash: c081755a2db22b8323fd98f6715ee4ec437f547225ce51669cb3d3f7bff54d95
Instruction Fuzzy Hash: 6A118C719087959BC710DF6AE84990EFBE8EB9A750F10891AF444832B2DFB09544CB92

Function 0024445A Relevance: 4.5, APIs: 3, Instructions: 25fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,0021E398), ref: 0024446A
FindFirstFileW.KERNELBASE(?,?), ref: 0024447B
FindClose.KERNEL32(00000000), ref: 0024448B

Memory Dump Source

Source File: 00000000.00000002.2246549404.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2246531073.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.000000000026F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246673436.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246691233.00000000002A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_lExtvSjBgq.jbxd

Similarity

API ID: FileFind$AttributesCloseFirst
String ID:
API String ID: 48322524-0
Opcode ID: e3387d76a5da298e21159a968fd73d4404587bd7a82888e8e6fd177bdcdec99c
Instruction ID: 90db343f9406c855de5ca3615a04da766514f8eddb624ffe25b2e81329e574e0
Opcode Fuzzy Hash: e3387d76a5da298e21159a968fd73d4404587bd7a82888e8e6fd177bdcdec99c
Instruction Fuzzy Hash: 12E0D8364205416746147F38FC0D5E97B5CAE05335F104716F835C11D0E7F4591099D5

Function 001F09D0 Relevance: 64.3, APIs: 27, Strings: 9, Instructions: 1300windowsleeptimeCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 001F0A5B
timeGetTime.WINMM ref: 001F0D16
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 001F0E53
Sleep.KERNEL32(0000000A), ref: 001F0E61
LockWindowUpdate.USER32(00000000,?,?), ref: 001F0EFA
DestroyWindow.USER32 ref: 001F0F06
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 001F0F20
Sleep.KERNEL32(0000000A,?,?), ref: 00224E83
TranslateMessage.USER32(?), ref: 00225C60
DispatchMessageW.USER32(?), ref: 00225C6E
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00225C82

Strings

@GUI_CTRLHANDLE, xrefs: 00224FE4
@TRAY_ID, xrefs: 0022578F
pb*, xrefs: 00224F59
@COM_EVENTOBJ, xrefs: 002254F0
@GUI_WINHANDLE, xrefs: 00224F8F
pb*, xrefs: 002257B4
pb*, xrefs: 00225003
pb*, xrefs: 00224FAE
@GUI_CTRLID, xrefs: 00224F3A

Memory Dump Source

Source File: 00000000.00000002.2246549404.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2246531073.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.000000000026F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246673436.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246691233.00000000002A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_lExtvSjBgq.jbxd

Similarity

API ID: Message$PeekSleepWindow$DestroyDispatchLockTimeTranslateUpdatetime
String ID: @COM_EVENTOBJ$@GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID$pb*$pb*$pb*$pb*
API String ID: 4212290369-1934048305
Opcode ID: 951a8b72a9b43f0519353cbc848ea73a4ce2b0965b6effdf8a8b0941cac4f2dc
Instruction ID: 6cca58bed73bbe1ec4c233d84887ce610c1c427ea377a82474e010a3f0dc9bd9
Opcode Fuzzy Hash: 951a8b72a9b43f0519353cbc848ea73a4ce2b0965b6effdf8a8b0941cac4f2dc
Instruction Fuzzy Hash: FAB21370618B51EFD729DF64D884BAEB7E4BF84304F14891DF549972A2CB70E894CB42

Function 00249155 Relevance: 19.8, APIs: 13, Instructions: 322
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00248F5F: __time64.LIBCMT ref: 00248F69

Part of subcall function 001E4EE5: _fseek.LIBCMT ref: 001E4EFD

__wsplitpath.LIBCMT ref: 00249234

Part of subcall function 002040FB: __wsplitpath_helper.LIBCMT ref: 0020413B

_wcscpy.LIBCMT ref: 00249247
_wcscat.LIBCMT ref: 0024925A
__wsplitpath.LIBCMT ref: 0024927F
_wcscat.LIBCMT ref: 00249295
_wcscat.LIBCMT ref: 002492A8

Part of subcall function 00248FA5: _memmove.LIBCMT ref: 00248FDE
Part of subcall function 00248FA5: _memmove.LIBCMT ref: 00248FED

_wcscmp.LIBCMT ref: 002491EF

Part of subcall function 00249734: _wcscmp.LIBCMT ref: 00249824
Part of subcall function 00249734: _wcscmp.LIBCMT ref: 00249837

DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 00249452
_wcsncpy.LIBCMT ref: 002494C5
DeleteFileW.KERNEL32(?,?), ref: 002494FB
CopyFileW.KERNELBASE(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00249511
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00249522
DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00249534

Memory Dump Source

Source File: 00000000.00000002.2246549404.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2246531073.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.000000000026F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246673436.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246691233.00000000002A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_lExtvSjBgq.jbxd

Similarity

API ID: File$Delete$_wcscat_wcscmp$__wsplitpath_memmove$Copy__time64__wsplitpath_helper_fseek_wcscpy_wcsncpy
String ID:
API String ID: 1500180987-0
Opcode ID: a19cc223a5f9f0f6c094aeb9fe5608f37a0d09497cfe08de9e8e3b37f400165b
Instruction ID: 4a0fdf0534c816b0fb79fa35fa9e709a68fc92db18ce0983e7102144abe6e7d8
Opcode Fuzzy Hash: a19cc223a5f9f0f6c094aeb9fe5608f37a0d09497cfe08de9e8e3b37f400165b
Instruction Fuzzy Hash: 74C159B1D10219ABDF25DFA5CC85ADFBBBDEF55300F0040AAF609E6141EB709A948F61

Function 001E708B Relevance: 19.5, APIs: 6, Strings: 5, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 001E4706: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,002A52F8,?,001E37AE,?), ref: 001E4724

Part of subcall function 0020050B: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,001E7165), ref: 0020052D

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 001E71A8
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 0021E8C8
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 0021E909
RegCloseKey.ADVAPI32(?), ref: 0021E947
_wcscat.LIBCMT ref: 0021E9A0

Strings

Software\AutoIt v3\AutoIt, xrefs: 001E719E
PM, xrefs: 001E70DB
Include, xrefs: 0021E8BF, 0021E900
\Include\, xrefs: 001E7165
\, xrefs: 0021E9C3

Memory Dump Source

Source File: 00000000.00000002.2246549404.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2246531073.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.000000000026F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246673436.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246691233.00000000002A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_lExtvSjBgq.jbxd

Similarity

API ID: NameQueryValue$CloseFileFullModuleOpenPath_wcscat
String ID: Include$PM$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 2673923337-2267167273
Opcode ID: 2f0acf5c79dfcc6597f2d2e12f66b5640183da9dde76225b8f3d423ba0b8b844
Instruction ID: 49dba0a3e25af460d42614f8aaf875158ef9211b9554d3151b30bd3b935102a5
Opcode Fuzzy Hash: 2f0acf5c79dfcc6597f2d2e12f66b5640183da9dde76225b8f3d423ba0b8b844
Instruction Fuzzy Hash: 2471BD710183029FD704EF65EC89AAFBBE8FFAA310F44052EF855871A1DB719958CB52

Function 001E301C Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 73
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 001E3074
RegisterClassExW.USER32(00000030), ref: 001E309E
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 001E30AF
InitCommonControlsEx.COMCTL32(?), ref: 001E30CC
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 001E30DC
LoadIconW.USER32(000000A9), ref: 001E30F2
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 001E3101

Strings

+, xrefs: 001E305D
0, xrefs: 001E3056
TaskbarCreated, xrefs: 001E30A4
AutoIt v3 GUI, xrefs: 001E3090

Memory Dump Source

Source File: 00000000.00000002.2246549404.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2246531073.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.000000000026F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246673436.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246691233.00000000002A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_lExtvSjBgq.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 18c2bbb1e51c54e49f3a9061b827c4e4a53c563454a6fbd2516ca1b9eb5bbacc
Instruction ID: e7515061dbea8f94a6be369c11c34211d8c0fa22d24ee296b7aaa21ea17a73aa
Opcode Fuzzy Hash: 18c2bbb1e51c54e49f3a9061b827c4e4a53c563454a6fbd2516ca1b9eb5bbacc
Instruction Fuzzy Hash: 8F313871851319EFDB418FA4F989ADABBF0FF0A321F10812AE580E62A0D7B90585CF50

Function 001E3A46 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 71
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 001E3A50
LoadCursorW.USER32(00000000,00007F00), ref: 001E3A5F
LoadIconW.USER32(00000063), ref: 001E3A76
LoadIconW.USER32(000000A4), ref: 001E3A88
LoadIconW.USER32(000000A2), ref: 001E3A9A
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 001E3AC0
RegisterClassExW.USER32(?), ref: 001E3B16

Part of subcall function 001E3041: GetSysColorBrush.USER32(0000000F), ref: 001E3074
Part of subcall function 001E3041: RegisterClassExW.USER32(00000030), ref: 001E309E
Part of subcall function 001E3041: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 001E30AF
Part of subcall function 001E3041: InitCommonControlsEx.COMCTL32(?), ref: 001E30CC
Part of subcall function 001E3041: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 001E30DC
Part of subcall function 001E3041: LoadIconW.USER32(000000A9), ref: 001E30F2
Part of subcall function 001E3041: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 001E3101

Strings

#, xrefs: 001E3AFB
0, xrefs: 001E3AF4
r, xrefs: 001E3AA1
AutoIt v3, xrefs: 001E3B05

Memory Dump Source

Source File: 00000000.00000002.2246549404.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2246531073.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.000000000026F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246673436.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246691233.00000000002A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_lExtvSjBgq.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3$r
API String ID: 423443420-4200877358
Opcode ID: 0b9f4d2ff72674fb2590499569703f49a90bad70f22314daf9145e2e17cbe9e7
Instruction ID: 8e7086e728bce40d54e6f58982c40329fff064621c69bb430973a527f37497b9
Opcode Fuzzy Hash: 0b9f4d2ff72674fb2590499569703f49a90bad70f22314daf9145e2e17cbe9e7
Instruction Fuzzy Hash: EF212071900718ABEB11DFA4FD4DB9EBBB0EB09711F10412AE900AA2A1DBB55A509B84

Function 001E3041 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 54
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 001E3074
RegisterClassExW.USER32(00000030), ref: 001E309E
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 001E30AF
InitCommonControlsEx.COMCTL32(?), ref: 001E30CC
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 001E30DC
LoadIconW.USER32(000000A9), ref: 001E30F2
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 001E3101

Strings

+, xrefs: 001E305D
0, xrefs: 001E3056
TaskbarCreated, xrefs: 001E30A4
AutoIt v3 GUI, xrefs: 001E3090

Memory Dump Source

Source File: 00000000.00000002.2246549404.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2246531073.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.000000000026F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246673436.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246691233.00000000002A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_lExtvSjBgq.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 25bab11a1dab7b834ba2655fa28b44873062ac8c0f18566b21f685fb68b56b3f
Instruction ID: 9a698452799146744a2fc5b411ef4cca92acd1f7a6b07e751fba64e9c21430f9
Opcode Fuzzy Hash: 25bab11a1dab7b834ba2655fa28b44873062ac8c0f18566b21f685fb68b56b3f
Instruction Fuzzy Hash: ED21C7B1951618AFDF40DFA4FD8DB9EBBF4FB09700F10812AF910A62A0DBB545848F91

Function 001E3633 Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 151
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?), ref: 001E36D2
KillTimer.USER32(?,00000001), ref: 001E36FC
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 001E371F
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 001E372A
CreatePopupMenu.USER32 ref: 001E373E
PostQuitMessage.USER32(00000000), ref: 001E374D

Strings

%', xrefs: 0021D081, 0021D0CF
TaskbarCreated, xrefs: 001E3725

Memory Dump Source

Source File: 00000000.00000002.2246549404.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2246531073.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.000000000026F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246673436.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246691233.00000000002A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_lExtvSjBgq.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated$%'
API String ID: 129472671-3979774045
Opcode ID: f6c33ca3e2b17e8c86295bfc5c3b012fa7d02e86ea0f34d8162f4e96cb926e05
Instruction ID: 02803f02088d6f2ac9640678d0b00734111756e6e7f6ea1c35275da03a03ecc7
Opcode Fuzzy Hash: f6c33ca3e2b17e8c86295bfc5c3b012fa7d02e86ea0f34d8162f4e96cb926e05
Instruction Fuzzy Hash: 1B4145B2610D85FBDF285F75FC0DBBE3795EB1A300F140125F912872A1CFA49EA09661

Function 001E3766 Relevance: 16.0, APIs: 1, Strings: 8, Instructions: 267
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

/AutoIt3OutputDebug, xrefs: 001E3892
/AutoIt3ExecuteScript, xrefs: 001E38BC
/AutoIt3ExecuteLine, xrefs: 001E38A7
R*, xrefs: 0021D213
CMDLINERAW, xrefs: 001E37FB
CMDLINE, xrefs: 001E3822
/ErrorStdOut, xrefs: 001E387D
>>>AUTOIT NO CMDEXECUTE<<<, xrefs: 001E37AE

Memory Dump Source

Source File: 00000000.00000002.2246549404.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2246531073.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.000000000026F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246673436.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246691233.00000000002A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_lExtvSjBgq.jbxd

Similarity

API ID: FileLibraryLoadModuleName__wcsicmp_l_memmove
String ID: /AutoIt3ExecuteLine$/AutoIt3ExecuteScript$/AutoIt3OutputDebug$/ErrorStdOut$>>>AUTOIT NO CMDEXECUTE<<<$CMDLINE$CMDLINERAW$R*
API String ID: 1825951767-1315436122
Opcode ID: 31fcd64e3549d3c9f3c3187b6980bd2ab0bc89e4bf0b78763558e9c3520c1d11
Instruction ID: f47303b97031684349958c64f9f48d51e9c03f04f719f75c24ca9c560fd2e23c
Opcode Fuzzy Hash: 31fcd64e3549d3c9f3c3187b6980bd2ab0bc89e4bf0b78763558e9c3520c1d11
Instruction Fuzzy Hash: 7AA16F71910AADABDF05EBA5DC59EEEB778BF25300F40042AF815B7192DF745A08CB60

Function 001EF76F Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 168
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00200162: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00200193
Part of subcall function 00200162: MapVirtualKeyW.USER32(00000010,00000000), ref: 0020019B
Part of subcall function 00200162: MapVirtualKeyW.USER32(000000A0,00000000), ref: 002001A6
Part of subcall function 00200162: MapVirtualKeyW.USER32(000000A1,00000000), ref: 002001B1
Part of subcall function 00200162: MapVirtualKeyW.USER32(00000011,00000000), ref: 002001B9
Part of subcall function 00200162: MapVirtualKeyW.USER32(00000012,00000000), ref: 002001C1

Part of subcall function 001F60F9: RegisterWindowMessageW.USER32(WM_GETCONTROLNAME,?,001EF930), ref: 001F6154

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 001EF9CD
OleInitialize.OLE32(00000000), ref: 001EFA4A
CloseHandle.KERNEL32(00000000), ref: 002245C8

Strings

i, xrefs: 001EF7EB
%', xrefs: 001EF796, 001EF7A8, 001EF96E, 001EFA51
<W*, xrefs: 001EF930
\T*, xrefs: 001EF7F7

Memory Dump Source

Source File: 00000000.00000002.2246549404.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2246531073.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.000000000026F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246673436.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246691233.00000000002A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_lExtvSjBgq.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID: <W*$\T*$%'$i
API String ID: 1986988660-2250869090
Opcode ID: a6ffe400d69fc5f13bb143e8947ee95eab075bebe53bc275ca038384d13d5a1f
Instruction ID: 398a27ae6fa546ee36bb91e101d3a71d029fbe53e5d8ae4bad3afc225ea5ffa6
Opcode Fuzzy Hash: a6ffe400d69fc5f13bb143e8947ee95eab075bebe53bc275ca038384d13d5a1f
Instruction Fuzzy Hash: 0B81DEB0815EA0DF8784DF79BC4861BBBE5FB9E306790816AD519CB262EFB004958F10

Function 00F5CE28 Relevance: 10.7, APIs: 7, Instructions: 239
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 00F5CEF9
VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00F5D11F

Memory Dump Source

Source File: 00000000.00000002.2247128171.0000000000F5A000.00000040.00000020.00020000.00000000.sdmp, Offset: 00F5A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f5a000_lExtvSjBgq.jbxd

Similarity

API ID: CreateFileFreeVirtual
String ID:
API String ID: 204039940-0
Opcode ID: 30e8af4b53c3aa052917812e21e5e8fbde56ed90f0e39d50c947676a587081b9
Instruction ID: 26d8e187c9767089dd41cc348e81244cb4aa05d93f900e65da4c56b398ef69b5
Opcode Fuzzy Hash: 30e8af4b53c3aa052917812e21e5e8fbde56ed90f0e39d50c947676a587081b9
Instruction Fuzzy Hash: 38A12B71E01209EBDB24CFA4C888BEEB7B5BF48315F208159EA01BB2C4D7759A45DF91

Function 00209AE6 Relevance: 10.5, APIs: 7, Instructions: 45
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__init_pointers.LIBCMT ref: 00209AE6

Part of subcall function 00203187: EncodePointer.KERNEL32(00000000), ref: 0020318A
Part of subcall function 00203187: __initp_misc_winsig.LIBCMT ref: 002031A5
Part of subcall function 00203187: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 00209EA0
Part of subcall function 00203187: GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 00209EB4
Part of subcall function 00203187: GetProcAddress.KERNEL32(00000000,FlsFree), ref: 00209EC7
Part of subcall function 00203187: GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 00209EDA
Part of subcall function 00203187: GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 00209EED
Part of subcall function 00203187: GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 00209F00
Part of subcall function 00203187: GetProcAddress.KERNEL32(00000000,CreateEventExW), ref: 00209F13
Part of subcall function 00203187: GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 00209F26
Part of subcall function 00203187: GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 00209F39
Part of subcall function 00203187: GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 00209F4C
Part of subcall function 00203187: GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 00209F5F
Part of subcall function 00203187: GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 00209F72
Part of subcall function 00203187: GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 00209F85
Part of subcall function 00203187: GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 00209F98
Part of subcall function 00203187: GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 00209FAB
Part of subcall function 00203187: GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 00209FBE

__mtinitlocks.LIBCMT ref: 00209AEB
__mtterm.LIBCMT ref: 00209AF4

Part of subcall function 00209B5C: DeleteCriticalSection.KERNEL32(00000000,00000000,?,?,00209AF9,00207CD0,0029A0B8,00000014), ref: 00209C56
Part of subcall function 00209B5C: _free.LIBCMT ref: 00209C5D
Part of subcall function 00209B5C: DeleteCriticalSection.KERNEL32(02*,?,?,00209AF9,00207CD0,0029A0B8,00000014), ref: 00209C7F

__calloc_crt.LIBCMT ref: 00209B19
__initptd.LIBCMT ref: 00209B3B
GetCurrentThreadId.KERNEL32 ref: 00209B42

Memory Dump Source

Source File: 00000000.00000002.2246549404.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2246531073.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.000000000026F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246673436.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246691233.00000000002A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_lExtvSjBgq.jbxd

Similarity

API ID: AddressProc$CriticalDeleteSection$CurrentEncodeHandleModulePointerThread__calloc_crt__init_pointers__initp_misc_winsig__initptd__mtinitlocks__mtterm_free
String ID:
API String ID: 3567560977-0
Opcode ID: 09937f969faa64a54b85a7d791fba7db1a3f3710d818e82163eeae8655d93bc3
Instruction ID: 40f320e3bd5e50e0bdfecc161142383b2936d68e0d9987e32a1580480f4f61a9
Opcode Fuzzy Hash: 09937f969faa64a54b85a7d791fba7db1a3f3710d818e82163eeae8655d93bc3
Instruction Fuzzy Hash: 5AF090326797129AEB34BB74BC0774B3B949F02774F204A1AF4A6D51D3FF6084E149A0

Function 001E39D5 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 001E3A03
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 001E3A24
ShowWindow.USER32(00000000,?,?), ref: 001E3A38
ShowWindow.USER32(00000000,?,?), ref: 001E3A41

Strings

edit, xrefs: 001E3A1E
AutoIt v3, xrefs: 001E39FB, 001E3A00, 001E3A01

Memory Dump Source

Source File: 00000000.00000002.2246549404.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2246531073.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.000000000026F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246673436.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246691233.00000000002A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_lExtvSjBgq.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: 8033e7549498c10a8f8860eb6123253abadd994e3780f2dd44a565683ad266ff
Instruction ID: f1a416a1a7db9270a1ed8fdc2faedb79b89d95d78a3eda0b4bff97609b7e69e7
Opcode Fuzzy Hash: 8033e7549498c10a8f8860eb6123253abadd994e3780f2dd44a565683ad266ff
Instruction Fuzzy Hash: 12F034706012A0BFFA315B23BC4CF2B2E7DE7C7F50F00402ABE00A21B0CAA10850DAB0

Function 00F5CB78 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 171
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00F5CA68: Sleep.KERNELBASE(000001F4), ref: 00F5CA79

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 00F5CD0E

Strings

UVZ3AVP0D6QW7ZIHPAPAGYI8Y, xrefs: 00F5CD7A, 00F5CD7D

Memory Dump Source

Source File: 00000000.00000002.2247128171.0000000000F5A000.00000040.00000020.00020000.00000000.sdmp, Offset: 00F5A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f5a000_lExtvSjBgq.jbxd

Similarity

API ID: CreateFileSleep
String ID: UVZ3AVP0D6QW7ZIHPAPAGYI8Y
API String ID: 2694422964-2014000054
Opcode ID: a60807b329e66ae9dddb1d1bce27906da51921d349e20136268f6569280c4b51
Instruction ID: a6620856112f4f946fbf685ed22bc9cb1981b2d9ea5b68e1c808dfe7f52621ce
Opcode Fuzzy Hash: a60807b329e66ae9dddb1d1bce27906da51921d349e20136268f6569280c4b51
Instruction Fuzzy Hash: FD718530D0438CDAEF15DBE4D814BEEBB75AF15301F004199E619BB2C1D77A4A49CBA6

Function 001E407C Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 88windowCOMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 0021D3D7

Part of subcall function 001E7BCC: _memmove.LIBCMT ref: 001E7C06

_memset.LIBCMT ref: 001E40FC
_wcscpy.LIBCMT ref: 001E4150
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 001E4160

Strings

Line: , xrefs: 0021D400

Memory Dump Source

Source File: 00000000.00000002.2246549404.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2246531073.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.000000000026F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246673436.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246691233.00000000002A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_lExtvSjBgq.jbxd

Similarity

API ID: IconLoadNotifyShell_String_memmove_memset_wcscpy
String ID: Line:
API String ID: 3942752672-1585850449
Opcode ID: beb8a0a5bfb2649d9d95a4169687ed26da2f9d9bf5480a149f873f99c256411f
Instruction ID: 15343c8b620e1f388e06834d41ac1031ec22cf68e1b8429b81f604991467fd9d
Opcode Fuzzy Hash: beb8a0a5bfb2649d9d95a4169687ed26da2f9d9bf5480a149f873f99c256411f
Instruction Fuzzy Hash: DB31D071008B85ABE721EF61EC49BDF77D8AF65310F10451AF685820D2DF74A658CB82

Function 001E686A Relevance: 7.3, APIs: 2, Strings: 2, Instructions: 260COMMON

Download Yara Rule

APIs

Part of subcall function 001E4DDD: LoadLibraryExW.KERNEL32(?,00000000,00000002,?,002A52F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 001E4E0F

_free.LIBCMT ref: 0021E263
_free.LIBCMT ref: 0021E2AA

Part of subcall function 001E6A8C: SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 001E6BAD

Strings

Bad directive syntax error, xrefs: 0021E292
>>>AUTOIT SCRIPT<<<, xrefs: 0021E039

Memory Dump Source

Source File: 00000000.00000002.2246549404.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2246531073.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.000000000026F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246673436.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246691233.00000000002A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_lExtvSjBgq.jbxd

Similarity

API ID: _free$CurrentDirectoryLibraryLoad
String ID: >>>AUTOIT SCRIPT<<<$Bad directive syntax error
API String ID: 2861923089-1757145024
Opcode ID: 1a78fc2709d7e20471b7cef05e55b2a149689eb13d23e27a56d1af49dd114e47
Instruction ID: 1eefec668b8aac3f904262ccac79ec20608fac458609b057c5cd612348fadcbb
Opcode Fuzzy Hash: 1a78fc2709d7e20471b7cef05e55b2a149689eb13d23e27a56d1af49dd114e47
Instruction Fuzzy Hash: E5918E7192065AAFCF04EFA4CC919EDB7B8FF29314F104429F815AB2A1DB709D65CB50

Function 001E35B0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 59registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,00000003,00000000,80000001,80000001,?,001E35A1,SwapMouseButtons,00000004,?), ref: 001E35D4
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,001E35A1,SwapMouseButtons,00000004,?,?,?,?,001E2754), ref: 001E35F5
RegCloseKey.KERNELBASE(00000000,?,?,001E35A1,SwapMouseButtons,00000004,?,?,?,?,001E2754), ref: 001E3617

Strings

Control Panel\Mouse, xrefs: 001E35D2

Memory Dump Source

Source File: 00000000.00000002.2246549404.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2246531073.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.000000000026F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246673436.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246691233.00000000002A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_lExtvSjBgq.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: a675e2b8e85e25f889089983d9af544c37c2ac7775be26fa08389b0c4ca81f2a
Instruction ID: 3596ee1b1785191c989dcfa44d578802df428b5cb1237a2861a892217aee88e9
Opcode Fuzzy Hash: a675e2b8e85e25f889089983d9af544c37c2ac7775be26fa08389b0c4ca81f2a
Instruction Fuzzy Hash: E2114871510648BFDF20CFA5EC88AAEB7B8EF09740F018469E805D7210D3719F409760

Function 00F5BA68 Relevance: 6.7, APIs: 4, Instructions: 720processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 00F5C223
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 00F5C2B9
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 00F5C2DB

Memory Dump Source

Source File: 00000000.00000002.2247128171.0000000000F5A000.00000040.00000020.00020000.00000000.sdmp, Offset: 00F5A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f5a000_lExtvSjBgq.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadThreadWow64
String ID:
API String ID: 2438371351-0
Opcode ID: b497c3f98e6e70b5e646438de2a52bb31286a04038d1a50b70c1a456b66b63a7
Instruction ID: be23b770fe47d0a3f71b11691abeeefad8cb5fd05ec22e1625a5e3ff943c83f3
Opcode Fuzzy Hash: b497c3f98e6e70b5e646438de2a52bb31286a04038d1a50b70c1a456b66b63a7
Instruction Fuzzy Hash: C9620B30A14218DBEB24CFA4CC51BDEB372EF58301F1091A9D60DEB290E7799E85DB59

Function 0024955B Relevance: 6.2, APIs: 4, Instructions: 155COMMON

Download Yara Rule

APIs

Part of subcall function 001E4EE5: _fseek.LIBCMT ref: 001E4EFD

Part of subcall function 00249734: _wcscmp.LIBCMT ref: 00249824
Part of subcall function 00249734: _wcscmp.LIBCMT ref: 00249837

_free.LIBCMT ref: 002496A2
_free.LIBCMT ref: 002496A9
_free.LIBCMT ref: 00249714

Part of subcall function 00202D55: RtlFreeHeap.NTDLL(00000000,00000000,?,00209A24), ref: 00202D69
Part of subcall function 00202D55: GetLastError.KERNEL32(00000000,?,00209A24), ref: 00202D7B

_free.LIBCMT ref: 0024971C

Memory Dump Source

Source File: 00000000.00000002.2246549404.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2246531073.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.000000000026F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246673436.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246691233.00000000002A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_lExtvSjBgq.jbxd

Similarity

API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
String ID:
API String ID: 1552873950-0
Opcode ID: 83a1bf45cb5b46f0fbbb2b282febcfcf75e63ad05b5baa694a85d9b23f0f737c
Instruction ID: e86ca9c3fb66edeb557b26b6ed8faf377c16f5bb4f1c3cae9d2f647fc33ba483
Opcode Fuzzy Hash: 83a1bf45cb5b46f0fbbb2b282febcfcf75e63ad05b5baa694a85d9b23f0f737c
Instruction Fuzzy Hash: 8C517FB1D14258AFDF299F65DC85A9EBBB9EF48300F10049EF209A3241DB715E90CF58

Function 0020470A Relevance: 6.1, APIs: 4, Instructions: 136COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 002047A0
__flush.LIBCMT ref: 002047C0
__write.LIBCMT ref: 002047F3
__flsbuf.LIBCMT ref: 00204821

Part of subcall function 00208B28: __getptd_noexit.LIBCMT ref: 00208B28

Memory Dump Source

Source File: 00000000.00000002.2246549404.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2246531073.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.000000000026F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246673436.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246691233.00000000002A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_lExtvSjBgq.jbxd

Similarity

API ID: __flsbuf__flush__getptd_noexit__write_memmove
String ID:
API String ID: 2782032738-0
Opcode ID: 998aeda2236a74d80706e5f9a46343bd1135ee917ddd04e378ba6ed458c3dace
Instruction ID: 8af68465f3c847b6cc38c5a6570b5a77d34b046d8e6a64040bdfb42e755bed93
Opcode Fuzzy Hash: 998aeda2236a74d80706e5f9a46343bd1135ee917ddd04e378ba6ed458c3dace
Instruction Fuzzy Hash: 7A41F8F4A207469BDB18EE69CC8096EB7A6EF85360B10C53DEA15C76D2D770DD608B40

Function 001E44A0 Relevance: 6.1, APIs: 4, Instructions: 66timewindowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 001E44CF

Part of subcall function 001E407C: _memset.LIBCMT ref: 001E40FC
Part of subcall function 001E407C: _wcscpy.LIBCMT ref: 001E4150
Part of subcall function 001E407C: Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 001E4160

KillTimer.USER32(?,00000001,?,?), ref: 001E4524
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 001E4533
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 0021D4B9

Memory Dump Source

Source File: 00000000.00000002.2246549404.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2246531073.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.000000000026F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246673436.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246691233.00000000002A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_lExtvSjBgq.jbxd

Similarity

API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
String ID:
API String ID: 1378193009-0
Opcode ID: 46ef66083ceca1d309c6f5573f5059de9363ffcb9f84916723a4762477faf6ca
Instruction ID: ff0bc726ad1bc4ba32512e2d86e97f4047af6533645c6bcf8d61070ae023e1e8
Opcode Fuzzy Hash: 46ef66083ceca1d309c6f5573f5059de9363ffcb9f84916723a4762477faf6ca
Instruction Fuzzy Hash: 50210770504794EFEB32CB24A849BEBBBECAF15304F04049DE78E56181C7B42984CB51

Function 001E4C70 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 141COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 001E4CBA

Strings

EA06, xrefs: 0021D8CC
AU3!P/', xrefs: 001E4CB4

Memory Dump Source

Source File: 00000000.00000002.2246549404.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2246531073.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.000000000026F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246673436.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246691233.00000000002A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_lExtvSjBgq.jbxd

Similarity

API ID: _memmove
String ID: AU3!P/'$EA06
API String ID: 4104443479-1088489766
Opcode ID: 06d81544e3294b2280a68d35a8b0c7d63464ead6b62d64edfb6e842497372247
Instruction ID: 2d7ddabef6cda039b85a9c68eeee74206af121800352d77cfb8d5d5a4ed9564e
Opcode Fuzzy Hash: 06d81544e3294b2280a68d35a8b0c7d63464ead6b62d64edfb6e842497372247
Instruction Fuzzy Hash: 66418D31A04AD89BDF259FD6CC517BE7FA2EB75300F294474FC829B282D7209D4483A1

Function 001E7285 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 65COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0021EA39
GetOpenFileNameW.COMDLG32(?), ref: 0021EA83

Part of subcall function 001E4750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,001E4743,?,?,001E37AE,?), ref: 001E4770

Part of subcall function 00200791: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 002007B0

Strings

X, xrefs: 0021EA51

Memory Dump Source

Source File: 00000000.00000002.2246549404.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2246531073.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.000000000026F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246673436.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246691233.00000000002A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_lExtvSjBgq.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen_memset
String ID: X
API String ID: 3777226403-3081909835
Opcode ID: f90d247d8d507088d56ca2403edf874d9ab9949f3823528b59d7069d6333bb9b
Instruction ID: e3a469ac15af81faece30fd42601e47518ddaf486c72696c02ec6dc83699c809
Opcode Fuzzy Hash: f90d247d8d507088d56ca2403edf874d9ab9949f3823528b59d7069d6333bb9b
Instruction Fuzzy Hash: A1210530A106889BDF01DF94DC45BEE7BF8AF19300F04405AE908A7281DFF459988FA1

Function 002498E3 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?), ref: 002498F8
GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 0024990F

Strings

aut, xrefs: 00249909

Memory Dump Source

Source File: 00000000.00000002.2246549404.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2246531073.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.000000000026F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246673436.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246691233.00000000002A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_lExtvSjBgq.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: 2ca15b66cab6809419261bbc2533b88ddd339ac9dc7a22a33e79f7f2d00b5109
Instruction ID: 5b7100d49f306d70d69340e759b86532a435d7005e3ba98bcd7bc0d1d5f04b06
Opcode Fuzzy Hash: 2ca15b66cab6809419261bbc2533b88ddd339ac9dc7a22a33e79f7f2d00b5109
Instruction Fuzzy Hash: C3D05E7954030DABDF909BA0FC0EF9A773CE704704F0042B1FE54910A1EAB095A88FA1

Function 0025CADD Relevance: 4.9, APIs: 3, Instructions: 392COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2246549404.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2246531073.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.000000000026F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246673436.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246691233.00000000002A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_lExtvSjBgq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d13f32885c9c3b34c1bb834cd73738ad51bef2a5b3073655c2fc4ed1969c82ca
Instruction ID: 24115fe6e406845bce4da6179da76dd804f3c2eb55fec5a50cbe4f9fc89048ae
Opcode Fuzzy Hash: d13f32885c9c3b34c1bb834cd73738ad51bef2a5b3073655c2fc4ed1969c82ca
Instruction Fuzzy Hash: 79F147706183419FCB14DF29C484A6EBBE5FF88314F24892EF8999B251D770E959CF82

Function 001E434A Relevance: 4.6, APIs: 3, Instructions: 77windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 001E4370
Shell_NotifyIconW.SHELL32(00000000,?), ref: 001E4415
Shell_NotifyIconW.SHELL32(00000001,?), ref: 001E4432

Memory Dump Source

Source File: 00000000.00000002.2246549404.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2246531073.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.000000000026F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246673436.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246691233.00000000002A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_lExtvSjBgq.jbxd

Similarity

API ID: IconNotifyShell_$_memset
String ID:
API String ID: 1505330794-0
Opcode ID: 6884f39195637eeb8e60eaa7f29d17efa1cc6c0f0e2680d1d0a8ee3d2aa2698d
Instruction ID: 7c9bb0b8909f5d30629e23dde5ecb2ed00587f1844a780acc35425744d6a2e56
Opcode Fuzzy Hash: 6884f39195637eeb8e60eaa7f29d17efa1cc6c0f0e2680d1d0a8ee3d2aa2698d
Instruction Fuzzy Hash: E6318570504B51DFD761DF35E88879BBBF8FB59308F00092EF69A82291D771A944CB52

Function 0020571C Relevance: 4.6, APIs: 3, Instructions: 59memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

__FF_MSGBANNER.LIBCMT ref: 00205733

Part of subcall function 0020A16B: __NMSG_WRITE.LIBCMT ref: 0020A192
Part of subcall function 0020A16B: __NMSG_WRITE.LIBCMT ref: 0020A19C

__NMSG_WRITE.LIBCMT ref: 0020573A

Part of subcall function 0020A1C8: GetModuleFileNameW.KERNEL32(00000000,002A33BA,00000104,?,00000001,00000000), ref: 0020A25A
Part of subcall function 0020A1C8: ___crtMessageBoxW.LIBCMT ref: 0020A308

Part of subcall function 0020309F: ___crtCorExitProcess.LIBCMT ref: 002030A5
Part of subcall function 0020309F: ExitProcess.KERNEL32 ref: 002030AE

Part of subcall function 00208B28: __getptd_noexit.LIBCMT ref: 00208B28

RtlAllocateHeap.NTDLL(00EC0000,00000000,00000001,00000000,?,?,?,00200DD3,?), ref: 0020575F

Memory Dump Source

Source File: 00000000.00000002.2246549404.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2246531073.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.000000000026F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246673436.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246691233.00000000002A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_lExtvSjBgq.jbxd

Similarity

API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
String ID:
API String ID: 1372826849-0
Opcode ID: ad4a6183485bd23805147fcf489f24c233a9f11832523b6d0691366aeb18a5dc
Instruction ID: aa988ffbdb7680473347ded99abe9e3e1dce2ff1ad3b4484e28af47853d0cbf1
Opcode Fuzzy Hash: ad4a6183485bd23805147fcf489f24c233a9f11832523b6d0691366aeb18a5dc
Instruction Fuzzy Hash: 77019235270B22DBD7106B38AC86A2BB3489B82761F500536F409DA1E3DEB49C20AE61

Function 002498A2 Relevance: 4.5, APIs: 3, Instructions: 24filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,?,?,00249548,?,?,?,?,?,00000004), ref: 002498BB
SetFileTime.KERNELBASE(00000000,?,00000000,?,?,00249548,?,?,?,?,?,00000004,00000001,?,?,00000004), ref: 002498D1
CloseHandle.KERNEL32(00000000,?,00249548,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 002498D8

Memory Dump Source

Source File: 00000000.00000002.2246549404.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2246531073.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.000000000026F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246673436.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246691233.00000000002A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_lExtvSjBgq.jbxd

Similarity

API ID: File$CloseCreateHandleTime
String ID:
API String ID: 3397143404-0
Opcode ID: 76c660fb6ba6a9dda20e4b5ffff83130784de7e427975046a0bf5dff8a986588
Instruction ID: a71f42da737022dee9cbd83defc2255b74fb85fd1410fe8f83821e65b45d9a12
Opcode Fuzzy Hash: 76c660fb6ba6a9dda20e4b5ffff83130784de7e427975046a0bf5dff8a986588
Instruction Fuzzy Hash: 9BE08632141214B7DB211F54FD0DFCA7B59AB067A0F108220FB14690E087F115219798

Function 00248D0D Relevance: 4.5, APIs: 3, Instructions: 22COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00248D1B

Part of subcall function 00202D55: RtlFreeHeap.NTDLL(00000000,00000000,?,00209A24), ref: 00202D69
Part of subcall function 00202D55: GetLastError.KERNEL32(00000000,?,00209A24), ref: 00202D7B

_free.LIBCMT ref: 00248D2C
_free.LIBCMT ref: 00248D3E

Memory Dump Source

Source File: 00000000.00000002.2246549404.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2246531073.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.000000000026F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246673436.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246691233.00000000002A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_lExtvSjBgq.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 625e2a9df38ff8793e00647abbe9ccf0d6414545c555b0c4696158d27d9f7751
Instruction ID: e0cb5193624e2ad2f2a50d7f736573cda1c8edb52b83b9e303229b760aaf1420
Opcode Fuzzy Hash: 625e2a9df38ff8793e00647abbe9ccf0d6414545c555b0c4696158d27d9f7751
Instruction Fuzzy Hash: B0E012A1A32712C6CB28A9B8B944A9713DC4F5C752754091EB40DD71C7CE64FC668524

Function 001EA9C3 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 534COMMON

Download Yara Rule

Strings

CALL, xrefs: 0021FC01

Memory Dump Source

Source File: 00000000.00000002.2246549404.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2246531073.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.000000000026F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246673436.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246691233.00000000002A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_lExtvSjBgq.jbxd

Similarity

API ID:
String ID: CALL
API String ID: 0-4196123274
Opcode ID: 3f88842bbc6cf8ac77ab51e64f2006fef932694c77a343773387c30995f0789a
Instruction ID: 3b4f5eb2f5a3c29488f4a561c6fcb3d8eef98db51cc672a9d134063046c3ba46
Opcode Fuzzy Hash: 3f88842bbc6cf8ac77ab51e64f2006fef932694c77a343773387c30995f0789a
Instruction Fuzzy Hash: B9227970518781DFD728DF15C494A6EBBE1BF88304F15896DE89A8B362D731EC85CB82

Function 001E7A51 Relevance: 3.1, APIs: 2, Instructions: 97COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 001E7AAB
_memmove.LIBCMT ref: 001E7B16

Memory Dump Source

Source File: 00000000.00000002.2246549404.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2246531073.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.000000000026F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246673436.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246691233.00000000002A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_lExtvSjBgq.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 9dd4efb868ffb8a5767105da0b16a8b73f80e319b4c4c742e2df27cd6dceb9ed
Instruction ID: fc9d126b7d651382f6805460d13999b2b72fc68ae48983787603f54b27097678
Opcode Fuzzy Hash: 9dd4efb868ffb8a5767105da0b16a8b73f80e319b4c4c742e2df27cd6dceb9ed
Instruction Fuzzy Hash: 4131B8B1614A46AFD704DF69C8D1E6DF3A5FF88310B198629E519CB3D1EB30E960CB90

Function 00200DB6 Relevance: 3.0, APIs: 2, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0020571C: __FF_MSGBANNER.LIBCMT ref: 00205733
Part of subcall function 0020571C: __NMSG_WRITE.LIBCMT ref: 0020573A
Part of subcall function 0020571C: RtlAllocateHeap.NTDLL(00EC0000,00000000,00000001,00000000,?,?,?,00200DD3,?), ref: 0020575F

std::exception::exception.LIBCMT ref: 00200DEC
__CxxThrowException@8.LIBCMT ref: 00200E01

Part of subcall function 0020859B: RaiseException.KERNEL32(?,?,?,00299E78,00000000,?,?,?,?,00200E06,?,00299E78,?,00000001), ref: 002085F0

Memory Dump Source

Source File: 00000000.00000002.2246549404.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2246531073.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.000000000026F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246673436.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246691233.00000000002A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_lExtvSjBgq.jbxd

Similarity

API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
String ID:
API String ID: 3902256705-0
Opcode ID: f0b43c38314c0565bbaea9f9b0c42166e92267abafbdeb7a29050bea896c52b8
Instruction ID: 9cdd05f64a29a77da78a1db7fcc433aac060b603f995a3fe712927922f19e12f
Opcode Fuzzy Hash: f0b43c38314c0565bbaea9f9b0c42166e92267abafbdeb7a29050bea896c52b8
Instruction Fuzzy Hash: BEF0A93152031EA6DB10AE98EC41ADF77ACDF05311F104456F948A61D3DF719A74D9E1

Function 002053A6 Relevance: 3.0, APIs: 2, Instructions: 33COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00208B28: __getptd_noexit.LIBCMT ref: 00208B28

__lock_file.LIBCMT ref: 002053EB

Part of subcall function 00206C11: __lock.LIBCMT ref: 00206C34

__fclose_nolock.LIBCMT ref: 002053F6

Memory Dump Source

Source File: 00000000.00000002.2246549404.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2246531073.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.000000000026F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246673436.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246691233.00000000002A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_lExtvSjBgq.jbxd

Similarity

API ID: __fclose_nolock__getptd_noexit__lock__lock_file
String ID:
API String ID: 2800547568-0
Opcode ID: 89ab5753cfe8e85408a3a1ce26f0b8334097effefe10a71abcc86e68e803ee73
Instruction ID: 513f3f7394dd5d301b35a8e452d5843e5abcaba55d63440f666fe746fb4103bc
Opcode Fuzzy Hash: 89ab5753cfe8e85408a3a1ce26f0b8334097effefe10a71abcc86e68e803ee73
Instruction Fuzzy Hash: AEF09031830B159ADB10BF7598067AF76A06F41374F258249A4A4AB1C3CBFC89619F62

Function 00F5BA65 Relevance: 1.9, APIs: 1, Instructions: 400processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 00F5C223
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 00F5C2B9
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 00F5C2DB

Memory Dump Source

Source File: 00000000.00000002.2247128171.0000000000F5A000.00000040.00000020.00020000.00000000.sdmp, Offset: 00F5A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f5a000_lExtvSjBgq.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadThreadWow64
String ID:
API String ID: 2438371351-0
Opcode ID: f9c04f56f6e2c6f85c849e8443e087477217ac0bd06f40ce2b8fc88a40a2bb6b
Instruction ID: 3d3df925eac37694a422327759b45adffa79c65c43aba2e524430406cad82b9d
Opcode Fuzzy Hash: f9c04f56f6e2c6f85c849e8443e087477217ac0bd06f40ce2b8fc88a40a2bb6b
Instruction Fuzzy Hash: F712DF20E14658C6EB24DF64D8507DEB232EF68301F10A0E9910DEB7A5E77A4F85CF5A

Function 00200C08 Relevance: 1.6, APIs: 1, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE ref: 00200CB7

Memory Dump Source

Source File: 00000000.00000002.2246549404.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2246531073.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.000000000026F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246673436.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246691233.00000000002A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_lExtvSjBgq.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction ID: 590c2f5bd641ccbb740d314ba80d0a536900d45bcaf845eddf9d340c04f91291
Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction Fuzzy Hash: 5A31A770A102069BE718DF58C4C4A69F7B5FB59300F6886A6E40ACB396D771EDE1DB80

Function 0021FCAC Relevance: 1.6, APIs: 1, Instructions: 88COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 0021FCB7

Memory Dump Source

Source File: 00000000.00000002.2246549404.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2246531073.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.000000000026F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246673436.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246691233.00000000002A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_lExtvSjBgq.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: 2c9129d829bfe03b71dce4877f4f1a73a051f332e963bc3f2dbe78c6944024fe
Instruction ID: f6ebda1ed63346e938cbdf38f764d86e98c2ad305ac32715444c308b8426d1bb
Opcode Fuzzy Hash: 2c9129d829bfe03b71dce4877f4f1a73a051f332e963bc3f2dbe78c6944024fe
Instruction Fuzzy Hash: 0A412774508751DFDB14DF15C484B1ABBE1BF49318F1988ACE8998B362C731E855CF52

Function 001E7B53 Relevance: 1.6, APIs: 1, Instructions: 84COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 001E7BB3

Memory Dump Source

Source File: 00000000.00000002.2246549404.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2246531073.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.000000000026F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246673436.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246691233.00000000002A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_lExtvSjBgq.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 4ba02f4591312cf4a0ed71574ccf86de6ff97123af463ce1f77dbb092e238bad
Instruction ID: 30de4c1a7f8f0b94909339dabde00ede8872eabcfda08ecf927a359855256f00
Opcode Fuzzy Hash: 4ba02f4591312cf4a0ed71574ccf86de6ff97123af463ce1f77dbb092e238bad
Instruction Fuzzy Hash: A9210572624A08EBEF144F16FC417AD7BF4FB24350F22842FE885C5090EB3080E09781

Function 001E4DDD Relevance: 1.6, APIs: 1, Instructions: 64libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 001E4BB5: FreeLibrary.KERNEL32(00000000,?), ref: 001E4BEF

Part of subcall function 0020525B: __wfsopen.LIBCMT ref: 00205266

LoadLibraryExW.KERNEL32(?,00000000,00000002,?,002A52F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 001E4E0F

Part of subcall function 001E4B6A: FreeLibrary.KERNEL32(00000000), ref: 001E4BA4

Part of subcall function 001E4C70: _memmove.LIBCMT ref: 001E4CBA

Memory Dump Source

Source File: 00000000.00000002.2246549404.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2246531073.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.000000000026F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246673436.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246691233.00000000002A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_lExtvSjBgq.jbxd

Similarity

API ID: Library$Free$Load__wfsopen_memmove
String ID:
API String ID: 1396898556-0
Opcode ID: 8bdb43fafc463dea694a5a5a957da57e1890dbe1c896dc9f46ba5446877a7347
Instruction ID: 836d2ca02a1077bda1131d2b61d301b3360aba28540659ff578ff1f971d06eea
Opcode Fuzzy Hash: 8bdb43fafc463dea694a5a5a957da57e1890dbe1c896dc9f46ba5446877a7347
Instruction Fuzzy Hash: 0811E331610646ABCF14EF75C816FAE77A8AF54B10F108829F942A7181DB759A119B50

Function 0021FD85 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32(?), ref: 0021FD91

Memory Dump Source

Source File: 00000000.00000002.2246549404.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2246531073.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.000000000026F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246673436.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246691233.00000000002A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_lExtvSjBgq.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: 950b91271eef887e9b343f314cf94b5be4141b11bd7d7ffe7d49070adda71c8c
Instruction ID: 9deb68d4cd1f46c63e32f13649888c5cd2b219a4b3b8545a2e7bcbabf3d0cd3f
Opcode Fuzzy Hash: 950b91271eef887e9b343f314cf94b5be4141b11bd7d7ffe7d49070adda71c8c
Instruction Fuzzy Hash: 812122B0918741DFDB14DF64C884A2EBBE1BF88304F058868F98A57762D731E814CB92

Function 0020072A Relevance: 1.5, APIs: 1, Instructions: 45COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 002007B0

Memory Dump Source

Source File: 00000000.00000002.2246549404.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2246531073.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.000000000026F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246673436.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246691233.00000000002A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_lExtvSjBgq.jbxd

Similarity

API ID: LongNamePath
String ID:
API String ID: 82841172-0
Opcode ID: 93828b0f7d449951fec27b0093aa7a2bc9f16c7dda435481036d6c76ff432394
Instruction ID: 6d5defc5eca88f705289b5991f015e49b0486bdc705f560fa1c6c5a91832d334
Opcode Fuzzy Hash: 93828b0f7d449951fec27b0093aa7a2bc9f16c7dda435481036d6c76ff432394
Instruction Fuzzy Hash: 2E0149735545549FC321CB20EC46EE477B8EF86220B0801E6FC94CB861D624AE18CB91

Function 00204863 Relevance: 1.5, APIs: 1, Instructions: 36COMMON

Download Yara Rule

APIs

__lock_file.LIBCMT ref: 002048A6

Part of subcall function 00208B28: __getptd_noexit.LIBCMT ref: 00208B28

Memory Dump Source

Source File: 00000000.00000002.2246549404.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2246531073.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.000000000026F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246673436.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246691233.00000000002A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_lExtvSjBgq.jbxd

Similarity

API ID: __getptd_noexit__lock_file
String ID:
API String ID: 2597487223-0
Opcode ID: 0749deeab5b93385ecbfdedf90c3b1082e54d0d460fef8b3592fc0bf9b9376a1
Instruction ID: 24860319d447cf6a45adb1c00356085015a832eb7662c2d3f46190c48abf8172
Opcode Fuzzy Hash: 0749deeab5b93385ecbfdedf90c3b1082e54d0d460fef8b3592fc0bf9b9376a1
Instruction Fuzzy Hash: AFF08171920709EBDF11BF648C0979E76A0AF01325F15C914B5149A1D3CB788971DF51

Function 001E4E4A Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,002A52F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 001E4E7E

Memory Dump Source

Source File: 00000000.00000002.2246549404.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2246531073.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.000000000026F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246673436.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246691233.00000000002A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_lExtvSjBgq.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 6cb70d716c5f56bc4f3e7f710c73434ccf795d26f72553a16a66e9b459314da6
Instruction ID: 7301c6221fe6d03539f4663950e67657b6b6cca21041e66554757e66c46ce2c9
Opcode Fuzzy Hash: 6cb70d716c5f56bc4f3e7f710c73434ccf795d26f72553a16a66e9b459314da6
Instruction Fuzzy Hash: DBF03071505B51CFCB349F65E49481AB7E1BF14365315897EE1D682610C7759840DF40

Function 00200791 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 002007B0

Part of subcall function 001E7BCC: _memmove.LIBCMT ref: 001E7C06

Memory Dump Source

Source File: 00000000.00000002.2246549404.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2246531073.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.000000000026F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246673436.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246691233.00000000002A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_lExtvSjBgq.jbxd

Similarity

API ID: LongNamePath_memmove
String ID:
API String ID: 2514874351-0
Opcode ID: 3e3439a14612873335806582bed8f816fa841b891380182fb8a19045b10caf0a
Instruction ID: 68cf9b4bbeed4b1b464732a16c72c482c3e1098a09bbefc9f284aaf1a8484159
Opcode Fuzzy Hash: 3e3439a14612873335806582bed8f816fa841b891380182fb8a19045b10caf0a
Instruction Fuzzy Hash: 7BE0CD3690412857C720D659AC06FEA77DDDF887A0F0441B5FD0CD7248D9709C908AD0

Function 0020525B Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

__wfsopen.LIBCMT ref: 00205266

Memory Dump Source

Source File: 00000000.00000002.2246549404.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2246531073.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.000000000026F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246673436.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246691233.00000000002A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_lExtvSjBgq.jbxd

Similarity

API ID: __wfsopen
String ID:
API String ID: 197181222-0
Opcode ID: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
Instruction ID: e6c601143906ccddd45389a7b606dbd80d5ebdd34d5020e2dd752cb52627b2a5
Opcode Fuzzy Hash: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
Instruction Fuzzy Hash: ADB0927644020C7BCF012A82EC02A4A3B199B41764F408020FF0C181A2A673A6749E89

Function 00F5CA64 Relevance: 1.3, APIs: 1, Instructions: 21sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000001F4), ref: 00F5CA79

Memory Dump Source

Source File: 00000000.00000002.2247128171.0000000000F5A000.00000040.00000020.00020000.00000000.sdmp, Offset: 00F5A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f5a000_lExtvSjBgq.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
Instruction ID: 8c4dd6e240bab75ff16340a6a55999b7b900a8cc3b35ccc39761991f330eec37
Opcode Fuzzy Hash: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
Instruction Fuzzy Hash: 43E0BF7494020EEFDB00DFB4D5496DD7BB4EF04302F1005A1FD05D7680DB309E549A62

Function 00F5CA68 Relevance: 1.3, APIs: 1, Instructions: 18sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000001F4), ref: 00F5CA79

Memory Dump Source

Source File: 00000000.00000002.2247128171.0000000000F5A000.00000040.00000020.00020000.00000000.sdmp, Offset: 00F5A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f5a000_lExtvSjBgq.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction ID: cb7251c43be05bd413c4136351a2d32e1a7b592ff61010ef0405f7cccb05e0d4
Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction Fuzzy Hash: A7E0E67494020EDFDB00DFB4D54969D7FB4EF04302F100161FD05D2280D7309D509A62

Non-executed Functions

Function 0026CABC Relevance: 77.6, APIs: 40, Strings: 4, Instructions: 632windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 001E2612: GetWindowLongW.USER32(?,000000EB), ref: 001E2623

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 0026CB37
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0026CB95
GetWindowLongW.USER32(?,000000F0), ref: 0026CBD6
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0026CC00
SendMessageW.USER32 ref: 0026CC29
_wcsncpy.LIBCMT ref: 0026CC95
GetKeyState.USER32(00000011), ref: 0026CCB6
GetKeyState.USER32(00000009), ref: 0026CCC3
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0026CCD9
GetKeyState.USER32(00000010), ref: 0026CCE3
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0026CD0C
SendMessageW.USER32 ref: 0026CD33
SendMessageW.USER32(?,00001030,?,0026B348), ref: 0026CE37
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 0026CE4D
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 0026CE60
SetCapture.USER32(?), ref: 0026CE69
ClientToScreen.USER32(?,?), ref: 0026CECE
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 0026CEDB
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 0026CEF5
ReleaseCapture.USER32 ref: 0026CF00
GetCursorPos.USER32(?), ref: 0026CF3A
ScreenToClient.USER32(?,?), ref: 0026CF47
SendMessageW.USER32(?,00001012,00000000,?), ref: 0026CFA3
SendMessageW.USER32 ref: 0026CFD1
SendMessageW.USER32(?,00001111,00000000,?), ref: 0026D00E
SendMessageW.USER32 ref: 0026D03D
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 0026D05E
SendMessageW.USER32(?,0000110B,00000009,?), ref: 0026D06D
GetCursorPos.USER32(?), ref: 0026D08D
ScreenToClient.USER32(?,?), ref: 0026D09A
GetParent.USER32(?), ref: 0026D0BA
SendMessageW.USER32(?,00001012,00000000,?), ref: 0026D123
SendMessageW.USER32 ref: 0026D154
ClientToScreen.USER32(?,?), ref: 0026D1B2
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 0026D1E2
SendMessageW.USER32(?,00001111,00000000,?), ref: 0026D20C
SendMessageW.USER32 ref: 0026D22F
ClientToScreen.USER32(?,?), ref: 0026D281
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 0026D2B5

Part of subcall function 001E25DB: GetWindowLongW.USER32(?,000000EB), ref: 001E25EC

GetWindowLongW.USER32(?,000000F0), ref: 0026D351

Strings

F, xrefs: 0026D235
xM, xrefs: 0026CC5F, 0026CDBA, 0026CDDD, 0026CE0F, 0026CF5F, 0026D0E0, 0026D18C, 0026D1BC, 0026D25F, 0026D28B, 0026D2DB, 0026D33E, 0026D362, 0026D38C
@GUI_DRAGID, xrefs: 0026CE9C
pb*, xrefs: 0026CEAF

Memory Dump Source

Source File: 00000000.00000002.2246549404.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2246531073.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.000000000026F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246673436.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246691233.00000000002A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_lExtvSjBgq.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease_wcsncpy
String ID: @GUI_DRAGID$F$pb*$xM
API String ID: 3977979337-1954401080
Opcode ID: 48068eeedefc0202b50c03716b247cd8c40d6c7543f0715f9032a477c8654066
Instruction ID: efcbafcd05edfd19aecf97baecde4983a9c6d931754a28087f6c1c9c5ff7198f
Opcode Fuzzy Hash: 48068eeedefc0202b50c03716b247cd8c40d6c7543f0715f9032a477c8654066
Instruction Fuzzy Hash: 4142EF34614641AFDB20DF24E888EBABBE5FF49314F244519F5A5872B0C771D8A0DF92

Function 001F6F9E Relevance: 52.3, APIs: 19, Strings: 8, Instructions: 5018COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 001F71C3
_memset.LIBCMT ref: 001F7539
_memmove.LIBCMT ref: 001F76AC

Strings

[:>:]], xrefs: 001F7492
Q\E, xrefs: 001F7FCB
\b(?=\w), xrefs: 00233769
DEFINE, xrefs: 00232103
P\), xrefs: 00231AB8
\b(?<=\w), xrefs: 00233773
[:<:]], xrefs: 001F7479
]), xrefs: 00231A22

Memory Dump Source

Source File: 00000000.00000002.2246549404.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2246531073.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.000000000026F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246673436.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246691233.00000000002A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_lExtvSjBgq.jbxd

Similarity

API ID: _memmove$_memset
String ID: ])$DEFINE$P\)$Q\E$[:<:]]$[:>:]]$\b(?<=\w)$\b(?=\w)
API String ID: 1357608183-1781545781
Opcode ID: 57de71f699143e8e837c8023048282a64dc593bfb7da8a2554b0e9f34c33b5ff
Instruction ID: 7d5e3870980a8737d59db1330fdaf6c1d6ec8ef9530729be7e30514f1c6c5ec1
Opcode Fuzzy Hash: 57de71f699143e8e837c8023048282a64dc593bfb7da8a2554b0e9f34c33b5ff
Instruction Fuzzy Hash: E19393B5A1421ADFDB24CF58C881BBDB7B1FF48710F25816AE945EB281E7709E91CB40

Function 001E48D7 Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 131keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,?), ref: 001E48DF
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0021D665
IsIconic.USER32(?), ref: 0021D66E
ShowWindow.USER32(?,00000009), ref: 0021D67B
SetForegroundWindow.USER32(?), ref: 0021D685
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0021D69B
GetCurrentThreadId.KERNEL32 ref: 0021D6A2
GetWindowThreadProcessId.USER32(?,00000000), ref: 0021D6AE
AttachThreadInput.USER32(?,00000000,00000001), ref: 0021D6BF
AttachThreadInput.USER32(?,00000000,00000001), ref: 0021D6C7
AttachThreadInput.USER32(00000000,?,00000001), ref: 0021D6CF
SetForegroundWindow.USER32(?), ref: 0021D6D2
MapVirtualKeyW.USER32(00000012,00000000), ref: 0021D6E7
keybd_event.USER32(00000012,00000000), ref: 0021D6F2
MapVirtualKeyW.USER32(00000012,00000000), ref: 0021D6FC
keybd_event.USER32(00000012,00000000), ref: 0021D701
MapVirtualKeyW.USER32(00000012,00000000), ref: 0021D70A
keybd_event.USER32(00000012,00000000), ref: 0021D70F
MapVirtualKeyW.USER32(00000012,00000000), ref: 0021D719
keybd_event.USER32(00000012,00000000), ref: 0021D71E
SetForegroundWindow.USER32(?), ref: 0021D721
AttachThreadInput.USER32(?,?,00000000), ref: 0021D748

Strings

Shell_TrayWnd, xrefs: 0021D660

Memory Dump Source

Source File: 00000000.00000002.2246549404.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2246531073.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.000000000026F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246673436.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246691233.00000000002A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_lExtvSjBgq.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: a46f74a9b1616625bf250fe0a22537ba15b5ba9cdc630836206267e59aa56aaa
Instruction ID: bbf1bd862cf8e2195e596a8914adb7b5639a4dc45c46a134e37a13049ad917ea
Opcode Fuzzy Hash: a46f74a9b1616625bf250fe0a22537ba15b5ba9cdc630836206267e59aa56aaa
Instruction Fuzzy Hash: C031A771A90318BBEF216F61AD49FBF7F6CEB44B50F104025FA05EA1D1C6F05C51AAA1

Function 00238310 Relevance: 35.2, APIs: 17, Strings: 3, Instructions: 224COMMON

Download Yara Rule

APIs

Part of subcall function 002387E1: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0023882B
Part of subcall function 002387E1: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00238858
Part of subcall function 002387E1: GetLastError.KERNEL32 ref: 00238865

_memset.LIBCMT ref: 00238353
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 002383A5
CloseHandle.KERNEL32(?), ref: 002383B6
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 002383CD
GetProcessWindowStation.USER32 ref: 002383E6
SetProcessWindowStation.USER32(00000000), ref: 002383F0
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 0023840A

Part of subcall function 002381CB: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00238309), ref: 002381E0
Part of subcall function 002381CB: CloseHandle.KERNEL32(?,?,00238309), ref: 002381F2

Strings

default, xrefs: 00238405
, xrefs: 00238362
winsta0, xrefs: 002383C8

Memory Dump Source

Source File: 00000000.00000002.2246549404.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2246531073.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.000000000026F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246673436.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246691233.00000000002A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_lExtvSjBgq.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
String ID: $default$winsta0
API String ID: 2063423040-1027155976
Opcode ID: dea4d1a06cb5b78fe8d776a99e766c4f1fd98c0f4a0faaeaa389a47c3c33146a
Instruction ID: d1c18370ead775b25bb8f4111b3f7e57184436eb85f3a3ead0d5f22f8612d783
Opcode Fuzzy Hash: dea4d1a06cb5b78fe8d776a99e766c4f1fd98c0f4a0faaeaa389a47c3c33146a
Instruction Fuzzy Hash: 348150B192030AAFDF119FA4DD49AEE7B79FF04304F148169F915BA161DB718E24DB20

Function 0024C75C Relevance: 28.3, APIs: 13, Strings: 3, Instructions: 280timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 0024C78D
FindClose.KERNEL32(00000000), ref: 0024C7E1
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0024C806
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0024C81D
FileTimeToSystemTime.KERNEL32(?,?), ref: 0024C844
__swprintf.LIBCMT ref: 0024C890
__swprintf.LIBCMT ref: 0024C8D3

Part of subcall function 001E7DE1: _memmove.LIBCMT ref: 001E7E22

__swprintf.LIBCMT ref: 0024C927

Part of subcall function 00203698: __woutput_l.LIBCMT ref: 002036F1

__swprintf.LIBCMT ref: 0024C975

Part of subcall function 00203698: __flsbuf.LIBCMT ref: 00203713
Part of subcall function 00203698: __flsbuf.LIBCMT ref: 0020372B

__swprintf.LIBCMT ref: 0024C9C4
__swprintf.LIBCMT ref: 0024CA13
__swprintf.LIBCMT ref: 0024CA62

Strings

%4d, xrefs: 0024C8CD
%02d, xrefs: 0024C91B, 0024C925, 0024C973, 0024C9C2, 0024CA11, 0024CA60
%4d%02d%02d%02d%02d%02d, xrefs: 0024C88A

Memory Dump Source

Source File: 00000000.00000002.2246549404.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2246531073.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.000000000026F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246673436.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246691233.00000000002A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_lExtvSjBgq.jbxd

Similarity

API ID: __swprintf$FileTime$FindLocal__flsbuf$CloseFirstSystem__woutput_l_memmove
String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
API String ID: 3953360268-2428617273
Opcode ID: 741e18dca31658c587cca3f057050fc09b36f2bf15de66f12ebf5c191e5f3961
Instruction ID: 0e145f076bd1d363919e5f6bb6bfcf2660bb2fbf83b283edcd322980db225fc8
Opcode Fuzzy Hash: 741e18dca31658c587cca3f057050fc09b36f2bf15de66f12ebf5c191e5f3961
Instruction Fuzzy Hash: 4EA16DB1418785ABD744EFA5C885DAFB7ECFF95704F400929F58587192EB30DA08CB62

Function 0024EF95 Relevance: 28.1, APIs: 15, Strings: 1, Instructions: 119fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,76228FB0,?,00000000), ref: 0024EFB6
_wcscmp.LIBCMT ref: 0024EFCB
_wcscmp.LIBCMT ref: 0024EFE2
GetFileAttributesW.KERNEL32(?), ref: 0024EFF4
SetFileAttributesW.KERNEL32(?,?), ref: 0024F00E
FindNextFileW.KERNEL32(00000000,?), ref: 0024F026
FindClose.KERNEL32(00000000), ref: 0024F031
FindFirstFileW.KERNEL32(*.*,?), ref: 0024F04D
_wcscmp.LIBCMT ref: 0024F074
_wcscmp.LIBCMT ref: 0024F08B
SetCurrentDirectoryW.KERNEL32(?), ref: 0024F09D
SetCurrentDirectoryW.KERNEL32(00298920), ref: 0024F0BB
FindNextFileW.KERNEL32(00000000,00000010), ref: 0024F0C5
FindClose.KERNEL32(00000000), ref: 0024F0D2
FindClose.KERNEL32(00000000), ref: 0024F0E4

Strings

*.*, xrefs: 0024F048

Memory Dump Source

Source File: 00000000.00000002.2246549404.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2246531073.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.000000000026F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246673436.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246691233.00000000002A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_lExtvSjBgq.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1803514871-438819550
Opcode ID: d0e8476d944ca02fe0d14fb6213416c55edc4941624412995a5d2420af672974
Instruction ID: 94a372928846c3ebdf6a00747a3d4c09ef8e0842af25a44679e66c7a28a84649
Opcode Fuzzy Hash: d0e8476d944ca02fe0d14fb6213416c55edc4941624412995a5d2420af672974
Instruction Fuzzy Hash: 3231F5325112096BDF58DFB4FD48AEE77AC9F89360F144176E804E21A1EBB0DA64CE61

Function 00260857 Relevance: 26.7, APIs: 9, Strings: 6, Instructions: 477registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00260953
RegCreateKeyExW.ADVAPI32(?,?,00000000,0026F910,00000000,?,00000000,?,?), ref: 002609C1
RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 00260A09
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 00260A92
RegCloseKey.ADVAPI32(?), ref: 00260DB2
RegCloseKey.ADVAPI32(00000000), ref: 00260DBF

Strings

REG_MULTI_SZ, xrefs: 00260B7A
REG_BINARY, xrefs: 00260D4D
REG_QWORD, xrefs: 00260D00
REG_EXPAND_SZ, xrefs: 00260A2F
REG_DWORD, xrefs: 00260C83
REG_SZ, xrefs: 00260AD0

Memory Dump Source

Source File: 00000000.00000002.2246549404.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2246531073.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.000000000026F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246673436.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246691233.00000000002A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_lExtvSjBgq.jbxd

Similarity

API ID: Close$ConnectCreateRegistryValue
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 536824911-966354055
Opcode ID: 33a0799db0d924566a3da04af2197fec1c3deb475000d37084b782dcb9e091e3
Instruction ID: 45202b4f3dd4a9cbbc84c12819e37e0262c49483b2e64cfaf98b855dfe5e0425
Opcode Fuzzy Hash: 33a0799db0d924566a3da04af2197fec1c3deb475000d37084b782dcb9e091e3
Instruction Fuzzy Hash: D10258756106419FCB54EF25C885E2AB7E5FF89324F04855DF88A9B3A2CB70EC51CB81

Function 001F66E1 Relevance: 24.6, Strings: 19, Instructions: 889COMMON

Download Yara Rule

Strings

0F(, xrefs: 001F6747
NO_START_OPT), xrefs: 0023114F
ANYCRLF), xrefs: 002312FB
UCP), xrefs: 0023110D
0D(, xrefs: 001F6733
LIMIT_RECURSION=, xrefs: 002311FC
LIMIT_MATCH=, xrefs: 00231170
lldfrplldfrplld9rplld5rplld1rplld0rplldfrplldfrplldfrplldfrplldfrplldfrplld8rplld9rplld4rplld5rplldfrplld4rplld8rplld3rplld7rplldd, xrefs: 00231349
UTF16), xrefs: 002310CF
NO_AUTO_POSSESS), xrefs: 0023112E
pG(, xrefs: 001F6751
UTF), xrefs: 002310FA
CRLF), xrefs: 002312C1
BSR_UNICODE), xrefs: 00231338
0E(, xrefs: 001F673D
ANY), xrefs: 002312DE
CR), xrefs: 00231287
BSR_ANYCRLF), xrefs: 0023131E
LF), xrefs: 002312A4

Memory Dump Source

Source File: 00000000.00000002.2246549404.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2246531073.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.000000000026F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246673436.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246691233.00000000002A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_lExtvSjBgq.jbxd

Similarity

API ID:
String ID: 0D($0E($0F($ANY)$ANYCRLF)$BSR_ANYCRLF)$BSR_UNICODE)$CR)$CRLF)$LF)$LIMIT_MATCH=$LIMIT_RECURSION=$NO_AUTO_POSSESS)$NO_START_OPT)$UCP)$UTF)$UTF16)$lldfrplldfrplld9rplld5rplld1rplld0rplldfrplldfrplldfrplldfrplldfrplldfrplld8rplld9rplld4rplld5rplldfrplld4rplld8rplld3rplld7rplldd$pG(
API String ID: 0-942742358
Opcode ID: e51ed30ef2ef352d092a4cc8db6400031a9e9517e67d9b78a9221ae35698d3f3
Instruction ID: b0228cda670c70882ba1b26bc2f2b356796b702b66045bf8a6d0115a235e6b4f
Opcode Fuzzy Hash: e51ed30ef2ef352d092a4cc8db6400031a9e9517e67d9b78a9221ae35698d3f3
Instruction Fuzzy Hash: 19727FB5E10219DBDB14CF58C8817BEB7B5FF48310F14816AE949EB291EB709E91CB90

Function 0024F0F2 Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 112fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,76228FB0,?,00000000), ref: 0024F113
_wcscmp.LIBCMT ref: 0024F128
_wcscmp.LIBCMT ref: 0024F13F

Part of subcall function 00244385: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 002443A0

FindNextFileW.KERNEL32(00000000,?), ref: 0024F16E
FindClose.KERNEL32(00000000), ref: 0024F179
FindFirstFileW.KERNEL32(*.*,?), ref: 0024F195
_wcscmp.LIBCMT ref: 0024F1BC
_wcscmp.LIBCMT ref: 0024F1D3
SetCurrentDirectoryW.KERNEL32(?), ref: 0024F1E5
SetCurrentDirectoryW.KERNEL32(00298920), ref: 0024F203
FindNextFileW.KERNEL32(00000000,00000010), ref: 0024F20D
FindClose.KERNEL32(00000000), ref: 0024F21A
FindClose.KERNEL32(00000000), ref: 0024F22C

Strings

*.*, xrefs: 0024F190

Memory Dump Source

Source File: 00000000.00000002.2246549404.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2246531073.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.000000000026F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246673436.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246691233.00000000002A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_lExtvSjBgq.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 1824444939-438819550
Opcode ID: b480e87d2a33f4fde7f20abb18079611ff5b3a651f8e84cce6173e650cf0f834
Instruction ID: 67bca2cd9194d4fbe21b69aeef69e3ff4c368ff616b6bfae1dc666371d3341f5
Opcode Fuzzy Hash: b480e87d2a33f4fde7f20abb18079611ff5b3a651f8e84cce6173e650cf0f834
Instruction Fuzzy Hash: 7F31073651121A6ADF58DF60FD48AEE77AC9F8A320F144171EC04E21A0DBB0DE65CE54

Function 0024A1EF Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 102fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 0024A20F
__swprintf.LIBCMT ref: 0024A231
CreateDirectoryW.KERNEL32(?,00000000), ref: 0024A26E
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 0024A293
_memset.LIBCMT ref: 0024A2B2
_wcsncpy.LIBCMT ref: 0024A2EE
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 0024A323
CloseHandle.KERNEL32(00000000), ref: 0024A32E
RemoveDirectoryW.KERNEL32(?), ref: 0024A337
CloseHandle.KERNEL32(00000000), ref: 0024A341

Strings

\, xrefs: 0024A247
\??\%s, xrefs: 0024A22B
:, xrefs: 0024A252

Memory Dump Source

Source File: 00000000.00000002.2246549404.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2246531073.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.000000000026F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246673436.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246691233.00000000002A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_lExtvSjBgq.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
String ID: :$\$\??\%s
API String ID: 2733774712-3457252023
Opcode ID: 53a7786c5445f96d2fa50a05477885b08cbcdd97573ce336fc020ad5469666a8
Instruction ID: f7ac86e678b283890c751c097dc34f81c2628b60a540bcfc67256d3b53c8780d
Opcode Fuzzy Hash: 53a7786c5445f96d2fa50a05477885b08cbcdd97573ce336fc020ad5469666a8
Instruction Fuzzy Hash: D631D4B155020AABDB20DFA0EC49FEB37BCEF89740F1041B6F908D2161E7B096648F25

Function 0024001C Relevance: 18.2, APIs: 12, Instructions: 186keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00240097
SetKeyboardState.USER32(?), ref: 00240102
GetAsyncKeyState.USER32(000000A0), ref: 00240122
GetKeyState.USER32(000000A0), ref: 00240139
GetAsyncKeyState.USER32(000000A1), ref: 00240168
GetKeyState.USER32(000000A1), ref: 00240179
GetAsyncKeyState.USER32(00000011), ref: 002401A5
GetKeyState.USER32(00000011), ref: 002401B3
GetAsyncKeyState.USER32(00000012), ref: 002401DC
GetKeyState.USER32(00000012), ref: 002401EA
GetAsyncKeyState.USER32(0000005B), ref: 00240213
GetKeyState.USER32(0000005B), ref: 00240221

Memory Dump Source

Source File: 00000000.00000002.2246549404.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2246531073.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.000000000026F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246673436.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246691233.00000000002A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_lExtvSjBgq.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 1f3352b3f6ed7f3e63c729fc9ccdc2276072a01cbb632ac90c4e5f4b0ca15347
Instruction ID: 07303a25d1107d0f003a11e8260331a74952872a27017377ad43c639c3e88edb
Opcode Fuzzy Hash: 1f3352b3f6ed7f3e63c729fc9ccdc2276072a01cbb632ac90c4e5f4b0ca15347
Instruction Fuzzy Hash: B051EE2091478919FB39DFA089947AABFB49F01380F08459EDAC65B1C3D6B49BDCCB61

Function 002603DA Relevance: 16.9, APIs: 11, Instructions: 397registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00260E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0025FDAD,?,?), ref: 00260E31

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 002604AC

Part of subcall function 001E9837: __itow.LIBCMT ref: 001E9862
Part of subcall function 001E9837: __swprintf.LIBCMT ref: 001E98AC

RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 0026054B
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 002605E3
RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 00260822
RegCloseKey.ADVAPI32(00000000), ref: 0026082F

Memory Dump Source

Source File: 00000000.00000002.2246549404.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2246531073.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.000000000026F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246673436.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246691233.00000000002A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_lExtvSjBgq.jbxd

Similarity

API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
String ID:
API String ID: 1240663315-0
Opcode ID: 9c5cb579372ee178f46607bfeb1a6f4cbc280fd973d723e8fa1ca2adf35831f6
Instruction ID: 4e664dc2ccfc41729fc50129858825c05c791b0cfbed02c4604c78d7ad963273
Opcode Fuzzy Hash: 9c5cb579372ee178f46607bfeb1a6f4cbc280fd973d723e8fa1ca2adf35831f6
Instruction Fuzzy Hash: F9E15C70614205AFCB14DF25C895E2BBBE8EF89314F04856DF84ADB2A1DB30ED51DB91

Function 002583BB Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 197comCOMMON

Download Yara Rule

APIs

Part of subcall function 001E9837: __itow.LIBCMT ref: 001E9862
Part of subcall function 001E9837: __swprintf.LIBCMT ref: 001E98AC

CoInitialize.OLE32 ref: 00258403
CoUninitialize.OLE32 ref: 0025840E
CoCreateInstance.OLE32(?,00000000,00000017,00272BEC,?), ref: 0025846E
IIDFromString.OLE32(?,?), ref: 002584E1
VariantInit.OLEAUT32(?), ref: 0025857B
VariantClear.OLEAUT32(?), ref: 002585DC

Strings

Invalid parameter, xrefs: 002584FA
Failed to create object, xrefs: 00258479, 0025852F
NULL Pointer assignment, xrefs: 002584B3

Memory Dump Source

Source File: 00000000.00000002.2246549404.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2246531073.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.000000000026F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246673436.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246691233.00000000002A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_lExtvSjBgq.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 834269672-1287834457
Opcode ID: 601f38d2aa74ad16a18b54c7178f18a05166f6e61e95f62d0e2ff3e4bd49f553
Instruction ID: 9f8f1be5cf6d9f8ffa6868f2d077e95df70964cbc31d33a426f7c80a54c5ebf7
Opcode Fuzzy Hash: 601f38d2aa74ad16a18b54c7178f18a05166f6e61e95f62d0e2ff3e4bd49f553
Instruction Fuzzy Hash: A461EF706283129FCB10DF14D848F6EB7E8AF49755F404419FD82AB2A1DBB0ED58CB96

Function 00254164 Relevance: 15.1, APIs: 10, Instructions: 83clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 0025418B
EmptyClipboard.USER32 ref: 00254191
GlobalAlloc.KERNEL32(00000002,?), ref: 002541A6
CloseClipboard.USER32 ref: 00254245

Memory Dump Source

Source File: 00000000.00000002.2246549404.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2246531073.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.000000000026F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246673436.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246691233.00000000002A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_lExtvSjBgq.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: 1f038839115581ad4f0260ad41f1171d4054ee05fab7af10145deaa5a95cd9b8
Instruction ID: 64165aa8622163f7ed321a8646518a17f2a4efcd8279564a412f699ff67110cc
Opcode Fuzzy Hash: 1f038839115581ad4f0260ad41f1171d4054ee05fab7af10145deaa5a95cd9b8
Instruction Fuzzy Hash: 06219E752106149FDB00AF20FD0DB6EBBA8EF14711F00C02AFD46DB2B1DBB0A8508B95

Function 002437EF Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 167fileCOMMON

Download Yara Rule

APIs

Part of subcall function 001E4750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,001E4743,?,?,001E37AE,?), ref: 001E4770

Part of subcall function 00244A31: GetFileAttributesW.KERNEL32(?,0024370B), ref: 00244A32

FindFirstFileW.KERNEL32(?,?), ref: 002438A3
DeleteFileW.KERNEL32(?,?,00000000,?,?,?,?), ref: 0024394B
MoveFileW.KERNEL32(?,?), ref: 0024395E
DeleteFileW.KERNEL32(?,?,?,?,?), ref: 0024397B
FindNextFileW.KERNEL32(00000000,00000010), ref: 0024399D
FindClose.KERNEL32(00000000,?,?,?,?), ref: 002439B9

Strings

\*.*, xrefs: 0024384E, 00243857, 0024386C

Memory Dump Source

Source File: 00000000.00000002.2246549404.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2246531073.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.000000000026F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246673436.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246691233.00000000002A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_lExtvSjBgq.jbxd

Similarity

API ID: File$Find$Delete$AttributesCloseFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 4002782344-1173974218
Opcode ID: 75d9b72be9fdcb4c092452b31990ff23e5e480b15fd3e2df51d23e30703302e4
Instruction ID: 33ec1302f88fb6c41009974048a17eb8adf89c55b414108a740578c82dfc12c2
Opcode Fuzzy Hash: 75d9b72be9fdcb4c092452b31990ff23e5e480b15fd3e2df51d23e30703302e4
Instruction Fuzzy Hash: FC51BF3181458DAADF09FFA1DA929EDB779AF24304F604069E402B7192EF706F19CB60

Function 0024F3F3 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 120filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 001E7DE1: _memmove.LIBCMT ref: 001E7E22

FindFirstFileW.KERNEL32(?,?,*.*,?,?,00000000,00000000), ref: 0024F440
Sleep.KERNEL32(0000000A), ref: 0024F470
_wcscmp.LIBCMT ref: 0024F484
_wcscmp.LIBCMT ref: 0024F49F
FindNextFileW.KERNEL32(?,?), ref: 0024F53D
FindClose.KERNEL32(00000000), ref: 0024F553

Strings

*.*, xrefs: 0024F425

Memory Dump Source

Source File: 00000000.00000002.2246549404.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2246531073.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.000000000026F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246673436.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246691233.00000000002A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_lExtvSjBgq.jbxd

Similarity

API ID: Find$File_wcscmp$CloseFirstNextSleep_memmove
String ID: *.*
API String ID: 713712311-438819550
Opcode ID: 87355f39e0aee1bd31cc2c8d392c1cacc0e04a69d00d26e7fb58bb99d169724c
Instruction ID: 4462a34af89b70c3500fbc2d3f4d365a137ac5742de4980dea1e3f4d4529b355
Opcode Fuzzy Hash: 87355f39e0aee1bd31cc2c8d392c1cacc0e04a69d00d26e7fb58bb99d169724c
Instruction Fuzzy Hash: 8341E37181024AAFCF54EF64DD48AEEBBB8FF45310F504466E815A3291EB709EA4CF50

Function 001F5760 Relevance: 11.0, APIs: 7, Instructions: 532COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 001F58A5
_memmove.LIBCMT ref: 001F58F5
_memmove.LIBCMT ref: 001F595B

Memory Dump Source

Source File: 00000000.00000002.2246549404.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2246531073.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.000000000026F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246673436.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246691233.00000000002A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_lExtvSjBgq.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 9d51a79fa634eda4fc0f90d1d7806038e90bf54d5567dfc7e1d2bf5edaf9b4ea
Instruction ID: 1a43bc69bef86fb5f28f470001da4385166680a6209e31a2156a18b52ecf7647
Opcode Fuzzy Hash: 9d51a79fa634eda4fc0f90d1d7806038e90bf54d5567dfc7e1d2bf5edaf9b4ea
Instruction Fuzzy Hash: 19129EB0A00A09DFDF04DFA5D991AAEB7F6FF48304F104529E546A7291EB35AD21CB60

Function 00243B12 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91fileCOMMON

Download Yara Rule

APIs

Part of subcall function 001E4750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,001E4743,?,?,001E37AE,?), ref: 001E4770

Part of subcall function 00244A31: GetFileAttributesW.KERNEL32(?,0024370B), ref: 00244A32

FindFirstFileW.KERNEL32(?,?), ref: 00243B89
DeleteFileW.KERNEL32(?,?,?,?), ref: 00243BD9
FindNextFileW.KERNEL32(00000000,00000010), ref: 00243BEA
FindClose.KERNEL32(00000000), ref: 00243C01
FindClose.KERNEL32(00000000), ref: 00243C0A

Strings

\*.*, xrefs: 00243B5B

Memory Dump Source

Source File: 00000000.00000002.2246549404.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2246531073.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.000000000026F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246673436.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246691233.00000000002A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_lExtvSjBgq.jbxd

Similarity

API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
String ID: \*.*
API String ID: 2649000838-1173974218
Opcode ID: 6eae2fc3179a8c0f159bf6982bb3e9bda7ce85c4817ab338148518595c1f1152
Instruction ID: 7e71d1bec6d174e68e47833df20362135ad5e63fabb461efc99f7b6990d5f649
Opcode Fuzzy Hash: 6eae2fc3179a8c0f159bf6982bb3e9bda7ce85c4817ab338148518595c1f1152
Instruction Fuzzy Hash: 6231A0310187C59BC705EF64D8958AFB7E8BEA5308F444D2EF4D592191EB20DA18CBA3

Function 002451BD Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 59shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 002387E1: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0023882B
Part of subcall function 002387E1: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00238858
Part of subcall function 002387E1: GetLastError.KERNEL32 ref: 00238865

ExitWindowsEx.USER32(?,00000000), ref: 002451F9

Strings

@, xrefs: 002451EC
, xrefs: 002451E7
SeShutdownPrivilege, xrefs: 002451C9

Memory Dump Source

Source File: 00000000.00000002.2246549404.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2246531073.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.000000000026F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246673436.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246691233.00000000002A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_lExtvSjBgq.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $@$SeShutdownPrivilege
API String ID: 2234035333-194228
Opcode ID: 8bdb5118085905bbb31a66e8349bad86aa4853532a95f8045ce4c8d7b2c7a3be
Instruction ID: 1da1e047ed8d05236b247d1631adf73a4d05faa16c4eb76a20b554f9b2d6e116
Opcode Fuzzy Hash: 8bdb5118085905bbb31a66e8349bad86aa4853532a95f8045ce4c8d7b2c7a3be
Instruction Fuzzy Hash: 2101FC356B16325BEB2CAA74BC9AFBB72589B05740F140422FD97E60D3D9D15C208990

Function 00256283 Relevance: 9.1, APIs: 6, Instructions: 84networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 002562DC
WSAGetLastError.WSOCK32(00000000), ref: 002562EB
bind.WSOCK32(00000000,?,00000010), ref: 00256307
listen.WSOCK32(00000000,00000005), ref: 00256316
WSAGetLastError.WSOCK32(00000000), ref: 00256330
closesocket.WSOCK32(00000000,00000000), ref: 00256344

Memory Dump Source

Source File: 00000000.00000002.2246549404.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2246531073.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.000000000026F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246673436.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246691233.00000000002A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_lExtvSjBgq.jbxd

Similarity

API ID: ErrorLast$bindclosesocketlistensocket
String ID:
API String ID: 1279440585-0
Opcode ID: 58193af70a6778a7d7d1178d1e854dcfbab8abf1231380beaefb1c3134e7b30d
Instruction ID: de330d965be3dedf86f9851a9f301dd429bb57cee846c082e66165667a6918b4
Opcode Fuzzy Hash: 58193af70a6778a7d7d1178d1e854dcfbab8abf1231380beaefb1c3134e7b30d
Instruction Fuzzy Hash: 1921D271610604AFCB00EF64E94DE6EB7A9EF44721F5481A8EC16A73A1CBB0AC15CB51

Function 001F5520 Relevance: 8.0, APIs: 5, Instructions: 516COMMON

Download Yara Rule

APIs

Part of subcall function 00200DB6: std::exception::exception.LIBCMT ref: 00200DEC
Part of subcall function 00200DB6: __CxxThrowException@8.LIBCMT ref: 00200E01

_memmove.LIBCMT ref: 00230258
_memmove.LIBCMT ref: 0023036D
_memmove.LIBCMT ref: 00230414

Memory Dump Source

Source File: 00000000.00000002.2246549404.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2246531073.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.000000000026F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246673436.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246691233.00000000002A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_lExtvSjBgq.jbxd

Similarity

API ID: _memmove$Exception@8Throwstd::exception::exception
String ID:
API String ID: 1300846289-0
Opcode ID: b67b9e24f574a9fe708747f3f22a93f2b933229b8d52368898d92119e2d5c22c
Instruction ID: aa2cd388d86ef19f6b8316b92b5a6631578cc874265de252302bb8797b59b908
Opcode Fuzzy Hash: b67b9e24f574a9fe708747f3f22a93f2b933229b8d52368898d92119e2d5c22c
Instruction Fuzzy Hash: 8002E2B0A10609DBDF04DF65D9D1ABE7BB5EF44310F1480A9E90ADB295EB30DD60CBA1

Function 001E1287 Relevance: 7.9, APIs: 5, Instructions: 379COMMON

Download Yara Rule

APIs

Part of subcall function 001E2612: GetWindowLongW.USER32(?,000000EB), ref: 001E2623

DefDlgProcW.USER32(?,?,?,?,?), ref: 001E19FA
GetSysColor.USER32(0000000F), ref: 001E1A4E
SetBkColor.GDI32(?,00000000), ref: 001E1A61

Part of subcall function 001E1290: DefDlgProcW.USER32(?,00000020,?), ref: 001E12D8

Memory Dump Source

Source File: 00000000.00000002.2246549404.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2246531073.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.000000000026F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246673436.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246691233.00000000002A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_lExtvSjBgq.jbxd

Similarity

API ID: ColorProc$LongWindow
String ID:
API String ID: 3744519093-0
Opcode ID: 520c87967cc61682ad21b7c13a08ade6f601a45b0ef2e01dcf5d99bbc268da20
Instruction ID: 190cd2caa85fe597b9db91a02983393948deca7b040755e2fa3647c87db3316e
Opcode Fuzzy Hash: 520c87967cc61682ad21b7c13a08ade6f601a45b0ef2e01dcf5d99bbc268da20
Instruction Fuzzy Hash: 5CA19B70122CC5BBDB2DAF2B5C48DBF35ADDF96381B250129F502D7192CB348DA18AB1

Function 00256747 Relevance: 7.6, APIs: 5, Instructions: 141networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00257D8B: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 00257DB6

socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 0025679E
WSAGetLastError.WSOCK32(00000000), ref: 002567C7
bind.WSOCK32(00000000,?,00000010), ref: 00256800
WSAGetLastError.WSOCK32(00000000), ref: 0025680D
closesocket.WSOCK32(00000000,00000000), ref: 00256821

Memory Dump Source

Source File: 00000000.00000002.2246549404.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2246531073.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.000000000026F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246673436.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246691233.00000000002A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_lExtvSjBgq.jbxd

Similarity

API ID: ErrorLast$bindclosesocketinet_addrsocket
String ID:
API String ID: 99427753-0
Opcode ID: f805aa01adea1133f7ca9a3afcffc936d2b32c9ad384559c51efe60dc0072d2f
Instruction ID: 1e8a0f9f0eb0cac83ff661491a64939579b7a5e815f598cfefdf6df064f99da7
Opcode Fuzzy Hash: f805aa01adea1133f7ca9a3afcffc936d2b32c9ad384559c51efe60dc0072d2f
Instruction Fuzzy Hash: 2441F475A00644AFDB50FF699C8AF6E77A8EF58710F448468FD19AB3D2CB709D008B91

Function 00265376 Relevance: 7.6, APIs: 5, Instructions: 69windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 002653C5
IsWindowEnabled.USER32 ref: 002653D3
GetForegroundWindow.USER32(?,?,00000001), ref: 002653E0
IsIconic.USER32 ref: 002653EE
IsZoomed.USER32 ref: 002653FC

Memory Dump Source

Source File: 00000000.00000002.2246549404.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2246531073.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.000000000026F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246673436.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246691233.00000000002A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_lExtvSjBgq.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: cc3fbaed753fb09d43002514eaa9d80e92f798acc95473b9e223613e8b27d32a
Instruction ID: b9e4037bb7d3a910353f275caa79bc1c58a757d942c3e8c19f8b3f770867d31c
Opcode Fuzzy Hash: cc3fbaed753fb09d43002514eaa9d80e92f798acc95473b9e223613e8b27d32a
Instruction Fuzzy Hash: 7911E6313109616BDB215F26EC48A2F7B9CFF547A0F408069F806D3241CBB09C618690

Function 002380A9 Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 002380C0
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 002380CA
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 002380D9
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 002380E0
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 002380F6

Memory Dump Source

Source File: 00000000.00000002.2246549404.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2246531073.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.000000000026F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246673436.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246691233.00000000002A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_lExtvSjBgq.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 979a3d6ee7b0ef97e452eceef3d8349c3cc9f17699d2f54ad1ef4d6a124df81b
Instruction ID: 2b444656dcc5496bc1efe833f3f19008288d10e8f3caa7cc5582310653325256
Opcode Fuzzy Hash: 979a3d6ee7b0ef97e452eceef3d8349c3cc9f17699d2f54ad1ef4d6a124df81b
Instruction Fuzzy Hash: 98F062B1254315AFEB100FA5FC8DE673BACFF8A795F104025F949D6150CBA19C51DA60

Function 001E4B37 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,001E4AD0), ref: 001E4B45
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 001E4B57

Strings

kernel32.dll, xrefs: 001E4B40
GetNativeSystemInfo, xrefs: 001E4B51

Memory Dump Source

Source File: 00000000.00000002.2246549404.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2246531073.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.000000000026F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246673436.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246691233.00000000002A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_lExtvSjBgq.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetNativeSystemInfo$kernel32.dll
API String ID: 2574300362-192647395
Opcode ID: f570e7b31c338d766992d66d81a93c40ad6f0e1c4d0952c617f3cc9e05703939
Instruction ID: 50acf9a8fe604ee9cc086d875aa1cdaf2e4daa258597f537dc39c9c1b6b5ee14
Opcode Fuzzy Hash: f570e7b31c338d766992d66d81a93c40ad6f0e1c4d0952c617f3cc9e05703939
Instruction Fuzzy Hash: 2BD01234A10713CFDB609F32F918B0676D4AF06395B11C879D485D6550D7B0D4C0C654

Function 001F3030 Relevance: 6.6, APIs: 4, Instructions: 587COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2246549404.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2246531073.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.000000000026F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246673436.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246691233.00000000002A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_lExtvSjBgq.jbxd

Similarity

API ID: __itow__swprintf
String ID:
API String ID: 674341424-0
Opcode ID: 42d6e27660be635dd3ebc87d4dd0b530415b6ff6bc94a2e434f4e2e0a38e9ffe
Instruction ID: 594cd7011bcc5f3744392572b8ad187625144a134184023a4ac9f266beb9725c
Opcode Fuzzy Hash: 42d6e27660be635dd3ebc87d4dd0b530415b6ff6bc94a2e434f4e2e0a38e9ffe
Instruction Fuzzy Hash: 6922CC716183559FC728DF64D881B6EB7E4BF84300F00492DFAAA97291DB71EE04CB92

Function 0025EE0D Relevance: 6.2, APIs: 4, Instructions: 164processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0025EE3D
Process32FirstW.KERNEL32(00000000,?), ref: 0025EE4B

Part of subcall function 001E7DE1: _memmove.LIBCMT ref: 001E7E22

Process32NextW.KERNEL32(00000000,?), ref: 0025EF0B
CloseHandle.KERNEL32(00000000,?,?,?), ref: 0025EF1A

Memory Dump Source

Source File: 00000000.00000002.2246549404.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2246531073.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.000000000026F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246673436.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246691233.00000000002A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_lExtvSjBgq.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32_memmove
String ID:
API String ID: 2576544623-0
Opcode ID: 3fdd34bef094bcef1318226035a46bf4ddd79382e35de972d2e1dae4802623e5
Instruction ID: 80e4f56056c21500131ef9fac5e47a9a59ab3e0eb3c747212b77ade2f270222c
Opcode Fuzzy Hash: 3fdd34bef094bcef1318226035a46bf4ddd79382e35de972d2e1dae4802623e5
Instruction Fuzzy Hash: 7F51AE711047419FD710EF25DC86EAFB7E8EF94710F00482DF895862A1EB70A908CB92

Function 0023E616 Relevance: 5.1, APIs: 1, Strings: 2, Instructions: 561stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 0023E628

Strings

|, xrefs: 0023E658
(, xrefs: 0023E66E

Memory Dump Source

Source File: 00000000.00000002.2246549404.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2246531073.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.000000000026F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246673436.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246691233.00000000002A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_lExtvSjBgq.jbxd

Similarity

API ID: lstrlen
String ID: ($|
API String ID: 1659193697-1631851259
Opcode ID: e9873d52975e9fa9e0c8bc777c3b8268942e159b30d84523cd46cac4063ad113
Instruction ID: 6c511ea6c0d2fb2beb93581e60597d68d63ec1a0e50107eef05110bd401b6d9b
Opcode Fuzzy Hash: e9873d52975e9fa9e0c8bc777c3b8268942e159b30d84523cd46cac4063ad113
Instruction Fuzzy Hash: 383205B5A107059FDB28CF19C481AAAB7F1FF48310B16C56EE89ADB3A1D770E951CB40

Function 002522EE Relevance: 4.7, APIs: 3, Instructions: 164networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(00000001,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?,0025180A,00000000), ref: 002523E1
InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 00252418

Memory Dump Source

Source File: 00000000.00000002.2246549404.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2246531073.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.000000000026F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246673436.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246691233.00000000002A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_lExtvSjBgq.jbxd

Similarity

API ID: Internet$AvailableDataFileQueryRead
String ID:
API String ID: 599397726-0
Opcode ID: b4038a4a216b2474fd0fd176c63446de07793d5a11d6be9580d0fc51d98a3f91
Instruction ID: e66fea710b5c1f8209006f14a0b1f01f838bc389f1b6ac51ec3b795cf5c27057
Opcode Fuzzy Hash: b4038a4a216b2474fd0fd176c63446de07793d5a11d6be9580d0fc51d98a3f91
Instruction Fuzzy Hash: C441F771520309FFEB10DE55DC85EBBB7BCEB41315F10406AFE00A61C1DAB49E6D9A58

Function 0024B333 Relevance: 4.6, APIs: 3, Instructions: 73COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 0024B343
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 0024B39D
SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 0024B3EA

Memory Dump Source

Source File: 00000000.00000002.2246549404.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2246531073.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.000000000026F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246673436.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246691233.00000000002A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_lExtvSjBgq.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: 23ffb2e5c3e44c0f991f1c85eb7967f6e19f632570097606fa6075848283819c
Instruction ID: 11f60f516542a3e2ca997d19c656c79807830d3fa7e6c0245124feb3b9fbe35b
Opcode Fuzzy Hash: 23ffb2e5c3e44c0f991f1c85eb7967f6e19f632570097606fa6075848283819c
Instruction Fuzzy Hash: 67216075A10508EFCB00EFA5E885EEDBBB8FF49314F1480AAE905AB361CB319955CF51

Function 002387E1 Relevance: 4.6, APIs: 3, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 00200DB6: std::exception::exception.LIBCMT ref: 00200DEC
Part of subcall function 00200DB6: __CxxThrowException@8.LIBCMT ref: 00200E01

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0023882B
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00238858
GetLastError.KERNEL32 ref: 00238865

Memory Dump Source

Source File: 00000000.00000002.2246549404.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2246531073.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.000000000026F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246673436.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246691233.00000000002A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_lExtvSjBgq.jbxd

Similarity

API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
String ID:
API String ID: 1922334811-0
Opcode ID: 56e8af8ad8006db8e66d3a4e8b33c0a6d4250fed7714fdbf665e8ac25d8c9393
Instruction ID: d23f23e285ec0de5f1b37270b8b1d9af1fcabb59a57d501dfb17d624e69a2a78
Opcode Fuzzy Hash: 56e8af8ad8006db8e66d3a4e8b33c0a6d4250fed7714fdbf665e8ac25d8c9393
Instruction Fuzzy Hash: 3C118FB2524309AFE718DFA4EC85D6BB7FDEB44710B20852EF45597241EB70BC518B60

Function 0023874B Relevance: 4.5, APIs: 3, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00238774
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 0023878B
FreeSid.ADVAPI32(?), ref: 0023879B

Memory Dump Source

Source File: 00000000.00000002.2246549404.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2246531073.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.000000000026F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246673436.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246691233.00000000002A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_lExtvSjBgq.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: a5404f2c6d2c49bb669ccedbadc1523abcc0155c8f9ee89b7c492cb6ac1aa0cb
Instruction ID: 341f2ddb712eb636fd37270533bf572cb93290373dcb07ecc88602f180d0531c
Opcode Fuzzy Hash: a5404f2c6d2c49bb669ccedbadc1523abcc0155c8f9ee89b7c492cb6ac1aa0cb
Instruction Fuzzy Hash: 98F04F7591130DBFDF00DFF4ED89AADB7BCEF08201F104469E501E2181D6755A048B50

Function 00248889 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 68COMMON

Download Yara Rule

APIs

__time64.LIBCMT ref: 0024889B

Part of subcall function 0020520A: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,00248F6E,00000000,?,?,?,?,0024911F,00000000,?), ref: 00205213
Part of subcall function 0020520A: __aulldiv.LIBCMT ref: 00205233

Strings

0e*, xrefs: 00248892

Memory Dump Source

Source File: 00000000.00000002.2246549404.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2246531073.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.000000000026F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246673436.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246691233.00000000002A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_lExtvSjBgq.jbxd

Similarity

API ID: Time$FileSystem__aulldiv__time64
String ID: 0e*
API String ID: 2893107130-404449974
Opcode ID: 7aa7e880daf42cf0728346d8a27d2d7051cc3e4002b6d0ce0b34725fc783a75c
Instruction ID: 370a48b6c4764feb8d35df61a5198c67e0f22b70d0869df49b16d1d3e1f955a7
Opcode Fuzzy Hash: 7aa7e880daf42cf0728346d8a27d2d7051cc3e4002b6d0ce0b34725fc783a75c
Instruction Fuzzy Hash: 7121AF32A356108BC729CF29D845A52B3E1EFA5311B688E6CE1F5CB2C0CF34A905CB54

Function 0024C6D1 Relevance: 3.1, APIs: 2, Instructions: 52fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 0024C6FB
FindClose.KERNEL32(00000000), ref: 0024C72B

Memory Dump Source

Source File: 00000000.00000002.2246549404.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2246531073.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.000000000026F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246673436.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246691233.00000000002A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_lExtvSjBgq.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: def51829af8c209c7ca9fd2a76b5981bc0579c9bdeeef85d6074d09792f771db
Instruction ID: eac29880d2591928e6e1bb72f5ba1d92a5a5c21f818b5e50a931536755eedd49
Opcode Fuzzy Hash: def51829af8c209c7ca9fd2a76b5981bc0579c9bdeeef85d6074d09792f771db
Instruction Fuzzy Hash: E4118E726106449FDB14DF29D849A2AF7E8FF95324F10851EF8A9872A0DB70A811CF81

Function 0024A06A Relevance: 3.0, APIs: 2, Instructions: 31windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,00000016,?,00259468,?,0026FB84,?), ref: 0024A097
FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,00000016,?,00259468,?,0026FB84,?), ref: 0024A0A9

Memory Dump Source

Source File: 00000000.00000002.2246549404.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2246531073.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.000000000026F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246673436.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246691233.00000000002A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_lExtvSjBgq.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: 34c448074c96752b0a5f8422281c780351ac9297d3f4aab837a9924743ca2d0a
Instruction ID: 9e0bb147fc79c2f2236ba96521493de161e32cb0296be231943d91668784e09b
Opcode Fuzzy Hash: 34c448074c96752b0a5f8422281c780351ac9297d3f4aab837a9924743ca2d0a
Instruction Fuzzy Hash: 27F0E23515422DABDB209FA4DC48FEA736CFF18361F008265F919D2180C6709950CBA1

Function 002381CB Relevance: 3.0, APIs: 2, Instructions: 22COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00238309), ref: 002381E0
CloseHandle.KERNEL32(?,?,00238309), ref: 002381F2

Memory Dump Source

Source File: 00000000.00000002.2246549404.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2246531073.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.000000000026F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246673436.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246691233.00000000002A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_lExtvSjBgq.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: d97e04023c2cae6ed198d7fa965c1c563670715ab3db76c39ddadd8e353f5fa1
Instruction ID: 01090e3594759cd3f31bad21bd0edff43ed7a341d02fa356f431aea0372434e5
Opcode Fuzzy Hash: d97e04023c2cae6ed198d7fa965c1c563670715ab3db76c39ddadd8e353f5fa1
Instruction Fuzzy Hash: 4EE0E672014611AFFB652B60FC09E7777E9EF04350B24C86DF49584471DB616CA1DB10

Function 0020A155 Relevance: 3.0, APIs: 2, Instructions: 8COMMONLIBRARYCODE

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(00000000,?,00208D57,?,?,?,00000001), ref: 0020A15A
UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 0020A163

Memory Dump Source

Source File: 00000000.00000002.2246549404.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2246531073.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.000000000026F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246673436.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246691233.00000000002A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_lExtvSjBgq.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 01e7a4aa8deb7107035726d5042a64595ad139e117f8ecca1d9e6fdd9203aae7
Instruction ID: d898067241f4514a02a015ae2e47edacae8055c4ecc738d6b8b4c9180c18861f
Opcode Fuzzy Hash: 01e7a4aa8deb7107035726d5042a64595ad139e117f8ecca1d9e6fdd9203aae7
Instruction Fuzzy Hash: 1EB09231058248ABCE802B91FD0DB883F68EB44AA2F4080A0FE0D84260EBA254608A91

Function 0020F1D9 Relevance: 2.1, APIs: 1, Instructions: 645COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2246549404.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2246531073.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.000000000026F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246673436.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246691233.00000000002A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_lExtvSjBgq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb9b25c515429f69aaea69200ee2d3d0c1de153b675b70a1336e55a9850ee046
Instruction ID: 8f5f64db472089ef8db2bf76cfc665d269912e60ad1d51cf3cf8c386db117f07
Opcode Fuzzy Hash: bb9b25c515429f69aaea69200ee2d3d0c1de153b675b70a1336e55a9850ee046
Instruction Fuzzy Hash: 4632F122D79F414DD7639A34D926336A249AFB73C8F15D737E81AB5DA6EB28C4C34100

Function 0021242E Relevance: 1.8, APIs: 1, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2246549404.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2246531073.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.000000000026F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246673436.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246691233.00000000002A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_lExtvSjBgq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5f829415a5a3ba4920251c734b089f88e7350bf70b0f65a34ce03dffb6106ac
Instruction ID: c6e1be3a6983aad40bc8cb085d4df5f62a088ead3f743c3798bed2d3dfe71290
Opcode Fuzzy Hash: e5f829415a5a3ba4920251c734b089f88e7350bf70b0f65a34ce03dffb6106ac
Instruction Fuzzy Hash: 4CB1EF20D2AF414DD2239A39983933AB69CAFFB2D5B51D71BFC1A74D22EB2285D34141

Function 00244C27 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

mouse_event.USER32(00000002,00000000,00000000,00000000,00000000), ref: 00244C4A

Memory Dump Source

Source File: 00000000.00000002.2246549404.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2246531073.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.000000000026F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246673436.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246691233.00000000002A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_lExtvSjBgq.jbxd

Similarity

API ID: mouse_event
String ID:
API String ID: 2434400541-0
Opcode ID: 2f2141b124179ffeb5d541cf91fe9d39b8479715ab58d09cf0318d52aa2142be
Instruction ID: c3d117daa3f4f180ef892bb5f82272f3f8687e80361a78f4dc3e2961282256b6
Opcode Fuzzy Hash: 2f2141b124179ffeb5d541cf91fe9d39b8479715ab58d09cf0318d52aa2142be
Instruction Fuzzy Hash: BBD05E9117560A38FC1C2B20EE4FF7A0108E30078AFD8814B75028A0C2ECC05C605031

Function 002387B1 Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

LogonUserW.ADVAPI32(?,00000001,?,?,00000000,00238389), ref: 002387D1

Memory Dump Source

Source File: 00000000.00000002.2246549404.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2246531073.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.000000000026F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246673436.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246691233.00000000002A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_lExtvSjBgq.jbxd

Similarity

API ID: LogonUser
String ID:
API String ID: 1244722697-0
Opcode ID: b265b94ae88916a381ec6c0d4c15622d0c43c4af042c244e399844f8b1dc6fbd
Instruction ID: f55c4336a91e637be2523439f5c6b6166255ab6c03e3749bd7ac9935e5c7ed39
Opcode Fuzzy Hash: b265b94ae88916a381ec6c0d4c15622d0c43c4af042c244e399844f8b1dc6fbd
Instruction Fuzzy Hash: 45D05E3226050EBBEF018EA4ED05EAE3B69EB04B01F408111FE15C50A1C7B5D835AB60

Function 0020A124 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(?), ref: 0020A12A

Memory Dump Source

Source File: 00000000.00000002.2246549404.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2246531073.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.000000000026F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246673436.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246691233.00000000002A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_lExtvSjBgq.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 59f0343101511ca07af5f0e10827daf2deb1f348253de4dd0c77a3173637d93e
Instruction ID: 215693e53f5258dc03837f7dc13d7aaf7e588d85fbd82c99b9a39994d8f9260f
Opcode Fuzzy Hash: 59f0343101511ca07af5f0e10827daf2deb1f348253de4dd0c77a3173637d93e
Instruction Fuzzy Hash: DCA0113000020CAB8E002B82FC08888BFACEA002A0B0080A0FC0C80222ABB2A8208A80

Function 001F8808 Relevance: .6, Instructions: 590COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2246549404.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2246531073.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.000000000026F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246673436.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246691233.00000000002A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_lExtvSjBgq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48968177975b07d463f4176d106c03445505027e5d407ab4a80a3229bea80824
Instruction ID: 35fd883deec9d89c7ba0e314ad558e037b122079ba9dbad43826014e8ce4f61d
Opcode Fuzzy Hash: 48968177975b07d463f4176d106c03445505027e5d407ab4a80a3229bea80824
Instruction Fuzzy Hash: D4221470A1452ACBDF288F24C4D477DB7A1FB41348F28806BDA9A8B592DBB09DA1C751

Function 002021C5 Relevance: .3, Instructions: 345COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2246549404.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2246531073.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.000000000026F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246673436.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246691233.00000000002A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_lExtvSjBgq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
Instruction ID: 6a1b529c8d2155fcd5ba211bb97123ba5cf51a3ce91ce79abab1db67a5540b17
Opcode Fuzzy Hash: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
Instruction Fuzzy Hash: 99C1CC322252534ADF2D4A39C43803EFFA15EA27B135A075ED8B3DB5D6EE20C979D610

Function 002025FA Relevance: .3, Instructions: 341COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2246549404.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2246531073.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.000000000026F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246673436.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246691233.00000000002A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_lExtvSjBgq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
Instruction ID: 00b810292242b7bc9c25d0089e5e29e60c5a14b60a8bc2b1b71048fb6f21ef5a
Opcode Fuzzy Hash: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
Instruction Fuzzy Hash: 54C1BA322152934ADF2D4A39C43813EFBA15FA27B135A075ED4B3DB4D6EE10C938D620

Function 00201978 Relevance: .3, Instructions: 323COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2246549404.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2246531073.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.000000000026F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246673436.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246691233.00000000002A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_lExtvSjBgq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction ID: f0cb673887d2c3e667611ceaea86dc6962152aca4831edc2922e5a880f1a3e8f
Opcode Fuzzy Hash: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction Fuzzy Hash: AAC1A63222529309DF2D4A39C47413EFBA15EA2BB135A076DD4B3CB5C6FE20C935D620

Function 00257806 Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 491filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 0025785B
DeleteObject.GDI32(00000000), ref: 0025786D
DestroyWindow.USER32 ref: 0025787B
GetDesktopWindow.USER32 ref: 00257895
GetWindowRect.USER32(00000000), ref: 0025789C
SetRect.USER32(?,00000000,00000000,000001F4,00000190), ref: 002579DD
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000002), ref: 002579ED
CreateWindowExW.USER32(00000002,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00257A35
GetClientRect.USER32(00000000,?), ref: 00257A41
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00257A7B
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00257A9D
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00257AB0
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00257ABB
GlobalLock.KERNEL32(00000000), ref: 00257AC4
ReadFile.KERNEL32(00000000,00000000,00000000,00000190,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00257AD3
GlobalUnlock.KERNEL32(00000000), ref: 00257ADC
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00257AE3
GlobalFree.KERNEL32(00000000), ref: 00257AEE
CreateStreamOnHGlobal.OLE32(00000000,00000001,88C00000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00257B00
OleLoadPicture.OLEAUT32(88C00000,00000000,00000000,00272CAC,00000000), ref: 00257B16
GlobalFree.KERNEL32(00000000), ref: 00257B26
CopyImage.USER32(000001F4,00000000,00000000,00000000,00002000), ref: 00257B4C
SendMessageW.USER32(?,00000172,00000000,000001F4), ref: 00257B6B
SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00257B8D
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00257D7A

Strings

, xrefs: 00257D00
static, xrefs: 00257A75, 00257BCC
AutoIt v3, xrefs: 00257A2D
DISPLAY, xrefs: 00257BDD

Memory Dump Source

Source File: 00000000.00000002.2246549404.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2246531073.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.000000000026F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246673436.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246691233.00000000002A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_lExtvSjBgq.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: d25d3f383a8ae71e891841e32136ddad71afcaa966f211aaba25e077b2ec8f7f
Instruction ID: 3434444dd327cab310b52efdfd25bc3e4b243e134399b47e35de1222bb5038ff
Opcode Fuzzy Hash: d25d3f383a8ae71e891841e32136ddad71afcaa966f211aaba25e077b2ec8f7f
Instruction Fuzzy Hash: E6027871910119EFDF14DFA4ED89EAE7BB9EB49311F008169FD15AB2A1CB70AD01CB60

Function 0026356B Relevance: 51.1, APIs: 6, Strings: 23, Instructions: 365windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,0026F910), ref: 00263627
IsWindowVisible.USER32(?), ref: 0026364B

Strings

HIDEDROPDOWN, xrefs: 00263700
SHOWDROPDOWN, xrefs: 002636E0
DELSTRING, xrefs: 00263749
CHECK, xrefs: 0026386D
SELECTSTRING, xrefs: 00263806
SETCURRENTSELECTION, xrefs: 002637B6
TABRIGHT, xrefs: 0026369D
FINDSTRING, xrefs: 00263776
ISCHECKED, xrefs: 00263839
SENDCOMMANDID, xrefs: 002639DA
TABLEFT, xrefs: 00263687
GETLINE, xrefs: 0026399B
GETCURRENTLINE, xrefs: 002638ED
GETLINECOUNT, xrefs: 002638C6
EDITPASTE, xrefs: 0026395F
ISENABLED, xrefs: 0026366B
ISVISIBLE, xrefs: 00263637
GETSELECTED, xrefs: 002638A3
UNCHECK, xrefs: 00263883
GETCURRENTCOL, xrefs: 00263928
ADDSTRING, xrefs: 00263716
CURRENTTAB, xrefs: 002636BD
GETCURRENTSELECTION, xrefs: 002637E3

Memory Dump Source

Source File: 00000000.00000002.2246549404.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2246531073.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.000000000026F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246673436.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246691233.00000000002A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_lExtvSjBgq.jbxd

Similarity

API ID: BuffCharUpperVisibleWindow
String ID: ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
API String ID: 4105515805-45149045
Opcode ID: 6230d870d0136a8c2a3bd2ade859ecbcc1af519208a60601f30762fd20bf049e
Instruction ID: e4203d3102ed882dab55926caef11f5ce9141e22965bffce431842a6302202e2
Opcode Fuzzy Hash: 6230d870d0136a8c2a3bd2ade859ecbcc1af519208a60601f30762fd20bf049e
Instruction Fuzzy Hash: FBD17C702343419BCF04EF14C895AAEB7A5AF95354F144468F8825B3E3DB71EEAACB41

Function 0026A5DA Relevance: 49.8, APIs: 33, Instructions: 260COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 0026A630
GetSysColorBrush.USER32(0000000F), ref: 0026A661
GetSysColor.USER32(0000000F), ref: 0026A66D
SetBkColor.GDI32(?,000000FF), ref: 0026A687
SelectObject.GDI32(?,00000000), ref: 0026A696
InflateRect.USER32(?,000000FF,000000FF), ref: 0026A6C1
GetSysColor.USER32(00000010), ref: 0026A6C9
CreateSolidBrush.GDI32(00000000), ref: 0026A6D0
FrameRect.USER32(?,?,00000000), ref: 0026A6DF
DeleteObject.GDI32(00000000), ref: 0026A6E6
InflateRect.USER32(?,000000FE,000000FE), ref: 0026A731
FillRect.USER32(?,?,00000000), ref: 0026A763
GetWindowLongW.USER32(?,000000F0), ref: 0026A78E

Part of subcall function 0026A8CA: GetSysColor.USER32(00000012), ref: 0026A903
Part of subcall function 0026A8CA: SetTextColor.GDI32(?,?), ref: 0026A907
Part of subcall function 0026A8CA: GetSysColorBrush.USER32(0000000F), ref: 0026A91D
Part of subcall function 0026A8CA: GetSysColor.USER32(0000000F), ref: 0026A928
Part of subcall function 0026A8CA: GetSysColor.USER32(00000011), ref: 0026A945
Part of subcall function 0026A8CA: CreatePen.GDI32(00000000,00000001,00743C00), ref: 0026A953
Part of subcall function 0026A8CA: SelectObject.GDI32(?,00000000), ref: 0026A964
Part of subcall function 0026A8CA: SetBkColor.GDI32(?,00000000), ref: 0026A96D
Part of subcall function 0026A8CA: SelectObject.GDI32(?,?), ref: 0026A97A
Part of subcall function 0026A8CA: InflateRect.USER32(?,000000FF,000000FF), ref: 0026A999
Part of subcall function 0026A8CA: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 0026A9B0
Part of subcall function 0026A8CA: GetWindowLongW.USER32(00000000,000000F0), ref: 0026A9C5
Part of subcall function 0026A8CA: SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0026A9ED

Memory Dump Source

Source File: 00000000.00000002.2246549404.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2246531073.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.000000000026F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246673436.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246691233.00000000002A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_lExtvSjBgq.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameMessageRoundSendSolid
String ID:
API String ID: 3521893082-0
Opcode ID: 8b376eac205500d55f3069cdc67cd7d88189f459c372f4d22ccb13612a2ccf0e
Instruction ID: 4323d0de0cfd876819edd4a3e78057ea799b9f3a8fffdf4932928df5ce52aaeb
Opcode Fuzzy Hash: 8b376eac205500d55f3069cdc67cd7d88189f459c372f4d22ccb13612a2ccf0e
Instruction Fuzzy Hash: 7C919F72008301EFCB519F64ED4CA5BBBA9FF49321F108A29F562A61A0D7B0D944CF52

Function 002574AB Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 284windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 002574DE
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 0025759D
SetRect.USER32(?,00000000,00000000,0000012C,00000064), ref: 002575DB
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000006), ref: 002575ED
CreateWindowExW.USER32(00000006,AutoIt v3,?,88C00000,?,?,?,?,00000000,00000000,00000000), ref: 00257633
GetClientRect.USER32(00000000,?), ref: 0025763F
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000), ref: 00257683
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00257692
GetStockObject.GDI32(00000011), ref: 002576A2
SelectObject.GDI32(00000000,00000000), ref: 002576A6
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?), ref: 002576B6
GetDeviceCaps.GDI32(00000000,0000005A), ref: 002576BF
DeleteDC.GDI32(00000000), ref: 002576C8
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 002576F4
SendMessageW.USER32(00000030,00000000,00000001), ref: 0025770B
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,0000001E,00000104,00000014,00000000,00000000,00000000), ref: 00257746
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 0025775A
SendMessageW.USER32(00000404,00000001,00000000), ref: 0025776B
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000037,00000500,00000032,00000000,00000000,00000000), ref: 0025779B
GetStockObject.GDI32(00000011), ref: 002577A6
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 002577B1
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?,?,?,?), ref: 002577BB

Strings

msctls_progress32, xrefs: 0025773C
static, xrefs: 0025767D, 00257795
AutoIt v3, xrefs: 0025762B
DISPLAY, xrefs: 00257688

Memory Dump Source

Source File: 00000000.00000002.2246549404.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2246531073.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.000000000026F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246673436.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246691233.00000000002A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_lExtvSjBgq.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: 9c80c14511335efa467a53f1fb1810fa7da0379fffa2f9e142eb617e0c66793c
Instruction ID: d830131649335e4d131cd989fe305cf25e40f7b622cdadc7b5bf1f67b9eb7736
Opcode Fuzzy Hash: 9c80c14511335efa467a53f1fb1810fa7da0379fffa2f9e142eb617e0c66793c
Instruction Fuzzy Hash: 9BA15F71A50615BFEB14DFA4ED4AFAF7BA9EB05710F008114FA15A72E0DBB0AD10CB64

Function 0024AD10 Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 186COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 0024AD1E
GetDriveTypeW.KERNEL32(?,0026FAC0,?,\\.\,0026F910), ref: 0024ADFB
SetErrorMode.KERNEL32(00000000,0026FAC0,?,\\.\,0026F910), ref: 0024AF59

Strings

1394, xrefs: 0024AEDB
RAID, xrefs: 0024AEF7
FileBackedVirtual, xrefs: 0024AF28
iSCSI, xrefs: 0024AEFE
Unknown, xrefs: 0024AE1B, 0024AEBF
\\.\, xrefs: 0024AD70
SSA, xrefs: 0024AEE2
USB, xrefs: 0024AEF0
CDROM, xrefs: 0024AE2F
ATA, xrefs: 0024AED4
Network, xrefs: 0024AE39
SATA, xrefs: 0024AF0C
ATAPI, xrefs: 0024AECD
PhysicalDrive, xrefs: 0024ADA7
RAMDisk, xrefs: 0024AE25
Virtual, xrefs: 0024AF21
Fixed, xrefs: 0024AE43
Fibre, xrefs: 0024AEE9
Removable, xrefs: 0024AE4D
MMC, xrefs: 0024AF1A
SSD, xrefs: 0024AE86
SCSI, xrefs: 0024AEC6
SAS, xrefs: 0024AF05

Memory Dump Source

Source File: 00000000.00000002.2246549404.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2246531073.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.000000000026F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246673436.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246691233.00000000002A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_lExtvSjBgq.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: 1b6548aaae9b6b981ed3c7ce37bc5f3083bca4d4b4fc7e5ada007b43914da907
Instruction ID: 7532e6e6282cae9a1c50983b3e6cdba42e5540d41bf6d5272505b2eb9edb53d4
Opcode Fuzzy Hash: 1b6548aaae9b6b981ed3c7ce37bc5f3083bca4d4b4fc7e5ada007b43914da907
Instruction Fuzzy Hash: D451B2B16B4606EB8F08DF10C952CBD73A1EB1A7047294066E407EB6D1CBB29D35DB83

Function 00269A1C Relevance: 44.2, APIs: 23, Strings: 2, Instructions: 455windowCOMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000103,?,?,?), ref: 00269AD2
SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 00269B8B
SendMessageW.USER32(?,00001102,00000002,?), ref: 00269BA7

Strings

xM, xrefs: 00269A6B, 00269EB2, 00269F00
0, xrefs: 00269BE4

Memory Dump Source

Source File: 00000000.00000002.2246549404.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2246531073.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.000000000026F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246673436.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246691233.00000000002A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_lExtvSjBgq.jbxd

Similarity

API ID: MessageSend$Window
String ID: 0$xM
API String ID: 2326795674-2111700025
Opcode ID: 00d981541b36f9cc285cb2813b89a47e61aec37c9e7109fde8ee37144feae6d1
Instruction ID: 99b20cf5b1cfa544af537b878ec4d6790e1417f0abb0d7ba576e7c8ed8baa32d
Opcode Fuzzy Hash: 00d981541b36f9cc285cb2813b89a47e61aec37c9e7109fde8ee37144feae6d1
Instruction Fuzzy Hash: 9802E030128202AFDB15CF14D948BAABBE8FF4A714F04852DF995D62A1CB75DCE4CB52

Function 001E68DC Relevance: 44.0, APIs: 12, Strings: 13, Instructions: 275COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 001E6931
__wcsnicmp.LIBCMT ref: 001E6949
__wcsnicmp.LIBCMT ref: 001E6961
__wcsnicmp.LIBCMT ref: 001E6979
__wcsnicmp.LIBCMT ref: 001E6991
__wcsnicmp.LIBCMT ref: 001E69A9
__wcsnicmp.LIBCMT ref: 001E69C1
__wcsnicmp.LIBCMT ref: 001E69D5
__wcsnicmp.LIBCMT ref: 001E6A16
__wcsnicmp.LIBCMT ref: 001E6A2A
__wcsnicmp.LIBCMT ref: 001E6A3E
__wcsnicmp.LIBCMT ref: 001E6A52

Strings

#notrayicon, xrefs: 001E6943
#requireadmin, xrefs: 001E695B
Bad directive syntax error, xrefs: 0021E31A
#include-once, xrefs: 001E698B
#comments-start, xrefs: 001E69BB, 001E6A10
#pragma compile, xrefs: 001E692B
Cannot parse #include, xrefs: 0021E3F0
Unterminated group of comments, xrefs: 0021E403
#OnAutoItStartRegister, xrefs: 001E6973
#comments-end, xrefs: 001E6A38
#ce, xrefs: 001E6A4C
#include, xrefs: 001E69A3
#cs, xrefs: 001E69CF, 001E6A24

Memory Dump Source

Source File: 00000000.00000002.2246549404.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2246531073.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.000000000026F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246673436.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246691233.00000000002A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_lExtvSjBgq.jbxd

Similarity

API ID: __wcsnicmp
String ID: #OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 1038674560-86951937
Opcode ID: 201ba53e490cc54f1b85b7ab6c88019fde2a6883fea35f53363f24ef324684d3
Instruction ID: 86837e70f03c3c92b8311cf65b3075a433095c96a0ec33a11b69d5e9e32d5af8
Opcode Fuzzy Hash: 201ba53e490cc54f1b85b7ab6c88019fde2a6883fea35f53363f24ef324684d3
Instruction Fuzzy Hash: 3B8127B0620746AADF20AE62EC43FBE77A8AF25744F444025FC056B1D3EB70DE65C661

Function 002689D5 Relevance: 40.7, APIs: 21, Strings: 2, Instructions: 401windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 00268AC1
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00268AD2
CharNextW.USER32(0000014E), ref: 00268B01
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00268B42
SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00268B58
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00268B69
SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 00268B86
SetWindowTextW.USER32(?,0000014E), ref: 00268BD8
SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 00268BEE
SendMessageW.USER32(?,00001002,00000000,?), ref: 00268C1F
_memset.LIBCMT ref: 00268C44
SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 00268C8D
_memset.LIBCMT ref: 00268CEC
SendMessageW.USER32(?,00001053,000000FF,?), ref: 00268D16
SendMessageW.USER32(?,00001074,?,00000001), ref: 00268D6E
SendMessageW.USER32(?,0000133D,?,?), ref: 00268E1B
InvalidateRect.USER32(?,00000000,00000001), ref: 00268E3D
GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00268E87
SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00268EB4
DrawMenuBar.USER32(?), ref: 00268EC3
SetWindowTextW.USER32(?,0000014E), ref: 00268EEB

Strings

xM, xrefs: 00268A23
0, xrefs: 00268E55

Memory Dump Source

Source File: 00000000.00000002.2246549404.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2246531073.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.000000000026F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246673436.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246691233.00000000002A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_lExtvSjBgq.jbxd

Similarity

API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
String ID: 0$xM
API String ID: 1073566785-2111700025
Opcode ID: c60f85d27d88a79e74c26fb66a312dd42a483b126d01ceff3192189d3c8cb59e
Instruction ID: b8b0470344d5f765da585f8697ae44dba6b1f26a11cf19ebcd7b3ab3d24933db
Opcode Fuzzy Hash: c60f85d27d88a79e74c26fb66a312dd42a483b126d01ceff3192189d3c8cb59e
Instruction Fuzzy Hash: F6E17471920219AFDF20DF54DC88EEE7BB9EF09710F108256F915AA191DBB089E4DF60

Function 0026A8CA Relevance: 39.2, APIs: 26, Instructions: 187windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 0026A903
SetTextColor.GDI32(?,?), ref: 0026A907
GetSysColorBrush.USER32(0000000F), ref: 0026A91D
GetSysColor.USER32(0000000F), ref: 0026A928
CreateSolidBrush.GDI32(?), ref: 0026A92D
GetSysColor.USER32(00000011), ref: 0026A945
CreatePen.GDI32(00000000,00000001,00743C00), ref: 0026A953
SelectObject.GDI32(?,00000000), ref: 0026A964
SetBkColor.GDI32(?,00000000), ref: 0026A96D
SelectObject.GDI32(?,?), ref: 0026A97A
InflateRect.USER32(?,000000FF,000000FF), ref: 0026A999
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 0026A9B0
GetWindowLongW.USER32(00000000,000000F0), ref: 0026A9C5
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0026A9ED
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 0026AA14
InflateRect.USER32(?,000000FD,000000FD), ref: 0026AA32
DrawFocusRect.USER32(?,?), ref: 0026AA3D
GetSysColor.USER32(00000011), ref: 0026AA4B
SetTextColor.GDI32(?,00000000), ref: 0026AA53
DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 0026AA67
SelectObject.GDI32(?,0026A5FA), ref: 0026AA7E
DeleteObject.GDI32(?), ref: 0026AA89
SelectObject.GDI32(?,?), ref: 0026AA8F
DeleteObject.GDI32(?), ref: 0026AA94
SetTextColor.GDI32(?,?), ref: 0026AA9A
SetBkColor.GDI32(?,?), ref: 0026AAA4

Memory Dump Source

Source File: 00000000.00000002.2246549404.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2246531073.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.000000000026F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246673436.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246691233.00000000002A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_lExtvSjBgq.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: 1214b116a73aa2b6d7fea11b0fba76036c1954d3429838cf23452b125c2f92ba
Instruction ID: ba01f6a1f3572f6afea5042db849caa340de4e9c5eef620cc45bf38f52ffb0a4
Opcode Fuzzy Hash: 1214b116a73aa2b6d7fea11b0fba76036c1954d3429838cf23452b125c2f92ba
Instruction Fuzzy Hash: FB514D71901208EFDF109FA4ED48EAEBB79EF08320F218165F915AB2A1D7B19950CF90

Function 0026488F Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 290windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 002649CA
GetDesktopWindow.USER32 ref: 002649DF
GetWindowRect.USER32(00000000), ref: 002649E6
GetWindowLongW.USER32(?,000000F0), ref: 00264A48
DestroyWindow.USER32(?), ref: 00264A74
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00264A9D
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00264ABB
SendMessageW.USER32(?,00000439,00000000,00000030), ref: 00264AE1
SendMessageW.USER32(?,00000421,?,?), ref: 00264AF6
SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 00264B09
IsWindowVisible.USER32(?), ref: 00264B29
SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 00264B44
SendMessageW.USER32(?,00000411,00000001,00000030), ref: 00264B58
GetWindowRect.USER32(?,?), ref: 00264B70
MonitorFromPoint.USER32(?,?,00000002), ref: 00264B96
GetMonitorInfoW.USER32(00000000,?), ref: 00264BB0
CopyRect.USER32(?,?), ref: 00264BC7
SendMessageW.USER32(?,00000412,00000000), ref: 00264C32

Strings

tooltips_class32, xrefs: 00264A96
(, xrefs: 00264BA3
0, xrefs: 00264975

Memory Dump Source

Source File: 00000000.00000002.2246549404.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2246531073.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.000000000026F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246673436.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246691233.00000000002A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_lExtvSjBgq.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: 7a72416300f5f987470b01bb26e90c47f19cbc5342fa0061a91c2bcaf6c0d381
Instruction ID: 7546ce9fb94707957e3a3c6f9b8722204bdc26976109f3478295218da52a187f
Opcode Fuzzy Hash: 7a72416300f5f987470b01bb26e90c47f19cbc5342fa0061a91c2bcaf6c0d381
Instruction Fuzzy Hash: B1B1BB70614341AFDB04EF65D948B6ABBE4FF84304F008A1CF9999B2A1C7B1EC54CB91

Function 0024449A Relevance: 36.9, APIs: 16, Strings: 5, Instructions: 179COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(?,?), ref: 002444AC
GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 002444D2
_wcscpy.LIBCMT ref: 00244500
_wcscmp.LIBCMT ref: 0024450B
_wcscat.LIBCMT ref: 00244521
_wcsstr.LIBCMT ref: 0024452C
VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 00244548
_wcscat.LIBCMT ref: 00244591
_wcscat.LIBCMT ref: 00244598
_wcsncpy.LIBCMT ref: 002445C3

Strings

StringFileInfo\, xrefs: 0024451B
\VarFileInfo\Translation, xrefs: 00244540
04090000, xrefs: 0024457E
%u.%u.%u.%u, xrefs: 00244626
DefaultLangCodepage, xrefs: 002445AB

Memory Dump Source

Source File: 00000000.00000002.2246549404.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2246531073.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.000000000026F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246673436.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246691233.00000000002A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_lExtvSjBgq.jbxd

Similarity

API ID: _wcscat$FileInfoVersion$QuerySizeValue_wcscmp_wcscpy_wcsncpy_wcsstr
String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
API String ID: 699586101-1459072770
Opcode ID: cf7edc20a8d86aac6692b3ea996543ee044e701bda3edebf2db628c322e8d0c4
Instruction ID: c01b0ec25b72b3053be4fe42a798eec8f457dd8c447365464e0bba6637bd20a3
Opcode Fuzzy Hash: cf7edc20a8d86aac6692b3ea996543ee044e701bda3edebf2db628c322e8d0c4
Instruction Fuzzy Hash: 67410371A20301BBEB14BB70DC47FBF776CDF46710F14006AF904A61C3EA70AA218AA5

Function 001E27D9 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 286windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 001E28BC
GetSystemMetrics.USER32(00000007), ref: 001E28C4
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 001E28EF
GetSystemMetrics.USER32(00000008), ref: 001E28F7
GetSystemMetrics.USER32(00000004), ref: 001E291C
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 001E2939
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 001E2949
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 001E297C
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 001E2990
GetClientRect.USER32(00000000,000000FF), ref: 001E29AE
GetStockObject.GDI32(00000011), ref: 001E29CA
SendMessageW.USER32(00000000,00000030,00000000), ref: 001E29D5

Part of subcall function 001E2344: GetCursorPos.USER32(?), ref: 001E2357
Part of subcall function 001E2344: ScreenToClient.USER32(002A57B0,?), ref: 001E2374
Part of subcall function 001E2344: GetAsyncKeyState.USER32(00000001), ref: 001E2399
Part of subcall function 001E2344: GetAsyncKeyState.USER32(00000002), ref: 001E23A7

SetTimer.USER32(00000000,00000000,00000028,001E1256), ref: 001E29FC

Strings

AutoIt v3 GUI, xrefs: 001E2974

Memory Dump Source

Source File: 00000000.00000002.2246549404.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2246531073.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.000000000026F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246673436.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246691233.00000000002A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_lExtvSjBgq.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: d842a3963da97d19de6ac814bcd1f8418731ad456486442a7edd0ddc23c62d18
Instruction ID: 4cbc1f230df0cb347f5c915559ba2e6b1364e524aab3767f677796bff20b711b
Opcode Fuzzy Hash: d842a3963da97d19de6ac814bcd1f8418731ad456486442a7edd0ddc23c62d18
Instruction Fuzzy Hash: B4B1907165064AEFDF14DFA9ED59BEE7BB8FB08310F108129FA16A7290CB749850CB50

Function 0026C5FE Relevance: 28.2, APIs: 11, Strings: 5, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 001E2612: GetWindowLongW.USER32(?,000000EB), ref: 001E2623

DragQueryPoint.SHELL32(?,?), ref: 0026C627

Part of subcall function 0026AB37: ClientToScreen.USER32(?,?), ref: 0026AB60
Part of subcall function 0026AB37: GetWindowRect.USER32(?,?), ref: 0026ABD6
Part of subcall function 0026AB37: PtInRect.USER32(?,?,0026C014), ref: 0026ABE6

SendMessageW.USER32(?,000000B0,?,?), ref: 0026C690
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 0026C69B
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 0026C6BE
_wcscat.LIBCMT ref: 0026C6EE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 0026C705
SendMessageW.USER32(?,000000B0,?,?), ref: 0026C71E
SendMessageW.USER32(?,000000B1,?,?), ref: 0026C735
SendMessageW.USER32(?,000000B1,?,?), ref: 0026C757
DragFinish.SHELL32(?), ref: 0026C75E
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 0026C851

Strings

@GUI_DROPID, xrefs: 0026C77E
xM, xrefs: 0026C65D, 0026C6CA
pb*, xrefs: 0026C79B
@GUI_DRAGID, xrefs: 0026C7C9
@GUI_DRAGFILE, xrefs: 0026C800

Memory Dump Source

Source File: 00000000.00000002.2246549404.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2246531073.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.000000000026F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246673436.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246691233.00000000002A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_lExtvSjBgq.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen_wcscat
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID$pb*$xM
API String ID: 169749273-1898325468
Opcode ID: 037085138584c373e12167c5d656b7d501ddacf2add3846e13c39b7636104e01
Instruction ID: 816b1b1d7861fb30f035a4913d6188b352d94caf084c03443cb914dba95d06c9
Opcode Fuzzy Hash: 037085138584c373e12167c5d656b7d501ddacf2add3846e13c39b7636104e01
Instruction Fuzzy Hash: 97617971108340AFCB01EF64DC89DAFBBE8FF99710F00492EF5A5921A1DB709A58CB52

Function 0023A439 Relevance: 26.5, APIs: 14, Strings: 1, Instructions: 273windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 0023A47A
__swprintf.LIBCMT ref: 0023A51B
_wcscmp.LIBCMT ref: 0023A52E
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 0023A583
_wcscmp.LIBCMT ref: 0023A5BF
GetClassNameW.USER32(?,?,00000400), ref: 0023A5F6
GetDlgCtrlID.USER32(?), ref: 0023A648
GetWindowRect.USER32(?,?), ref: 0023A67E
GetParent.USER32(?), ref: 0023A69C
ScreenToClient.USER32(00000000), ref: 0023A6A3
GetClassNameW.USER32(?,?,00000100), ref: 0023A71D
_wcscmp.LIBCMT ref: 0023A731
GetWindowTextW.USER32(?,?,00000400), ref: 0023A757
_wcscmp.LIBCMT ref: 0023A76B

Part of subcall function 0020362C: _iswctype.LIBCMT ref: 00203634

Strings

%s%u, xrefs: 0023A515

Memory Dump Source

Source File: 00000000.00000002.2246549404.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2246531073.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.000000000026F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246673436.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246691233.00000000002A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_lExtvSjBgq.jbxd

Similarity

API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf_iswctype
String ID: %s%u
API String ID: 3744389584-679674701
Opcode ID: 0385e2bc4422699115db592883b55941bfc082a9154b2cd12fff9f4c72bbf201
Instruction ID: a2880c7d2fb35074fc942368ab225d6373d07a32ccdee0fbda26d1e151824f97
Opcode Fuzzy Hash: 0385e2bc4422699115db592883b55941bfc082a9154b2cd12fff9f4c72bbf201
Instruction Fuzzy Hash: D3A1A2B1224707ABDB15DF64C888BAAF7E8FF44314F008529F9D9D2191DB30E965CB92

Function 0023AED4 Relevance: 26.5, APIs: 13, Strings: 2, Instructions: 249COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(00000008,?,00000400), ref: 0023AF18
_wcscmp.LIBCMT ref: 0023AF29
GetWindowTextW.USER32(00000001,?,00000400), ref: 0023AF51
CharUpperBuffW.USER32(?,00000000), ref: 0023AF6E
_wcscmp.LIBCMT ref: 0023AF8C
_wcsstr.LIBCMT ref: 0023AF9D
GetClassNameW.USER32(00000018,?,00000400), ref: 0023AFD5
_wcscmp.LIBCMT ref: 0023AFE5
GetWindowTextW.USER32(00000002,?,00000400), ref: 0023B00C
GetClassNameW.USER32(00000018,?,00000400), ref: 0023B055
_wcscmp.LIBCMT ref: 0023B065
GetClassNameW.USER32(00000010,?,00000400), ref: 0023B08D
GetWindowRect.USER32(00000004,?), ref: 0023B0F6

Strings

@, xrefs: 0023AEF9
ThumbnailClass, xrefs: 0023AFE0, 0023B060

Memory Dump Source

Source File: 00000000.00000002.2246549404.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2246531073.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.000000000026F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246673436.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246691233.00000000002A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_lExtvSjBgq.jbxd

Similarity

API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
String ID: @$ThumbnailClass
API String ID: 1788623398-1539354611
Opcode ID: 898633851eec4a4b8384ced3346aa5925566924053bf8827e5d53d0b186548f6
Instruction ID: a87401565a4c2689d08d690177e91fc036b01405a40f516d7698b1ee9e089efc
Opcode Fuzzy Hash: 898633851eec4a4b8384ced3346aa5925566924053bf8827e5d53d0b186548f6
Instruction Fuzzy Hash: 0F81B3B11283069FDB05DF10D885FAA7BE8FF54314F048469FE899A092DB30DD55CBA1

Function 0026A1B9 Relevance: 26.5, APIs: 12, Strings: 3, Instructions: 205windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0026A259
DestroyWindow.USER32(?,?), ref: 0026A2D3

Part of subcall function 001E7BCC: _memmove.LIBCMT ref: 001E7C06

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 0026A34D
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 0026A36F
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0026A382
DestroyWindow.USER32(00000000), ref: 0026A3A4
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,001E0000,00000000), ref: 0026A3DB
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0026A3F4
GetDesktopWindow.USER32 ref: 0026A40D
GetWindowRect.USER32(00000000), ref: 0026A414
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 0026A42C
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 0026A444

Part of subcall function 001E25DB: GetWindowLongW.USER32(?,000000EB), ref: 001E25EC

Strings

tooltips_class32, xrefs: 0026A346, 0026A3D4
xM, xrefs: 0026A1F4, 0026A2B7, 0026A2D9, 0026A2EC
0, xrefs: 0026A26F

Memory Dump Source

Source File: 00000000.00000002.2246549404.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2246531073.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.000000000026F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246673436.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246691233.00000000002A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_lExtvSjBgq.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memmove_memset
String ID: 0$tooltips_class32$xM
API String ID: 1297703922-2934765289
Opcode ID: 91c34e226a55ccff8f13619ecfaa5859bda5cd4ae71915205c4ffd004b42a68d
Instruction ID: 3823bd6c6e8cf63641da05922f3d914091c10b86aaf45b199ae9c5e1c2713296
Opcode Fuzzy Hash: 91c34e226a55ccff8f13619ecfaa5859bda5cd4ae71915205c4ffd004b42a68d
Instruction Fuzzy Hash: 9571CD70150205AFDB21CF28DC48F6A7BE9FB89700F04452CF995972A1DBB5E9A2CF52

Function 0023ABD4 Relevance: 26.4, APIs: 3, Strings: 12, Instructions: 105COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 0023AC33

Strings

LAST, xrefs: 0023ABF8
[ACTIVE, xrefs: 0023AC20
[ALL, xrefs: 0023ACD9
ALL, xrefs: 0023ACC7
CLASSNAME=, xrefs: 0023AC70
[CLASS:, xrefs: 0023AC83
[REGEXPTITLE:, xrefs: 0023AC5B
ACTIVE, xrefs: 0023AC0E
REGEXP=, xrefs: 0023AC48
[HANDLE:, xrefs: 0023AC3F
HANDLE=, xrefs: 0023AC2C
[LAST, xrefs: 0023ACE0

Memory Dump Source

Source File: 00000000.00000002.2246549404.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2246531073.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.000000000026F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246673436.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246691233.00000000002A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_lExtvSjBgq.jbxd

Similarity

API ID: __wcsnicmp
String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
API String ID: 1038674560-1810252412
Opcode ID: 81c8b8b38f43dba2ad367e3e19f1418a7852f7624f49158342d1d4ce8c4c7b24
Instruction ID: f9054a9ca40e97da1ef1a83824a6054ee4f348ca63ab465708f41bc8c52000ee
Opcode Fuzzy Hash: 81c8b8b38f43dba2ad367e3e19f1418a7852f7624f49158342d1d4ce8c4c7b24
Instruction Fuzzy Hash: E231B471A7860AA7EF14FB51DD03EEE7764AF21B11F20042AF442710E2EF616F24CA56

Function 00254FFD Relevance: 25.6, APIs: 17, Instructions: 110COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F8A), ref: 00255013
LoadCursorW.USER32(00000000,00007F00), ref: 0025501E
LoadCursorW.USER32(00000000,00007F03), ref: 00255029
LoadCursorW.USER32(00000000,00007F8B), ref: 00255034
LoadCursorW.USER32(00000000,00007F01), ref: 0025503F
LoadCursorW.USER32(00000000,00007F81), ref: 0025504A
LoadCursorW.USER32(00000000,00007F88), ref: 00255055
LoadCursorW.USER32(00000000,00007F80), ref: 00255060
LoadCursorW.USER32(00000000,00007F86), ref: 0025506B
LoadCursorW.USER32(00000000,00007F83), ref: 00255076
LoadCursorW.USER32(00000000,00007F85), ref: 00255081
LoadCursorW.USER32(00000000,00007F82), ref: 0025508C
LoadCursorW.USER32(00000000,00007F84), ref: 00255097
LoadCursorW.USER32(00000000,00007F04), ref: 002550A2
LoadCursorW.USER32(00000000,00007F02), ref: 002550AD
LoadCursorW.USER32(00000000,00007F89), ref: 002550B8
GetCursorInfo.USER32(?), ref: 002550C8

Memory Dump Source

Source File: 00000000.00000002.2246549404.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2246531073.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.000000000026F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246673436.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246691233.00000000002A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_lExtvSjBgq.jbxd

Similarity

API ID: Cursor$Load$Info
String ID:
API String ID: 2577412497-0
Opcode ID: 68d23da7e7b6bd9319f85d51e2344e32e0e161f2809c03a5bc277dafa40a30d6
Instruction ID: 067ac943ae4582976571e2420171d4f29b8b363deb17de6d34b97ffb8697424b
Opcode Fuzzy Hash: 68d23da7e7b6bd9319f85d51e2344e32e0e161f2809c03a5bc277dafa40a30d6
Instruction Fuzzy Hash: 3A3133B1D1871E6ADF109FB68C8996FBFE8FF08750F50452AE50CE7280DA78A5048F95

Function 00264392 Relevance: 23.0, APIs: 2, Strings: 11, Instructions: 251windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00264424
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 0026446F

Strings

ISCHECKED, xrefs: 002645F2
GETITEMCOUNT, xrefs: 00264551
GETTEXT, xrefs: 002645C2
GETSELECTED, xrefs: 0026457F
UNCHECK, xrefs: 0026464B
EXISTS, xrefs: 002644D8
SELECT, xrefs: 00264620
GETTOTALCOUNT, xrefs: 00264456
COLLAPSE, xrefs: 002644B5
CHECK, xrefs: 0026448F
EXPAND, xrefs: 00264521

Memory Dump Source

Source File: 00000000.00000002.2246549404.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2246531073.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.000000000026F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246673436.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246691233.00000000002A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_lExtvSjBgq.jbxd

Similarity

API ID: BuffCharMessageSendUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 3974292440-4258414348
Opcode ID: abbfa6dca8b70bd87b24fe16fb92754a13dc9660b85a3d6e7021da4a5d18aaef
Instruction ID: 8fc91d11d2232cfb623373f3b3bc062a3c75c694baff0f7987f0f95c47affc55
Opcode Fuzzy Hash: abbfa6dca8b70bd87b24fe16fb92754a13dc9660b85a3d6e7021da4a5d18aaef
Instruction Fuzzy Hash: 81917F702247419FCB04EF14C451A6EB7E5AFA5354F44886CF8D65B3A2CB70EDA9CB81

Function 0026C1AC Relevance: 23.0, APIs: 11, Strings: 2, Instructions: 229windowCOMMON

Download Yara Rule

APIs

Part of subcall function 001E2612: GetWindowLongW.USER32(?,000000EB), ref: 001E2623

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 0026C1FC
GetFocus.USER32 ref: 0026C20C
GetDlgCtrlID.USER32(00000000), ref: 0026C217
_memset.LIBCMT ref: 0026C342
GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 0026C36D
GetMenuItemCount.USER32(?), ref: 0026C38D
GetMenuItemID.USER32(?,00000000), ref: 0026C3A0
GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 0026C3D4
GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 0026C41C
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 0026C454
DefDlgProcW.USER32(?,00000111,?,?,?,?,?,?,?), ref: 0026C489

Strings

xM, xrefs: 0026C2F2, 0026C318
0, xrefs: 0026C33A

Memory Dump Source

Source File: 00000000.00000002.2246549404.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2246531073.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.000000000026F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246673436.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246691233.00000000002A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_lExtvSjBgq.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow_memset
String ID: 0$xM
API String ID: 1296962147-2111700025
Opcode ID: 050532b2686fbba8d360fe1335913c731ddb04d9106469842456e0deea535dc4
Instruction ID: 84c7cb88ea9f079ae613991f5f71d0c9484b649c3cfcd7802b8ee111acb6cb40
Opcode Fuzzy Hash: 050532b2686fbba8d360fe1335913c731ddb04d9106469842456e0deea535dc4
Instruction Fuzzy Hash: FF81A1702193529FDB10EF14D894A7BBBE8FF88714F20452EF99597291CB70D8A4CB52

Function 0026B7FE Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 197windowlibraryCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 0026B8B4
LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,002691C2), ref: 0026B910
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 0026B949
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 0026B98C
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 0026B9C3
FreeLibrary.KERNEL32(?), ref: 0026B9CF
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0026B9DF
DestroyIcon.USER32(?,?,?,?,?,002691C2), ref: 0026B9EE
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 0026BA0B
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 0026BA17

Part of subcall function 00202EFD: __wcsicmp_l.LIBCMT ref: 00202F86

Strings

.icl, xrefs: 0026B82A
.dll, xrefs: 0026B86D
.exe, xrefs: 0026B84A

Memory Dump Source

Source File: 00000000.00000002.2246549404.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2246531073.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.000000000026F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246673436.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246691233.00000000002A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_lExtvSjBgq.jbxd

Similarity

API ID: Load$Image$IconLibraryMessageSend$DestroyExtractFree__wcsicmp_l
String ID: .dll$.exe$.icl
API String ID: 1212759294-1154884017
Opcode ID: caa790e6e455ffba3e4f58f87e20101ec97036caebd297d47356001be0b9dffc
Instruction ID: 5f7620332c39614a736a4343c265c37aee500e372c8d0cf602b692c86c6a17bf
Opcode Fuzzy Hash: caa790e6e455ffba3e4f58f87e20101ec97036caebd297d47356001be0b9dffc
Instruction Fuzzy Hash: 1F61FE71960209BAEB15DF64DC45FBE7BACFB08710F10811AFA11D60D1DBB4A9E0DBA0

Function 001E201B Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 170timeCOMMON

Download Yara Rule

APIs

Part of subcall function 001E1B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,001E2036,?,00000000,?,?,?,?,001E16CB,00000000,?), ref: 001E1B9A

DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 001E20D3
KillTimer.USER32(-00000001,?,?,?,?,001E16CB,00000000,?,?,001E1AE2,?,?), ref: 001E216E
DestroyAcceleratorTable.USER32(00000000), ref: 0021BCA6
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,001E16CB,00000000,?,?,001E1AE2,?,?), ref: 0021BCD7
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,001E16CB,00000000,?,?,001E1AE2,?,?), ref: 0021BCEE
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,001E16CB,00000000,?,?,001E1AE2,?,?), ref: 0021BD0A
DeleteObject.GDI32(00000000), ref: 0021BD1C

Strings

xM, xrefs: 001E2054

Memory Dump Source

Source File: 00000000.00000002.2246549404.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2246531073.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.000000000026F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246673436.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246691233.00000000002A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_lExtvSjBgq.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID: xM
API String ID: 641708696-315438632
Opcode ID: 7613b89c35ccc5913ef1ba129dff14f893c13419a700803bf8627110db24beb3
Instruction ID: e7270c2ed174fd63049f6a031d0f08bf523d8d732dc219a5d13502a2bd82a495
Opcode Fuzzy Hash: 7613b89c35ccc5913ef1ba129dff14f893c13419a700803bf8627110db24beb3
Instruction Fuzzy Hash: 78618B31110E61DFCB3A9F16E95CB2AB7F5FB51312F108529E5429A9B0CBB4A8D0DF90

Function 00249C38 Relevance: 22.9, APIs: 7, Strings: 6, Instructions: 150COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,00000016), ref: 00249C7F

Part of subcall function 001E7DE1: _memmove.LIBCMT ref: 001E7E22

LoadStringW.USER32(00000072,?,00000FFF,?), ref: 00249CA0
__swprintf.LIBCMT ref: 00249CF9
__swprintf.LIBCMT ref: 00249D12
_wprintf.LIBCMT ref: 00249DB9
_wprintf.LIBCMT ref: 00249DD7

Strings

Error: , xrefs: 00249D81
Line %d (File "%s"):, xrefs: 00249CF3, 00249D0C
"%s" (%d) : ==> %s:%s%s, xrefs: 00249DB4
Incorrect parameters to object property !, xrefs: 00249D5B
^ ERROR , xrefs: 00249D4E
"%s" (%d) : ==> %s:, xrefs: 00249DD2

Memory Dump Source

Source File: 00000000.00000002.2246549404.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2246531073.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.000000000026F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246673436.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246691233.00000000002A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_lExtvSjBgq.jbxd

Similarity

API ID: LoadString__swprintf_wprintf$_memmove
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
API String ID: 311963372-3080491070
Opcode ID: 051f7642b75524940e86f84f73e1348b1829a143ff9860615486cc3a1060e467
Instruction ID: 7cbedf3dc04b00ba8e65c7fdae4d1a5ad3c68ff48c375b8dc515ee15827f4f83
Opcode Fuzzy Hash: 051f7642b75524940e86f84f73e1348b1829a143ff9860615486cc3a1060e467
Instruction Fuzzy Hash: 1E518131D10A4AAADF14FBE1DD46EEEB778AF25304F500065F505720A2DB312F68CB61

Function 0024A352 Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 001E9837: __itow.LIBCMT ref: 001E9862
Part of subcall function 001E9837: __swprintf.LIBCMT ref: 001E98AC

CharLowerBuffW.USER32(?,?), ref: 0024A3CB
GetDriveTypeW.KERNEL32 ref: 0024A418
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0024A460
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0024A497
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0024A4C5

Part of subcall function 001E7BCC: _memmove.LIBCMT ref: 001E7C06

Strings

closed, xrefs: 0024A3DF, 0024A3E8
open , xrefs: 0024A427
wait, xrefs: 0024A482
set cd door , xrefs: 0024A466
close cd wait, xrefs: 0024A4B0
close, xrefs: 0024A3D1
type cdaudio alias cd wait, xrefs: 0024A443
open, xrefs: 0024A3F2

Memory Dump Source

Source File: 00000000.00000002.2246549404.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2246531073.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.000000000026F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246673436.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246691233.00000000002A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_lExtvSjBgq.jbxd

Similarity

API ID: SendString$BuffCharDriveLowerType__itow__swprintf_memmove
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 2698844021-4113822522
Opcode ID: 952213f31321911c4550e12207cfcc53dffdedc7055eac624ca05f2a10cfb3ac
Instruction ID: 685dfd2146c4a7aea8f4e4d8aa870b5f79c2c9efc8979f87e3114cfdc3aaf266
Opcode Fuzzy Hash: 952213f31321911c4550e12207cfcc53dffdedc7055eac624ca05f2a10cfb3ac
Instruction Fuzzy Hash: DC519D711147459FD704EF11C88186EB3E8EFA5718F04886DF88A972A1DB31EE09CB42

Function 0023F8AA Relevance: 22.9, APIs: 8, Strings: 5, Instructions: 138windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,00000000,?,0021E029,00000001,0000138C,00000001,00000000,00000001,?,00000000,00000000), ref: 0023F8DF
LoadStringW.USER32(00000000,?,0021E029,00000001), ref: 0023F8E8

Part of subcall function 001E7DE1: _memmove.LIBCMT ref: 001E7E22

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,?,?,0021E029,00000001,0000138C,00000001,00000000,00000001,?,00000000,00000000,00000001), ref: 0023F90A
LoadStringW.USER32(00000000,?,0021E029,00000001), ref: 0023F90D
__swprintf.LIBCMT ref: 0023F95D
__swprintf.LIBCMT ref: 0023F96E
_wprintf.LIBCMT ref: 0023FA17
MessageBoxW.USER32(00000000,?,?,00011010), ref: 0023FA2E

Strings

^ ERROR, xrefs: 0023F9C3
Error: , xrefs: 0023F9E5
Line %d (File "%s"):, xrefs: 0023F957
%s (%d) : ==> %s: %s %s, xrefs: 0023FA12
Line %d:, xrefs: 0023F968

Memory Dump Source

Source File: 00000000.00000002.2246549404.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2246531073.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.000000000026F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246673436.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246691233.00000000002A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_lExtvSjBgq.jbxd

Similarity

API ID: HandleLoadModuleString__swprintf$Message_memmove_wprintf
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 984253442-2268648507
Opcode ID: a735a866588088148e67fe048d622a7c047e50b5fbfd4e11e553e21dd4e2b7c1
Instruction ID: 9b1af016ca7e244a56ea00591f24311fd3dd691b03df5910cf496533eaf4603d
Opcode Fuzzy Hash: a735a866588088148e67fe048d622a7c047e50b5fbfd4e11e553e21dd4e2b7c1
Instruction Fuzzy Hash: 39413B72804649AADF04FBE1DE86EEE777CAF25304F100065F506B60A2EB316F19CB61

Function 001E21A5 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 132COMMON

Download Yara Rule

APIs

Part of subcall function 001E25DB: GetWindowLongW.USER32(?,000000EB), ref: 001E25EC

GetSysColor.USER32(0000000F), ref: 001E21D3

Strings

xM, xrefs: 001E21ED

Memory Dump Source

Source File: 00000000.00000002.2246549404.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2246531073.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.000000000026F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246673436.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246691233.00000000002A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_lExtvSjBgq.jbxd

Similarity

API ID: ColorLongWindow
String ID: xM
API String ID: 259745315-315438632
Opcode ID: 2f14fdebda471dcd08550ee8110af2776418f7b53080d86ae92b5dbd2b9b962f
Instruction ID: 039cd2673a5bb67ea8a3b4ab8378870d014dc73ee7aeebe6bde50b72c9960cc9
Opcode Fuzzy Hash: 2f14fdebda471dcd08550ee8110af2776418f7b53080d86ae92b5dbd2b9b962f
Instruction Fuzzy Hash: 5C4192310009919BDF255F29EC98BBD3BA9EB16731F248265FE658A1E1C7718C82DB21

Function 0026BA33 Relevance: 22.6, APIs: 15, Instructions: 130filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,00269207,?,?), ref: 0026BA56
GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,00269207,?,?,00000000,?), ref: 0026BA6D
GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,00269207,?,?,00000000,?), ref: 0026BA78
CloseHandle.KERNEL32(00000000,?,?,?,?,00269207,?,?,00000000,?), ref: 0026BA85
GlobalLock.KERNEL32(00000000), ref: 0026BA8E
ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,?,?,00269207,?,?,00000000,?), ref: 0026BA9D
GlobalUnlock.KERNEL32(00000000), ref: 0026BAA6
CloseHandle.KERNEL32(00000000,?,?,?,?,00269207,?,?,00000000,?), ref: 0026BAAD
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,00269207,?,?,00000000,?), ref: 0026BABE
OleLoadPicture.OLEAUT32(?,00000000,00000000,00272CAC,?), ref: 0026BAD7
GlobalFree.KERNEL32(00000000), ref: 0026BAE7
GetObjectW.GDI32(00000000,00000018,?), ref: 0026BB0B
CopyImage.USER32(00000000,00000000,?,?,00002000), ref: 0026BB36
DeleteObject.GDI32(00000000), ref: 0026BB5E
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 0026BB74

Memory Dump Source

Source File: 00000000.00000002.2246549404.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2246531073.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.000000000026F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246673436.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246691233.00000000002A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_lExtvSjBgq.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: 21f829864f9315d4fe045ddab865f73b655375c83e4784546bf6cae489145e09
Instruction ID: 9c4e79d1aef4d42f1e818a1b95a60141cbc18e2b1c107891890fd679e1bef6d8
Opcode Fuzzy Hash: 21f829864f9315d4fe045ddab865f73b655375c83e4784546bf6cae489145e09
Instruction Fuzzy Hash: 53414A75600205EFDB119FA5ED8CEAA7BB8FF89711F108068F909D7260D7B09D91CB60

Function 0024D899 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

__wsplitpath.LIBCMT ref: 0024DA10
_wcscat.LIBCMT ref: 0024DA28
_wcscat.LIBCMT ref: 0024DA3A
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 0024DA4F
SetCurrentDirectoryW.KERNEL32(?), ref: 0024DA63
GetFileAttributesW.KERNEL32(?), ref: 0024DA7B
SetFileAttributesW.KERNEL32(?,00000000), ref: 0024DA95
SetCurrentDirectoryW.KERNEL32(?), ref: 0024DAA7

Strings

*.*, xrefs: 0024DAE6

Memory Dump Source

Source File: 00000000.00000002.2246549404.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2246531073.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.000000000026F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246673436.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246691233.00000000002A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_lExtvSjBgq.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile_wcscat$__wsplitpath
String ID: *.*
API String ID: 34673085-438819550
Opcode ID: d65cbf5f06db015883eba659d1c4e266ed6ef25fbd0d9e5cac223644974745ce
Instruction ID: b5852887170408af33dff12cd3175d8356f11fb83200ed7e59335e1b0a7ac143
Opcode Fuzzy Hash: d65cbf5f06db015883eba659d1c4e266ed6ef25fbd0d9e5cac223644974745ce
Instruction Fuzzy Hash: 3F81A2725243419FCB68EF64C844A6EB7E4BF89314F18882EF889CB251E770DD55CB52

Function 00266F23 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00266FA5
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00266FA8
GetWindowLongW.USER32(?,000000F0), ref: 00266FCC
_memset.LIBCMT ref: 00266FDD
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00266FEF
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00267067

Strings

xM, xrefs: 00266F6F, 00266F7E, 00266FB4, 00267006, 0026712F

Memory Dump Source

Source File: 00000000.00000002.2246549404.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2246531073.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.000000000026F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246673436.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246691233.00000000002A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_lExtvSjBgq.jbxd

Similarity

API ID: MessageSend$LongWindow_memset
String ID: xM
API String ID: 830647256-315438632
Opcode ID: a89a9971e799ff5cb5b1ce38c851b26c46ebd372d2e96d79721a6962cab21b0a
Instruction ID: 812664141a4b774a13b9cae53f5b63e7c3c36d55214f8564b6ffe0359dbc18e7
Opcode Fuzzy Hash: a89a9971e799ff5cb5b1ce38c851b26c46ebd372d2e96d79721a6962cab21b0a
Instruction Fuzzy Hash: A861AE70910218AFDB10DFA4DC85EEE77F8EB09704F10019AFA15AB2A1C771AD95CF60

Function 0025731A Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 160windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 0025738F
CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 0025739B
CreateCompatibleDC.GDI32(?), ref: 002573A7
SelectObject.GDI32(00000000,?), ref: 002573B4
StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 00257408
GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,00000028,00000000), ref: 00257444
GetDIBits.GDI32(00000006,?,00000000,?,00000000,00000028,00000000), ref: 00257468
SelectObject.GDI32(00000006,?), ref: 00257470
DeleteObject.GDI32(?), ref: 00257479
DeleteDC.GDI32(00000006), ref: 00257480
ReleaseDC.USER32(00000000,?), ref: 0025748B

Strings

(, xrefs: 00257410

Memory Dump Source

Source File: 00000000.00000002.2246549404.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2246531073.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.000000000026F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246673436.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246691233.00000000002A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_lExtvSjBgq.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: b1810451dea7670d2ccdd023b7c84ec1ffa398327185f5b748fc0dc564a518de
Instruction ID: 678f396b71f3d1f4c92455d984fda71fe0360302ba2b87dc83626f4ac9c76350
Opcode Fuzzy Hash: b1810451dea7670d2ccdd023b7c84ec1ffa398327185f5b748fc0dc564a518de
Instruction Fuzzy Hash: E9515971914309EFCB14CFA8EC88EAEBBB9EF48310F14842DF95997211D771A854CB50

Function 00260E1A Relevance: 21.1, APIs: 1, Strings: 11, Instructions: 120COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,0025FDAD,?,?), ref: 00260E31

Strings

HKEY_LOCAL_MACHINE, xrefs: 00260E9A
HKCR, xrefs: 00260ED9
HKEY_CLASSES_ROOT, xrefs: 00260EC4
HKEY_CURRENT_CONFIG, xrefs: 00260EEE
HKU, xrefs: 00260F43
HKEY_USERS, xrefs: 00260F32
HKCC, xrefs: 00260EFF
HKCU, xrefs: 00260F21
HKEY_CURRENT_USER, xrefs: 00260F10
HKLM, xrefs: 00260EAF
r, xrefs: 00260E89

Memory Dump Source

Source File: 00000000.00000002.2246549404.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2246531073.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.000000000026F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246673436.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246691233.00000000002A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_lExtvSjBgq.jbxd

Similarity

API ID: BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU$r
API String ID: 3964851224-3410716189
Opcode ID: 1e654cfab64368aaf0223e09ba2a86ebd0054049fc54c64bb79dce3dedfc00b0
Instruction ID: f9788de5aed2d81680e814213b342b594ad5b537f3e656243e2483c729bb37a1
Opcode Fuzzy Hash: 1e654cfab64368aaf0223e09ba2a86ebd0054049fc54c64bb79dce3dedfc00b0
Instruction Fuzzy Hash: 78417E3123038A8BDF21EF14D895AEF3764AF25314F140418FC951B692DB709EBADBA0

Function 001E6A8C Relevance: 19.7, APIs: 4, Strings: 7, Instructions: 478COMMON

Download Yara Rule

APIs

Part of subcall function 00200957: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,001E6B0C,?,00008000), ref: 00200973

Part of subcall function 001E4750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,001E4743,?,?,001E37AE,?), ref: 001E4770

SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 001E6BAD
SetCurrentDirectoryW.KERNEL32(?), ref: 001E6CFA

Part of subcall function 001E586D: _wcscpy.LIBCMT ref: 001E58A5

Part of subcall function 0020363D: _iswctype.LIBCMT ref: 00203645

Strings

Error opening the file, xrefs: 0021E43D, 0021E4B8
AU3!, xrefs: 001E6B61
Bad directive syntax error, xrefs: 0021E79D
EA06, xrefs: 0021E452
#include depth exceeded. Make sure there are no recursive includes, xrefs: 0021E421
>>>AUTOIT SCRIPT<<<, xrefs: 0021E496
Unterminated string, xrefs: 0021E7E4

Memory Dump Source

Source File: 00000000.00000002.2246549404.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2246531073.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.000000000026F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246673436.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246691233.00000000002A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_lExtvSjBgq.jbxd

Similarity

API ID: CurrentDirectory$FullNamePath_iswctype_wcscpy
String ID: #include depth exceeded. Make sure there are no recursive includes$>>>AUTOIT SCRIPT<<<$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
API String ID: 537147316-1018226102
Opcode ID: acd23acdb022e6600a9468de43e1ac4dec652f0441fdbe2d59d09dfa0abdb640
Instruction ID: 238c38a08caf878ab8498219dac86f7995f777372fac701514e933aa96047a7b
Opcode Fuzzy Hash: acd23acdb022e6600a9468de43e1ac4dec652f0441fdbe2d59d09dfa0abdb640
Instruction Fuzzy Hash: E202C1301187819FCB14EF21C8819AFBBE5FFA9354F54481DF485972A2DB30D999CB52

Function 00242D36 Relevance: 19.7, APIs: 13, Instructions: 214windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00242D50
GetMenuItemInfoW.USER32(00000000,00000007,00000000,00000030), ref: 00242DDD
GetMenuItemCount.USER32(002A5890), ref: 00242E66
DeleteMenu.USER32(002A5890,00000005,00000000,000000F5,?,?), ref: 00242EF6
DeleteMenu.USER32(002A5890,00000004,00000000), ref: 00242EFE
DeleteMenu.USER32(002A5890,00000006,00000000), ref: 00242F06
DeleteMenu.USER32(002A5890,00000003,00000000), ref: 00242F0E
GetMenuItemCount.USER32(002A5890), ref: 00242F16
SetMenuItemInfoW.USER32(002A5890,00000004,00000000,00000030), ref: 00242F4C
GetCursorPos.USER32(?), ref: 00242F56
SetForegroundWindow.USER32(00000000), ref: 00242F5F
TrackPopupMenuEx.USER32(002A5890,00000000,?,00000000,00000000,00000000), ref: 00242F72
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00242F7E

Memory Dump Source

Source File: 00000000.00000002.2246549404.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2246531073.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.000000000026F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246673436.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246691233.00000000002A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_lExtvSjBgq.jbxd

Similarity

API ID: Menu$DeleteItem$CountInfo$CursorForegroundMessagePopupPostTrackWindow_memset
String ID:
API String ID: 3993528054-0
Opcode ID: a9552f55f4829352e550ea8859a5a952c6b64d89d49961522462e1a797bbf097
Instruction ID: d00101818aa74e19f3dbf23fa55b69d30bca075436fe7b083aadd9337f1b4a54
Opcode Fuzzy Hash: a9552f55f4829352e550ea8859a5a952c6b64d89d49961522462e1a797bbf097
Instruction Fuzzy Hash: 9E71E770610216FBEB298F56EC49FAABF64FF04314F904216F615AA1E1C7B16C78DB50

Function 002588AB Relevance: 19.6, APIs: 10, Strings: 1, Instructions: 324fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 002588D7
CoInitialize.OLE32(00000000), ref: 00258904
CoUninitialize.OLE32 ref: 0025890E
GetRunningObjectTable.OLE32(00000000,?), ref: 00258A0E
SetErrorMode.KERNEL32(00000001,00000029), ref: 00258B3B
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,00272C0C), ref: 00258B6F
CoGetObject.OLE32(?,00000000,00272C0C,?), ref: 00258B92
SetErrorMode.KERNEL32(00000000), ref: 00258BA5
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00258C25
VariantClear.OLEAUT32(?), ref: 00258C35

Strings

,,', xrefs: 002588C1

Memory Dump Source

Source File: 00000000.00000002.2246549404.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2246531073.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.000000000026F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246673436.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246691233.00000000002A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_lExtvSjBgq.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
String ID: ,,'
API String ID: 2395222682-1378728019
Opcode ID: 44bcd26d818095cb5a144a6491160efeed0543c6d5fac97ed66b3f630a894c37
Instruction ID: 0e08ab589463a09d657b75b6b1823fc0972e6f8f951cca4e32bd8c2a22e49c2e
Opcode Fuzzy Hash: 44bcd26d818095cb5a144a6491160efeed0543c6d5fac97ed66b3f630a894c37
Instruction Fuzzy Hash: D3C125B1218305AFD700DF24C88492AB7E9FF89349F00496DF989DB251DBB1ED19CB52

Function 002377DC Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 128registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 001E7BCC: _memmove.LIBCMT ref: 001E7C06

_memset.LIBCMT ref: 0023786B
WNetAddConnection2W.MPR(?,?,?,00000000), ref: 002378A0
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 002378BC
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 002378D8
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00237902
CLSIDFromString.OLE32(?,?,?,SOFTWARE\Classes\), ref: 0023792A
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00237935
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 0023793A

Strings

\IPC$, xrefs: 00237882
\CLSID, xrefs: 00237822
SOFTWARE\Classes\, xrefs: 0023780C

Memory Dump Source

Source File: 00000000.00000002.2246549404.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2246531073.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.000000000026F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246673436.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246691233.00000000002A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_lExtvSjBgq.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_memmove_memset
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 1411258926-22481851
Opcode ID: 2ddb3ad72bafaa0058e2cec90acf96139cd551b3a83b073fa05f1683559c0c67
Instruction ID: 141f94716f15096f826c58be957e6c7e178441a5b291ffcac6f928218e890272
Opcode Fuzzy Hash: 2ddb3ad72bafaa0058e2cec90acf96139cd551b3a83b073fa05f1683559c0c67
Instruction Fuzzy Hash: 6A4138B2C2462DABDF21EFA5EC85DEDB778BF14350F004029E905A31A1DB709D14CB90

Function 00267152 Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 103windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0026716A
CreateMenu.USER32 ref: 00267185
SetMenu.USER32(?,00000000), ref: 00267194
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00267221
IsMenu.USER32(?), ref: 00267237
CreatePopupMenu.USER32 ref: 00267241
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 0026726E
DrawMenuBar.USER32 ref: 00267276

Strings

F, xrefs: 00267262
xM, xrefs: 002671E0, 002671FD
0, xrefs: 00267160

Memory Dump Source

Source File: 00000000.00000002.2246549404.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2246531073.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.000000000026F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246673436.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246691233.00000000002A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_lExtvSjBgq.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup_memset
String ID: 0$F$xM
API String ID: 176399719-3658317446
Opcode ID: 9044f9d857ae6779d834248536a7c6f740d952c23cc6637de5db0a75965ecc64
Instruction ID: 07fefa61f2790fabb8f40900bb40c532feba1e3b7e33c65cf3f18bca1e8f874f
Opcode Fuzzy Hash: 9044f9d857ae6779d834248536a7c6f740d952c23cc6637de5db0a75965ecc64
Instruction Fuzzy Hash: B6417674A21209EFDB20DF64E998E9ABBB5FF09310F144029FD06A7360D771AD64CB90

Function 0023F7A1 Relevance: 19.3, APIs: 6, Strings: 5, Instructions: 75windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,0021E2A0,00000010,?,Bad directive syntax error,0026F910,00000000,?,?,?,>>>AUTOIT SCRIPT<<<), ref: 0023F7C2
LoadStringW.USER32(00000000,?,0021E2A0,00000010), ref: 0023F7C9

Part of subcall function 001E7DE1: _memmove.LIBCMT ref: 001E7E22

_wprintf.LIBCMT ref: 0023F7FC
__swprintf.LIBCMT ref: 0023F81E
MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 0023F88D

Strings

., xrefs: 0023F873
Line %d (File "%s"):, xrefs: 0023F833
%s (%d) : ==> %s.: %s %s, xrefs: 0023F7F7
Line %d:, xrefs: 0023F818
Error: , xrefs: 0023F85B

Memory Dump Source

Source File: 00000000.00000002.2246549404.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2246531073.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.000000000026F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246673436.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246691233.00000000002A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_lExtvSjBgq.jbxd

Similarity

API ID: HandleLoadMessageModuleString__swprintf_memmove_wprintf
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 1506413516-4153970271
Opcode ID: 7c784637671a99b2d8202be7a7962bd8520c5128f03a3b4d92055d22e48c2582
Instruction ID: 67eef665e496adb6c0bbddf16633d7b12ee3269c30cb17b16f355bbffeefa8bb
Opcode Fuzzy Hash: 7c784637671a99b2d8202be7a7962bd8520c5128f03a3b4d92055d22e48c2582
Instruction Fuzzy Hash: C1219131D2025AFBDF15EF90DD0AEEE7739BF25300F040466F515660A2EB719628CB51

Function 002452C7 Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 74COMMON

Download Yara Rule

APIs

Part of subcall function 001E7BCC: _memmove.LIBCMT ref: 001E7C06

Part of subcall function 001E7924: _memmove.LIBCMT ref: 001E79AD

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 00245330
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00245346
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00245357
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00245369
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 0024537A

Strings

open , xrefs: 002452DF
play PlayMe wait, xrefs: 00245364
status PlayMe mode, xrefs: 0024532B
close PlayMe, xrefs: 00245341, 0024536E
play PlayMe, xrefs: 00245375
alias PlayMe, xrefs: 00245309

Memory Dump Source

Source File: 00000000.00000002.2246549404.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2246531073.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.000000000026F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246673436.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246691233.00000000002A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_lExtvSjBgq.jbxd

Similarity

API ID: SendString$_memmove
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2279737902-1007645807
Opcode ID: a7e86f519ce7f15c90b360892024f5d4f357d3f3caa064fcb15d79a39c5ae478
Instruction ID: 3be8d1dea076339fec9c054921a0c6ccc83b418f0656e697823713a585ee6eed
Opcode Fuzzy Hash: a7e86f519ce7f15c90b360892024f5d4f357d3f3caa064fcb15d79a39c5ae478
Instruction Fuzzy Hash: 0511B62196056A7AEB24BBA2DC49DFFBB7CEFA3B44F040469B401920D2DFA00D15C561

Function 002446B7 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 73networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 002446D2
gethostname.WSOCK32(?,00000100), ref: 002446EC
gethostbyname.WSOCK32(?), ref: 002446F9
_wcscpy.LIBCMT ref: 00244721
_memmove.LIBCMT ref: 00244734
inet_ntoa.WSOCK32(?), ref: 0024473F
_strcat.LIBCMT ref: 0024474D
_wcscpy.LIBCMT ref: 00244764
WSACleanup.WSOCK32 ref: 00244772
_wcscpy.LIBCMT ref: 00244780

Strings

0.0.0.0, xrefs: 0024471B

Memory Dump Source

Source File: 00000000.00000002.2246549404.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2246531073.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.000000000026F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246673436.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246691233.00000000002A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_lExtvSjBgq.jbxd

Similarity

API ID: _wcscpy$CleanupStartup_memmove_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 208665112-3771769585
Opcode ID: 4a060ccaa4cb4c583c1e4fbcbd8cd52560e4b29a17efe46ff1b3626daecd7643
Instruction ID: 09479fb63b44314cca11376115ec87f11bdbdb38914329288e533a5569258755
Opcode Fuzzy Hash: 4a060ccaa4cb4c583c1e4fbcbd8cd52560e4b29a17efe46ff1b3626daecd7643
Instruction Fuzzy Hash: D011D531524215AFDB19BB30AC4AFEAB7BCEB42711F0441B6F54596092EFB09DA28A50

Function 00244F75 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 00244F7A

Part of subcall function 0020049F: timeGetTime.WINMM(?,7694B400,001F0E7B), ref: 002004A3

Sleep.KERNEL32(0000000A), ref: 00244FA6
EnumThreadWindows.USER32(?,Function_00064F28,00000000), ref: 00244FCA
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 00244FEC
SetActiveWindow.USER32 ref: 0024500B
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00245019
SendMessageW.USER32(00000010,00000000,00000000), ref: 00245038
Sleep.KERNEL32(000000FA), ref: 00245043
IsWindow.USER32 ref: 0024504F
EndDialog.USER32(00000000), ref: 00245060

Strings

BUTTON, xrefs: 00244FDE

Memory Dump Source

Source File: 00000000.00000002.2246549404.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2246531073.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.000000000026F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246673436.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246691233.00000000002A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_lExtvSjBgq.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: 6766e1959195b3150e260f6e4658166d50979082156f733e50560bbc7f54fb96
Instruction ID: ee87020a7d40caef4788946c23efbb9de3e94c2201b789cf4e57a1b306d507dd
Opcode Fuzzy Hash: 6766e1959195b3150e260f6e4658166d50979082156f733e50560bbc7f54fb96
Instruction Fuzzy Hash: E321F374614602BFEB146F30FD8CB263BADEB0A745F496024F502811F1CFB18D28CA61

Function 0024D58D Relevance: 18.3, APIs: 12, Instructions: 283comCOMMON

Download Yara Rule

APIs

Part of subcall function 001E9837: __itow.LIBCMT ref: 001E9862
Part of subcall function 001E9837: __swprintf.LIBCMT ref: 001E98AC

CoInitialize.OLE32(00000000), ref: 0024D5EA
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 0024D67D
SHGetDesktopFolder.SHELL32(?), ref: 0024D691
CoCreateInstance.OLE32(00272D7C,00000000,00000001,00298C1C,?), ref: 0024D6DD
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 0024D74C
CoTaskMemFree.OLE32(?,?), ref: 0024D7A4
_memset.LIBCMT ref: 0024D7E1
SHBrowseForFolderW.SHELL32(?), ref: 0024D81D
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 0024D840
CoTaskMemFree.OLE32(00000000), ref: 0024D847
CoTaskMemFree.OLE32(00000000,00000001,00000000), ref: 0024D87E
CoUninitialize.OLE32(00000001,00000000), ref: 0024D880

Memory Dump Source

Source File: 00000000.00000002.2246549404.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2246531073.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.000000000026F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246673436.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246691233.00000000002A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_lExtvSjBgq.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize__itow__swprintf_memset
String ID:
API String ID: 1246142700-0
Opcode ID: 27f95234a447ab0c32728f76f84e6002e6233c1c80a2ba437ad5ab6b0cd7ed40
Instruction ID: 4e7113d020bdec1744ce5e806be6aa71c13e0aaf1966e0de0b685495762dd218
Opcode Fuzzy Hash: 27f95234a447ab0c32728f76f84e6002e6233c1c80a2ba437ad5ab6b0cd7ed40
Instruction Fuzzy Hash: 9FB10B75A10109AFDB04DFA4D888DAEBBB9FF48314F1484A9F909EB261DB70ED41CB50

Function 0023C267 Relevance: 18.2, APIs: 12, Instructions: 174COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 0023C283
GetWindowRect.USER32(00000000,?), ref: 0023C295
MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 0023C2F3
GetDlgItem.USER32(?,00000002), ref: 0023C2FE
GetWindowRect.USER32(00000000,?), ref: 0023C310
MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 0023C364
GetDlgItem.USER32(?,000003E9), ref: 0023C372
GetWindowRect.USER32(00000000,?), ref: 0023C383
MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 0023C3C6
GetDlgItem.USER32(?,000003EA), ref: 0023C3D4
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 0023C3F1
InvalidateRect.USER32(?,00000000,00000001), ref: 0023C3FE

Memory Dump Source

Source File: 00000000.00000002.2246549404.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2246531073.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.000000000026F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246673436.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246691233.00000000002A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_lExtvSjBgq.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: b14332c0d41a6d19ca5799ece0988cf97fedd5723823ed93cd1409f68b193e63
Instruction ID: 646000834f0e2e0b1bf72c8450c6a5a3abb44f865a004668874218867b075c58
Opcode Fuzzy Hash: b14332c0d41a6d19ca5799ece0988cf97fedd5723823ed93cd1409f68b193e63
Instruction Fuzzy Hash: CC5132B1B10205AFDF18CFA9ED89A6EBBB9FB88710F14812DF515E7290D7B09D008B10

Function 0024A8A7 Relevance: 17.7, APIs: 3, Strings: 7, Instructions: 183COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,0026F910), ref: 0024A90B
GetDriveTypeW.KERNEL32(00000061,002989A0,00000061), ref: 0024A9D5
_wcscpy.LIBCMT ref: 0024A9FF

Strings

unknown, xrefs: 0024A996
all, xrefs: 0024A911
cdrom, xrefs: 0024A927
fixed, xrefs: 0024A953
ramdisk, xrefs: 0024A97F
removable, xrefs: 0024A93D
network, xrefs: 0024A969

Memory Dump Source

Source File: 00000000.00000002.2246549404.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2246531073.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.000000000026F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246673436.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246691233.00000000002A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_lExtvSjBgq.jbxd

Similarity

API ID: BuffCharDriveLowerType_wcscpy
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2820617543-1000479233
Opcode ID: 9600dc4155cb35d3ce3421a9bbe4883101595d3087f5e146ed57e5458698303b
Instruction ID: 8feb956233123b34c31906ab02a1c9f1b7f71b76bbc3d151e391de0b63a2cdd5
Opcode Fuzzy Hash: 9600dc4155cb35d3ce3421a9bbe4883101595d3087f5e146ed57e5458698303b
Instruction Fuzzy Hash: 7751DF311683419BCB08EF14C892AAFB7A9FF95304F04482DF596972E2DB709D28CA43

Function 00268645 Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 168COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 002686FF

Strings

xM, xrefs: 00268681

Memory Dump Source

Source File: 00000000.00000002.2246549404.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2246531073.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.000000000026F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246673436.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246691233.00000000002A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_lExtvSjBgq.jbxd

Similarity

API ID: InvalidateRect
String ID: xM
API String ID: 634782764-315438632
Opcode ID: 4c070ddd4b61a815027029a35697debcf169018fdfd2838862a34fa6ea77c80a
Instruction ID: 1697b98d13146c12d919b20f0b75139b8a53c4c9813ad9d365d851bf3aa5206e
Opcode Fuzzy Hash: 4c070ddd4b61a815027029a35697debcf169018fdfd2838862a34fa6ea77c80a
Instruction Fuzzy Hash: B2519F34520249BFEF219F24DC89FAD7BA8AB05710F604311FA11E61A0CFB1A9E0CB51

Function 001E9837 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 146COMMON

Download Yara Rule

APIs

__itow.LIBCMT ref: 001E9862
__swprintf.LIBCMT ref: 001E98AC
__i64tow.LIBCMT ref: 0021F5E6

Strings

%.15g, xrefs: 001E98A6
False, xrefs: 0021F5AE
0x%p, xrefs: 0021F5C8
True, xrefs: 0021F5A7

Memory Dump Source

Source File: 00000000.00000002.2246549404.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2246531073.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.000000000026F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246673436.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246691233.00000000002A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_lExtvSjBgq.jbxd

Similarity

API ID: __i64tow__itow__swprintf
String ID: %.15g$0x%p$False$True
API String ID: 421087845-2263619337
Opcode ID: 53189454b63bc4d3672665255e5acb20d246ba84daabbf9012288aacbc32b4df
Instruction ID: 663e12738af4531fc53751635873e2550f465deea8efed411ca9d7ac7ab80085
Opcode Fuzzy Hash: 53189454b63bc4d3672665255e5acb20d246ba84daabbf9012288aacbc32b4df
Instruction Fuzzy Hash: B941E471520709AFEB28DF35D942EBA73E9FF06300F60447EE559DB292EB3199518B10

Function 002674BB Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 0026755E
CreateCompatibleDC.GDI32(00000000), ref: 00267565
SendMessageW.USER32(?,00000173,00000000,00000000), ref: 00267578
SelectObject.GDI32(00000000,00000000), ref: 00267580
GetPixel.GDI32(00000000,00000000,00000000), ref: 0026758B
DeleteDC.GDI32(00000000), ref: 00267594
GetWindowLongW.USER32(?,000000EC), ref: 0026759E
SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000001), ref: 002675B2
DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?,?), ref: 002675BE

Strings

static, xrefs: 002674F6

Memory Dump Source

Source File: 00000000.00000002.2246549404.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2246531073.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.000000000026F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246673436.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246691233.00000000002A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_lExtvSjBgq.jbxd

Similarity

API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
String ID: static
API String ID: 2559357485-2160076837
Opcode ID: 5d903a7d29e764d8b270f43721ea382ef6cde4ffd75120d3885e06a3dba7d69d
Instruction ID: 3efab344b5ea8ac387bcbcba25d852aa07f996ce4f8a83dee7fe271323b6e77c
Opcode Fuzzy Hash: 5d903a7d29e764d8b270f43721ea382ef6cde4ffd75120d3885e06a3dba7d69d
Instruction Fuzzy Hash: 82319E72114215BBDF129F64FC08FDB3B69FF09364F114224FA26A20A0D771D861DBA0

Function 00206E03 Relevance: 16.8, APIs: 11, Instructions: 258COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00206E3E

Part of subcall function 00208B28: __getptd_noexit.LIBCMT ref: 00208B28

__gmtime64_s.LIBCMT ref: 00206ED7
__gmtime64_s.LIBCMT ref: 00206F0D
__gmtime64_s.LIBCMT ref: 00206F2A
__allrem.LIBCMT ref: 00206F80
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00206F9C
__allrem.LIBCMT ref: 00206FB3
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00206FD1
__allrem.LIBCMT ref: 00206FE8
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00207006
__invoke_watson.LIBCMT ref: 00207077

Memory Dump Source

Source File: 00000000.00000002.2246549404.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2246531073.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.000000000026F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246673436.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246691233.00000000002A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_lExtvSjBgq.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
String ID:
API String ID: 384356119-0
Opcode ID: 1572197e9c4cf49d3ac3c19b6e82465e4eefa01e3d88f7bbd38cf7a66862b9c5
Instruction ID: 0f1932e1ff91646f114b9b2357fb6644148ffa4d5f83f51e1fea19108df00581
Opcode Fuzzy Hash: 1572197e9c4cf49d3ac3c19b6e82465e4eefa01e3d88f7bbd38cf7a66862b9c5
Instruction Fuzzy Hash: 8F7117B2E10717ABD714EE68DC85BAAB3E9AF14320F144229F514D72C2E770ED708B90

Function 00242527 Relevance: 16.7, APIs: 11, Instructions: 190windowsleepCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00242542
GetMenuItemInfoW.USER32(002A5890,000000FF,00000000,00000030), ref: 002425A3
SetMenuItemInfoW.USER32(002A5890,00000004,00000000,00000030), ref: 002425D9
Sleep.KERNEL32(000001F4), ref: 002425EB
GetMenuItemCount.USER32(?), ref: 0024262F
GetMenuItemID.USER32(?,00000000), ref: 0024264B
GetMenuItemID.USER32(?,-00000001), ref: 00242675
GetMenuItemID.USER32(?,?), ref: 002426BA
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00242700
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00242714
SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00242735

Memory Dump Source

Source File: 00000000.00000002.2246549404.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2246531073.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.000000000026F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246673436.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246691233.00000000002A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_lExtvSjBgq.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountRadioSleep_memset
String ID:
API String ID: 4176008265-0
Opcode ID: 7d226fbbf94f0cc96c1ed2fede76553df3e6bd3ff4c0f9e0bd6d75056d1724fb
Instruction ID: 06f635c811fbd03ebad44ef5fd03a6a9944af396ef3d0a3b7f5d2ea5eac57e88
Opcode Fuzzy Hash: 7d226fbbf94f0cc96c1ed2fede76553df3e6bd3ff4c0f9e0bd6d75056d1724fb
Instruction Fuzzy Hash: 4661A47092024AEFDF19CF65ED88EBEBBB8EB01304F944059F84297251D771AD29DB21

Function 00236B98 Relevance: 16.6, APIs: 11, Instructions: 123memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 00236BBF
SafeArrayAllocData.OLEAUT32(?), ref: 00236C18
VariantInit.OLEAUT32(?), ref: 00236C2A
SafeArrayAccessData.OLEAUT32(?,?), ref: 00236C4A
VariantCopy.OLEAUT32(?,?), ref: 00236C9D
SafeArrayUnaccessData.OLEAUT32(?), ref: 00236CB1
VariantClear.OLEAUT32(?), ref: 00236CC6
SafeArrayDestroyData.OLEAUT32(?), ref: 00236CD3
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00236CDC
VariantClear.OLEAUT32(?), ref: 00236CEE
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00236CF9

Memory Dump Source

Source File: 00000000.00000002.2246549404.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2246531073.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.000000000026F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246673436.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246691233.00000000002A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_lExtvSjBgq.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: daa5d2739da1f4f96119f2e2f196a1b2c2ece478fd83bb888a93cd2d9d8645c4
Instruction ID: e04943fb9d7ab761eec03fd9578617d69554ce9675b60134e6582b98e6576819
Opcode Fuzzy Hash: daa5d2739da1f4f96119f2e2f196a1b2c2ece478fd83bb888a93cd2d9d8645c4
Instruction Fuzzy Hash: F7416071A10219AFCF00DFA8E94C9AEBBB9FF08354F00C469E955E7261CB70A955CF90

Function 0026D43E Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 257windowCOMMON

Download Yara Rule

APIs

Part of subcall function 001E2612: GetWindowLongW.USER32(?,000000EB), ref: 001E2623

GetSystemMetrics.USER32(0000000F), ref: 0026D47C
GetSystemMetrics.USER32(0000000F), ref: 0026D49C
MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 0026D6D7
SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 0026D6F5
SendMessageW.USER32(00000003,00000469,?,00000000), ref: 0026D716
ShowWindow.USER32(00000003,00000000), ref: 0026D735
InvalidateRect.USER32(?,00000000,00000001), ref: 0026D75A
DefDlgProcW.USER32(?,00000005,?,?), ref: 0026D77D

Strings

xM, xrefs: 0026D4E9

Memory Dump Source

Source File: 00000000.00000002.2246549404.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2246531073.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.000000000026F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246673436.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246691233.00000000002A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_lExtvSjBgq.jbxd

Similarity

API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
String ID: xM
API String ID: 1211466189-315438632
Opcode ID: 356070cac5e898cabe0e0a62af5c51c17f16d5cecfaa861f3ecc832fb93b1b44
Instruction ID: 15401afecaadfdbaead862cf61665bfa6e82c1edff0a898ddfa42726182c9745
Opcode Fuzzy Hash: 356070cac5e898cabe0e0a62af5c51c17f16d5cecfaa861f3ecc832fb93b1b44
Instruction Fuzzy Hash: 2CB1AE75A1022AEFDF14CF68D9857AD7BB1BF04701F08C069EC499B295D774A9A0CB90

Function 00242A96 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 195windowCOMMON

Download Yara Rule

APIs

Part of subcall function 001FFC86: _wcscpy.LIBCMT ref: 001FFCA9

_memset.LIBCMT ref: 00242B87
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00242BB6
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00242C69
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 00242C97

Strings

XO, xrefs: 00242B0F
0, xrefs: 00242B73
XO, xrefs: 00242B16
8, xrefs: 00242B25
8, xrefs: 00242B2C

Memory Dump Source

Source File: 00000000.00000002.2246549404.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2246531073.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.000000000026F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246673436.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246691233.00000000002A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_lExtvSjBgq.jbxd

Similarity

API ID: ItemMenu$Info$Default_memset_wcscpy
String ID: 0$8$8$XO$XO
API String ID: 4152858687-3464290333
Opcode ID: 5c766c6be0ced30f7de1aff46db9c2923ff33357a75f67142bb5f882a1c2c286
Instruction ID: ceca20ea1602e8d4603b62e7b923961f3211bfbb4394fcbd50e5a08ffe41b345
Opcode Fuzzy Hash: 5c766c6be0ced30f7de1aff46db9c2923ff33357a75f67142bb5f882a1c2c286
Instruction Fuzzy Hash: 0951E131128312DBD7189E2AD88476FB7E8EF55314F45092EF881D71D1DBA0CC688B52

Function 00255732 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 163networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 00255793
inet_addr.WSOCK32(?,?,?), ref: 002557D8
gethostbyname.WSOCK32(?), ref: 002557E4
IcmpCreateFile.IPHLPAPI ref: 002557F2
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00255862
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00255878
IcmpCloseHandle.IPHLPAPI(00000000), ref: 002558ED
WSACleanup.WSOCK32 ref: 002558F3

Strings

Ping, xrefs: 00255816

Memory Dump Source

Source File: 00000000.00000002.2246549404.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2246531073.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.000000000026F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246673436.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246691233.00000000002A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_lExtvSjBgq.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: 0c64caea9ac04f1869a9bd2473dac4c70f0f98c3348e0ee17059bda54e72b51f
Instruction ID: 73a61df70bc636fd59aff89b0e9b6808aaf71c9b99b905a58cf8d7e59898e330
Opcode Fuzzy Hash: 0c64caea9ac04f1869a9bd2473dac4c70f0f98c3348e0ee17059bda54e72b51f
Instruction Fuzzy Hash: EF51DD31614B11DFDB10EF25DC59B2AB7E4EF48320F048929F996DB2A1DB70E854CB46

Function 0024B4C3 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 98COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 0024B4D0
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 0024B546
GetLastError.KERNEL32 ref: 0024B550
SetErrorMode.KERNEL32(00000000,READY), ref: 0024B5BD

Strings

READY, xrefs: 0024B596
UNKNOWN, xrefs: 0024B575
INVALID, xrefs: 0024B58F
READONLY, xrefs: 0024B588
NOTREADY, xrefs: 0024B57C

Memory Dump Source

Source File: 00000000.00000002.2246549404.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2246531073.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.000000000026F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246673436.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246691233.00000000002A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_lExtvSjBgq.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: cfbf70979212e70fc8587eab42bc536929ae24a152aa5bea350818d6c086424c
Instruction ID: b71d5dbdf0413b20326fee69c994dcc77bc3897819b0aeb77ab55037a051c138
Opcode Fuzzy Hash: cfbf70979212e70fc8587eab42bc536929ae24a152aa5bea350818d6c086424c
Instruction Fuzzy Hash: 8731E435A1020ADFCB05EF68D845EBDB7B4FF09314F548065E505D7291DB70DA62CB50

Function 00238F8F Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 82windowCOMMON

Download Yara Rule

APIs

Part of subcall function 001E7DE1: _memmove.LIBCMT ref: 001E7E22

Part of subcall function 0023AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0023AABC

SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 00239014
GetDlgCtrlID.USER32 ref: 0023901F
GetParent.USER32 ref: 0023903B
SendMessageW.USER32(00000000,?,00000111,?), ref: 0023903E
GetDlgCtrlID.USER32(?), ref: 00239047
GetParent.USER32(?), ref: 00239063
SendMessageW.USER32(00000000,?,?,00000111), ref: 00239066

Strings

ComboBox, xrefs: 00238F9C
ListBox, xrefs: 00238FD1

Memory Dump Source

Source File: 00000000.00000002.2246549404.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2246531073.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.000000000026F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246673436.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246691233.00000000002A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_lExtvSjBgq.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_memmove
String ID: ComboBox$ListBox
API String ID: 1536045017-1403004172
Opcode ID: 5a747880ac13848aa5d988fcdcd192fe9aa3473e691dac467149dececb83c9dc
Instruction ID: f42e78f92ddb6cff289d5a12a7681054f32ade945d2e59e11ea77bbd7d77f8a8
Opcode Fuzzy Hash: 5a747880ac13848aa5d988fcdcd192fe9aa3473e691dac467149dececb83c9dc
Instruction Fuzzy Hash: 2B21C4B0A10108BBDF04ABA0DC89EFEBB79FF55310F104129F961972A1DBB55865DA20

Function 0023907A Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 81windowCOMMON

Download Yara Rule

APIs

Part of subcall function 001E7DE1: _memmove.LIBCMT ref: 001E7E22

Part of subcall function 0023AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0023AABC

SendMessageW.USER32(?,00000186,00000002,00000000), ref: 002390FD
GetDlgCtrlID.USER32 ref: 00239108
GetParent.USER32 ref: 00239124
SendMessageW.USER32(00000000,?,00000111,?), ref: 00239127
GetDlgCtrlID.USER32(?), ref: 00239130
GetParent.USER32(?), ref: 0023914C
SendMessageW.USER32(00000000,?,?,00000111), ref: 0023914F

Strings

ComboBox, xrefs: 00239087
ListBox, xrefs: 002390BC

Memory Dump Source

Source File: 00000000.00000002.2246549404.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2246531073.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.000000000026F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246673436.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246691233.00000000002A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_lExtvSjBgq.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_memmove
String ID: ComboBox$ListBox
API String ID: 1536045017-1403004172
Opcode ID: 82fd4a3edc0fa3ca93c7a7bdc5287ef8ce58f051dcb1387ee10579daedda8175
Instruction ID: c2bc8d8d66a23ce74e66689217ed9150e16a91ae94f252088e05af63b23d62d0
Opcode Fuzzy Hash: 82fd4a3edc0fa3ca93c7a7bdc5287ef8ce58f051dcb1387ee10579daedda8175
Instruction Fuzzy Hash: B121F5B4A10109BBDF00ABA1DC89EFEBB78FF55300F004025F961972A2DBB54865DF20

Function 00239163 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 72windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 0023916F
GetClassNameW.USER32(00000000,?,00000100), ref: 00239184
_wcscmp.LIBCMT ref: 00239196
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00239211

Strings

smallicons, xrefs: 002391D9
SHELLDLL_DefView, xrefs: 00239190
details, xrefs: 002391BF
list, xrefs: 002391F3
largeicons, xrefs: 002391A5

Memory Dump Source

Source File: 00000000.00000002.2246549404.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2246531073.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.000000000026F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246673436.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246691233.00000000002A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_lExtvSjBgq.jbxd

Similarity

API ID: ClassMessageNameParentSend_wcscmp
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1704125052-3381328864
Opcode ID: 2491e773817cef1019b6b844030d47bac226873ef5df00bffd23ade757b27a6c
Instruction ID: 26b928a9fcecd3e8b0a1f90636bf601ab060a15055295d525538afc5c3c8a7c8
Opcode Fuzzy Hash: 2491e773817cef1019b6b844030d47bac226873ef5df00bffd23ade757b27a6c
Instruction Fuzzy Hash: 25110AB62BC707BAFF116624EC0ADA7379CDB17720F200026FD14A50E2EEE168B15D94

Function 00247990 Relevance: 15.3, APIs: 10, Instructions: 292COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(00000000,?), ref: 00247A6C

Memory Dump Source

Source File: 00000000.00000002.2246549404.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2246531073.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.000000000026F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246673436.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246691233.00000000002A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_lExtvSjBgq.jbxd

Similarity

API ID: ArraySafeVartype
String ID:
API String ID: 1725837607-0
Opcode ID: 40e84659fadeca42cc3ad0fa89805d15247abbe0c237d9bafbffc2ece70abeb3
Instruction ID: 1090de9cc4fdee0a8bdccf177616ac0bf23b6aef896b24fd8e6b3f646a58b210
Opcode Fuzzy Hash: 40e84659fadeca42cc3ad0fa89805d15247abbe0c237d9bafbffc2ece70abeb3
Instruction Fuzzy Hash: ADB1A17192421A9FDB04DFA4D8C4BBEB7B4FF09325F20442AEA21EB241D774E951CB90

Function 001EFA5D Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 264comCOMMON

Download Yara Rule

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 001EFAA6
OleUninitialize.OLE32(?,00000000), ref: 001EFB45
UnregisterHotKey.USER32(?), ref: 001EFC9C
DestroyWindow.USER32(?), ref: 002245D6
FreeLibrary.KERNEL32(?), ref: 0022463B
VirtualFree.KERNEL32(?,00000000,00008000), ref: 00224668

Strings

close all, xrefs: 001EFAA1

Memory Dump Source

Source File: 00000000.00000002.2246549404.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2246531073.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.000000000026F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246673436.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246691233.00000000002A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_lExtvSjBgq.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: 12098e6e9e573680600590550443c091dce16ae88c0a12ef8d1867f7f48218b9
Instruction ID: 9d8c553bc7e1a124992fde8cf65775bd48bfed2441bd9057eb45897922e61a2b
Opcode Fuzzy Hash: 12098e6e9e573680600590550443c091dce16ae88c0a12ef8d1867f7f48218b9
Instruction Fuzzy Hash: 4FA18B30711626DFCB29EF51D594E7DF368AF15704F6142ADE80AAB262CB30AD26CF50

Function 00259113 Relevance: 14.3, APIs: 5, Strings: 3, Instructions: 263COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00259167
VariantInit.OLEAUT32(?), ref: 00259238
VariantInit.OLEAUT32(?), ref: 00259339
VariantClear.OLEAUT32(?), ref: 00259343
VariantClear.OLEAUT32(?), ref: 002593A0

Strings

Null Object assignment in FOR..IN loop, xrefs: 002591C8, 002592F6, 002593AE
,,', xrefs: 002591E5
Incorrect Object type in FOR..IN loop, xrefs: 0025931C

Memory Dump Source

Source File: 00000000.00000002.2246549404.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2246531073.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.000000000026F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246673436.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246691233.00000000002A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_lExtvSjBgq.jbxd

Similarity

API ID: Variant$ClearInit$_memset
String ID: ,,'$Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2862541840-799487193
Opcode ID: 8d4fec70f06829fa01da5690c0148adf0e78a8987737f46d9e32904c85a9facf
Instruction ID: 8f332061da3a835c2b29ea06c29173bd66fece0a4c57f3263d73c802424fe3fb
Opcode Fuzzy Hash: 8d4fec70f06829fa01da5690c0148adf0e78a8987737f46d9e32904c85a9facf
Instruction Fuzzy Hash: 5091B030A20216EBDF24CFA5C848FAEB7B8EF45711F108159F905EB280D7709998CFA4

Function 0023A068 Relevance: 14.2, APIs: 2, Strings: 6, Instructions: 241COMMON

Download Yara Rule

APIs

EnumChildWindows.USER32(?,0023A439), ref: 0023A377

Strings

INSTANCE, xrefs: 0023A285
REGEXPCLASS, xrefs: 0023A13C
TEXT, xrefs: 0023A2AE
CLASSNN, xrefs: 0023A119
CLASS, xrefs: 0023A0F6
NAME, xrefs: 0023A1A9

Memory Dump Source

Source File: 00000000.00000002.2246549404.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2246531073.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.000000000026F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246673436.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246691233.00000000002A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_lExtvSjBgq.jbxd

Similarity

API ID: ChildEnumWindows
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
API String ID: 3555792229-1603158881
Opcode ID: 00914eb8739f53ae062ca3e16e1ce55c6d52daaacd0f974060cda931fd56c576
Instruction ID: c082dfcb7dbbe8725d503a53fe33ff22ba7397caa8aa8c840eb3dd8bf0b3113a
Opcode Fuzzy Hash: 00914eb8739f53ae062ca3e16e1ce55c6d52daaacd0f974060cda931fd56c576
Instruction Fuzzy Hash: 4F91C770624606AADF08DFA0C485BEEFB74FF04300F548129E9D9A7191DF316AB9CB91

Function 0026B351 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 199windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(00ED4D78), ref: 0026B3EB
IsWindowEnabled.USER32(00ED4D78), ref: 0026B3F7
SendMessageW.USER32(?,0000041C,00000000,00000000), ref: 0026B4DB
SendMessageW.USER32(00ED4D78,000000B0,?,?), ref: 0026B512
IsDlgButtonChecked.USER32(?,?), ref: 0026B54F
GetWindowLongW.USER32(00ED4D78,000000EC), ref: 0026B571
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 0026B589

Strings

xM, xrefs: 0026B38A, 0026B401, 0026B4BC

Memory Dump Source

Source File: 00000000.00000002.2246549404.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2246531073.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.000000000026F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246673436.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246691233.00000000002A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_lExtvSjBgq.jbxd

Similarity

API ID: MessageSendWindow$ButtonCheckedEnabledLong
String ID: xM
API String ID: 4072528602-315438632
Opcode ID: b66a92b290293143102a706e1cf730c6b6762933c20d4b6fbac3513b339a523c
Instruction ID: 5014ef2f4e489169f099bb24f298e4c7f4af82dade6c237d5b5f40725cfe0ee0
Opcode Fuzzy Hash: b66a92b290293143102a706e1cf730c6b6762933c20d4b6fbac3513b339a523c
Instruction Fuzzy Hash: CE71B534614615EFDB229F54D8A4FBA77B9EF09300F144059F952D7362CB71A8E0CB50

Function 001E2E26 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 186windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 001E2EAE

Part of subcall function 001E1DB3: GetClientRect.USER32(?,?), ref: 001E1DDC
Part of subcall function 001E1DB3: GetWindowRect.USER32(?,?), ref: 001E1E1D
Part of subcall function 001E1DB3: ScreenToClient.USER32(?,?), ref: 001E1E45

GetDC.USER32 ref: 0021CD32
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 0021CD45
SelectObject.GDI32(00000000,00000000), ref: 0021CD53
SelectObject.GDI32(00000000,00000000), ref: 0021CD68
ReleaseDC.USER32(?,00000000), ref: 0021CD70
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 0021CDFB

Strings

U, xrefs: 0021CCD0

Memory Dump Source

Source File: 00000000.00000002.2246549404.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2246531073.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.000000000026F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246673436.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246691233.00000000002A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_lExtvSjBgq.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: e24555f1e01655e87982b9379d7a72cbedd3d2b3f769428c317881e8d8af2ccb
Instruction ID: 7b94eec70cf84ba35a46df12b3194a7e70abbba95fca7d20a21d7abfb8b48c27
Opcode Fuzzy Hash: e24555f1e01655e87982b9379d7a72cbedd3d2b3f769428c317881e8d8af2ccb
Instruction Fuzzy Hash: D971023441060ADFCF258F64DC84AEA7BF5FF59320F24426AED559A2A6C7308CA0DF60

Function 00251A15 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 134networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00251A50
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 00251A7C
InternetQueryOptionW.WININET(00000000,0000001F,00000000,?), ref: 00251ABE
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 00251AD3
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00251AE0
HttpQueryInfoW.WININET(00000000,00000005,?,?,00000000), ref: 00251B10
InternetCloseHandle.WININET(00000000), ref: 00251B57

Part of subcall function 00252483: GetLastError.KERNEL32(?,?,00251817,00000000,00000000,00000001), ref: 00252498
Part of subcall function 00252483: SetEvent.KERNEL32(?,?,00251817,00000000,00000000,00000001), ref: 002524AD

Strings

, xrefs: 00251B01

Memory Dump Source

Source File: 00000000.00000002.2246549404.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2246531073.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.000000000026F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246673436.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246691233.00000000002A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_lExtvSjBgq.jbxd

Similarity

API ID: Internet$Http$OptionQueryRequest$CloseConnectErrorEventHandleInfoLastOpenSend
String ID:
API String ID: 2603140658-3916222277
Opcode ID: 8375dbe6ff757f08ea70e6073820dd5c7a628fcb9e7b9e2ac095d31d7b7b9454
Instruction ID: 56e66b4963225f86aa853daca09cd885331a82377be1454b71ec1862c4ca0312
Opcode Fuzzy Hash: 8375dbe6ff757f08ea70e6073820dd5c7a628fcb9e7b9e2ac095d31d7b7b9454
Instruction Fuzzy Hash: D74183B1511219BFEB128F50DC89FBB77ACEF08355F008126FD059A181E7B09E689BA4

Function 002662CD Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 002662EC
GetWindowLongW.USER32(00ED4D78,000000F0), ref: 0026631F
GetWindowLongW.USER32(00ED4D78,000000F0), ref: 00266354
SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 00266386
SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 002663B0
GetWindowLongW.USER32(00000000,000000F0), ref: 002663C1
SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 002663DB

Strings

xM, xrefs: 002662D0, 00266304, 00266339, 00266371, 00266395, 002663CD

Memory Dump Source

Source File: 00000000.00000002.2246549404.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2246531073.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.000000000026F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246673436.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246691233.00000000002A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_lExtvSjBgq.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID: xM
API String ID: 2178440468-315438632
Opcode ID: 6f3b948bf70bfacce09f9ffb857cb3c594053a8a78622aff42b91d237f0c5cf5
Instruction ID: fec0f63f471b4af02e97221d650221f3dc87e2a8223e8a55c6b0480e8a91c770
Opcode Fuzzy Hash: 6f3b948bf70bfacce09f9ffb857cb3c594053a8a78622aff42b91d237f0c5cf5
Instruction Fuzzy Hash: BD310330654151AFDB20CF18ED88F5937E5FB4AB14F1941A4F521DF2B1CB71ACA09B50

Function 00258C46 Relevance: 13.9, APIs: 9, Instructions: 438COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,?,0026F910), ref: 00258D28
FreeLibrary.KERNEL32(00000000,00000001,00000000,?,0026F910), ref: 00258D5C
QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 00258ED6
SysFreeString.OLEAUT32(?), ref: 00258F00

Memory Dump Source

Source File: 00000000.00000002.2246549404.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2246531073.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.000000000026F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246673436.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246691233.00000000002A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_lExtvSjBgq.jbxd

Similarity

API ID: Free$FileLibraryModuleNamePathQueryStringType
String ID:
API String ID: 560350794-0
Opcode ID: 00a9c57214493d2bb967514613e7482ff5efeb4f97f4bcd4e228a5e1a3f45060
Instruction ID: 83e1ed2f52d2ef0c10687189c749a528bba57143cf2edb3f84471a9c4ddcdd16
Opcode Fuzzy Hash: 00a9c57214493d2bb967514613e7482ff5efeb4f97f4bcd4e228a5e1a3f45060
Instruction Fuzzy Hash: 62F15A71A10209EFCF04DF94C888EAEB7B9FF49315F108498F905AB291DB71AE59CB54

Function 0025F694 Relevance: 13.9, APIs: 9, Instructions: 386processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0025F6B5
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0025F848
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0025F86C
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0025F8AC
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0025F8CE
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0025FA4A
GetLastError.KERNEL32(00000000,00000001,00000000), ref: 0025FA7C
CloseHandle.KERNEL32(?), ref: 0025FAAB
CloseHandle.KERNEL32(?), ref: 0025FB22

Memory Dump Source

Source File: 00000000.00000002.2246549404.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2246531073.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.000000000026F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246673436.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246691233.00000000002A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_lExtvSjBgq.jbxd

Similarity

API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
String ID:
API String ID: 4090791747-0
Opcode ID: 2fee31d06bc1c1f9b2b2b48267a4daa36e5cb50889a427383a4136476e8c792b
Instruction ID: d2445180daaf3f081aeda6283827571baaacfeaaacd75bb95cd36da4f8a9d03d
Opcode Fuzzy Hash: 2fee31d06bc1c1f9b2b2b48267a4daa36e5cb50889a427383a4136476e8c792b
Instruction Fuzzy Hash: DDE1D0312143419FCB54EF24C985B6EBBE1AF89314F14886DF8899B2A2CB70DC59CF52

Function 00244CC1 Relevance: 13.7, APIs: 9, Instructions: 170filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0024466E: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00243697,?), ref: 0024468B

Part of subcall function 0024466E: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00243697,?), ref: 002446A4

Part of subcall function 00244A31: GetFileAttributesW.KERNEL32(?,0024370B), ref: 00244A32

lstrcmpiW.KERNEL32(?,?), ref: 00244D40
_wcscmp.LIBCMT ref: 00244D5A
MoveFileW.KERNEL32(?,?), ref: 00244D75

Memory Dump Source

Source File: 00000000.00000002.2246549404.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2246531073.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.000000000026F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246673436.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246691233.00000000002A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_lExtvSjBgq.jbxd

Similarity

API ID: FileFullNamePath$AttributesMove_wcscmplstrcmpi
String ID:
API String ID: 793581249-0
Opcode ID: 71b507bbaf62865ad9c436aa7552c40a204269705b367d61cbb9442545cb7183
Instruction ID: 8f7b6ed1293a25795a8330505d02b20f9c9de8e66293f98ef5ab20d80bb803f6
Opcode Fuzzy Hash: 71b507bbaf62865ad9c436aa7552c40a204269705b367d61cbb9442545cb7183
Instruction Fuzzy Hash: C65166B24183859BC724EF90D885ADFB3ECAF84754F00092EF685D3192EF70A598CB56

Function 001E2B72 Relevance: 13.7, APIs: 9, Instructions: 161windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 0021C2F7
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0021C319
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 0021C331
ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 0021C34F
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 0021C370
DestroyIcon.USER32(00000000), ref: 0021C37F
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 0021C39C
DestroyIcon.USER32(?), ref: 0021C3AB

Part of subcall function 0026A4AF: DeleteObject.GDI32(00000000), ref: 0026A4E8

Memory Dump Source

Source File: 00000000.00000002.2246549404.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2246531073.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.000000000026F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246673436.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246691233.00000000002A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_lExtvSjBgq.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend$DeleteObject
String ID:
API String ID: 2819616528-0
Opcode ID: 5fdf5539e14313ea19e0d3e3d5eb83c595049b38c1972cc5430ef2bf91053101
Instruction ID: 39db97a46349cc562192018c7dc26ceebf44902a99c662673c8c50be55e04551
Opcode Fuzzy Hash: 5fdf5539e14313ea19e0d3e3d5eb83c595049b38c1972cc5430ef2bf91053101
Instruction Fuzzy Hash: BA519B74A50649AFDB24DF25DC59FAE77F9FB18310F204528F912972A0DBB0AC90DB50

Function 0023966E Relevance: 13.6, APIs: 9, Instructions: 66sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 0023A82C: GetWindowThreadProcessId.USER32(?,00000000), ref: 0023A84C
Part of subcall function 0023A82C: GetCurrentThreadId.KERNEL32 ref: 0023A853
Part of subcall function 0023A82C: AttachThreadInput.USER32(00000000,?,00239683,?,00000001), ref: 0023A85A

MapVirtualKeyW.USER32(00000025,00000000), ref: 0023968E
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 002396AB
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000,?,00000001), ref: 002396AE
MapVirtualKeyW.USER32(00000025,00000000), ref: 002396B7
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 002396D5
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 002396D8
MapVirtualKeyW.USER32(00000025,00000000), ref: 002396E1
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 002396F8
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 002396FB

Memory Dump Source

Source File: 00000000.00000002.2246549404.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2246531073.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.000000000026F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246673436.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246691233.00000000002A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_lExtvSjBgq.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: 5c659f15e5d3ed63f5b18a07453d952a10503ff03899260e3be3a2ce2a856db0
Instruction ID: 9feb3e61d91087d73fb4725e0dbd23ec91cb63dd2d697912aa1a054b03b2ad3f
Opcode Fuzzy Hash: 5c659f15e5d3ed63f5b18a07453d952a10503ff03899260e3be3a2ce2a856db0
Instruction Fuzzy Hash: 0011E1B1920218BEFA106F60EC8EF6A3B2DEB4D790F104425F654AB0A0C9F35C50DEA4

Function 00238921 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,00000000,00000000,?,0023853C,00000B00,?,?), ref: 0023892A
HeapAlloc.KERNEL32(00000000,?,0023853C,00000B00,?,?), ref: 00238931
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,0023853C,00000B00,?,?), ref: 00238946
GetCurrentProcess.KERNEL32(?,00000000,?,0023853C,00000B00,?,?), ref: 0023894E
DuplicateHandle.KERNEL32(00000000,?,0023853C,00000B00,?,?), ref: 00238951
GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,0023853C,00000B00,?,?), ref: 00238961
GetCurrentProcess.KERNEL32(0023853C,00000000,?,0023853C,00000B00,?,?), ref: 00238969
DuplicateHandle.KERNEL32(00000000,?,0023853C,00000B00,?,?), ref: 0023896C
CreateThread.KERNEL32(00000000,00000000,00238992,00000000,00000000,00000000), ref: 00238986

Memory Dump Source

Source File: 00000000.00000002.2246549404.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2246531073.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.000000000026F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246673436.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246691233.00000000002A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_lExtvSjBgq.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: 5c7498c9aafc7c7fbc30a92e6043ed56ebae287e933189e0e9de9d38b2e9a750
Instruction ID: e401dc76381a30fde6cb9053aa57a141a715c49f42c3fe1f72ba8a3c97a4c8c5
Opcode Fuzzy Hash: 5c7498c9aafc7c7fbc30a92e6043ed56ebae287e933189e0e9de9d38b2e9a750
Instruction Fuzzy Hash: 1401BFB5240304FFEB50ABA5ED4DF673B6CEB89751F508461FA09DB191CAB19C00CB20

Function 00259B23 Relevance: 12.6, APIs: 5, Strings: 2, Instructions: 352COMMON

Download Yara Rule

Strings

Not an Object type, xrefs: 00259B7B
NULL Pointer assignment, xrefs: 00259BA4, 00259EC8

Memory Dump Source

Source File: 00000000.00000002.2246549404.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2246531073.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.000000000026F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246673436.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246691233.00000000002A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_lExtvSjBgq.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: 80066957bb1852a99175f700a070e85392adeaa0e7edc953490138104b1f9ca5
Instruction ID: 8e41202fe87c8f5ea4c4f17c7df3d45dee3a16fceef165af4f43ead9fc633b2a
Opcode Fuzzy Hash: 80066957bb1852a99175f700a070e85392adeaa0e7edc953490138104b1f9ca5
Instruction Fuzzy Hash: 35C1A271A2020ADFDF10DF98D885BAEB7F5FB48315F14846AED05AB280E7709D98CB54

Function 0025975D Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 242COMMON

Download Yara Rule

APIs

Part of subcall function 0023710A: CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00237044,80070057,?,?,?,00237455), ref: 00237127
Part of subcall function 0023710A: ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00237044,80070057,?,?), ref: 00237142
Part of subcall function 0023710A: lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00237044,80070057,?,?), ref: 00237150
Part of subcall function 0023710A: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00237044,80070057,?), ref: 00237160

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,?,?,?), ref: 00259806
_memset.LIBCMT ref: 00259813
_memset.LIBCMT ref: 00259956
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,00000000), ref: 00259982
CoTaskMemFree.OLE32(?), ref: 0025998D

Strings

NULL Pointer assignment, xrefs: 002599DB

Memory Dump Source

Source File: 00000000.00000002.2246549404.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2246531073.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.000000000026F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246673436.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246691233.00000000002A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_lExtvSjBgq.jbxd

Similarity

API ID: FreeFromProgTask_memset$CreateInitializeInstanceSecuritylstrcmpi
String ID: NULL Pointer assignment
API String ID: 1300414916-2785691316
Opcode ID: 938f7982430d5dddac74cf0e661356ffedf1f72aba6c5a64bb3c72331d845399
Instruction ID: 2dd6f0b778388b56e9593caab791191cf6792addb5d6c76c242017fcbdb32558
Opcode Fuzzy Hash: 938f7982430d5dddac74cf0e661356ffedf1f72aba6c5a64bb3c72331d845399
Instruction Fuzzy Hash: 95912871D10229EBDF10DFA5DC45EDEBBB9AF08310F10415AF819A7291DB719A54CFA0

Function 00266D80 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 143windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00266E24
SendMessageW.USER32(?,00001036,00000000,?), ref: 00266E38
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00266E52
_wcscat.LIBCMT ref: 00266EAD
SendMessageW.USER32(?,00001057,00000000,?), ref: 00266EC4
SendMessageW.USER32(?,00001061,?,0000000F), ref: 00266EF2

Strings

SysListView32, xrefs: 00266DF6

Memory Dump Source

Source File: 00000000.00000002.2246549404.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2246531073.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.000000000026F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246673436.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246691233.00000000002A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_lExtvSjBgq.jbxd

Similarity

API ID: MessageSend$Window_wcscat
String ID: SysListView32
API String ID: 307300125-78025650
Opcode ID: 12d9fd7316db48416129ddb29e1cfd5874c73f7b22cc6cf00ff663cf9aa4825a
Instruction ID: 8035063adef6fdb4ca636af95202a5a3893fe2f7b0b45653b926e632f1bb6119
Opcode Fuzzy Hash: 12d9fd7316db48416129ddb29e1cfd5874c73f7b22cc6cf00ff663cf9aa4825a
Instruction Fuzzy Hash: 4841A070A10349ABDF219F64DC89BEEB7E8EF08350F10442AF555A7191D6729DE48B60

Function 0025E933 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 136COMMON

Download Yara Rule

APIs

Part of subcall function 00243C55: CreateToolhelp32Snapshot.KERNEL32 ref: 00243C7A
Part of subcall function 00243C55: Process32FirstW.KERNEL32(00000000,?), ref: 00243C88
Part of subcall function 00243C55: CloseHandle.KERNEL32(00000000), ref: 00243D52

OpenProcess.KERNEL32(00000001,00000000,?), ref: 0025E9A4
GetLastError.KERNEL32 ref: 0025E9B7
OpenProcess.KERNEL32(00000001,00000000,?), ref: 0025E9E6
TerminateProcess.KERNEL32(00000000,00000000), ref: 0025EA63
GetLastError.KERNEL32(00000000), ref: 0025EA6E
CloseHandle.KERNEL32(00000000), ref: 0025EAA3

Strings

SeDebugPrivilege, xrefs: 0025E9C2

Memory Dump Source

Source File: 00000000.00000002.2246549404.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2246531073.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.000000000026F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246673436.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246691233.00000000002A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_lExtvSjBgq.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: 2b2e0ef09112b74b328c2fdcc54e2fc1da4f82a1809636af36afdf24c7909559
Instruction ID: 15c0bd39e967f23302c9405df35363b22132c07d4a28f00e3daef7eb45a9d1ae
Opcode Fuzzy Hash: 2b2e0ef09112b74b328c2fdcc54e2fc1da4f82a1809636af36afdf24c7909559
Instruction Fuzzy Hash: 2B41CC712102059FDF18EF24DC95F6EB7A5AF50310F148458F9069B2D2CBB4A928CF96

Function 00267291 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 103windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 002672AA
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00267351
IsMenu.USER32(?), ref: 00267369
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 002673B1
DrawMenuBar.USER32 ref: 002673C4

Strings

xM, xrefs: 00267311, 0026732C
0, xrefs: 0026729E

Memory Dump Source

Source File: 00000000.00000002.2246549404.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2246531073.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.000000000026F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246673436.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246691233.00000000002A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_lExtvSjBgq.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert_memset
String ID: 0$xM
API String ID: 3866635326-2111700025
Opcode ID: 8f5a779462135ae459103fd5e09e0fd6575736557e8fd2d3869d0961eec4fc23
Instruction ID: f0f7526c07a1fb2406c0a92e692cd34291dca9a40bdaf37a8dadec3c7c20a90e
Opcode Fuzzy Hash: 8f5a779462135ae459103fd5e09e0fd6575736557e8fd2d3869d0961eec4fc23
Instruction Fuzzy Hash: 15413575A14209EFDB20DF50E884AAABBF8FB09318F148469FD15A7390D770ADA0DF50

Function 00242F94 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 00243033

Strings

info, xrefs: 00242FD4
question, xrefs: 00242FEC
warning, xrefs: 0024301C
blank, xrefs: 00242FB5
stop, xrefs: 00243004

Memory Dump Source

Source File: 00000000.00000002.2246549404.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2246531073.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.000000000026F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246673436.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246691233.00000000002A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_lExtvSjBgq.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: b927ab4fff54e40514dfc4323475e14e3d71196b16ddc5362c29c31f3da49dbd
Instruction ID: f3df20ba638125cbf68aee8554c4c608327bdacdb2924f5a61f00295aea34554
Opcode Fuzzy Hash: b927ab4fff54e40514dfc4323475e14e3d71196b16ddc5362c29c31f3da49dbd
Instruction Fuzzy Hash: 571108322AC347BADB29DA14DC46C6B679C9F16320F60012AF900A61C2DAF16F6859A0

Function 002442F8 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00244312
LoadStringW.USER32(00000000), ref: 00244319
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 0024432F
LoadStringW.USER32(00000000), ref: 00244336
_wprintf.LIBCMT ref: 0024435C
MessageBoxW.USER32(00000000,?,?,00011010), ref: 0024437A

Strings

%s (%d) : ==> %s: %s %s, xrefs: 00244357

Memory Dump Source

Source File: 00000000.00000002.2246549404.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2246531073.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.000000000026F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246673436.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246691233.00000000002A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_lExtvSjBgq.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wprintf
String ID: %s (%d) : ==> %s: %s %s
API String ID: 3648134473-3128320259
Opcode ID: d6237c2b0f705559b0fbbed261a9d7e749e281488e67ba2af7904fb4400a2b19
Instruction ID: 3fd2df8c4ba7040e5ec8de77e47792afb7c79e94f697fd2c8c518f28d76b6aa2
Opcode Fuzzy Hash: d6237c2b0f705559b0fbbed261a9d7e749e281488e67ba2af7904fb4400a2b19
Instruction Fuzzy Hash: 8B0144F2914208BFEB51AB94EE8DFE6776CE708700F0045A2F749E2051EAB45E954B70

Function 001E2A5B Relevance: 12.1, APIs: 8, Instructions: 129COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,0021C1C7,00000004,00000000,00000000,00000000), ref: 001E2ACF
ShowWindow.USER32(FFFFFFFF,00000000,00000000,00000000,?,0021C1C7,00000004,00000000,00000000,00000000,000000FF), ref: 001E2B17
ShowWindow.USER32(FFFFFFFF,00000006,00000000,00000000,?,0021C1C7,00000004,00000000,00000000,00000000), ref: 0021C21A
ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,0021C1C7,00000004,00000000,00000000,00000000), ref: 0021C286

Memory Dump Source

Source File: 00000000.00000002.2246549404.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2246531073.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.000000000026F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246673436.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246691233.00000000002A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_lExtvSjBgq.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: 387b41d78d5ac54153a9555c2ec9921901521e10460ae0a53a9b949f2b511162
Instruction ID: 3a80c344b8adc15ad91bbd590354fd23d15d7908584053294494a6e595440e45
Opcode Fuzzy Hash: 387b41d78d5ac54153a9555c2ec9921901521e10460ae0a53a9b949f2b511162
Instruction Fuzzy Hash: F441E735214EC09BCB399B2AEDACB6F7B99AB95310F298429F44783960C77498D1D710

Function 002470C6 Relevance: 12.1, APIs: 8, Instructions: 101fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 002470DD

Part of subcall function 00200DB6: std::exception::exception.LIBCMT ref: 00200DEC
Part of subcall function 00200DB6: __CxxThrowException@8.LIBCMT ref: 00200E01

ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 00247114
EnterCriticalSection.KERNEL32(?), ref: 00247130
_memmove.LIBCMT ref: 0024717E
_memmove.LIBCMT ref: 0024719B
LeaveCriticalSection.KERNEL32(?), ref: 002471AA
ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 002471BF
InterlockedExchange.KERNEL32(?,000001F6), ref: 002471DE

Memory Dump Source

Source File: 00000000.00000002.2246549404.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2246531073.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.000000000026F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246673436.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246691233.00000000002A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_lExtvSjBgq.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection_memmove$EnterException@8LeaveThrowstd::exception::exception
String ID:
API String ID: 256516436-0
Opcode ID: 76badeeb749129b6969763f78f94203f8f8c65e9eab42dba416a5572987d5e55
Instruction ID: 5d901f238794423d8d860000d1709e2d2acb2e14aa0a66a30c6f07020542a9a5
Opcode Fuzzy Hash: 76badeeb749129b6969763f78f94203f8f8c65e9eab42dba416a5572987d5e55
Instruction Fuzzy Hash: 0E316E31900205EBDF10DFA4ED89AAEB778FF45310F1481A5E908AB246DB709E20CBA0

Function 002661D3 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 002661EB
GetDC.USER32(00000000), ref: 002661F3
GetDeviceCaps.GDI32(00000000,0000005A), ref: 002661FE
ReleaseDC.USER32(00000000,00000000), ref: 0026620A
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00266246
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00266257
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,0026902A,?,?,000000FF,00000000,?,000000FF,?), ref: 00266291
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 002662B1

Memory Dump Source

Source File: 00000000.00000002.2246549404.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2246531073.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.000000000026F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246673436.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246691233.00000000002A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_lExtvSjBgq.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: 068e25e095a711512b982528f5405f82be57044f0046150af7d22b15bcc1a2ab
Instruction ID: 8655bbed48d2d5adb0a5b4a846a08ee8a6693796c4a9f59f8ac6cae496c52550
Opcode Fuzzy Hash: 068e25e095a711512b982528f5405f82be57044f0046150af7d22b15bcc1a2ab
Instruction Fuzzy Hash: 80317F72111210BFEF118F50ED8AFEA3BADEF49765F044065FE089A2A1C6B59C51CB70

Function 0023BBAF Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBCMT ref: 0023BBC4
_memcmp.LIBCMT ref: 0023BBE6
_memcmp.LIBCMT ref: 0023BBFE
_memcmp.LIBCMT ref: 0023BC11
_memcmp.LIBCMT ref: 0023BC2B
_memcmp.LIBCMT ref: 0023BC3E
_memcmp.LIBCMT ref: 0023BC56
_memcmp.LIBCMT ref: 0023BC71

Memory Dump Source

Source File: 00000000.00000002.2246549404.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2246531073.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.000000000026F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246673436.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246691233.00000000002A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_lExtvSjBgq.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: f4f88e7c65c8fa0b55a58f520603f1f375605a10c2e94e28170af05f478443c0
Instruction ID: 3e4ea7574f66bd195ab61fd7fdbb37f8bc30b950024f9343625fdafaf6f9f318
Opcode Fuzzy Hash: f4f88e7c65c8fa0b55a58f520603f1f375605a10c2e94e28170af05f478443c0
Instruction Fuzzy Hash: D821C5E1631307BBE6266E119D42FBFB35D9E1134CF048416FE0896683EF64DE3585A1

Function 0024EB23 Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 323COMMON

Download Yara Rule

APIs

Part of subcall function 001E9837: __itow.LIBCMT ref: 001E9862
Part of subcall function 001E9837: __swprintf.LIBCMT ref: 001E98AC

Part of subcall function 001FFC86: _wcscpy.LIBCMT ref: 001FFCA9

_wcstok.LIBCMT ref: 0024EC94
_wcscpy.LIBCMT ref: 0024ED23
_memset.LIBCMT ref: 0024ED56

Strings

X, xrefs: 0024ED93

Memory Dump Source

Source File: 00000000.00000002.2246549404.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2246531073.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.000000000026F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246673436.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246691233.00000000002A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_lExtvSjBgq.jbxd

Similarity

API ID: _wcscpy$__itow__swprintf_memset_wcstok
String ID: X
API String ID: 774024439-3081909835
Opcode ID: 9ae9f4401fe36c11a8e62f59f3b31f99d695d411b987b34f02da58e25f98d35e
Instruction ID: e9bf7296bd802b786e21792a0703d3cf7c90388946b0d4a55b7f20436f725fbc
Opcode Fuzzy Hash: 9ae9f4401fe36c11a8e62f59f3b31f99d695d411b987b34f02da58e25f98d35e
Instruction Fuzzy Hash: 9AC18D306187419FDB18EF24C881A5EB7E4FF95314F01492DF89A9B2A2DB70EC55CB42

Function 00256B03 Relevance: 10.8, APIs: 7, Instructions: 250networkCOMMON

Download Yara Rule

APIs

__WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 00256C00
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00256C21
WSAGetLastError.WSOCK32(00000000), ref: 00256C34
htons.WSOCK32(?,?,?,00000000,?), ref: 00256CEA
inet_ntoa.WSOCK32(?), ref: 00256CA7

Part of subcall function 0023A7E9: _strlen.LIBCMT ref: 0023A7F3
Part of subcall function 0023A7E9: _memmove.LIBCMT ref: 0023A815

_strlen.LIBCMT ref: 00256D44
_memmove.LIBCMT ref: 00256DAD

Memory Dump Source

Source File: 00000000.00000002.2246549404.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2246531073.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.000000000026F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246673436.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246691233.00000000002A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_lExtvSjBgq.jbxd

Similarity

API ID: _memmove_strlen$ErrorLasthtonsinet_ntoa
String ID:
API String ID: 3619996494-0
Opcode ID: 47a1e4405ee68ec632b3a63f14304bdc9fd0bd3c736e2d400470c5d32ffdf174
Instruction ID: 716ee942bfd8a07b99d2f12626bc179ee1c7a9eab4b6b91c8806c2d850a941c7
Opcode Fuzzy Hash: 47a1e4405ee68ec632b3a63f14304bdc9fd0bd3c736e2d400470c5d32ffdf174
Instruction Fuzzy Hash: 12811271214701ABC710EF25DC8AEAEB7B9AF94718F40492CF9459B2D2DB70DD04CB91

Function 001E1424 Relevance: 10.7, APIs: 7, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2246549404.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2246531073.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.000000000026F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246673436.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246691233.00000000002A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_lExtvSjBgq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b926a7ac49f5ffa708eb105799d4393b5bd7f2c813d88f01ecd78137424cedb9
Instruction ID: 8323f2a1f1a8417891a3b0e405fdb69520106d44b162bcf0282f5293bddb6d80
Opcode Fuzzy Hash: b926a7ac49f5ffa708eb105799d4393b5bd7f2c813d88f01ecd78137424cedb9
Instruction Fuzzy Hash: 61717C31900549FFCB15CF99CC48EBEBBB9FF85310F248159F915AA291D730AA51CBA0

Function 0025F41E Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 177COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0025F448
_memset.LIBCMT ref: 0025F511
ShellExecuteExW.SHELL32(?), ref: 0025F556

Part of subcall function 001E9837: __itow.LIBCMT ref: 001E9862
Part of subcall function 001E9837: __swprintf.LIBCMT ref: 001E98AC

Part of subcall function 001FFC86: _wcscpy.LIBCMT ref: 001FFCA9

GetProcessId.KERNEL32(00000000), ref: 0025F5CD
CloseHandle.KERNEL32(00000000), ref: 0025F5FC

Strings

@, xrefs: 0025F525

Memory Dump Source

Source File: 00000000.00000002.2246549404.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2246531073.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.000000000026F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246673436.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246691233.00000000002A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_lExtvSjBgq.jbxd

Similarity

API ID: _memset$CloseExecuteHandleProcessShell__itow__swprintf_wcscpy
String ID: @
API String ID: 3522835683-2766056989
Opcode ID: 5c8c694c5410c5dfceac5ab50b4350c4e68920cb72a9fc52c728506af24fdd6a
Instruction ID: fb903075ae06b63e18af15685a9d4cce886063dcda569184ff404f97e1a4426d
Opcode Fuzzy Hash: 5c8c694c5410c5dfceac5ab50b4350c4e68920cb72a9fc52c728506af24fdd6a
Instruction Fuzzy Hash: 3E61BD71A006599FCF04EFA5C5859AEBBF5FF48310F148069E85AAB361CB30AD55CF84

Function 00240F4D Relevance: 10.7, APIs: 7, Instructions: 166windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 00240F8C
GetKeyboardState.USER32(?), ref: 00240FA1
SetKeyboardState.USER32(?), ref: 00241002
PostMessageW.USER32(?,00000101,00000010,?), ref: 00241030
PostMessageW.USER32(?,00000101,00000011,?), ref: 0024104F
PostMessageW.USER32(?,00000101,00000012,?), ref: 00241095
PostMessageW.USER32(?,00000101,0000005B,?), ref: 002410B8

Memory Dump Source

Source File: 00000000.00000002.2246549404.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2246531073.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.000000000026F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246673436.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246691233.00000000002A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_lExtvSjBgq.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: acede3b6d8e249bacb0f631db50194eb8c4ad7d73e81b37e23d974737ac2390c
Instruction ID: 72701adb778f5ea086c678a8cfa60ad24ed9aed8fe3d34edb763ccd2e168086c
Opcode Fuzzy Hash: acede3b6d8e249bacb0f631db50194eb8c4ad7d73e81b37e23d974737ac2390c
Instruction Fuzzy Hash: B75125605247D63DFB3A4B348C45BB6BFA95B06300F088589E6D9868C3D6E4ECF8DB51

Function 00240D66 Relevance: 10.7, APIs: 7, Instructions: 165windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 00240DA5
GetKeyboardState.USER32(?), ref: 00240DBA
SetKeyboardState.USER32(?), ref: 00240E1B
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00240E47
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00240E64
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 00240EA8
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 00240EC9

Memory Dump Source

Source File: 00000000.00000002.2246549404.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2246531073.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.000000000026F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246673436.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246691233.00000000002A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_lExtvSjBgq.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: b2f81f930f52f02954d44ac7022b3d276645d30031fce2224cf5af0dc2f453bb
Instruction ID: 9bf02fb40cb539e41e03900e1db4e0429ecca1658da7f6183bc8f9642a71e143
Opcode Fuzzy Hash: b2f81f930f52f02954d44ac7022b3d276645d30031fce2224cf5af0dc2f453bb
Instruction Fuzzy Hash: 9F510B60A247D67DFB3A8B748C85B767E995B06300F088889E2D5868C2D7F5ECF8D750

Function 002455FD Relevance: 10.6, APIs: 7, Instructions: 138timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 0024560A
_wcsncpy.LIBCMT ref: 0024563F
_wcsncpy.LIBCMT ref: 00245671
_wcsncpy.LIBCMT ref: 002456A4
_wcsncpy.LIBCMT ref: 002456E6
_wcsncpy.LIBCMT ref: 00245720
_wcsncpy.LIBCMT ref: 0024574F

Memory Dump Source

Source File: 00000000.00000002.2246549404.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2246531073.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.000000000026F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246673436.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246691233.00000000002A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_lExtvSjBgq.jbxd

Similarity

API ID: _wcsncpy$LocalTime
String ID:
API String ID: 2945705084-0
Opcode ID: 966e7ec24d73229a47d53f8352d2e6d3de4cc1b8eab7822b3c912c0643548156
Instruction ID: 89cfc3d3c997cedf817ce20963168936643e77ba8e33a2826980d0635147edb5
Opcode Fuzzy Hash: 966e7ec24d73229a47d53f8352d2e6d3de4cc1b8eab7822b3c912c0643548156
Instruction Fuzzy Hash: 17418565C30718B6CB15EBB48C46ACFB7BC9F04310F508567E515E3162FA34A265CBE6

Function 0026A056 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 130COMMON

Download Yara Rule

Strings

xM, xrefs: 0026A099, 0026A133

Memory Dump Source

Source File: 00000000.00000002.2246549404.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2246531073.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.000000000026F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246673436.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246691233.00000000002A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_lExtvSjBgq.jbxd

Similarity

API ID:
String ID: xM
API String ID: 0-315438632
Opcode ID: bc5bb6bc6e24dc88a12ca6a8c76986b48002086968cb6a47745d012199ffda85
Instruction ID: 2314ab9da7e2b19666e8b4f2b4b8f4c2b1019098870f0acf13bdd333c7a65f70
Opcode Fuzzy Hash: bc5bb6bc6e24dc88a12ca6a8c76986b48002086968cb6a47745d012199ffda85
Instruction Fuzzy Hash: 0A411735924115AFCB10DF28DC49FA9BBA8FB0A310F1441A5F91AB72E1CB709DE1DE51

Function 0023D56C Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 121comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 0023D5D4
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 0023D60A
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 0023D61B
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 0023D69D

Strings

,,', xrefs: 0023D578
DllGetClassObject, xrefs: 0023D610

Memory Dump Source

Source File: 00000000.00000002.2246549404.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2246531073.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.000000000026F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246673436.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246691233.00000000002A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_lExtvSjBgq.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: ,,'$DllGetClassObject
API String ID: 753597075-2611884504
Opcode ID: 5e3949124905e382e65eb04c817fceaf385991cd340c424088618c213bb08437
Instruction ID: 2fa31e18b7dade252b8277dd770001d9839d0263c926c709879c04779602e334
Opcode Fuzzy Hash: 5e3949124905e382e65eb04c817fceaf385991cd340c424088618c213bb08437
Instruction Fuzzy Hash: D44179F1620205EFDB05CF64E885A9ABBB9EF45310F1580A9E8099F205D7B1D964CFA0

Function 001E2344 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 111keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 001E2357
ScreenToClient.USER32(002A57B0,?), ref: 001E2374
GetAsyncKeyState.USER32(00000001), ref: 001E2399
GetAsyncKeyState.USER32(00000002), ref: 001E23A7

Strings

lldfrplldfrplld9rplld5rplld1rplld0rplldfrplldfrplldfrplldfrplldfrplldfrplld8rplld9rplld4rplld5rplldfrplld4rplld8rplld3rplld7rplldd, xrefs: 0021BFF9

Memory Dump Source

Source File: 00000000.00000002.2246549404.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2246531073.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.000000000026F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246673436.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246691233.00000000002A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_lExtvSjBgq.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID: lldfrplldfrplld9rplld5rplld1rplld0rplldfrplldfrplldfrplldfrplldfrplldfrplld8rplld9rplld4rplld5rplldfrplld4rplld8rplld3rplld7rplldd
API String ID: 4210589936-141170929
Opcode ID: 814092accb6b6baec1eec433f4882ccf672199f5a962245beb34f2b0d9a89fbe
Instruction ID: ce0e5d95ed60ce5c60b2e187c413a3390ce3898cc55943d411848f972d6696e7
Opcode Fuzzy Hash: 814092accb6b6baec1eec433f4882ccf672199f5a962245beb34f2b0d9a89fbe
Instruction Fuzzy Hash: 1C418135614505FBCF198F69CC48AEDBBB8FB19360F20435AF829922A0C7749DA0DF90

Function 00243671 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 111filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0024466E: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00243697,?), ref: 0024468B

Part of subcall function 0024466E: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00243697,?), ref: 002446A4

lstrcmpiW.KERNEL32(?,?), ref: 002436B7
_wcscmp.LIBCMT ref: 002436D3
MoveFileW.KERNEL32(?,?), ref: 002436EB
_wcscat.LIBCMT ref: 00243733
SHFileOperationW.SHELL32(?), ref: 0024379F

Strings

\*.*, xrefs: 0024372D

Memory Dump Source

Source File: 00000000.00000002.2246549404.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2246531073.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.000000000026F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246673436.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246691233.00000000002A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_lExtvSjBgq.jbxd

Similarity

API ID: FileFullNamePath$MoveOperation_wcscat_wcscmplstrcmpi
String ID: \*.*
API String ID: 1377345388-1173974218
Opcode ID: 7e4b24c724364625eafd9aedb812c64e6194e6e2482cbaf89de2f39e96fcdf25
Instruction ID: a04cc1d184c18fbcf074a25680625bb7376240a4389a9bea2999e23151fc6ce9
Opcode Fuzzy Hash: 7e4b24c724364625eafd9aedb812c64e6194e6e2482cbaf89de2f39e96fcdf25
Instruction Fuzzy Hash: 4441CE71118345AEC755EF60D845ADFB7ECAF88384F00082EF49AC3291EB34D699CB56

Function 00260FA5 Relevance: 10.6, APIs: 7, Instructions: 101registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?), ref: 00260FD4
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00260FFE
FreeLibrary.KERNEL32(00000000), ref: 002610B5

Part of subcall function 00260FA5: RegCloseKey.ADVAPI32(?), ref: 0026101B
Part of subcall function 00260FA5: FreeLibrary.KERNEL32(?), ref: 0026106D
Part of subcall function 00260FA5: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 00261090

RegDeleteKeyW.ADVAPI32(?,?), ref: 00261058

Memory Dump Source

Source File: 00000000.00000002.2246549404.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2246531073.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.000000000026F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246673436.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246691233.00000000002A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_lExtvSjBgq.jbxd

Similarity

API ID: EnumFreeLibrary$CloseDeleteOpen
String ID:
API String ID: 395352322-0
Opcode ID: f4380dc21d599eeffed177b358cb9ea2eccf855f97f9dfa48472fbe3369f40e2
Instruction ID: e6c23decb87aff5ba62949a5b9956d48be928fcb451dd33d5bc6c426453046ec
Opcode Fuzzy Hash: f4380dc21d599eeffed177b358cb9ea2eccf855f97f9dfa48472fbe3369f40e2
Instruction Fuzzy Hash: 12312D71910109BFDF15DF90ED89EFFB7BCEF08300F04416AE905A2151EA74AEE59AA0

Function 0023DAEB Relevance: 10.6, APIs: 7, Instructions: 95memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0023DB2E
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0023DB54
SysAllocString.OLEAUT32(00000000), ref: 0023DB57
SysAllocString.OLEAUT32(?), ref: 0023DB75
SysFreeString.OLEAUT32(?), ref: 0023DB7E
StringFromGUID2.OLE32(?,?,00000028), ref: 0023DBA3
SysAllocString.OLEAUT32(?), ref: 0023DBB1

Memory Dump Source

Source File: 00000000.00000002.2246549404.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2246531073.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.000000000026F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246673436.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246691233.00000000002A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_lExtvSjBgq.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: bc010d2b6df717026a2f8ce7f4577e9ed171c2166f50cce5ea60b9dae7503081
Instruction ID: 64a87b349b73b0df071726cd5834fc8b21c305241529109c529fdf7c1e38a827
Opcode Fuzzy Hash: bc010d2b6df717026a2f8ce7f4577e9ed171c2166f50cce5ea60b9dae7503081
Instruction Fuzzy Hash: C021A7B6614219AFDF10DFA8FC88CBBB3ADEB09364F018565FA14DB251DA70DC418760

Function 00256173 Relevance: 10.6, APIs: 7, Instructions: 94networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00257D8B: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 00257DB6

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 002561C6
WSAGetLastError.WSOCK32(00000000), ref: 002561D5
ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 0025620E
connect.WSOCK32(00000000,?,00000010), ref: 00256217
WSAGetLastError.WSOCK32 ref: 00256221
closesocket.WSOCK32(00000000), ref: 0025624A
ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 00256263

Memory Dump Source

Source File: 00000000.00000002.2246549404.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2246531073.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.000000000026F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246673436.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246691233.00000000002A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_lExtvSjBgq.jbxd

Similarity

API ID: ErrorLastioctlsocket$closesocketconnectinet_addrsocket
String ID:
API String ID: 910771015-0
Opcode ID: c6dce5af2107c0839e38d117c5719e45470084d25c533e03960b883dcd292875
Instruction ID: d420645256f02f5a5aeb8e17181084cc3fcbdf92c28402de87fdc78332cc930b
Opcode Fuzzy Hash: c6dce5af2107c0839e38d117c5719e45470084d25c533e03960b883dcd292875
Instruction Fuzzy Hash: 0B31A471610108AFDF10AF64DC89FBD77ADEB45711F448069FD05E7291CBB0AC188BA5

Function 0023F65E Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 90COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 0023F671
__wcsnicmp.LIBCMT ref: 0023F692
__wcsnicmp.LIBCMT ref: 0023F6AC

Strings

#notrayicon, xrefs: 0023F669
#requireadmin, xrefs: 0023F68C
#OnAutoItStartRegister, xrefs: 0023F6A6

Memory Dump Source

Source File: 00000000.00000002.2246549404.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2246531073.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.000000000026F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246673436.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246691233.00000000002A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_lExtvSjBgq.jbxd

Similarity

API ID: __wcsnicmp
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 1038674560-2734436370
Opcode ID: ed8592fd525d01dace3dc77d070203347de6f992f319cdba8c510a2b02b3dbca
Instruction ID: 31a7da8e0ff72436b57f327c4def78a7263c8a1c78b0681376dad1245c750136
Opcode Fuzzy Hash: ed8592fd525d01dace3dc77d070203347de6f992f319cdba8c510a2b02b3dbca
Instruction Fuzzy Hash: 5A213AF253461266D320EA34BD03FABB39CDF55350F50403AF445860A2EB915D66CA95

Function 0023DBC4 Relevance: 10.6, APIs: 7, Instructions: 90memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0023DC09
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0023DC2F
SysAllocString.OLEAUT32(00000000), ref: 0023DC32
SysAllocString.OLEAUT32 ref: 0023DC53
SysFreeString.OLEAUT32 ref: 0023DC5C
StringFromGUID2.OLE32(?,?,00000028), ref: 0023DC76
SysAllocString.OLEAUT32(?), ref: 0023DC84

Memory Dump Source

Source File: 00000000.00000002.2246549404.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2246531073.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.000000000026F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246673436.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246691233.00000000002A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_lExtvSjBgq.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 93df4dbffa6b3e10d11cee47cc40d7a6e057c77562b18cdf588365d01c543239
Instruction ID: 0e2b8f05d5b7c28fa5e07fc1c22cc731c29af5157e51eb69c35e69493182a204
Opcode Fuzzy Hash: 93df4dbffa6b3e10d11cee47cc40d7a6e057c77562b18cdf588365d01c543239
Instruction Fuzzy Hash: 2F213175624205AF9F109FB8FD88DAA77ECEB09360B108526F914CB2A1DAB0DC51CB64

Function 002675CD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 001E1D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 001E1D73
Part of subcall function 001E1D35: GetStockObject.GDI32(00000011), ref: 001E1D87
Part of subcall function 001E1D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 001E1D91

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00267632
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 0026763F
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 0026764A
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00267659
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00267665

Strings

Msctls_Progress32, xrefs: 00267603

Memory Dump Source

Source File: 00000000.00000002.2246549404.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2246531073.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.000000000026F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246673436.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246691233.00000000002A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_lExtvSjBgq.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: e6ac3477528bb3a4393262c0ae8820a75117126f13de743755482023bf305a43
Instruction ID: c09c9f37b047d4114160b8b79eb9903e41c8f33dcc052d3b9bde436a11c5235d
Opcode Fuzzy Hash: e6ac3477528bb3a4393262c0ae8820a75117126f13de743755482023bf305a43
Instruction Fuzzy Hash: 3911B2B2110219BFEF118F64DC85EEB7F6DEF08798F014114BA04A20A0CB729C61DBA4

Function 0026B635 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 40processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0026B644
_memset.LIBCMT ref: 0026B653
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,002A6F20,002A6F64), ref: 0026B682
CloseHandle.KERNEL32 ref: 0026B694

Strings

do*, xrefs: 0026B64D
o*, xrefs: 0026B63E

Memory Dump Source

Source File: 00000000.00000002.2246549404.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2246531073.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.000000000026F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246673436.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246691233.00000000002A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_lExtvSjBgq.jbxd

Similarity

API ID: _memset$CloseCreateHandleProcess
String ID: o*$do*
API String ID: 3277943733-2035452387
Opcode ID: e8b42d6e5d461cbc2201dcfce51132eb52d1c7e668d611cfcd5c834455ff9185
Instruction ID: f3d0644e7e3b432d1f3ff760d960c8e7c97d2ba64fabbd702fb958944f49719c
Opcode Fuzzy Hash: e8b42d6e5d461cbc2201dcfce51132eb52d1c7e668d611cfcd5c834455ff9185
Instruction Fuzzy Hash: 16F054B1550340BFE7102761BC0DF7B7A5CEB0A355F044061FA09D5592EBB14C208BA8

Function 0020406B Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 19libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,00203F85), ref: 00204085
GetProcAddress.KERNEL32(00000000), ref: 0020408C
EncodePointer.KERNEL32(00000000), ref: 00204097
DecodePointer.KERNEL32(00203F85), ref: 002040B2

Strings

RoUninitialize, xrefs: 00204074
combase.dll, xrefs: 00204080

Memory Dump Source

Source File: 00000000.00000002.2246549404.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2246531073.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.000000000026F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246673436.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246691233.00000000002A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_lExtvSjBgq.jbxd

Similarity

API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
String ID: RoUninitialize$combase.dll
API String ID: 3489934621-2819208100
Opcode ID: 2acc3b89d7dcceac1366377f420c0a0eace4c236bfcd7ad425e889fcf0b1a06c
Instruction ID: 962b6ff4c632eb5006ca7855456a38ccf5cf64d0ece159e84a0470e1683ffa56
Opcode Fuzzy Hash: 2acc3b89d7dcceac1366377f420c0a0eace4c236bfcd7ad425e889fcf0b1a06c
Instruction Fuzzy Hash: B8E092B0691301EFEB60EF61FE0DB157AE5B706742F208065F619E11A0CFF646248E14

Function 002464B8 Relevance: 9.2, APIs: 6, Instructions: 205COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 0024660B
_memmove.LIBCMT ref: 00246546

Part of subcall function 001E9837: __itow.LIBCMT ref: 001E9862
Part of subcall function 001E9837: __swprintf.LIBCMT ref: 001E98AC

_memmove.LIBCMT ref: 002465B9
_memmove.LIBCMT ref: 002466A0
_memmove.LIBCMT ref: 002466B9
_memmove.LIBCMT ref: 002466D5

Memory Dump Source

Source File: 00000000.00000002.2246549404.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2246531073.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.000000000026F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246673436.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246691233.00000000002A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_lExtvSjBgq.jbxd

Similarity

API ID: _memmove$__itow__swprintf
String ID:
API String ID: 3253778849-0
Opcode ID: ef50ae5c25668af8b02fce2141f51b72681a68da295338dd53ce24912e083d37
Instruction ID: a12a61fc8b784516333dd9a867a177f2e897c1d2d0f6aa394e434755f384411c
Opcode Fuzzy Hash: ef50ae5c25668af8b02fce2141f51b72681a68da295338dd53ce24912e083d37
Instruction Fuzzy Hash: 1461DF3052069A9BDF09EF60CC86EFE37A9AF19308F054428FD556B1A2DB74DC25CB51

Function 002601E4 Relevance: 9.2, APIs: 6, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 001E7DE1: _memmove.LIBCMT ref: 001E7E22

Part of subcall function 00260E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0025FDAD,?,?), ref: 00260E31

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 002602BD
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 002602FD
RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 00260320
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 00260349
RegCloseKey.ADVAPI32(?,?,00000000), ref: 0026038C
RegCloseKey.ADVAPI32(00000000), ref: 00260399

Memory Dump Source

Source File: 00000000.00000002.2246549404.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2246531073.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.000000000026F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246673436.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246691233.00000000002A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_lExtvSjBgq.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue_memmove
String ID:
API String ID: 4046560759-0
Opcode ID: a403a6db25d9ae2b7cb261ffbbc9b4ca5c9b4494d9085c4eaff59b2b3b2519c8
Instruction ID: 86b00f1a8fce20fe56c556d2a80ee915664590165b19ce3240b72ed07a32cb0d
Opcode Fuzzy Hash: a403a6db25d9ae2b7cb261ffbbc9b4ca5c9b4494d9085c4eaff59b2b3b2519c8
Instruction Fuzzy Hash: EF517A31118241AFDB00EF64D885E6FBBE9FF88314F04492DF8458B2A2DB71E964DB52

Function 00265799 Relevance: 9.2, APIs: 6, Instructions: 160windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 002657FB
GetMenuItemCount.USER32(00000000), ref: 00265832
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 0026585A
GetMenuItemID.USER32(?,?), ref: 002658C9
GetSubMenu.USER32(?,?), ref: 002658D7
PostMessageW.USER32(?,00000111,?,00000000), ref: 00265928

Memory Dump Source

Source File: 00000000.00000002.2246549404.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2246531073.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.000000000026F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246673436.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246691233.00000000002A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_lExtvSjBgq.jbxd

Similarity

API ID: Menu$Item$CountMessagePostString
String ID:
API String ID: 650687236-0
Opcode ID: 577bd18917f1aae8e4709f8e0a07f728c5bf62dbf595574680b25978558a3474
Instruction ID: c73fe5879eb2d73b53d7ec2ead52699c39a1d8b8ea30c60d18a726bb480ac0bd
Opcode Fuzzy Hash: 577bd18917f1aae8e4709f8e0a07f728c5bf62dbf595574680b25978558a3474
Instruction Fuzzy Hash: 85517F31E11A26EFCF15DF64D845AAEB7B4EF48320F104069E852BB351CB70AE91CB90

Function 0023EEEC Relevance: 9.2, APIs: 6, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 0023EF06
VariantClear.OLEAUT32(00000013), ref: 0023EF78
VariantClear.OLEAUT32(00000000), ref: 0023EFD3
_memmove.LIBCMT ref: 0023EFFD
VariantClear.OLEAUT32(?), ref: 0023F04A
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 0023F078

Memory Dump Source

Source File: 00000000.00000002.2246549404.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2246531073.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.000000000026F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246673436.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246691233.00000000002A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_lExtvSjBgq.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType_memmove
String ID:
API String ID: 1101466143-0
Opcode ID: 77294221ee60a880085bbfbde715c16ecaf62b465f24ab64a90a692aab20e783
Instruction ID: 69c24cdfa562eebb595f4107c64dc8d3185881e720b60a9260c8f0b7669ce71c
Opcode Fuzzy Hash: 77294221ee60a880085bbfbde715c16ecaf62b465f24ab64a90a692aab20e783
Instruction Fuzzy Hash: B95189B5A10209EFDB14CF58D884AAAB7B8FF4C310F158569EA49DB305E730E911CFA0

Function 0024220A Relevance: 9.1, APIs: 6, Instructions: 138windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00242258
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 002422A3
IsMenu.USER32(00000000), ref: 002422C3
CreatePopupMenu.USER32 ref: 002422F7
GetMenuItemCount.USER32(000000FF), ref: 00242355
InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 00242386

Memory Dump Source

Source File: 00000000.00000002.2246549404.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2246531073.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.000000000026F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246673436.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246691233.00000000002A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_lExtvSjBgq.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup_memset
String ID:
API String ID: 3311875123-0
Opcode ID: 7dab2ea10374de8d85fffa6719e08f3247be7b79677c48daacfede7191932e29
Instruction ID: 5e28a909aa9bc83527a8cb999ad9a87c5c867c0713fff974e06d3cd116b64612
Opcode Fuzzy Hash: 7dab2ea10374de8d85fffa6719e08f3247be7b79677c48daacfede7191932e29
Instruction Fuzzy Hash: D151D27061020ADBCF29CF65D988BAEBFF4FF45314F5081A9F811A7290D3B49968CB11

Function 001E1765 Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 001E2612: GetWindowLongW.USER32(?,000000EB), ref: 001E2623

BeginPaint.USER32(?,?,?,?,?,?), ref: 001E179A
GetWindowRect.USER32(?,?), ref: 001E17FE
ScreenToClient.USER32(?,?), ref: 001E181B
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 001E182C
EndPaint.USER32(?,?), ref: 001E1876

Memory Dump Source

Source File: 00000000.00000002.2246549404.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2246531073.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.000000000026F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246673436.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246691233.00000000002A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_lExtvSjBgq.jbxd

Similarity

API ID: PaintWindow$BeginClientLongRectScreenViewport
String ID:
API String ID: 1827037458-0
Opcode ID: 03755c8f8dfc08976712d8ebab1227c75750d355521271800bcf544938925512
Instruction ID: 29577a4074afa6ecdb43d802d9cb79b66aadf418f23645cb7c0555517a1e2b35
Opcode Fuzzy Hash: 03755c8f8dfc08976712d8ebab1227c75750d355521271800bcf544938925512
Instruction Fuzzy Hash: 3041B031100B41AFDB11DF25EC88FBB7BF8FB5A720F144628F9A4861A1C7709885DB61

Function 0026B69E Relevance: 9.1, APIs: 6, Instructions: 109windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(002A57B0,00000000,00ED4D78,?,?,002A57B0,?,0026B5A8,?,?), ref: 0026B712
EnableWindow.USER32(00000000,00000000), ref: 0026B736
ShowWindow.USER32(002A57B0,00000000,00ED4D78,?,?,002A57B0,?,0026B5A8,?,?), ref: 0026B796
ShowWindow.USER32(00000000,00000004,?,0026B5A8,?,?), ref: 0026B7A8
EnableWindow.USER32(00000000,00000001), ref: 0026B7CC
SendMessageW.USER32(?,0000130C,?,00000000), ref: 0026B7EF

Memory Dump Source

Source File: 00000000.00000002.2246549404.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2246531073.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.000000000026F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246673436.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246691233.00000000002A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_lExtvSjBgq.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: 2d245e1292248896fe6d88ca65eaaa61399186090a7b46d1d653d7144250b7a6
Instruction ID: 360320ce8b8a46511a2bc6aa5ed6c47e3d1dcad38efa43aba4fcc562935160c6
Opcode Fuzzy Hash: 2d245e1292248896fe6d88ca65eaaa61399186090a7b46d1d653d7144250b7a6
Instruction Fuzzy Hash: 65419F35610241AFDB23CF24D599B94BBE0FF45311F1881B9E948CF6A2C771A8E6CB50

Function 0025709E Relevance: 9.1, APIs: 6, Instructions: 97COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,?,?,?,?,00254E41,?,?,00000000,00000001), ref: 002570AC

Part of subcall function 002539A0: GetWindowRect.USER32(?,?), ref: 002539B3

GetDesktopWindow.USER32 ref: 002570D6
GetWindowRect.USER32(00000000), ref: 002570DD
mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 0025710F

Part of subcall function 00245244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 002452BC

GetCursorPos.USER32(?), ref: 0025713B
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00257199

Memory Dump Source

Source File: 00000000.00000002.2246549404.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2246531073.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.000000000026F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246673436.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246691233.00000000002A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_lExtvSjBgq.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
String ID:
API String ID: 4137160315-0
Opcode ID: 7e7c06055c6c682fb0e5ba19334aa1c72f147413bac36c999ed77f7333aabd19
Instruction ID: 0f223f790843a6c86a5c1abf6d4ccc024f85fb060af843d189b234a9b68d97f8
Opcode Fuzzy Hash: 7e7c06055c6c682fb0e5ba19334aa1c72f147413bac36c999ed77f7333aabd19
Instruction Fuzzy Hash: EE310472118306ABCB20DF14E849F9BB7E9FF88304F004919F88997191C7B0EA18CB96

Function 00238879 Relevance: 9.1, APIs: 6, Instructions: 69memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 002380A9: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 002380C0
Part of subcall function 002380A9: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 002380CA
Part of subcall function 002380A9: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 002380D9
Part of subcall function 002380A9: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 002380E0
Part of subcall function 002380A9: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 002380F6

GetLengthSid.ADVAPI32(?,00000000,0023842F), ref: 002388CA
GetProcessHeap.KERNEL32(00000008,00000000), ref: 002388D6
HeapAlloc.KERNEL32(00000000), ref: 002388DD
CopySid.ADVAPI32(00000000,00000000,?), ref: 002388F6
GetProcessHeap.KERNEL32(00000000,00000000,0023842F), ref: 0023890A
HeapFree.KERNEL32(00000000), ref: 00238911

Memory Dump Source

Source File: 00000000.00000002.2246549404.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2246531073.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.000000000026F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246673436.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246691233.00000000002A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_lExtvSjBgq.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: d4916d4baf9b6359a1c8e1ca2b04e2205538d8e4e5ba2ca8448c0cec2eafa04f
Instruction ID: 8feb3b65ce15b6b8bdaa78711ca095225c6b2d1544feae8ffacd403b69f58c69
Opcode Fuzzy Hash: d4916d4baf9b6359a1c8e1ca2b04e2205538d8e4e5ba2ca8448c0cec2eafa04f
Instruction Fuzzy Hash: E811AFB1521209FFDF109FA4ED09BBE7768FB45355F108068F8859B210CB729924DB60

Function 002385B1 Relevance: 9.1, APIs: 6, Instructions: 65processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 002385E2
OpenProcessToken.ADVAPI32(00000000), ref: 002385E9
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 002385F8
CloseHandle.KERNEL32(00000004), ref: 00238603
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00238632
DestroyEnvironmentBlock.USERENV(00000000), ref: 00238646

Memory Dump Source

Source File: 00000000.00000002.2246549404.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2246531073.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.000000000026F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246673436.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246691233.00000000002A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_lExtvSjBgq.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: faf5ddea19b5a2fde3bc0427398b82694f1863aadf071bf67eeece8bcdca2f3d
Instruction ID: 6eda45b1f53c3463e655c63d83966a528ca37fdd062a3b73f37fab472be7366e
Opcode Fuzzy Hash: faf5ddea19b5a2fde3bc0427398b82694f1863aadf071bf67eeece8bcdca2f3d
Instruction Fuzzy Hash: 27116DB250024EABDF018FA4ED49FDE7BA9EF08304F048065FE04A6160C7B18D65DB60

Function 0023B790 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 0023B7B5
GetDeviceCaps.GDI32(00000000,00000058), ref: 0023B7C6
GetDeviceCaps.GDI32(00000000,0000005A), ref: 0023B7CD
ReleaseDC.USER32(00000000,00000000), ref: 0023B7D5
MulDiv.KERNEL32(000009EC,?,00000000), ref: 0023B7EC
MulDiv.KERNEL32(000009EC,?,?), ref: 0023B7FE

Memory Dump Source

Source File: 00000000.00000002.2246549404.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2246531073.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.000000000026F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246673436.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246691233.00000000002A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_lExtvSjBgq.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: 92b6f7e8f3f9e374acf2e0d64d567273a561788f36827ee06ac5a9ec38dff311
Instruction ID: fb22bf125f217733eab5b764f90b4818a5101dfe7d03d3d9eb2739237c143281
Opcode Fuzzy Hash: 92b6f7e8f3f9e374acf2e0d64d567273a561788f36827ee06ac5a9ec38dff311
Instruction Fuzzy Hash: 650144B5E00219BBEF109FA6ED49A5EBFB8EB49751F008075FA08A7291D6719C10CF91

Function 00200162 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 00200193
MapVirtualKeyW.USER32(00000010,00000000), ref: 0020019B
MapVirtualKeyW.USER32(000000A0,00000000), ref: 002001A6
MapVirtualKeyW.USER32(000000A1,00000000), ref: 002001B1
MapVirtualKeyW.USER32(00000011,00000000), ref: 002001B9
MapVirtualKeyW.USER32(00000012,00000000), ref: 002001C1

Memory Dump Source

Source File: 00000000.00000002.2246549404.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2246531073.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.000000000026F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246673436.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246691233.00000000002A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_lExtvSjBgq.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: d6ab67d606de516982bf57f9b5c0b28da5ed582e51e84e84602b3b6f105f1fe7
Instruction ID: be6caf2823fe032308650a12380469076daa4f2627483aa7d2c3f8245e8acac2
Opcode Fuzzy Hash: d6ab67d606de516982bf57f9b5c0b28da5ed582e51e84e84602b3b6f105f1fe7
Instruction Fuzzy Hash: E80148B09017597DE3008F5A8C85A52FEA8FF19354F00411BA15847941C7F5A864CBE5

Function 002453E9 Relevance: 9.0, APIs: 6, Instructions: 43windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 002453F9
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 0024540F
GetWindowThreadProcessId.USER32(?,?), ref: 0024541E
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0024542D
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00245437
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0024543E

Memory Dump Source

Source File: 00000000.00000002.2246549404.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2246531073.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.000000000026F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246673436.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246691233.00000000002A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_lExtvSjBgq.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: e40f60676b0a4a2590787437f745882763243997c682703fdd3dfbedf9e02ca2
Instruction ID: 8b861a87c7283648abc6e926b5ceff61a3cf5b76ef06f4bdb247a0240acd82d0
Opcode Fuzzy Hash: e40f60676b0a4a2590787437f745882763243997c682703fdd3dfbedf9e02ca2
Instruction Fuzzy Hash: 09F06D32240158BBEB205BA2FD0DEAB7A7CEBC7B11F0041A9FA14D105196E01A0186B5

Function 00247230 Relevance: 9.0, APIs: 6, Instructions: 33synchronizationthreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,?), ref: 00247243
EnterCriticalSection.KERNEL32(?,?,001F0EE4,?,?), ref: 00247254
TerminateThread.KERNEL32(00000000,000001F6,?,001F0EE4,?,?), ref: 00247261
WaitForSingleObject.KERNEL32(00000000,000003E8,?,001F0EE4,?,?), ref: 0024726E

Part of subcall function 00246C35: CloseHandle.KERNEL32(00000000,?,0024727B,?,001F0EE4,?,?), ref: 00246C3F

InterlockedExchange.KERNEL32(?,000001F6), ref: 00247281
LeaveCriticalSection.KERNEL32(?,?,001F0EE4,?,?), ref: 00247288

Memory Dump Source

Source File: 00000000.00000002.2246549404.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2246531073.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.000000000026F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246673436.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246691233.00000000002A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_lExtvSjBgq.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: 9c5ead9a671bbefead1c372322499c3ac65ffb083856ad6ca627022decc94eae
Instruction ID: ed1094c1198ceec4c086128333387fb1400ea95c7162db1a377260a42570322e
Opcode Fuzzy Hash: 9c5ead9a671bbefead1c372322499c3ac65ffb083856ad6ca627022decc94eae
Instruction Fuzzy Hash: 57F05E36544612EBDB951F64FE9C9DA7729FF45702B114632F903910A0CBF65851CF50

Function 00238992 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 0023899D
UnloadUserProfile.USERENV(?,?), ref: 002389A9
CloseHandle.KERNEL32(?), ref: 002389B2
CloseHandle.KERNEL32(?), ref: 002389BA
GetProcessHeap.KERNEL32(00000000,?), ref: 002389C3
HeapFree.KERNEL32(00000000), ref: 002389CA

Memory Dump Source

Source File: 00000000.00000002.2246549404.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2246531073.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.000000000026F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246673436.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246691233.00000000002A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_lExtvSjBgq.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: 7448bc6714cf53f17ebe39cd557be1602fa974c97cfb24ec7fafc4d9adade3b5
Instruction ID: 0c6105e968e67fbbea1f99a0714bf6903cd79add2322e7e5a15308f3c0716c29
Opcode Fuzzy Hash: 7448bc6714cf53f17ebe39cd557be1602fa974c97cfb24ec7fafc4d9adade3b5
Instruction Fuzzy Hash: 65E0C236004001FBDE411FE1FE0C90ABB69FB8A362B108270F21981170CBB29430DB50

Function 00237530 Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 231COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,00272C7C,?), ref: 002376EA
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,00272C7C,?), ref: 00237702
CLSIDFromProgID.OLE32(?,?,00000000,0026FB80,000000FF,?,00000000,00000800,00000000,?,00272C7C,?), ref: 00237727
_memcmp.LIBCMT ref: 00237748

Strings

,,', xrefs: 0023753D

Memory Dump Source

Source File: 00000000.00000002.2246549404.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2246531073.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.000000000026F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246673436.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246691233.00000000002A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_lExtvSjBgq.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID: ,,'
API String ID: 314563124-1378728019
Opcode ID: cebc5d36b5cfa5ae6d1ccc6d5bf9147fa9d4a53e5ba9a2269600ec33dd4f0d4a
Instruction ID: 44e1e35dc9a2651469a7b71f3548d00b3a50dfef492ae2f25a0ffa5ea0891fdd
Opcode Fuzzy Hash: cebc5d36b5cfa5ae6d1ccc6d5bf9147fa9d4a53e5ba9a2269600ec33dd4f0d4a
Instruction Fuzzy Hash: 93812CB1A1010AEFDF14DFA4C984EEEB7B9FF89315F204558E505AB250DB71AE06CB60

Function 002585ED Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 225COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00258613
CharUpperBuffW.USER32(?,?), ref: 00258722
VariantClear.OLEAUT32(?), ref: 0025889A

Part of subcall function 00247562: VariantInit.OLEAUT32(00000000), ref: 002475A2
Part of subcall function 00247562: VariantCopy.OLEAUT32(00000000,?), ref: 002475AB
Part of subcall function 00247562: VariantClear.OLEAUT32(00000000), ref: 002475B7

Strings

Incorrect Parameter format, xrefs: 0025864B, 0025880D
AUTOIT.ERROR, xrefs: 00258728

Memory Dump Source

Source File: 00000000.00000002.2246549404.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2246531073.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.000000000026F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246673436.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246691233.00000000002A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_lExtvSjBgq.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4237274167-1221869570
Opcode ID: 8f33c3bedeb552809190b5f8828e57c4215614167ca756146af713f413bbeed9
Instruction ID: 1e5371a25a17c1106ec65d5f7a1b8e316fdf4f0870c08a76bba9494278224d63
Opcode Fuzzy Hash: 8f33c3bedeb552809190b5f8828e57c4215614167ca756146af713f413bbeed9
Instruction Fuzzy Hash: 4391BD70614745DFCB00DF25C48495AB7E4EF89714F04892EF88A9B362DB70ED09CB92

Function 002697F4 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 140COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(00EDE900,?), ref: 00269863
ScreenToClient.USER32(00000002,00000002), ref: 00269896
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,00000002,?,?), ref: 00269903

Strings

xM, xrefs: 00269832, 0026992D

Memory Dump Source

Source File: 00000000.00000002.2246549404.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2246531073.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.000000000026F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246673436.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246691233.00000000002A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_lExtvSjBgq.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID: xM
API String ID: 3880355969-315438632
Opcode ID: 9d79bf8a894cc8e715981097266590d00cc65e527370ac932b015bb120bb83ac
Instruction ID: d26c51e4518ef01bdad0a3f91b4569d9d3615ad152b76f56266a5256ac0268c7
Opcode Fuzzy Hash: 9d79bf8a894cc8e715981097266590d00cc65e527370ac932b015bb120bb83ac
Instruction Fuzzy Hash: 98515034A11209EFCF10CF54D984AAE7BB9FF45360F108159F8659B2A0DB31ADD1CB90

Function 00242753 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 002427C0
GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 002427DC
DeleteMenu.USER32(?,00000007,00000000), ref: 00242822
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,002A5890,00000000), ref: 0024286B

Strings

0, xrefs: 002427B5

Memory Dump Source

Source File: 00000000.00000002.2246549404.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2246531073.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.000000000026F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246673436.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246691233.00000000002A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_lExtvSjBgq.jbxd

Similarity

API ID: Menu$Delete$InfoItem_memset
String ID: 0
API String ID: 1173514356-4108050209
Opcode ID: 33dcd3a039269cea58d1c80cca448ae5dea8ee9957e855af0ffba4b520df65b3
Instruction ID: 690b0011a3491835d62e85011cd3bf50bf7700776d6b8f6e92707cbab8f60cd2
Opcode Fuzzy Hash: 33dcd3a039269cea58d1c80cca448ae5dea8ee9957e855af0ffba4b520df65b3
Instruction Fuzzy Hash: 0941A070214342DFDB28DF26D844B1ABBE8EF85314F44496DF866972D2DB70A819CB62

Function 00268851 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 109COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 002688DE

Strings

xM, xrefs: 0026888D

Memory Dump Source

Source File: 00000000.00000002.2246549404.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2246531073.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.000000000026F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246673436.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246691233.00000000002A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_lExtvSjBgq.jbxd

Similarity

API ID: InvalidateRect
String ID: xM
API String ID: 634782764-315438632
Opcode ID: 66942a7fe4a52261d061d1bdb8f9cd6e271d920ece5bf6d0413c9f5a8e3d05b6
Instruction ID: 6707279d7d535d9ca965910d63838d666c90d0675eeb5375ff4f7a2f158077cf
Opcode Fuzzy Hash: 66942a7fe4a52261d061d1bdb8f9cd6e271d920ece5bf6d0413c9f5a8e3d05b6
Instruction Fuzzy Hash: F731D434632109AFEF209E68DC49BBD77A5EB06310F544612FA51E72A1CE70DDE09B53

Function 0026AB37 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 106windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 0026AB60
GetWindowRect.USER32(?,?), ref: 0026ABD6
PtInRect.USER32(?,?,0026C014), ref: 0026ABE6
MessageBeep.USER32(00000000), ref: 0026AC57

Strings

xM, xrefs: 0026AB9C, 0026ABFE

Memory Dump Source

Source File: 00000000.00000002.2246549404.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2246531073.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.000000000026F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246673436.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246691233.00000000002A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_lExtvSjBgq.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID: xM
API String ID: 1352109105-315438632
Opcode ID: 1ec554c8c3ee53ea6a8b22fb5fc52401fea03489a297046b249227139b86985e
Instruction ID: a0621f21f3633491b00bedd787973cfb8e566317f43b96575adb0ae590aec1e1
Opcode Fuzzy Hash: 1ec554c8c3ee53ea6a8b22fb5fc52401fea03489a297046b249227139b86985e
Instruction Fuzzy Hash: 07417F30620119DFCB11DF58E888B697BF5FF49710F1480AAE815AB261D770E891CF92

Function 00240AD6 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 105keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000000,?,00000001), ref: 00240B27
SetKeyboardState.USER32(00000080,?,00000001), ref: 00240B43
PostMessageW.USER32(00000000,00000102,00000001,00000001), ref: 00240BA9
SendInput.USER32(00000001,00000000,0000001C,00000000,?,00000001), ref: 00240BFB

Strings

lldfrplldfrplld9rplld5rplld1rplld0rplldfrplldfrplldfrplldfrplldfrplldfrplld8rplld9rplld4rplld5rplldfrplld4rplld8rplld3rplld7rplldd, xrefs: 00240B5D

Memory Dump Source

Source File: 00000000.00000002.2246549404.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2246531073.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.000000000026F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246673436.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246691233.00000000002A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_lExtvSjBgq.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID: lldfrplldfrplld9rplld5rplld1rplld0rplldfrplldfrplldfrplldfrplldfrplldfrplld8rplld9rplld4rplld5rplldfrplld4rplld8rplld3rplld7rplldd
API String ID: 432972143-141170929
Opcode ID: fb85e224102c761e7a3914372e4ee6360dc60c51cac1c73b9d0b23b9830e3792
Instruction ID: b5116ab900617abb64f040f0becb7f72a84e00946b9c31acee707058ec392b7a
Opcode Fuzzy Hash: fb85e224102c761e7a3914372e4ee6360dc60c51cac1c73b9d0b23b9830e3792
Instruction Fuzzy Hash: 8E317C70D60209AEFF388F25DC89BFABBA5EB4531CF04425AE681521D1C3B48DE19B59

Function 00240C11 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 101keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,7694C0D0,?,00008000), ref: 00240C66
SetKeyboardState.USER32(00000080,?,00008000), ref: 00240C82
PostMessageW.USER32(00000000,00000101,00000000), ref: 00240CE1
SendInput.USER32(00000001,?,0000001C,7694C0D0,?,00008000), ref: 00240D33

Strings

lldfrplldfrplld9rplld5rplld1rplld0rplldfrplldfrplldfrplldfrplldfrplldfrplld8rplld9rplld4rplld5rplldfrplld4rplld8rplld3rplld7rplldd, xrefs: 00240C9F

Memory Dump Source

Source File: 00000000.00000002.2246549404.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2246531073.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.000000000026F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246673436.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246691233.00000000002A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_lExtvSjBgq.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID: lldfrplldfrplld9rplld5rplld1rplld0rplldfrplldfrplldfrplldfrplldfrplldfrplld8rplld9rplld4rplld5rplldfrplld4rplld8rplld3rplld7rplldd
API String ID: 432972143-141170929
Opcode ID: 0a8505fbd940ce85b8518bad63f6365a520df99f3892418ebcc899db03c1dab0
Instruction ID: 3ffc2daa05102113e89c31f8112415a2a5a7cf3a311053c08d959cde79aa3f64
Opcode Fuzzy Hash: 0a8505fbd940ce85b8518bad63f6365a520df99f3892418ebcc899db03c1dab0
Instruction Fuzzy Hash: 90312630D60219EEFF288F65D888BBEBB65EB45310F04831BE681521D1C3B599E58B91

Function 0025D7A5 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 101COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 0025D7C5

Part of subcall function 001E784B: _memmove.LIBCMT ref: 001E7899

Strings

stdcall, xrefs: 0025D847
winapi, xrefs: 0025D836
none, xrefs: 0025D8A0
cdecl, xrefs: 0025D81C

Memory Dump Source

Source File: 00000000.00000002.2246549404.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2246531073.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.000000000026F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246673436.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246691233.00000000002A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_lExtvSjBgq.jbxd

Similarity

API ID: BuffCharLower_memmove
String ID: cdecl$none$stdcall$winapi
API String ID: 3425801089-567219261
Opcode ID: 9a009f1671ec5a4836b4b124a98f299f2446f6319c4812b78e4396529f0d5e0b
Instruction ID: 70edb71385a368b53621a9135a35cede9fb1f6709dfabb17d4097c9db3f49594
Opcode Fuzzy Hash: 9a009f1671ec5a4836b4b124a98f299f2446f6319c4812b78e4396529f0d5e0b
Instruction Fuzzy Hash: F5310470A24606AFDF10EF58CC859EEB3B5FF14320F008629E865972C1DB71AD1ACB80

Function 00238E90 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 94windowCOMMON

Download Yara Rule

APIs

Part of subcall function 001E7DE1: _memmove.LIBCMT ref: 001E7E22

Part of subcall function 0023AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0023AABC

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00238F14
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00238F27
SendMessageW.USER32(?,00000189,?,00000000), ref: 00238F57

Part of subcall function 001E7BCC: _memmove.LIBCMT ref: 001E7C06

Strings

ComboBox, xrefs: 00238E9E
ListBox, xrefs: 00238ED3

Memory Dump Source

Source File: 00000000.00000002.2246549404.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2246531073.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.000000000026F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246673436.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246691233.00000000002A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_lExtvSjBgq.jbxd

Similarity

API ID: MessageSend$_memmove$ClassName
String ID: ComboBox$ListBox
API String ID: 365058703-1403004172
Opcode ID: f1012d94dee1dd66866636197e5b921e80f5cbcb45e1b5ec6e9465cf499f53cf
Instruction ID: f29bda7bcc6e79c53ebba1c2ddaf56ed363598c2b0a8fc8131861bed700964cb
Opcode Fuzzy Hash: f1012d94dee1dd66866636197e5b921e80f5cbcb45e1b5ec6e9465cf499f53cf
Instruction Fuzzy Hash: EF2134B1A14208BEEF14ABB0DC89DFFB779EF15320F144529F4219B1E1DF7409199A20

Function 00267B93 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 88windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 00267C4A
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 00267C58
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00267C5F

Strings

xM, xrefs: 00267C15, 00267C34
msctls_updown32, xrefs: 00267BC4

Memory Dump Source

Source File: 00000000.00000002.2246549404.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2246531073.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.000000000026F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246673436.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246691233.00000000002A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_lExtvSjBgq.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32$xM
API String ID: 4014797782-3939976129
Opcode ID: a3023ac9b94f7c3eb3983d8a46165503b5a7fcf82990b39e88a9da6a226a645f
Instruction ID: 31572bf741424c3dabe3e2f2c51c07aea2c592a53be6015d27134efda59ed2b7
Opcode Fuzzy Hash: a3023ac9b94f7c3eb3983d8a46165503b5a7fcf82990b39e88a9da6a226a645f
Instruction Fuzzy Hash: 4F2192B1214219AFEB10DF14ECC5CAB77ECEF5A358B140059F9119B3A1CB71ECA18B60

Function 0025182D Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 86networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0025184C
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00251872
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 002518A2
InternetCloseHandle.WININET(00000000), ref: 002518E9

Part of subcall function 00252483: GetLastError.KERNEL32(?,?,00251817,00000000,00000000,00000001), ref: 00252498
Part of subcall function 00252483: SetEvent.KERNEL32(?,?,00251817,00000000,00000000,00000001), ref: 002524AD

Strings

, xrefs: 00251893

Memory Dump Source

Source File: 00000000.00000002.2246549404.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2246531073.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.000000000026F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246673436.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246691233.00000000002A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_lExtvSjBgq.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: 883295cff3570935668fc8122b016e3b2434a87948e59d91521966a300f2e520
Instruction ID: 2cd02e20030e6962ccbba256fab7b3f0063bfda787529757823cd58b43ae6ac1
Opcode Fuzzy Hash: 883295cff3570935668fc8122b016e3b2434a87948e59d91521966a300f2e520
Instruction Fuzzy Hash: C421B0B5520308BFEB219F60DC89FBB77EDEB49746F10412AFC0596240DA709D285BA4

Function 0026C498 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 83windowCOMMON

Download Yara Rule

APIs

Part of subcall function 001E2612: GetWindowLongW.USER32(?,000000EB), ref: 001E2623

GetCursorPos.USER32(?), ref: 0026C4D2
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,0021B9AB,?,?,?,?,?), ref: 0026C4E7
GetCursorPos.USER32(?), ref: 0026C534
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,0021B9AB,?,?,?), ref: 0026C56E

Strings

xM, xrefs: 0026C504, 0026C53A

Memory Dump Source

Source File: 00000000.00000002.2246549404.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2246531073.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.000000000026F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246673436.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246691233.00000000002A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_lExtvSjBgq.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID: xM
API String ID: 2864067406-315438632
Opcode ID: 0706d2dee2cc2f67ede2e1126f211221d8891abb9bd265ba94513907a6119f90
Instruction ID: f83836a7a3b208710816d41faa067492ba6cf029bbdb6e652cb589fe3ebbf6d8
Opcode Fuzzy Hash: 0706d2dee2cc2f67ede2e1126f211221d8891abb9bd265ba94513907a6119f90
Instruction Fuzzy Hash: CD31F535510158AFCF11DF58DC58EFB7BB9EB09310F904065F9469B261CB31ADA0DBA0

Function 002663E7 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 80windowlibraryCOMMON

Download Yara Rule

APIs

Part of subcall function 001E1D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 001E1D73
Part of subcall function 001E1D35: GetStockObject.GDI32(00000011), ref: 001E1D87
Part of subcall function 001E1D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 001E1D91

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00266461
LoadLibraryW.KERNEL32(?), ref: 00266468
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 0026647D
DestroyWindow.USER32(?), ref: 00266485

Strings

SysAnimate32, xrefs: 0026643C

Memory Dump Source

Source File: 00000000.00000002.2246549404.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2246531073.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.000000000026F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246673436.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246691233.00000000002A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_lExtvSjBgq.jbxd

Similarity

API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
String ID: SysAnimate32
API String ID: 4146253029-1011021900
Opcode ID: 94112c3f36b9d3c22e7009d696c7ec773cea676f74709c657bd4d5f37660396a
Instruction ID: 91a341cb73b1638aea8e08d2e5792ebe71e8edcc89a5a4e257c96d301c507e88
Opcode Fuzzy Hash: 94112c3f36b9d3c22e7009d696c7ec773cea676f74709c657bd4d5f37660396a
Instruction Fuzzy Hash: 81218171120246BFEF204F64EC98EBB77ADEF59764F108629FA2093190DB71DCA19760

Function 00246D9C Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 00246DBC
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00246DEF
GetStdHandle.KERNEL32(0000000C), ref: 00246E01
CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 00246E3B

Strings

nul, xrefs: 00246E36

Memory Dump Source

Source File: 00000000.00000002.2246549404.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2246531073.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.000000000026F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246673436.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246691233.00000000002A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_lExtvSjBgq.jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: 09a71ebfc3bdc64a2be65f9788c76a2e13dc47a26c3e77711ae7d8cf4fc5ee9b
Instruction ID: fd2acd4839a35af99b0a640b7fbf1a36a967a678932f93fae7beac085ad97445
Opcode Fuzzy Hash: 09a71ebfc3bdc64a2be65f9788c76a2e13dc47a26c3e77711ae7d8cf4fc5ee9b
Instruction Fuzzy Hash: 35219575A1020AEBDF249F29EC4CA9977F4EF46720F204629FCA1D72D0D77099608B52

Function 00246E6A Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 00246E89
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00246EBB
GetStdHandle.KERNEL32(000000F6), ref: 00246ECC
CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 00246F06

Strings

nul, xrefs: 00246F01

Memory Dump Source

Source File: 00000000.00000002.2246549404.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2246531073.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.000000000026F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246673436.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246691233.00000000002A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_lExtvSjBgq.jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: 48f38c475e7a76587de50e1753414c3fcbba958a503327d73712e7261c8bdeed
Instruction ID: 772f897cddd9d3cf3c58126544b8a7a5ec2f110d907a19c71c38d70c5ae21a72
Opcode Fuzzy Hash: 48f38c475e7a76587de50e1753414c3fcbba958a503327d73712e7261c8bdeed
Instruction Fuzzy Hash: DC21C4796103069BDF249F69DC4CE9A77E8EF46720F204A1AFCA0D32D0D7B09864CB12

Function 0024AC40 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 73COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 0024AC54
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 0024ACA8
__swprintf.LIBCMT ref: 0024ACC1
SetErrorMode.KERNEL32(00000000,00000001,00000000,0026F910), ref: 0024ACFF

Strings

%lu, xrefs: 0024ACBB

Memory Dump Source

Source File: 00000000.00000002.2246549404.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2246531073.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.000000000026F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246673436.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246691233.00000000002A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_lExtvSjBgq.jbxd

Similarity

API ID: ErrorMode$InformationVolume__swprintf
String ID: %lu
API String ID: 3164766367-685833217
Opcode ID: 8ac640e45b935adba8dea3a11ffd640f4dc8bd0ff1903c01200788df57362585
Instruction ID: 7adf75c95a9b0fc6a520c533bb0321b5316c738957d4651d9c4659163f7f3689
Opcode Fuzzy Hash: 8ac640e45b935adba8dea3a11ffd640f4dc8bd0ff1903c01200788df57362585
Instruction Fuzzy Hash: 7B217174A00209AFCB10DF65D985DEE7BB8FF89314B0440A9F909DB252DB71EA51CB61

Function 00241142 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 51sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,0023FCED,?,00240D40,?,00008000), ref: 0024115F
Sleep.KERNEL32(00000000,?,?,?,?,?,?,0023FCED,?,00240D40,?,00008000), ref: 00241184
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,0023FCED,?,00240D40,?,00008000), ref: 0024118E
Sleep.KERNEL32(?,?,?,?,?,?,?,0023FCED,?,00240D40,?,00008000), ref: 002411C1

Strings

@$, xrefs: 0024119D

Memory Dump Source

Source File: 00000000.00000002.2246549404.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2246531073.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.000000000026F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246673436.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246691233.00000000002A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_lExtvSjBgq.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID: @$
API String ID: 2875609808-108449358
Opcode ID: d02fcb03948e948b1d3614ac1261a4b86f9d1b10dba8f0e4d164e0e2fc518352
Instruction ID: 8b9c8a2995199e65317194f70cdf6719fd5b7a9018d7bb7f122c53e7c0a305a6
Opcode Fuzzy Hash: d02fcb03948e948b1d3614ac1261a4b86f9d1b10dba8f0e4d164e0e2fc518352
Instruction Fuzzy Hash: 1C113C31D1061DD7CF049FA5E988AEEBB78FF0A751F004096EA4DB2240DBB095B0DB95

Function 00241AE8 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 49COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00241B19

Strings

REMOVE, xrefs: 00241B1F
EXISTS, xrefs: 00241B41
KEYS, xrefs: 00241B30
APPEND, xrefs: 00241B52

Memory Dump Source

Source File: 00000000.00000002.2246549404.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2246531073.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.000000000026F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246673436.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246691233.00000000002A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_lExtvSjBgq.jbxd

Similarity

API ID: BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 3964851224-769500911
Opcode ID: ffb44e8501bae572d60538dc1d5144f57ae1cd193df29de6a82e70c476212ce9
Instruction ID: 464e009654ef645005d6f2fbbb658903f29d23789b64683df7e2879bd09cb94f
Opcode Fuzzy Hash: ffb44e8501bae572d60538dc1d5144f57ae1cd193df29de6a82e70c476212ce9
Instruction Fuzzy Hash: 941184309202498FCF04EF64D891AFEB7B4FF26708F558465D855A7292EB325D2ACF50

Function 0025EB55 Relevance: 7.7, APIs: 5, Instructions: 247COMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 0025EC07
GetProcessIoCounters.KERNEL32(00000000,?), ref: 0025EC37
GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 0025ED6A
CloseHandle.KERNEL32(?), ref: 0025EDEB

Memory Dump Source

Source File: 00000000.00000002.2246549404.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2246531073.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.000000000026F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246673436.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246691233.00000000002A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_lExtvSjBgq.jbxd

Similarity

API ID: Process$CloseCountersHandleInfoMemoryOpen
String ID:
API String ID: 2364364464-0
Opcode ID: e98e55cacf554137ddec073f9c78487dc74fb9f226ccc35bc3a8b09f653c6406
Instruction ID: 95eaeca1d1028e7ca32e03a1592e50b811fc60d6781751e161fbdad79246348d
Opcode Fuzzy Hash: e98e55cacf554137ddec073f9c78487dc74fb9f226ccc35bc3a8b09f653c6406
Instruction Fuzzy Hash: EA81B0B16007419FDB24EF29C886F2EB7E5AF54710F04881DF999DB292DBB0AD44CB46

Function 0020541D Relevance: 7.7, APIs: 5, Instructions: 163COMMONLIBRARYCODE

Download Yara Rule

APIs

_memset.LIBCMT ref: 0020547B
_memcpy_s.LIBCMT ref: 002054ED
__read_nolock.LIBCMT ref: 0020554B
__filbuf.LIBCMT ref: 0020556E
_memset.LIBCMT ref: 002055B2

Part of subcall function 00208B28: __getptd_noexit.LIBCMT ref: 00208B28

Memory Dump Source

Source File: 00000000.00000002.2246549404.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2246531073.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.000000000026F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246673436.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246691233.00000000002A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_lExtvSjBgq.jbxd

Similarity

API ID: _memset$__filbuf__getptd_noexit__read_nolock_memcpy_s
String ID:
API String ID: 1559183368-0
Opcode ID: 1d92f2bce51b0a0de234b56dfad0c5d103c922ba67c2ed527f53aae8e5802bd0
Instruction ID: 72c671b74bdd030e42c4ec2f76302432a820f67daadfa3071e6760ef4f4d9446
Opcode Fuzzy Hash: 1d92f2bce51b0a0de234b56dfad0c5d103c922ba67c2ed527f53aae8e5802bd0
Instruction Fuzzy Hash: B451BB70A20B16DBDF249F65DC805AF7BB6AF40321F548729F825962D2D7709DB08F41

Function 00260037 Relevance: 7.6, APIs: 5, Instructions: 144registryCOMMON

Download Yara Rule

APIs

Part of subcall function 001E7DE1: _memmove.LIBCMT ref: 001E7E22

Part of subcall function 00260E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0025FDAD,?,?), ref: 00260E31

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 002600FD
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0026013C
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 00260183
RegCloseKey.ADVAPI32(?,?), ref: 002601AF
RegCloseKey.ADVAPI32(00000000), ref: 002601BC

Memory Dump Source

Source File: 00000000.00000002.2246549404.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2246531073.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.000000000026F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246673436.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246691233.00000000002A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_lExtvSjBgq.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpper_memmove
String ID:
API String ID: 3440857362-0
Opcode ID: d6710f1bb4d54e64c69028a3fd1f677d28b6c547f92eaa76cb7634b1eab6ceb8
Instruction ID: 6a3cb31a06af8008365b071dccb42fcf1cedced662ae672fefeb50d1e48362e2
Opcode Fuzzy Hash: d6710f1bb4d54e64c69028a3fd1f677d28b6c547f92eaa76cb7634b1eab6ceb8
Instruction Fuzzy Hash: 3B518B71228244AFD704EF58D881E6FB7E9FF84304F40886DF48A872A2DB71E954DB52

Function 0025D8C8 Relevance: 7.6, APIs: 5, Instructions: 139libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 001E9837: __itow.LIBCMT ref: 001E9862
Part of subcall function 001E9837: __swprintf.LIBCMT ref: 001E98AC

LoadLibraryW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 0025D927
GetProcAddress.KERNEL32(00000000,?), ref: 0025D9AA
GetProcAddress.KERNEL32(00000000,00000000), ref: 0025D9C6
GetProcAddress.KERNEL32(00000000,?), ref: 0025DA07
FreeLibrary.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,?,?), ref: 0025DA21

Part of subcall function 001E5A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00247896,?,?,00000000), ref: 001E5A2C
Part of subcall function 001E5A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00247896,?,?,00000000,?,?), ref: 001E5A50

Memory Dump Source

Source File: 00000000.00000002.2246549404.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2246531073.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.000000000026F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246673436.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246691233.00000000002A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_lExtvSjBgq.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad__itow__swprintf
String ID:
API String ID: 327935632-0
Opcode ID: d6ec96cf408c34aeda027bd94716213972c425c77edf748ce079a151469c5576
Instruction ID: bd457a08ebe75c02ebeb7582f337ad4aaeae1c5f971e4c590429640dd3fc57f1
Opcode Fuzzy Hash: d6ec96cf408c34aeda027bd94716213972c425c77edf748ce079a151469c5576
Instruction Fuzzy Hash: BE515635A1064ADFCB10EFA8C4849ADB7F5FF19324B0480A5EC19AB322D770AD55CF90

Function 0024E571 Relevance: 7.6, APIs: 5, Instructions: 135COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 0024E61F
GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 0024E648
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 0024E687

Part of subcall function 001E9837: __itow.LIBCMT ref: 001E9862
Part of subcall function 001E9837: __swprintf.LIBCMT ref: 001E98AC

WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 0024E6AC
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 0024E6B4

Memory Dump Source

Source File: 00000000.00000002.2246549404.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2246531073.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.000000000026F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246673436.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246691233.00000000002A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_lExtvSjBgq.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
String ID:
API String ID: 1389676194-0
Opcode ID: d3f991eeb4bb65fd12be379337230ecc0dd0f1cb708bcc28ae4fbe4cc2af66a2
Instruction ID: 496c775bd90879261f5b455be26552c7cbb09018423584a39b63032f2b721886
Opcode Fuzzy Hash: d3f991eeb4bb65fd12be379337230ecc0dd0f1cb708bcc28ae4fbe4cc2af66a2
Instruction Fuzzy Hash: 94511535A006499FDB04EF65C985AAEBBF5EF19314F1480A9E849AB362CB31ED10CF50

Function 002363AA Relevance: 7.6, APIs: 5, Instructions: 97windowCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 002363E7
TranslateAcceleratorW.USER32(?,?,?), ref: 00236433
TranslateMessage.USER32(?), ref: 0023645C
DispatchMessageW.USER32(?), ref: 00236466
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00236475

Memory Dump Source

Source File: 00000000.00000002.2246549404.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2246531073.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.000000000026F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246673436.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246691233.00000000002A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_lExtvSjBgq.jbxd

Similarity

API ID: Message$PeekTranslate$AcceleratorDispatch
String ID:
API String ID: 2108273632-0
Opcode ID: 8dffef7cd66808459855a207d35885a398caa0bdfb7e660b9c464fa380d68915
Instruction ID: 7d55626400846ca6a67b3f0ea9928732f8befb46a7c42d933c74f77366dc5d98
Opcode Fuzzy Hash: 8dffef7cd66808459855a207d35885a398caa0bdfb7e660b9c464fa380d68915
Instruction Fuzzy Hash: EA31C6B1920657BFDB748F70EC4CBB7BBACAB02300F148165E521C31A1EB6594A5DB60

Function 00238A1F Relevance: 7.6, APIs: 5, Instructions: 89sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00238A30
PostMessageW.USER32(?,00000201,00000001), ref: 00238ADA
Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 00238AE2
PostMessageW.USER32(?,00000202,00000000), ref: 00238AF0
Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 00238AF8

Memory Dump Source

Source File: 00000000.00000002.2246549404.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2246531073.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.000000000026F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246673436.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246691233.00000000002A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_lExtvSjBgq.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: dba5a44ca1eb44175017a8439bc3f438bc1f5482818b75a1d841189ae73a6291
Instruction ID: b2ce645858388b3e4b6f20cabdf435a41425a41cb377ef6a4594a422b8b7f2ed
Opcode Fuzzy Hash: dba5a44ca1eb44175017a8439bc3f438bc1f5482818b75a1d841189ae73a6291
Instruction Fuzzy Hash: 3D31A2B150021AEBDF14CF68E94DA9E7BB5FB05315F10822AF925EB2D1C7B09924DB90

Function 0023B1EC Relevance: 7.6, APIs: 5, Instructions: 88windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 0023B204
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 0023B221
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 0023B259
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 0023B27F
_wcsstr.LIBCMT ref: 0023B289

Memory Dump Source

Source File: 00000000.00000002.2246549404.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2246531073.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.000000000026F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246673436.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246691233.00000000002A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_lExtvSjBgq.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
String ID:
API String ID: 3902887630-0
Opcode ID: 2b7e9b516c09655812230186a946cbe4ea419862f2bd2e39435e855d94ed0b51
Instruction ID: 29a1db178bc5a17b084f9aecc4f080bec29b5853eff616651ecc3f5367ebea83
Opcode Fuzzy Hash: 2b7e9b516c09655812230186a946cbe4ea419862f2bd2e39435e855d94ed0b51
Instruction Fuzzy Hash: 042128712142017AEB169F75EC49E7F7B9CDF49710F108229FD04DA1A1EFA1CC609660

Function 0026B14B Relevance: 7.6, APIs: 5, Instructions: 85COMMON

Download Yara Rule

APIs

Part of subcall function 001E2612: GetWindowLongW.USER32(?,000000EB), ref: 001E2623

GetWindowLongW.USER32(?,000000F0), ref: 0026B192
SetWindowLongW.USER32(00000000,000000F0,00000001), ref: 0026B1B7
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 0026B1CF
GetSystemMetrics.USER32(00000004), ref: 0026B1F8
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047,?,?,?,?,?,?,?,00250E90,00000000), ref: 0026B216

Memory Dump Source

Source File: 00000000.00000002.2246549404.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2246531073.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.000000000026F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246673436.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246691233.00000000002A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_lExtvSjBgq.jbxd

Similarity

API ID: Window$Long$MetricsSystem
String ID:
API String ID: 2294984445-0
Opcode ID: 367ed33f345714cfee1a1ab4c17c5a16f044323c496e1057ac2977c9b24de0b0
Instruction ID: 3b200b2ee187f0820a8eb37851fb598b33c701f8038daa8d7299eb3b819be098
Opcode Fuzzy Hash: 367ed33f345714cfee1a1ab4c17c5a16f044323c496e1057ac2977c9b24de0b0
Instruction Fuzzy Hash: E0218071930662AFCB119F38AC18A6A37A4FB06361F114738FD36D71E0E73098E08B90

Function 00239307 Relevance: 7.6, APIs: 5, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00239320

Part of subcall function 001E7BCC: _memmove.LIBCMT ref: 001E7C06

SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00239352
__itow.LIBCMT ref: 0023936A
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00239392
__itow.LIBCMT ref: 002393A3

Memory Dump Source

Source File: 00000000.00000002.2246549404.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2246531073.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.000000000026F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246673436.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246691233.00000000002A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_lExtvSjBgq.jbxd

Similarity

API ID: MessageSend$__itow$_memmove
String ID:
API String ID: 2983881199-0
Opcode ID: 1e80b3611dc434dfe7071957fd4c2262c02bbcf0d68c251562bc5a68b5ecab00
Instruction ID: 5abeca9f5b49446b8f05e8c89e98b90f0c806e643acdba270541dbb81447f1e5
Opcode Fuzzy Hash: 1e80b3611dc434dfe7071957fd4c2262c02bbcf0d68c251562bc5a68b5ecab00
Instruction Fuzzy Hash: 042107B1724209ABDB10AF659C89EAE3BACEF5A710F044065F905DB1D1D6F08DA18BA1

Function 00255A4D Relevance: 7.6, APIs: 5, Instructions: 70COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00255A6E
GetForegroundWindow.USER32 ref: 00255A85
GetDC.USER32(00000000), ref: 00255AC1
GetPixel.GDI32(00000000,?,00000003), ref: 00255ACD
ReleaseDC.USER32(00000000,00000003), ref: 00255B08

Memory Dump Source

Source File: 00000000.00000002.2246549404.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2246531073.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.000000000026F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246673436.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246691233.00000000002A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_lExtvSjBgq.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: e8915578067769beea86dbab2d2883419c3158fa40ab55ec9f9a4985fa153744
Instruction ID: 9dbb2b65d0d06f5faa4c38c765d17001aeab16c86b7a5e258e1a4e72315a0a8d
Opcode Fuzzy Hash: e8915578067769beea86dbab2d2883419c3158fa40ab55ec9f9a4985fa153744
Instruction Fuzzy Hash: 2B219F75A10504AFDB04EF65E998A9EBBE9EF48351F14C079F80997362CBB0AC04CB90

Function 001E12F3 Relevance: 7.6, APIs: 5, Instructions: 67COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 001E134D
SelectObject.GDI32(?,00000000), ref: 001E135C
BeginPath.GDI32(?), ref: 001E1373
SelectObject.GDI32(?,00000000), ref: 001E139C

Memory Dump Source

Source File: 00000000.00000002.2246549404.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2246531073.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.000000000026F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246673436.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246691233.00000000002A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_lExtvSjBgq.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 9d27472e9116f208b87f7cd5877938a3ecf6b0d5f3d047bc7949d324f813caf2
Instruction ID: 6f3e2fdc00882b78e5383de7f5bf11f7f799c9752b3a9a532e5240ea8d91253b
Opcode Fuzzy Hash: 9d27472e9116f208b87f7cd5877938a3ecf6b0d5f3d047bc7949d324f813caf2
Instruction Fuzzy Hash: 09215931800A58EFDB118F26FD487AE7BE8FB11721F148226E810965B0DBB598D1DF90

Function 00244A93 Relevance: 7.6, APIs: 5, Instructions: 56synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00244ABA
__beginthreadex.LIBCMT ref: 00244AD8
MessageBoxW.USER32(?,?,?,?), ref: 00244AED
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 00244B03
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00244B0A

Memory Dump Source

Source File: 00000000.00000002.2246549404.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2246531073.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.000000000026F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246673436.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246691233.00000000002A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_lExtvSjBgq.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait__beginthreadex
String ID:
API String ID: 3824534824-0
Opcode ID: d8f9b0d61329cf6d21e073a8a63c6cbd112f26df32b88f93957ca04cfb26a688
Instruction ID: 481d6e6cf67c9680e6b69c4e06f6c5dc039935a2104a5a2d555ea429b8d501f2
Opcode Fuzzy Hash: d8f9b0d61329cf6d21e073a8a63c6cbd112f26df32b88f93957ca04cfb26a688
Instruction Fuzzy Hash: D1110876915A15BBCB059FB8FC0CB9B7FACEB46320F154265FD24D3250DAB1C91487A0

Function 00238202 Relevance: 7.5, APIs: 5, Instructions: 49memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 0023821E
GetLastError.KERNEL32(?,00237CE2,?,?,?), ref: 00238228
GetProcessHeap.KERNEL32(00000008,?,?,00237CE2,?,?,?), ref: 00238237
HeapAlloc.KERNEL32(00000000,?,00237CE2,?,?,?), ref: 0023823E
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00238255

Memory Dump Source

Source File: 00000000.00000002.2246549404.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2246531073.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.000000000026F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246673436.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246691233.00000000002A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_lExtvSjBgq.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: 1bf1532ab20a03c61bc3f331f2563d03b2ef9cf704d9c80ba7173d800caa7642
Instruction ID: 3e3cb17134baa88d2c1f24876437f8e2edc65c5f914ad76bedfaa7e904779997
Opcode Fuzzy Hash: 1bf1532ab20a03c61bc3f331f2563d03b2ef9cf704d9c80ba7173d800caa7642
Instruction Fuzzy Hash: 1B016DB1210245BFDF204FA5FD4CD6B7BACFF8A754B504469FC09C6220DAB18C20CA60

Function 0023710A Relevance: 7.5, APIs: 5, Instructions: 48stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00237044,80070057,?,?,?,00237455), ref: 00237127
ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00237044,80070057,?,?), ref: 00237142
lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00237044,80070057,?,?), ref: 00237150
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00237044,80070057,?), ref: 00237160
CLSIDFromString.OLE32(?,?,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00237044,80070057,?,?), ref: 0023716C

Memory Dump Source

Source File: 00000000.00000002.2246549404.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2246531073.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.000000000026F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246673436.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246691233.00000000002A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_lExtvSjBgq.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: dbf2a7e0c416556e17b9f6ffdcbcdb4941f982f0172dc698ab6c08a6d14c8276
Instruction ID: 244b4ef7bf5e60746fa0fa86ba74e4f28fd5e9ac2a9e3c24ce7207ca1da5f603
Opcode Fuzzy Hash: dbf2a7e0c416556e17b9f6ffdcbcdb4941f982f0172dc698ab6c08a6d14c8276
Instruction Fuzzy Hash: 1B017CF3625205ABDF214F64ED48AAA7BADEB447A1F1440A4FD88D3220D7B1DD50DBA0

Function 00245244 Relevance: 7.5, APIs: 5, Instructions: 48sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00245260
QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 0024526E
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 00245276
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00245280
Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 002452BC

Memory Dump Source

Source File: 00000000.00000002.2246549404.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2246531073.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.000000000026F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246673436.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246691233.00000000002A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_lExtvSjBgq.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: e7b4a431c07138a0347325ef7bf0cbd2341a8702a5373ab1152da8905d8f2a51
Instruction ID: 3beb90c0b2bf3c92a4ecd995b78516a9acfc47d7ce78a824875c89ded541254d
Opcode Fuzzy Hash: e7b4a431c07138a0347325ef7bf0cbd2341a8702a5373ab1152da8905d8f2a51
Instruction Fuzzy Hash: 95011731D11A2DDBCF04EFE4ED4DAEDBB78BB09711F404196E985B2141CBB055608BA5

Function 0023810A Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00238121
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 0023812B
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 0023813A
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00238141
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00238157

Memory Dump Source

Source File: 00000000.00000002.2246549404.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2246531073.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.000000000026F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246673436.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246691233.00000000002A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_lExtvSjBgq.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: bff5884a1134cbd9923e9f3b527c5bdd1524b69aaa5525a050cb3bae53b0f31a
Instruction ID: dbfea5587887c7c934c36d2480936d87bd2c50cbdaf634de01c8a6e64d43830f
Opcode Fuzzy Hash: bff5884a1134cbd9923e9f3b527c5bdd1524b69aaa5525a050cb3bae53b0f31a
Instruction Fuzzy Hash: 52F062B1210315AFEB510FA5FC8CE673BACFF4A754F104025F989C6150CBA19D51DA60

Function 0023C1E3 Relevance: 7.5, APIs: 5, Instructions: 41windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 0023C1F7
GetWindowTextW.USER32(00000000,?,00000100), ref: 0023C20E
MessageBeep.USER32(00000000), ref: 0023C226
KillTimer.USER32(?,0000040A), ref: 0023C242
EndDialog.USER32(?,00000001), ref: 0023C25C

Memory Dump Source

Source File: 00000000.00000002.2246549404.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2246531073.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.000000000026F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246673436.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246691233.00000000002A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_lExtvSjBgq.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: c2f4eb1f95d769ce3f4c942c6cc9d9f0997615caaf3e7eb3c101b74cbf0f1623
Instruction ID: 342c6b98a0b3a80a9eed58786106fa5022f5cd6a5d6f5147788f7863ad4f6721
Opcode Fuzzy Hash: c2f4eb1f95d769ce3f4c942c6cc9d9f0997615caaf3e7eb3c101b74cbf0f1623
Instruction Fuzzy Hash: 1301A270524704ABEF60AF64FE4EB9777BCBB00B06F104269E952A14E0DBF469648B90

Function 001E13B0 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 001E13BF
StrokeAndFillPath.GDI32(?,?,0021B888,00000000,?), ref: 001E13DB
SelectObject.GDI32(?,00000000), ref: 001E13EE
DeleteObject.GDI32 ref: 001E1401
StrokePath.GDI32(?), ref: 001E141C

Memory Dump Source

Source File: 00000000.00000002.2246549404.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2246531073.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.000000000026F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246673436.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246691233.00000000002A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_lExtvSjBgq.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: 9a84a1011d8b65a17747fe11df72d3a55b6401049df9d1e91428ea1646d4b443
Instruction ID: d6153d35b9092e18dd145e89f94147bd3b4f68ee87a572d5b5d4941ec6078bd4
Opcode Fuzzy Hash: 9a84a1011d8b65a17747fe11df72d3a55b6401049df9d1e91428ea1646d4b443
Instruction Fuzzy Hash: CBF0F230104B48EFDB115F26FD4C7593BE4AB02326F08C224E42A889F2CB798995DF50

Function 0024C397 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 279comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 0024C432
CoCreateInstance.OLE32(00272D6C,00000000,00000001,00272BDC,?), ref: 0024C44A

Part of subcall function 001E7DE1: _memmove.LIBCMT ref: 001E7E22

CoUninitialize.OLE32 ref: 0024C6B7

Strings

.lnk, xrefs: 0024C3C6, 0024C3EE, 0024C3F8

Memory Dump Source

Source File: 00000000.00000002.2246549404.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2246531073.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.000000000026F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246673436.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246691233.00000000002A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_lExtvSjBgq.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_memmove
String ID: .lnk
API String ID: 2683427295-24824748
Opcode ID: c1ed6044c15f5724238eaeaabcf9834c1f2ed92325759daec74875c1a0be8e85
Instruction ID: 31263af241451d167db7d9ea94e588543bd0ae58fb337ce88c7c2d80fffefb34
Opcode Fuzzy Hash: c1ed6044c15f5724238eaeaabcf9834c1f2ed92325759daec74875c1a0be8e85
Instruction Fuzzy Hash: 6DA138B1104645AFD704EF55C881EAFB7A8FF99358F00492CF1598B1A2EB71AA09CB52

Function 001F2CFB Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 265COMMON

Download Yara Rule

APIs

Part of subcall function 00200DB6: std::exception::exception.LIBCMT ref: 00200DEC
Part of subcall function 00200DB6: __CxxThrowException@8.LIBCMT ref: 00200E01

Part of subcall function 001E7DE1: _memmove.LIBCMT ref: 001E7E22

Part of subcall function 001E7A51: _memmove.LIBCMT ref: 001E7AAB

__swprintf.LIBCMT ref: 001F2ECD

Strings

\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 001F2D66

Memory Dump Source

Source File: 00000000.00000002.2246549404.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2246531073.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.000000000026F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246673436.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246691233.00000000002A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_lExtvSjBgq.jbxd

Similarity

API ID: _memmove$Exception@8Throw__swprintfstd::exception::exception
String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
API String ID: 1943609520-557222456
Opcode ID: 17ef8826b6ba73b44bcba19da201ecf340fb095bfd2f4c4f0f81fa7585ef56d2
Instruction ID: 8087d45f95189d32dcbab4af644cd671e4b44b7e16ee7fac9daf888e5497bea1
Opcode Fuzzy Hash: 17ef8826b6ba73b44bcba19da201ecf340fb095bfd2f4c4f0f81fa7585ef56d2
Instruction Fuzzy Hash: D891BC32118715AFD714EF28D889C7EB7A9EF95314F10081DF981AB2A2EB30ED44CB52

Function 0024B93B Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 261comCOMMON

Download Yara Rule

APIs

Part of subcall function 001E4750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,001E4743,?,?,001E37AE,?), ref: 001E4770

CoInitialize.OLE32(00000000), ref: 0024B9BB
CoCreateInstance.OLE32(00272D6C,00000000,00000001,00272BDC,?), ref: 0024B9D4
CoUninitialize.OLE32 ref: 0024B9F1

Part of subcall function 001E9837: __itow.LIBCMT ref: 001E9862
Part of subcall function 001E9837: __swprintf.LIBCMT ref: 001E98AC

Strings

.lnk, xrefs: 0024B99D, 0024B9AB

Memory Dump Source

Source File: 00000000.00000002.2246549404.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2246531073.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.000000000026F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246673436.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246691233.00000000002A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_lExtvSjBgq.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize__itow__swprintf
String ID: .lnk
API String ID: 2126378814-24824748
Opcode ID: 234bb26ead94a1903e33bb93b7e7804bb4e84464c6e0dffe02306cab9e077ea0
Instruction ID: ee98858bcbfd58200ba49c9faf864bdd21e5f53df185ead72a33805a9eeaff99
Opcode Fuzzy Hash: 234bb26ead94a1903e33bb93b7e7804bb4e84464c6e0dffe02306cab9e077ea0
Instruction Fuzzy Hash: 36A143756042469FCB04DF15C884D6EBBE5FF89318F148998F89A9B3A2CB31EC45CB91

Function 0023B2F3 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 241comCOMMON

Download Yara Rule

APIs

OleSetContainedObject.OLE32(?,00000001), ref: 0023B4BE

Strings

%', xrefs: 0023B561
AutoIt3GUI, xrefs: 0023B436
Container, xrefs: 0023B43B

Memory Dump Source

Source File: 00000000.00000002.2246549404.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2246531073.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.000000000026F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246673436.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246691233.00000000002A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_lExtvSjBgq.jbxd

Similarity

API ID: ContainedObject
String ID: AutoIt3GUI$Container$%'
API String ID: 3565006973-1466662205
Opcode ID: 1a809a76a34af1af462fabff3723121e5337d200b06500d8e766cbfc20237424
Instruction ID: a2865015fdfbde814f7aa9374bb7e767b6f85805b7c5de8a6d7cce3517147e5c
Opcode Fuzzy Hash: 1a809a76a34af1af462fabff3723121e5337d200b06500d8e766cbfc20237424
Instruction Fuzzy Hash: 349139B0620601EFDB15DF64C894B6AB7F5FF49710F10856EEA4ACB291DBB0E851CB50

Function 0020501D Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 180COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 002050AD

Part of subcall function 002100F0: __87except.LIBCMT ref: 0021012B

Strings

pow, xrefs: 00205085, 002050A2

Memory Dump Source

Source File: 00000000.00000002.2246549404.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2246531073.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.000000000026F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246673436.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246691233.00000000002A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_lExtvSjBgq.jbxd

Similarity

API ID: ErrorHandling__87except__start
String ID: pow
API String ID: 2905807303-2276729525
Opcode ID: 49cfb23c9483abc8b0de2c09fc3c9f0cd476fa19de4fac5b8f80c4c339d32b32
Instruction ID: 69f2ed4a31551a48129639fe83c72c08db38cfbcd19698f49ae135cec4ace974
Opcode Fuzzy Hash: 49cfb23c9483abc8b0de2c09fc3c9f0cd476fa19de4fac5b8f80c4c339d32b32
Instruction Fuzzy Hash: 28515B3093870396DB12AF14D8853AF2BD59B64700F208959E4D9862DADEB889F49E86

Function 001F6192 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 141COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 001F6248
_memmove.LIBCMT ref: 001F62E4
_memset.LIBCMT ref: 001F6308

Strings

ERCP, xrefs: 001F61B3

Memory Dump Source

Source File: 00000000.00000002.2246549404.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2246531073.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.000000000026F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246673436.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246691233.00000000002A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_lExtvSjBgq.jbxd

Similarity

API ID: _memset$_memmove
String ID: ERCP
API String ID: 2532777613-1384759551
Opcode ID: 89591d5ac0b8dcecc3d6758dc5127cbc72b15fee6261cf93852b1d5239e7703f
Instruction ID: d0810175096aa7a0f3b25173bb17931ec84a2327f1d22337b113626722bd760f
Opcode Fuzzy Hash: 89591d5ac0b8dcecc3d6758dc5127cbc72b15fee6261cf93852b1d5239e7703f
Instruction Fuzzy Hash: DD51A071A10309DBDB24DF69C885BAAB7F4FF04714F20456EE94ACB281E770EA54CB50

Function 002397F5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 122windowCOMMON

Download Yara Rule

APIs

Part of subcall function 002414BC: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00239296,?,?,00000034,00000800,?,00000034), ref: 002414E6

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 0023983F

Part of subcall function 00241487: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,002392C5,?,?,00000800,?,00001073,00000000,?,?), ref: 002414B1

Part of subcall function 002413DE: GetWindowThreadProcessId.USER32(?,?), ref: 00241409
Part of subcall function 002413DE: OpenProcess.KERNEL32(00000438,00000000,?,?,?,0023925A,00000034,?,?,00001004,00000000,00000000), ref: 00241419
Part of subcall function 002413DE: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,0023925A,00000034,?,?,00001004,00000000,00000000), ref: 0024142F

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 002398AC
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 002398F9

Strings

@, xrefs: 00239911

Memory Dump Source

Source File: 00000000.00000002.2246549404.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2246531073.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.000000000026F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246673436.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246691233.00000000002A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_lExtvSjBgq.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: f7c8226bd0e90f7ac27c1cb3265251e9ada8bb6aa14410e38217c9da07407355
Instruction ID: 88a44cbe3791e3b249200f2e8b79c7b1510f39e78b555954c3c6c89c98b84fe9
Opcode Fuzzy Hash: f7c8226bd0e90f7ac27c1cb3265251e9ada8bb6aa14410e38217c9da07407355
Instruction Fuzzy Hash: D2415C7690021DAFCB14DFA4CD85ADEBBB8EB4A300F004099FA55B7191DA716E95CFA0

Function 00267946 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 110COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,0026F910,00000000,?,?,?,?), ref: 002679DF
GetWindowLongW.USER32 ref: 002679FC
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00267A0C

Strings

SysTreeView32, xrefs: 002679B1

Memory Dump Source

Source File: 00000000.00000002.2246549404.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2246531073.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.000000000026F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246673436.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246691233.00000000002A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_lExtvSjBgq.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: 353856120f4b920c65da5531d1ccffb51c5b025163fe43fcfa5f3f6db4565708
Instruction ID: 4f20d2a33532b78d43f123e840ed01fd65eed6781560db04b57621424fadc056
Opcode Fuzzy Hash: 353856120f4b920c65da5531d1ccffb51c5b025163fe43fcfa5f3f6db4565708
Instruction Fuzzy Hash: 1331D231215606ABDF118E78EC45BEA77A9FB05328F244725F975A22E0D730EDA08B50

Function 00267A71 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 97windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001132,00000000,?), ref: 00267B61
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00267B76

Strings

xM, xrefs: 00267B19
', xrefs: 00267ACA

Memory Dump Source

Source File: 00000000.00000002.2246549404.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2246531073.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.000000000026F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246673436.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246691233.00000000002A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_lExtvSjBgq.jbxd

Similarity

API ID: MessageSend
String ID: '$xM
API String ID: 3850602802-3752091257
Opcode ID: 91bead11aa22d881108d662946dfb795d98364b33418f8e2236b844200ae5445
Instruction ID: 7fbf742eac1795d4a5eb7dbb4cd6429f05502a27d42ef2fd449a9f17057c9923
Opcode Fuzzy Hash: 91bead11aa22d881108d662946dfb795d98364b33418f8e2236b844200ae5445
Instruction Fuzzy Hash: 65410A74A1520A9FDB14CFA4D981BDABBB5FB09304F10016AE904AB391D770A991CF90

Function 002673D9 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00267461
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00267475
SendMessageW.USER32(?,00001002,00000000,?), ref: 00267499

Strings

SysMonthCal32, xrefs: 0026742C

Memory Dump Source

Source File: 00000000.00000002.2246549404.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2246531073.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.000000000026F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246673436.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246691233.00000000002A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_lExtvSjBgq.jbxd

Similarity

API ID: MessageSend$Window
String ID: SysMonthCal32
API String ID: 2326795674-1439706946
Opcode ID: 8149c619001d3d73604981f1447615e4432b4157731cc7fc8f4d096386768c1b
Instruction ID: 34db7f2e566a52eed87f460fa17ebb19285a4e1f14bc869194a56224ed5eadd1
Opcode Fuzzy Hash: 8149c619001d3d73604981f1447615e4432b4157731cc7fc8f4d096386768c1b
Instruction Fuzzy Hash: 4721A032510219BBDF118F54DC4AFEA3B79EB48724F110114FA156B190DAB5A8A0CBA0

Function 00266CB0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00266D3B
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00266D4B
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00266D70

Strings

Listbox, xrefs: 00266D08

Memory Dump Source

Source File: 00000000.00000002.2246549404.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2246531073.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.000000000026F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246673436.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246691233.00000000002A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_lExtvSjBgq.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: 87adbf5ab19afa9045a542f50b8d268f5d942a2dc05ac5b6fb97b35995fbdd8a
Instruction ID: f42e7726ea1803412feba96797facf15ed2d133b674fd8801c71be829b7c1c0a
Opcode Fuzzy Hash: 87adbf5ab19afa9045a542f50b8d268f5d942a2dc05ac5b6fb97b35995fbdd8a
Instruction Fuzzy Hash: 5F219532620119BFDF118F54DC49EAB3B7AEF89750F118125F9559B1A0CA719CA1CBA0

Function 002539E9 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 84COMMON

Download Yara Rule

APIs

__snwprintf.LIBCMT ref: 00253A66

Part of subcall function 001E7DE1: _memmove.LIBCMT ref: 001E7E22

Strings

%', xrefs: 002539F4
, $, xrefs: 00253AA6
AUTOITCALLVARIABLE%d, xrefs: 00253A58

Memory Dump Source

Source File: 00000000.00000002.2246549404.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2246531073.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.000000000026F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246673436.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246691233.00000000002A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_lExtvSjBgq.jbxd

Similarity

API ID: __snwprintf_memmove
String ID: , $$AUTOITCALLVARIABLE%d$%'
API String ID: 3506404897-1973242307
Opcode ID: 52108caba54e3a713ccd8fbca33a6bd6519cbf608afd6a4acbcf325e09c0935c
Instruction ID: df1e5155d3d83ea2dc75d315e01797d0934235233b3fdcb33de9b56195d3b163
Opcode Fuzzy Hash: 52108caba54e3a713ccd8fbca33a6bd6519cbf608afd6a4acbcf325e09c0935c
Instruction Fuzzy Hash: DE21D030620219AFCF10EF64CC82EAE77B9FF55340F100454F949AB282DB30EA65CB65

Function 0026770E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 66windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00267772
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00267787
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00267794

Strings

msctls_trackbar32, xrefs: 00267749

Memory Dump Source

Source File: 00000000.00000002.2246549404.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2246531073.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.000000000026F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246673436.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246691233.00000000002A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_lExtvSjBgq.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: 5a4ac5e9eeba6aa1b92c2a8724cf2c957f952fbb770b1db6e00e8a83c3f70fc0
Instruction ID: 4228d8e1572d869279738c1fc1d9de4020a0a50ccc0a1d89da8251220e869ab0
Opcode Fuzzy Hash: 5a4ac5e9eeba6aa1b92c2a8724cf2c957f952fbb770b1db6e00e8a83c3f70fc0
Instruction Fuzzy Hash: 69113A72214209BFEF115F65DC05FDB776CEF89B68F114118F641A2090C672E8A1CB20

Function 00206B71 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 45COMMON

Download Yara Rule

APIs

__calloc_crt.LIBCMT ref: 00206B93
__calloc_crt.LIBCMT ref: 00206BAC

Strings

), xrefs: 00206BD1
@B*, xrefs: 00206BC3

Memory Dump Source

Source File: 00000000.00000002.2246549404.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2246531073.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.000000000026F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246673436.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246691233.00000000002A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_lExtvSjBgq.jbxd

Similarity

API ID: __calloc_crt
String ID: )$@B*
API String ID: 3494438863-3297673903
Opcode ID: cf483ad34bef0acab853d330209692ea67653af00dd4d9f0c00652d697c827ca
Instruction ID: 14d7fda150d1d6954b742439ff5b2758617a5b326954a01e4f93346add2a9fd5
Opcode Fuzzy Hash: cf483ad34bef0acab853d330209692ea67653af00dd4d9f0c00652d697c827ca
Instruction Fuzzy Hash: 45F0C8B52247228BFB24DF58BC59BA377A5E701334B100016E500EE1D2EF70887186C4

Function 0026ACCF Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 45windowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,002A57B0,0026D809,000000FC,?,00000000,00000000,?,?,?,0021B969,?,?,?,?,?), ref: 0026ACD1
GetFocus.USER32 ref: 0026ACD9

Part of subcall function 001E2612: GetWindowLongW.USER32(?,000000EB), ref: 001E2623

Part of subcall function 001E25DB: GetWindowLongW.USER32(?,000000EB), ref: 001E25EC

SendMessageW.USER32(00EDE900,000000B0,000001BC,000001C0), ref: 0026AD4B

Strings

xM, xrefs: 0026AD12, 0026AD23

Memory Dump Source

Source File: 00000000.00000002.2246549404.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2246531073.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.000000000026F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246673436.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246691233.00000000002A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_lExtvSjBgq.jbxd

Similarity

API ID: Window$Long$FocusForegroundMessageSend
String ID: xM
API String ID: 3601265619-315438632
Opcode ID: d6605b7952bbf7a83aa6263f63056367ed0e50e96877d1454296decfbc286fcd
Instruction ID: e2485e3ed97cc4b5d4a6b9142844f562ab17da31b507daa6c282a8905fd172fd
Opcode Fuzzy Hash: d6605b7952bbf7a83aa6263f63056367ed0e50e96877d1454296decfbc286fcd
Instruction Fuzzy Hash: CB0196312005108FC7149F28E898A6677E9FF8A321F184279F425972B1CB31AC96CF51

Function 00221935 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 21COMMON

Download Yara Rule

APIs

GetSystemDirectoryW.KERNEL32(?), ref: 00221775

Part of subcall function 0025BFF0: LoadLibraryA.KERNEL32(kernel32.dll,?,0022195E,?), ref: 0025BFFE
Part of subcall function 0025BFF0: GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 0025C010

FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000104), ref: 0022196D

Strings

WIN_XPe, xrefs: 00221788
r, xrefs: 00221935

Memory Dump Source

Source File: 00000000.00000002.2246549404.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2246531073.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.000000000026F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246673436.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246691233.00000000002A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_lExtvSjBgq.jbxd

Similarity

API ID: Library$AddressDirectoryFreeLoadProcSystem
String ID: WIN_XPe$r
API String ID: 582185067-2007470913
Opcode ID: 2583f582f47e9d3890a027267d38bbf79d925ad7339f11d2bf57676bfa950655
Instruction ID: 9cf91314180c56597c0d1f5c1e1b258e874ffbc4df6ca7563d2d018033a26fc6
Opcode Fuzzy Hash: 2583f582f47e9d3890a027267d38bbf79d925ad7339f11d2bf57676bfa950655
Instruction Fuzzy Hash: 32F0C970824159EFDB25DFA5EA88EECBBF8AF58301F540095E102A2190D7B14FA5DF60

Function 00209B79 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 20COMMON

Download Yara Rule

APIs

__lock.LIBCMT ref: 00209B94

Part of subcall function 00209C0B: __mtinitlocknum.LIBCMT ref: 00209C1D
Part of subcall function 00209C0B: EnterCriticalSection.KERNEL32(00000000,?,00209A7C,0000000D), ref: 00209C36

__updatetlocinfoEx_nolock.LIBCMT ref: 00209BA4

Part of subcall function 00209100: ___addlocaleref.LIBCMT ref: 0020911C
Part of subcall function 00209100: ___removelocaleref.LIBCMT ref: 00209127
Part of subcall function 00209100: ___freetlocinfo.LIBCMT ref: 0020913B

Strings

8), xrefs: 00209B85
8), xrefs: 00209B8A, 00209B9F, 00209BAB

Memory Dump Source

Source File: 00000000.00000002.2246549404.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2246531073.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.000000000026F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246673436.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246691233.00000000002A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_lExtvSjBgq.jbxd

Similarity

API ID: CriticalEnterEx_nolockSection___addlocaleref___freetlocinfo___removelocaleref__lock__mtinitlocknum__updatetlocinfo
String ID: 8)$8)
API String ID: 547918592-3781683585
Opcode ID: df8d5af35bdf188feeca885cdc2eaa8959d2efb858a1cbd05078ecb533ae7a54
Instruction ID: 2c839a1e80ff3a5b7efbce7c9174f20ab2024f8f232026e6cace2aa4706daeac
Opcode Fuzzy Hash: df8d5af35bdf188feeca885cdc2eaa8959d2efb858a1cbd05078ecb533ae7a54
Instruction Fuzzy Hash: 2AE08C71963305AAEF10FBA46917B097660AB41B39F21215BF09A651C3CDB008A08E57

Function 001E4C03 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,001E4BD0,?,001E4DEF,?,002A52F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 001E4C11
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 001E4C23

Strings

Wow64DisableWow64FsRedirection, xrefs: 001E4C1D
kernel32.dll, xrefs: 001E4C0C

Memory Dump Source

Source File: 00000000.00000002.2246549404.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2246531073.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.000000000026F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246673436.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246691233.00000000002A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_lExtvSjBgq.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 2574300362-3689287502
Opcode ID: df3660e564cf1ef891dda20637763bd4673d131dbb34e1b0201401537c46c378
Instruction ID: 633d6fc8bb14e54528ffceef88a51e3576769ee76815866bef4da88890da9aae
Opcode Fuzzy Hash: df3660e564cf1ef891dda20637763bd4673d131dbb34e1b0201401537c46c378
Instruction Fuzzy Hash: 64D01230511B13CFDB209F71EA0860AB6D5EF0A795B11CC79E489D7150E7B0D480C750

Function 001E4C36 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,001E4B83,?), ref: 001E4C44
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 001E4C56

Strings

kernel32.dll, xrefs: 001E4C3F
Wow64RevertWow64FsRedirection, xrefs: 001E4C50

Memory Dump Source

Source File: 00000000.00000002.2246549404.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2246531073.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.000000000026F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246673436.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246691233.00000000002A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_lExtvSjBgq.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 2574300362-1355242751
Opcode ID: 6a16e5b8919c336fb409e6bcc7aba4bf7b7526953702204ec2463553ca9b9e4f
Instruction ID: afabad6a32db31f642bac3d519c1d9908aa798a0c6211254bcb8a3026b99d20d
Opcode Fuzzy Hash: 6a16e5b8919c336fb409e6bcc7aba4bf7b7526953702204ec2463553ca9b9e4f
Instruction Fuzzy Hash: 53D01230510B13CFDB209F32EA0861A76D4AF0A395B21C879D499D7160E7B4D480C650

Function 00260DE7 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(advapi32.dll,?,00261039), ref: 00260DF5
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00260E07

Strings

RegDeleteKeyExW, xrefs: 00260E01
advapi32.dll, xrefs: 00260DF0

Memory Dump Source

Source File: 00000000.00000002.2246549404.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2246531073.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.000000000026F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246673436.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246691233.00000000002A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_lExtvSjBgq.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2574300362-4033151799
Opcode ID: 95f53ff41484df31ab12a0f5adf2eaeafe13795d18a64a93925887d1c2fed3ac
Instruction ID: de6784d70b489de2df8f8e106ed93fafebf84e01fc4774971aaf4596afac4133
Opcode Fuzzy Hash: 95f53ff41484df31ab12a0f5adf2eaeafe13795d18a64a93925887d1c2fed3ac
Instruction Fuzzy Hash: 1AD01270520723CFDB205F75E94864776D5AF06391F51CC7DD485D2150D6B1D8F0C650

Function 002590E0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,00000001,00258CF4,?,0026F910), ref: 002590EE
GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 00259100

Strings

GetModuleHandleExW, xrefs: 002590FA
kernel32.dll, xrefs: 002590E9

Memory Dump Source

Source File: 00000000.00000002.2246549404.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2246531073.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.000000000026F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246673436.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246691233.00000000002A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_lExtvSjBgq.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetModuleHandleExW$kernel32.dll
API String ID: 2574300362-199464113
Opcode ID: c5e2324896bec82fb940740aa145ae86fb03f08b5cad6125f4a17405dac65ef9
Instruction ID: 67842f0ead2a0d47e58b7193dc788cdeadfd16b4cacbfb43fb12f63b21d6244c
Opcode Fuzzy Hash: c5e2324896bec82fb940740aa145ae86fb03f08b5cad6125f4a17405dac65ef9
Instruction Fuzzy Hash: 3ED01234520723CFDF209F31E91C51676D4AF06396B15C879D88AD6550E7B0C4D0C650

Function 00221714 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00221718
__swprintf.LIBCMT ref: 00221749

Strings

WIN_XPe, xrefs: 00221788
%.3d, xrefs: 00221723

Memory Dump Source

Source File: 00000000.00000002.2246549404.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2246531073.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.000000000026F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246673436.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246691233.00000000002A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_lExtvSjBgq.jbxd

Similarity

API ID: LocalTime__swprintf
String ID: %.3d$WIN_XPe
API String ID: 2070861257-2409531811
Opcode ID: 184820abac9ed23a1ba70e8a4f9a67ac3b97c8ff722c8418c379afb2d401ad3c
Instruction ID: c0ac98734c9a6c9850a88758a88156dbeaad06eb6e8e266912a14cc71a0f0253
Opcode Fuzzy Hash: 184820abac9ed23a1ba70e8a4f9a67ac3b97c8ff722c8418c379afb2d401ad3c
Instruction Fuzzy Hash: BDD01271834128FACB1497D0BC99CFDB37CAB69311F500462F406A2040E3A187B5EA25

Function 0023717D Relevance: 6.3, APIs: 4, Instructions: 333COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2246549404.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2246531073.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.000000000026F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246673436.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246691233.00000000002A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_lExtvSjBgq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8b780ac40e86903273324d7acc57d64097215a74aa19d0ced47169040427a10
Instruction ID: 4d26bfb291c48a6b6e07bfb6dda4b4e0434937d870891eed1e2f2ac3731be1a0
Opcode Fuzzy Hash: d8b780ac40e86903273324d7acc57d64097215a74aa19d0ced47169040427a10
Instruction Fuzzy Hash: 56C16BB4A14216EFCF24CFA4C884AAEBBB5FF48704F148598E905EB251D730ED91DB90

Function 0025E02A Relevance: 6.3, APIs: 4, Instructions: 307memoryCOMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 0025E0BE
CharLowerBuffW.USER32(?,?), ref: 0025E101

Part of subcall function 0025D7A5: CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 0025D7C5

VirtualAlloc.KERNEL32(00000000,00000077,00003000,00000040), ref: 0025E301
_memmove.LIBCMT ref: 0025E314

Memory Dump Source

Source File: 00000000.00000002.2246549404.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2246531073.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.000000000026F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246673436.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246691233.00000000002A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_lExtvSjBgq.jbxd

Similarity

API ID: BuffCharLower$AllocVirtual_memmove
String ID:
API String ID: 3659485706-0
Opcode ID: cf4d02aad53ea8a3d8c54d911406255d8e937869152bb12e8dc3b8dfaecee5ea
Instruction ID: 55495bb383c393253d20abb8d1f13792dc2dcf076771a0a33378aaf43ceb3e3e
Opcode Fuzzy Hash: cf4d02aad53ea8a3d8c54d911406255d8e937869152bb12e8dc3b8dfaecee5ea
Instruction Fuzzy Hash: E3C169716187419FCB08DF28C480A6ABBE4FF89314F05896EF899DB351D730EA49CB85

Function 00258093 Relevance: 6.3, APIs: 4, Instructions: 267COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 002580C3
CoUninitialize.OLE32 ref: 002580CE

Part of subcall function 0023D56C: CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 0023D5D4

VariantInit.OLEAUT32(?), ref: 002580D9
VariantClear.OLEAUT32(?), ref: 002583AA

Memory Dump Source

Source File: 00000000.00000002.2246549404.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2246531073.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.000000000026F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246673436.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246691233.00000000002A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_lExtvSjBgq.jbxd

Similarity

API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
String ID:
API String ID: 780911581-0
Opcode ID: c3624006e03272c6ef30f71194d2ab06f431c64dc8aa9ac8507fd42bf820a5ac
Instruction ID: e69f25cb309bb551b4dc9e8e34f2eb95db9a76b1dca37efc626fb7cdb2a0c4cc
Opcode Fuzzy Hash: c3624006e03272c6ef30f71194d2ab06f431c64dc8aa9ac8507fd42bf820a5ac
Instruction Fuzzy Hash: F7A15975214B419FDB00DF15C481A2EB7E4BF99724F148458FD9AAB3A2CBB0ED14CB86

Function 0023687D Relevance: 6.2, APIs: 4, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 0023688E
SysAllocString.OLEAUT32(00000000), ref: 00236937
VariantCopy.OLEAUT32 ref: 00236966
VariantClear.OLEAUT32(?), ref: 0023698D

Memory Dump Source

Source File: 00000000.00000002.2246549404.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2246531073.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.000000000026F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246673436.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246691233.00000000002A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_lExtvSjBgq.jbxd

Similarity

API ID: Variant$AllocClearCopyInitString
String ID:
API String ID: 2808897238-0
Opcode ID: 9b914341571557d0928ac21c6309d31c6abee59d8750c74a95cdcce7d1d35e38
Instruction ID: 9d64dd17fd4b11909069dfae1dcb316ec6919de6eb759d84377db90f04df26db
Opcode Fuzzy Hash: 9b914341571557d0928ac21c6309d31c6abee59d8750c74a95cdcce7d1d35e38
Instruction Fuzzy Hash: 6151A4B4630702AADB24AF65D49DA2EF3EDAF44310F20C81FE596DB291DB70D8608B11

Function 00239A80 Relevance: 6.1, APIs: 4, Instructions: 129windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000110A,00000004,00000000), ref: 00239AD2
__itow.LIBCMT ref: 00239B03

Part of subcall function 00239D53: SendMessageW.USER32(?,0000113E,00000000,00000000), ref: 00239DBE

SendMessageW.USER32(?,0000110A,00000001,?), ref: 00239B6C
__itow.LIBCMT ref: 00239BC3

Memory Dump Source

Source File: 00000000.00000002.2246549404.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2246531073.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.000000000026F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246673436.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246691233.00000000002A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_lExtvSjBgq.jbxd

Similarity

API ID: MessageSend$__itow
String ID:
API String ID: 3379773720-0
Opcode ID: c0012d2cf0a28d11bc3fb156352741928a93b51dc4c70a7d0273943881f43300
Instruction ID: 17a947e1ce9bc5466db0bf4b3a97d26257d85e96fa51c4bb54edc9ea67832611
Opcode Fuzzy Hash: c0012d2cf0a28d11bc3fb156352741928a93b51dc4c70a7d0273943881f43300
Instruction Fuzzy Hash: F841E5B0A10349ABDF11EF55D845BFEBBBAEF45714F000019F905A7291DBB09D94CB61

Function 002569AA Relevance: 6.1, APIs: 4, Instructions: 127networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 002569D1
WSAGetLastError.WSOCK32(00000000), ref: 002569E1

Part of subcall function 001E9837: __itow.LIBCMT ref: 001E9862
Part of subcall function 001E9837: __swprintf.LIBCMT ref: 001E98AC

#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00256A45
WSAGetLastError.WSOCK32(00000000), ref: 00256A51

Memory Dump Source

Source File: 00000000.00000002.2246549404.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2246531073.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.000000000026F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246673436.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246691233.00000000002A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_lExtvSjBgq.jbxd

Similarity

API ID: ErrorLast$__itow__swprintfsocket
String ID:
API String ID: 2214342067-0
Opcode ID: 89b35a299db55499cb8894f4421c73adc403749048fb05f3e4c71d1969bf5611
Instruction ID: 65c2951b3379af0f0acafbbed03b27178f48df0f89a5a652f05975d714c926aa
Opcode Fuzzy Hash: 89b35a299db55499cb8894f4421c73adc403749048fb05f3e4c71d1969bf5611
Instruction Fuzzy Hash: 7C41C3757006046FEB60AF65DC8AF6D77A4AF54B10F44C028FA599F2D2DBB09D008751

Function 0025641A Relevance: 6.1, APIs: 4, Instructions: 116COMMON

Download Yara Rule

APIs

#16.WSOCK32(?,?,00000000,00000000,00000000,00000000,?,?,00000000,0026F910), ref: 002564A7
_strlen.LIBCMT ref: 002564D9

Memory Dump Source

Source File: 00000000.00000002.2246549404.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2246531073.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.000000000026F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246673436.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246691233.00000000002A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_lExtvSjBgq.jbxd

Similarity

API ID: _strlen
String ID:
API String ID: 4218353326-0
Opcode ID: 09da7327c312091057d6da554272e9ac38058e32e1eea42d925ffa21811ec13c
Instruction ID: b81ef0b5453e5d07fe5029072c68b0f8c2352c06e57e245ecd5ebc1da2bc5979
Opcode Fuzzy Hash: 09da7327c312091057d6da554272e9ac38058e32e1eea42d925ffa21811ec13c
Instruction Fuzzy Hash: 2541E631A10104AFCB14EBA5EC89FAEB7B9AF14310F948165FD1597292EB70AD14CB54

Function 0024B7F4 Relevance: 6.1, APIs: 4, Instructions: 111fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 0024B89E
GetLastError.KERNEL32(?,00000000), ref: 0024B8C4
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 0024B8E9
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 0024B915

Memory Dump Source

Source File: 00000000.00000002.2246549404.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2246531073.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.000000000026F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246673436.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246691233.00000000002A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_lExtvSjBgq.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: e1d10de68479116615f42a857dcbd5f3a89c6cb26c363a082f2c84025c18bb06
Instruction ID: 195027a610584fe80059e11da15d47c49261cd142baa4f457a5713f1b25963e7
Opcode Fuzzy Hash: e1d10de68479116615f42a857dcbd5f3a89c6cb26c363a082f2c84025c18bb06
Instruction Fuzzy Hash: 80411839600A55DFCB15EF15C584A5DBBE1AF9A310F098098ED4A9B372CB70FD01CB91

Function 002161C5 Relevance: 6.1, APIs: 4, Instructions: 97COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 002161FB
__isleadbyte_l.LIBCMT ref: 00216229
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 00216257
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 0021628D

Memory Dump Source

Source File: 00000000.00000002.2246549404.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2246531073.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.000000000026F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246673436.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246691233.00000000002A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_lExtvSjBgq.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: 214a183e2b9121d0dec579ad46415a725a270b72841be1a3a2e7d697bfdda75f
Instruction ID: f67140b2ab0bd94aee1a008cb4683a467438406a511ccadcd44f47988b67d18b
Opcode Fuzzy Hash: 214a183e2b9121d0dec579ad46415a725a270b72841be1a3a2e7d697bfdda75f
Instruction Fuzzy Hash: 7831CE30610246AFEF228F64CC48BFE7BE9BF52310F154029E864871A1E771E9A0DB90

Function 00264EEE Relevance: 6.1, APIs: 4, Instructions: 95COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 00264F02

Part of subcall function 00243641: GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0024365B
Part of subcall function 00243641: GetCurrentThreadId.KERNEL32 ref: 00243662
Part of subcall function 00243641: AttachThreadInput.USER32(00000000,?,00245005), ref: 00243669

GetCaretPos.USER32(?), ref: 00264F13
ClientToScreen.USER32(00000000,?), ref: 00264F4E
GetForegroundWindow.USER32 ref: 00264F54

Memory Dump Source

Source File: 00000000.00000002.2246549404.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2246531073.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.000000000026F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246673436.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246691233.00000000002A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_lExtvSjBgq.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: fc3c3fd6a5757e2c0fc34e67275571000207f790eae822dfcb38b474e1bfb5ad
Instruction ID: faa7bdff2feb9783b3e3cf693955bf80376126a65d3bea3f8cce3ccc62f90fa0
Opcode Fuzzy Hash: fc3c3fd6a5757e2c0fc34e67275571000207f790eae822dfcb38b474e1bfb5ad
Instruction Fuzzy Hash: DB312CB1D10148AFCB04EFA6D9859EFB7FDEF98300F10406AE415E7251DA719E458BA1

Function 00238656 Relevance: 6.1, APIs: 4, Instructions: 79memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 0023810A: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00238121
Part of subcall function 0023810A: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 0023812B
Part of subcall function 0023810A: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 0023813A
Part of subcall function 0023810A: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00238141
Part of subcall function 0023810A: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00238157

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 002386A3
_memcmp.LIBCMT ref: 002386C6
GetProcessHeap.KERNEL32(00000000,00000000), ref: 002386FC
HeapFree.KERNEL32(00000000), ref: 00238703

Memory Dump Source

Source File: 00000000.00000002.2246549404.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2246531073.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.000000000026F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246673436.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246691233.00000000002A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_lExtvSjBgq.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: 211b511acbec9d0dc7da1b66cd4d43003f8c2a0e5b52749dde3c1bf830606f26
Instruction ID: 0bdbe817dbba3f5082bf686470443f95eff8a2a36e8370ac2c190ebb8f426829
Opcode Fuzzy Hash: 211b511acbec9d0dc7da1b66cd4d43003f8c2a0e5b52749dde3c1bf830606f26
Instruction Fuzzy Hash: D4218EB1E10209EFDB10DFA4DA59BEEB7B8EF45304F158059E444AB241DB70AE15CF50

Function 0020098C Relevance: 6.1, APIs: 4, Instructions: 79COMMON

Download Yara Rule

APIs

__setmode.LIBCMT ref: 002009AE

Part of subcall function 001E5A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00247896,?,?,00000000), ref: 001E5A2C
Part of subcall function 001E5A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00247896,?,?,00000000,?,?), ref: 001E5A50

_fprintf.LIBCMT ref: 002009E5
OutputDebugStringW.KERNEL32(?), ref: 00235DBB

Part of subcall function 00204AAA: _flsall.LIBCMT ref: 00204AC3

__setmode.LIBCMT ref: 00200A1A

Memory Dump Source

Source File: 00000000.00000002.2246549404.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2246531073.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.000000000026F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246673436.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246691233.00000000002A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_lExtvSjBgq.jbxd

Similarity

API ID: ByteCharMultiWide__setmode$DebugOutputString_flsall_fprintf
String ID:
API String ID: 521402451-0
Opcode ID: b6f11946e4f3fa850065e0c600011512d4f730dfd085134b4d320d40af3b248c
Instruction ID: 0b8fbe6445012c0896471965d28bb781612a877a06884293f41024dae593d0b5
Opcode Fuzzy Hash: b6f11946e4f3fa850065e0c600011512d4f730dfd085134b4d320d40af3b248c
Instruction Fuzzy Hash: 8D1127B1A247486FDB04B6B5AC869BE77A99F55320F208015F205571D3EF6048629BA1

Function 00251767 Relevance: 6.1, APIs: 4, Instructions: 78networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 002517A3

Part of subcall function 0025182D: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0025184C
Part of subcall function 0025182D: InternetCloseHandle.WININET(00000000), ref: 002518E9

Memory Dump Source

Source File: 00000000.00000002.2246549404.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2246531073.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.000000000026F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246673436.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246691233.00000000002A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_lExtvSjBgq.jbxd

Similarity

API ID: Internet$CloseConnectHandleOpen
String ID:
API String ID: 1463438336-0
Opcode ID: e854caa33cf05ab89ed2eb51dae059ea7cecc72b616b0d104dfec5119bc5278c
Instruction ID: 887cf25374664fc8321618f18841ae85ab1e84293e2a33b806503e35b1907644
Opcode Fuzzy Hash: e854caa33cf05ab89ed2eb51dae059ea7cecc72b616b0d104dfec5119bc5278c
Instruction Fuzzy Hash: 5C21F935210601BFEB265F60DC04F7AB7E9FF48712F104029FD1196550D771D8389B94

Function 00243A2A Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,0026FAC0), ref: 00243A64
GetLastError.KERNEL32 ref: 00243A73
CreateDirectoryW.KERNEL32(?,00000000), ref: 00243A82
CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,0026FAC0), ref: 00243ADF

Memory Dump Source

Source File: 00000000.00000002.2246549404.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2246531073.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.000000000026F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246673436.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246691233.00000000002A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_lExtvSjBgq.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast
String ID:
API String ID: 2267087916-0
Opcode ID: 665425e25e02eb98be3252c66bbf997ff02849b32724693abd3a0ba9de9b0119
Instruction ID: 65512137b16783ac34b822a3b55fe2e2ebe062a4b289a7835e2f009dc90b8366
Opcode Fuzzy Hash: 665425e25e02eb98be3252c66bbf997ff02849b32724693abd3a0ba9de9b0119
Instruction Fuzzy Hash: 3F21F3701582028F8704DF28D8858AE77E8FE15328F104A2DF4D9C72E1D730DE55CB82

Function 002150E2 Relevance: 6.1, APIs: 4, Instructions: 67COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00215101

Part of subcall function 0020571C: __FF_MSGBANNER.LIBCMT ref: 00205733
Part of subcall function 0020571C: __NMSG_WRITE.LIBCMT ref: 0020573A
Part of subcall function 0020571C: RtlAllocateHeap.NTDLL(00EC0000,00000000,00000001,00000000,?,?,?,00200DD3,?), ref: 0020575F

Memory Dump Source

Source File: 00000000.00000002.2246549404.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2246531073.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.000000000026F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246673436.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246691233.00000000002A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_lExtvSjBgq.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 89ab504231f7c225cc47cdd800868a5d70cff3e72cb781d5599ee66fb79ba7a5
Instruction ID: 71a57912fca2da69bb5aa7cd43712cda1d6433e8c5ccb256624a2bcbdeb810a6
Opcode Fuzzy Hash: 89ab504231f7c225cc47cdd800868a5d70cff3e72cb781d5599ee66fb79ba7a5
Instruction Fuzzy Hash: F811E771530B22FFCF222F74BC4979E37D86F65361B1045A9F948D6292DE708CB08A90

Function 00256369 Relevance: 6.1, APIs: 4, Instructions: 61networkCOMMON

Download Yara Rule

APIs

Part of subcall function 001E5A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00247896,?,?,00000000), ref: 001E5A2C
Part of subcall function 001E5A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00247896,?,?,00000000,?,?), ref: 001E5A50

gethostbyname.WSOCK32(?,?,?), ref: 00256399
WSAGetLastError.WSOCK32(00000000), ref: 002563A4
_memmove.LIBCMT ref: 002563D1
inet_ntoa.WSOCK32(?), ref: 002563DC

Memory Dump Source

Source File: 00000000.00000002.2246549404.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2246531073.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.000000000026F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246673436.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246691233.00000000002A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_lExtvSjBgq.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast_memmovegethostbynameinet_ntoa
String ID:
API String ID: 1504782959-0
Opcode ID: b12e14740a44eabc36c00a80eb5811c2b982e2f2ad335e2bfed55131bca11f60
Instruction ID: e10958e80d28e37506cfb67d2cca12d30c8edb27988daad2a37adb27c24144fa
Opcode Fuzzy Hash: b12e14740a44eabc36c00a80eb5811c2b982e2f2ad335e2bfed55131bca11f60
Instruction Fuzzy Hash: E511B231510509AFCF00FFA5EE8ACEEB7B9AF58314B444075F906A7162DB30AE14CB61

Function 00238B41 Relevance: 6.1, APIs: 4, Instructions: 59windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 00238B61
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00238B73
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00238B89
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00238BA4

Memory Dump Source

Source File: 00000000.00000002.2246549404.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2246531073.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.000000000026F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246673436.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246691233.00000000002A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_lExtvSjBgq.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: e0fa544f84f987a806a279efb659b27e9b5f4ca706bf99eb04a31c44bc6ac033
Instruction ID: c66467b6b934bb72408f14116d99d7689a817150b53726edd31904f6f1401a69
Opcode Fuzzy Hash: e0fa544f84f987a806a279efb659b27e9b5f4ca706bf99eb04a31c44bc6ac033
Instruction Fuzzy Hash: 4C113AB9900219BFDB11DF95C884E9DFB79EB48310F204095EA00BB250DA716E11DB94

Function 001E1290 Relevance: 6.1, APIs: 4, Instructions: 59COMMON

Download Yara Rule

APIs

Part of subcall function 001E2612: GetWindowLongW.USER32(?,000000EB), ref: 001E2623

DefDlgProcW.USER32(?,00000020,?), ref: 001E12D8
GetClientRect.USER32(?,?), ref: 0021B5FB
GetCursorPos.USER32(?), ref: 0021B605
ScreenToClient.USER32(?,?), ref: 0021B610

Memory Dump Source

Source File: 00000000.00000002.2246549404.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2246531073.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.000000000026F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246673436.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246691233.00000000002A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_lExtvSjBgq.jbxd

Similarity

API ID: Client$CursorLongProcRectScreenWindow
String ID:
API String ID: 4127811313-0
Opcode ID: 6769049f15347c296852a5d948e7998d8fd91158cbd74e049a51505bd609b80d
Instruction ID: d8bb4752c9c9a7b225809f75317a4f60dd2784dad171098bf9d294b3d402ed4a
Opcode Fuzzy Hash: 6769049f15347c296852a5d948e7998d8fd91158cbd74e049a51505bd609b80d
Instruction Fuzzy Hash: 5E11283590085ABFCF04DFA9ED899EE77B8FB05300F604455FA12E7140C770AA518BA5

Function 0023D831 Relevance: 6.0, APIs: 4, Instructions: 50registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000,00000000), ref: 0023D84D
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 0023D864
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 0023D879
RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 0023D897

Memory Dump Source

Source File: 00000000.00000002.2246549404.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2246531073.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.000000000026F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246673436.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246691233.00000000002A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_lExtvSjBgq.jbxd

Similarity

API ID: Type$Register$FileLoadModuleNameUser
String ID:
API String ID: 1352324309-0
Opcode ID: 774c2c458a0f97b11d42e9e344a1b78ab4c012ef17f32183a8aa6f0b8db7e23e
Instruction ID: 97220e366ac1ad75dd6f8d60410f4bff2682117f7f225f2db3b5c5da8b8466cb
Opcode Fuzzy Hash: 774c2c458a0f97b11d42e9e344a1b78ab4c012ef17f32183a8aa6f0b8db7e23e
Instruction Fuzzy Hash: A3113CB5A16304DBE7208F51FD48F92BBA8EB00B00F108969A616D7450D7F0F55A9BA1

Function 00216FB7 Relevance: 6.0, APIs: 4, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 00216FDB

Part of subcall function 002176C2: __fltout2.LIBCMT ref: 002176EB

__cftog_l.LIBCMT ref: 00217001
__cftoe_l.LIBCMT ref: 00217033

Memory Dump Source

Source File: 00000000.00000002.2246549404.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2246531073.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.000000000026F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246673436.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246691233.00000000002A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_lExtvSjBgq.jbxd

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction ID: a8240d36ddcbc143c28cd159fe444649e8eabc9e0bb76679df1090ff278b2869
Opcode Fuzzy Hash: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction Fuzzy Hash: CC014B7646824ABFCF165E84CC05CEE3FB6BB6C390F598415FE1858031D236CAB1AB81

Function 0026B2C5 Relevance: 6.0, APIs: 4, Instructions: 47COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 0026B2E4
ScreenToClient.USER32(?,?), ref: 0026B2FC
ScreenToClient.USER32(?,?), ref: 0026B320
InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 0026B33B

Memory Dump Source

Source File: 00000000.00000002.2246549404.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2246531073.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.000000000026F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246673436.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246691233.00000000002A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_lExtvSjBgq.jbxd

Similarity

API ID: ClientRectScreen$InvalidateWindow
String ID:
API String ID: 357397906-0
Opcode ID: a1a68e273ea85df54cb787cc01166e7c8d8b78c8b0795a518cabd6ca0f380103
Instruction ID: bb99a398531fffc2210d596b17cd3b5634d293219e97b1fde2e5b9b7300b33c9
Opcode Fuzzy Hash: a1a68e273ea85df54cb787cc01166e7c8d8b78c8b0795a518cabd6ca0f380103
Instruction Fuzzy Hash: 58114675D0020AEFDB41CF99D5449EEBBB9FB08310F108166E924E3220D775AA658F50

Function 00246BDA Relevance: 6.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?), ref: 00246BE6

Part of subcall function 002476C4: _memset.LIBCMT ref: 002476F9

_memmove.LIBCMT ref: 00246C09
_memset.LIBCMT ref: 00246C16
LeaveCriticalSection.KERNEL32(?), ref: 00246C26

Memory Dump Source

Source File: 00000000.00000002.2246549404.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2246531073.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.000000000026F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246673436.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246691233.00000000002A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_lExtvSjBgq.jbxd

Similarity

API ID: CriticalSection_memset$EnterLeave_memmove
String ID:
API String ID: 48991266-0
Opcode ID: e144e398c3176b3e646db10a7adbd56902d121db334943ff58250b8b3fe53bdd
Instruction ID: e1d81e586c51d60ac7960d4f5ccfb56318062cf9dd42ac1a6a1015889f4a728c
Opcode Fuzzy Hash: e144e398c3176b3e646db10a7adbd56902d121db334943ff58250b8b3fe53bdd
Instruction Fuzzy Hash: 1CF0543A100200ABCF456F55EC89A4ABB29EF45320F14C061FE085E267C771E821CFB4

Function 001E2218 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 001E2231
SetTextColor.GDI32(?,000000FF), ref: 001E223B
SetBkMode.GDI32(?,00000001), ref: 001E2250
GetStockObject.GDI32(00000005), ref: 001E2258
GetWindowDC.USER32(?,00000000), ref: 0021BE83
GetPixel.GDI32(00000000,00000000,00000000), ref: 0021BE90
GetPixel.GDI32(00000000,?,00000000), ref: 0021BEA9
GetPixel.GDI32(00000000,00000000,?), ref: 0021BEC2
GetPixel.GDI32(00000000,?,?), ref: 0021BEE2
ReleaseDC.USER32(?,00000000), ref: 0021BEED

Memory Dump Source

Source File: 00000000.00000002.2246549404.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2246531073.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.000000000026F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246673436.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246691233.00000000002A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_lExtvSjBgq.jbxd

Similarity

API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
String ID:
API String ID: 1946975507-0
Opcode ID: 47eb7908ba5392bbe1540974c7e35bf519b3b621a1080250db3f9341a54b4c33
Instruction ID: 02dd10e14e4cd6d438c6de2f5e6e28ad61538d61c2fa57fe59c05bbb7cfa92a6
Opcode Fuzzy Hash: 47eb7908ba5392bbe1540974c7e35bf519b3b621a1080250db3f9341a54b4c33
Instruction Fuzzy Hash: 8BE03932504245AADF615F64FD4D7D83B21EB16336F00C3A6FA69880E187B14990DB12

Function 00238712 Relevance: 6.0, APIs: 4, Instructions: 23threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 0023871B
OpenThreadToken.ADVAPI32(00000000,?,?,?,002382E6), ref: 00238722
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,002382E6), ref: 0023872F
OpenProcessToken.ADVAPI32(00000000,?,?,?,002382E6), ref: 00238736

Memory Dump Source

Source File: 00000000.00000002.2246549404.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2246531073.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.000000000026F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246673436.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246691233.00000000002A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_lExtvSjBgq.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: d5a53852a203e3e416d143685d7f7d49c8ac9340391ed72e1b571e9e429d7a05
Instruction ID: fe55d9c10d272e1668b49388e29843712d26ccbf34288d031b894cf524f9bf07
Opcode Fuzzy Hash: d5a53852a203e3e416d143685d7f7d49c8ac9340391ed72e1b571e9e429d7a05
Instruction Fuzzy Hash: C4E08677B29312ABDBA05FB07E0CB567BACEF50791F14C828F645CA040DA748451CB50

Function 001E6240 Relevance: 5.6, APIs: 2, Strings: 1, Instructions: 317COMMON

Download Yara Rule

Strings

%', xrefs: 001E624E

Memory Dump Source

Source File: 00000000.00000002.2246549404.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2246531073.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.000000000026F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246673436.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246691233.00000000002A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_lExtvSjBgq.jbxd

Similarity

API ID:
String ID: %'
API String ID: 0-2848518416
Opcode ID: c4c043ee26872f7163a0c987a5f5bc4d4dfa5931b50db0b0b1cdb6d6ea96436d
Instruction ID: e0922479eb238144e90f47eeb848006eb64f3b61fb7cb3e171fbd355fb785318
Opcode Fuzzy Hash: c4c043ee26872f7163a0c987a5f5bc4d4dfa5931b50db0b0b1cdb6d6ea96436d
Instruction Fuzzy Hash: F1B1A071C0098ADBCF14EF96C8859FEBBB5FF64390F944026E916A7191DB309E81CB91

Function 0025AEA2 Relevance: 5.6, APIs: 1, Strings: 2, Instructions: 313COMMON

Download Yara Rule

APIs

__itow_s.LIBCMT ref: 0025AFAE

Strings

xb*, xrefs: 0025AFE4
xb*, xrefs: 0025B010

Memory Dump Source

Source File: 00000000.00000002.2246549404.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2246531073.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.000000000026F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246673436.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246691233.00000000002A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_lExtvSjBgq.jbxd

Similarity

API ID: __itow_s
String ID: xb*$xb*
API String ID: 3653519197-1969494452
Opcode ID: 05ba425578c71256fc09de4dd1cb46896873a3c563d23ca8e359cb9ea39d26c8
Instruction ID: a1677dffae188ee67823cc378af17e00a71b2e1b6a4accd1d568d9970445961b
Opcode Fuzzy Hash: 05ba425578c71256fc09de4dd1cb46896873a3c563d23ca8e359cb9ea39d26c8
Instruction Fuzzy Hash: 9AB1CD70A1020AEFCB14DF54C895EAEBBB9FF59301F148059FD099B291EB70D994CBA4

Function 0024AFAC Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 201shareCOMMON

Download Yara Rule

APIs

Part of subcall function 001FFC86: _wcscpy.LIBCMT ref: 001FFCA9

Part of subcall function 001E9837: __itow.LIBCMT ref: 001E9862
Part of subcall function 001E9837: __swprintf.LIBCMT ref: 001E98AC

__wcsnicmp.LIBCMT ref: 0024B02D
WNetUseConnectionW.MPR(00000000,?,?,00000000,?,?,00000100,?), ref: 0024B0F6

Strings

LPT, xrefs: 0024B027

Memory Dump Source

Source File: 00000000.00000002.2246549404.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2246531073.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.000000000026F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246673436.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246691233.00000000002A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_lExtvSjBgq.jbxd

Similarity

API ID: Connection__itow__swprintf__wcsnicmp_wcscpy
String ID: LPT
API String ID: 3222508074-1350329615
Opcode ID: d08b01ce6f13455262c29fa43d85339939b8886146e96de99d615eb7edfacf9f
Instruction ID: 643d384eb6a0f1ca2c064613e8543110b4fbf1a6ff71cc10de6e2d72684bd42f
Opcode Fuzzy Hash: d08b01ce6f13455262c29fa43d85339939b8886146e96de99d615eb7edfacf9f
Instruction Fuzzy Hash: 8F61B075A20219AFCB19DF94C891EAEB7B4EF18710F104069F95AAB3A1D770EE50CB50

Function 001F2957 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 001F2968
GlobalMemoryStatusEx.KERNEL32(?), ref: 001F2981

Strings

@, xrefs: 001F2975

Memory Dump Source

Source File: 00000000.00000002.2246549404.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2246531073.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.000000000026F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246673436.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246691233.00000000002A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_lExtvSjBgq.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: dab0a166cce53ad373f4c59e07c9a54638600a8d37f5c5c82927232b05728e24
Instruction ID: 7bbbbd54e9aa60bebb1cb595e251b986f3fda943a6fab5587479489223a667f9
Opcode Fuzzy Hash: dab0a166cce53ad373f4c59e07c9a54638600a8d37f5c5c82927232b05728e24
Instruction Fuzzy Hash: 94514971408B889BD320EF11D886BAFBBE8FF95344F42885DF2D8410A1DB708529CB56

Function 00249734 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 001E4F0B: __fread_nolock.LIBCMT ref: 001E4F29

_wcscmp.LIBCMT ref: 00249824
_wcscmp.LIBCMT ref: 00249837

Strings

FILE, xrefs: 00249770

Memory Dump Source

Source File: 00000000.00000002.2246549404.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2246531073.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.000000000026F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246673436.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246691233.00000000002A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_lExtvSjBgq.jbxd

Similarity

API ID: _wcscmp$__fread_nolock
String ID: FILE
API String ID: 4029003684-3121273764
Opcode ID: edb1a74c7fbcc3a6ae1f81a8ccf1a13ccfad098379a6f9ae5b4568f5ca48953b
Instruction ID: 0e6b47f38deef047fd2e8464afdd0f14ec2ecfa11f1ee3df8b64ce52a9956208
Opcode Fuzzy Hash: edb1a74c7fbcc3a6ae1f81a8ccf1a13ccfad098379a6f9ae5b4568f5ca48953b
Instruction Fuzzy Hash: 0041A271A1021ABBDF249EA5CC45FEFBBBDEF86710F000469F904B7181DB71AA548B61

Function 00220574 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 115COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 0022057F

Strings

Dd*, xrefs: 001EA317
Dd*, xrefs: 001EA151

Memory Dump Source

Source File: 00000000.00000002.2246549404.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2246531073.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.000000000026F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246673436.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246691233.00000000002A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_lExtvSjBgq.jbxd

Similarity

API ID: ClearVariant
String ID: Dd*$Dd*
API String ID: 1473721057-3084226301
Opcode ID: 586781717a3f27afdabbf039ff5ca9d2c4d5522e83c1febceeb1094c4d6dd6d6
Instruction ID: a4cf325617683d25a7d948243ef3123df400e0b2e4d06e7e7125b2400469d6be
Opcode Fuzzy Hash: 586781717a3f27afdabbf039ff5ca9d2c4d5522e83c1febceeb1094c4d6dd6d6
Instruction Fuzzy Hash: 115103786147829FD754CF1AD488A1ABBF1BF99340F94881CE9858B361D731EC81CF82

Function 0025258E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 97networkCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0025259E
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 002525D4

Strings

|, xrefs: 002525A5

Memory Dump Source

Source File: 00000000.00000002.2246549404.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2246531073.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.000000000026F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246673436.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246691233.00000000002A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_lExtvSjBgq.jbxd

Similarity

API ID: CrackInternet_memset
String ID: |
API String ID: 1413715105-2343686810
Opcode ID: f5e91088d5ba817a02754ea61b18b0773328e9fb77be9de9cb051a5e66fb5fbd
Instruction ID: 97b7dac78d653e164839ff7bf5999d7496b133cea1373b5045fc19065da2ced3
Opcode Fuzzy Hash: f5e91088d5ba817a02754ea61b18b0773328e9fb77be9de9cb051a5e66fb5fbd
Instruction Fuzzy Hash: AF310771810159EBDF01AFA1CC89EEEBFB9FF18310F100059ED14A61A2EB315959DB60

Function 00266A63 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 00266B17
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 00266B53

Strings

static, xrefs: 00266AB3

Memory Dump Source

Source File: 00000000.00000002.2246549404.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2246531073.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.000000000026F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246673436.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246691233.00000000002A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_lExtvSjBgq.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: b25bf04419935cdd0b9c0e2f18080ae0d456b3c1d97cdf3688bcecb3a975e5e8
Instruction ID: 3f0610b90cc3a6cc9d5357adb88f72e39ff671a95a52b4429d0e0bf6a59e7a42
Opcode Fuzzy Hash: b25bf04419935cdd0b9c0e2f18080ae0d456b3c1d97cdf3688bcecb3a975e5e8
Instruction Fuzzy Hash: 3331CF71220604AEDB109F65DC84BFB73ACFF48724F108619F9A5E3190DB30ACA1CB60

Function 002428A2 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 88windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00242911
GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 0024294C

Strings

0, xrefs: 0024290A

Memory Dump Source

Source File: 00000000.00000002.2246549404.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2246531073.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.000000000026F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246673436.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246691233.00000000002A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_lExtvSjBgq.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: 7f9a8ebac278f06ac18c1d3c34302b56aacab184778c1628f82c629e6e7b001b
Instruction ID: d8378bf5b37cf8e235431d7f46927b23d22309065527e4cbaafcd88b8852dacb
Opcode Fuzzy Hash: 7f9a8ebac278f06ac18c1d3c34302b56aacab184778c1628f82c629e6e7b001b
Instruction Fuzzy Hash: 19310631620306DFEF2CCF4AC885BAEBBF8EF45350F640019F881A61A1D7709968CB11

Function 001E16DE Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 83COMMON

Download Yara Rule

APIs

Part of subcall function 001E2612: GetWindowLongW.USER32(?,000000EB), ref: 001E2623

Part of subcall function 001E25DB: GetWindowLongW.USER32(?,000000EB), ref: 001E25EC

GetParent.USER32(?), ref: 0021B7BA
DefDlgProcW.USER32(?,00000133,?,?,?,?,?,?,?,?,001E19B3,?,?,?,00000006,?), ref: 0021B834

Strings

xM, xrefs: 001E172A, 0021B7D9, 0021B800

Memory Dump Source

Source File: 00000000.00000002.2246549404.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2246531073.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.000000000026F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246673436.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246691233.00000000002A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_lExtvSjBgq.jbxd

Similarity

API ID: LongWindow$ParentProc
String ID: xM
API String ID: 2181805148-315438632
Opcode ID: 54f9ba8adc123f7c74adfe6cae724168f92eb1c115818742c67298af4cbd4ef7
Instruction ID: 38eeddbc493cc88848854d16694e9b15d5caaf7d21f48fb4f748b9c858bba290
Opcode Fuzzy Hash: 54f9ba8adc123f7c74adfe6cae724168f92eb1c115818742c67298af4cbd4ef7
Instruction Fuzzy Hash: 1E21F234600994BFCB218F29DC89DEE3BE6AF1A720F544250F5265B2F1CB309D62DB50

Function 002666D4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00266761
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 0026676C

Strings

Combobox, xrefs: 0026672E

Memory Dump Source

Source File: 00000000.00000002.2246549404.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2246531073.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.000000000026F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246673436.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246691233.00000000002A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_lExtvSjBgq.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: 65ef6f8673327690fc48bd7a6645b11cabcd15aee095c6ef27a8fb05d9dec10e
Instruction ID: f46d34e7d974fc164eb2d45983eca55602bb0a6482690831b78b741685c5db04
Opcode Fuzzy Hash: 65ef6f8673327690fc48bd7a6645b11cabcd15aee095c6ef27a8fb05d9dec10e
Instruction Fuzzy Hash: B511B271220209BFEF128F54DC88EBBB76EEB48368F104129F91497290D675DCA18BA0

Function 002696F3 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72COMMON

Download Yara Rule

Strings

xM, xrefs: 0026971B

Memory Dump Source

Source File: 00000000.00000002.2246549404.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2246531073.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.000000000026F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246673436.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246691233.00000000002A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_lExtvSjBgq.jbxd

Similarity

API ID:
String ID: xM
API String ID: 0-315438632
Opcode ID: 2360b20f20f0433be0876ccabf44572c03ecb17db97150bfa0b97036a66cd7fb
Instruction ID: 6d197c2c7c9d161a99d4797ee4faddb456b8d1051d2f5478c96f8cccd83b5abb
Opcode Fuzzy Hash: 2360b20f20f0433be0876ccabf44572c03ecb17db97150bfa0b97036a66cd7fb
Instruction Fuzzy Hash: 5721A2B1134119BFDB128F54CC45FBAB7ACEB09310F404155FA12DA1E0CAB1E9E0DB60

Function 00266C07 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 001E1D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 001E1D73
Part of subcall function 001E1D35: GetStockObject.GDI32(00000011), ref: 001E1D87
Part of subcall function 001E1D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 001E1D91

GetWindowRect.USER32(00000000,?), ref: 00266C71
GetSysColor.USER32(00000012), ref: 00266C8B

Strings

static, xrefs: 00266C4E

Memory Dump Source

Source File: 00000000.00000002.2246549404.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2246531073.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.000000000026F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246673436.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246691233.00000000002A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_lExtvSjBgq.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: 9eab076e3ebe46923ddea3fab6f97882351d58632b2d83ae2842dc62d8995db5
Instruction ID: d4328c5679bf65aba58846e05aca3f777f372da158eebf1b35c7d7167e001618
Opcode Fuzzy Hash: 9eab076e3ebe46923ddea3fab6f97882351d58632b2d83ae2842dc62d8995db5
Instruction Fuzzy Hash: A521297252060AAFDF04DFA8DD49AEA7BA8FB08314F004629FD95D2250D775E8A0DB60

Function 0026678B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

CreatePopupMenu.USER32 ref: 002667AA
CreatePopupMenu.USER32 ref: 00266828

Strings

xM, xrefs: 00266802, 0026683D

Memory Dump Source

Source File: 00000000.00000002.2246549404.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2246531073.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.000000000026F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246673436.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246691233.00000000002A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_lExtvSjBgq.jbxd

Similarity

API ID: CreateMenuPopup
String ID: xM
API String ID: 3826294624-315438632
Opcode ID: 827fdf879aeef0a31fde759a3e2ade06be79c1e1e23fb8d35e47b21c51e67f56
Instruction ID: bca13f190558d2adc65aacfaa59965f1deb7a55b8fff4d0380d3b5b2785568dc
Opcode Fuzzy Hash: 827fdf879aeef0a31fde759a3e2ade06be79c1e1e23fb8d35e47b21c51e67f56
Instruction Fuzzy Hash: 8121907851060ADFDB11CF28D448BD6B7E2FB0A325F088169E8598B391C731ACA6CF51

Function 00266920 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 002669A2
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 002669B1

Strings

edit, xrefs: 00266986

Memory Dump Source

Source File: 00000000.00000002.2246549404.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2246531073.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.000000000026F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246673436.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246691233.00000000002A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_lExtvSjBgq.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: ab90623e7aa6e86263791b8ccb09c7faa6bb78b9de5e4f36745bfad7a458e725
Instruction ID: ec2d71b751748e4f80c9cdd41ecea9f87bf42155d85764fde9e69ce15f46759d
Opcode Fuzzy Hash: ab90623e7aa6e86263791b8ccb09c7faa6bb78b9de5e4f36745bfad7a458e725
Instruction Fuzzy Hash: 14114F71521105ABEF108E74EC49AEB3769EB05374F504724FDA5A71E0C771DCA19B60

Function 002429AF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 63windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00242A22
GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 00242A41

Strings

0, xrefs: 00242A18

Memory Dump Source

Source File: 00000000.00000002.2246549404.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2246531073.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.000000000026F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246673436.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246691233.00000000002A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_lExtvSjBgq.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: f01cfd0a64e1af9863305280fb606fb62fcdef561e1e6671f6e492d792a7bcfd
Instruction ID: 818fddaf28950931772c3ce7f018a275df6c7ddbff0ec0c9944d5ac19e620044
Opcode Fuzzy Hash: f01cfd0a64e1af9863305280fb606fb62fcdef561e1e6671f6e492d792a7bcfd
Instruction Fuzzy Hash: F611B132921135EBCB38DE99D848B9AB3BCAB46304F944021FC55E7290D770AD5ECB91

Function 002521D6 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 62networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 0025222C
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00252255

Strings

<local>, xrefs: 0025221D

Memory Dump Source

Source File: 00000000.00000002.2246549404.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2246531073.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.000000000026F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246673436.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246691233.00000000002A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_lExtvSjBgq.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: 33bfeb3953337e9e7d66ece2c6ed5256c4dac540f30f59647c573fba1aa61f4b
Instruction ID: 855520a46ef3007bb220142960910bf63b6e55fe7939201c85b81de9d0295ebc
Opcode Fuzzy Hash: 33bfeb3953337e9e7d66ece2c6ed5256c4dac540f30f59647c573fba1aa61f4b
Instruction Fuzzy Hash: 2411C174521226FADB258F119C88EB7FBACFB17352F10822AFD1486080D2B0586CD6F4

Function 002684E3 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 62windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,?,?,?), ref: 00268530

Strings

xM, xrefs: 00268509

Memory Dump Source

Source File: 00000000.00000002.2246549404.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2246531073.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.000000000026F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246673436.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246691233.00000000002A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_lExtvSjBgq.jbxd

Similarity

API ID: MessageSend
String ID: xM
API String ID: 3850602802-315438632
Opcode ID: f054cb4668d30fa84c8805fa3cc0894909d5465dd036412f823b789db9ac8771
Instruction ID: 2cc0f25f4997f275588f52bd9a7a7a4ae3ddf644fd6cca91d052a5df2e2b096a
Opcode Fuzzy Hash: f054cb4668d30fa84c8805fa3cc0894909d5465dd036412f823b789db9ac8771
Instruction Fuzzy Hash: 1A21067561020AEFCB15CF94D8408AA7BB9FB4D340B414254FD12A7360DA31ADA1DBA0

Function 001E2327 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 52COMMON

Download Yara Rule

Strings

xM, xrefs: 0021BF21, 0021BF47

Memory Dump Source

Source File: 00000000.00000002.2246549404.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2246531073.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.000000000026F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246673436.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246691233.00000000002A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_lExtvSjBgq.jbxd

Similarity

API ID:
String ID: xM
API String ID: 0-315438632
Opcode ID: 335824fdc19228a31616b3baab0d3d7c6e17f83486231db80834e0c742d1d599
Instruction ID: 8557958e688558f422cb2c73d4350a9662b2935729439d7259ce54ea7ff10720
Opcode Fuzzy Hash: 335824fdc19228a31616b3baab0d3d7c6e17f83486231db80834e0c742d1d599
Instruction Fuzzy Hash: D3115834610605AFCB21DF29D844EA9BBF6BB59320F148219F9298B7A0C771ED91CF90

Function 001F092D Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 52COMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,001E3C14,002A52F8,?,?,?), ref: 001F096E

Part of subcall function 001E7BCC: _memmove.LIBCMT ref: 001E7C06

_wcscat.LIBCMT ref: 00224CB7

Strings

i, xrefs: 001F09AE

Memory Dump Source

Source File: 00000000.00000002.2246549404.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2246531073.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.000000000026F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246673436.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246691233.00000000002A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_lExtvSjBgq.jbxd

Similarity

API ID: FullNamePath_memmove_wcscat
String ID: i
API String ID: 257928180-1498560215
Opcode ID: 1796d9b021eac5e417876a21cb6dc930d1bfedeb9daa6ee7593c839f3333c745
Instruction ID: de517500b053a7d6797b8f0160ab78f2e88f8b552f498a470478d2631ac273ff
Opcode Fuzzy Hash: 1796d9b021eac5e417876a21cb6dc930d1bfedeb9daa6ee7593c839f3333c745
Instruction Fuzzy Hash: D711A93191561DAB9F45FBA4DD05EDE73E8BF18340B0044A6FA48D3182EFF096944B10

Function 00238E05 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 001E7DE1: _memmove.LIBCMT ref: 001E7E22

Part of subcall function 0023AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0023AABC

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00238E73

Strings

ComboBox, xrefs: 00238E12
ListBox, xrefs: 00238E3D

Memory Dump Source

Source File: 00000000.00000002.2246549404.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2246531073.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.000000000026F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246673436.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246691233.00000000002A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_lExtvSjBgq.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: 263af0ef5ccedda3ef1883ed778c32d401a83e724e266b961ba53242311cb611
Instruction ID: bdfbd651f78e0ddc509d0ef4faa4c0d09c598f796f261602e5fed67fa559f1ca
Opcode Fuzzy Hash: 263af0ef5ccedda3ef1883ed778c32d401a83e724e266b961ba53242311cb611
Instruction Fuzzy Hash: B101F1B1A25219AB9F14EBA0CC458FE7369FF12320F000A19F8715B2E2DF315828D660

Function 00248D91 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 51COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00248DAC
__fread_nolock.LIBCMT ref: 00248DC1

Strings

EA06, xrefs: 00248DF3

Memory Dump Source

Source File: 00000000.00000002.2246549404.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2246531073.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.000000000026F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246673436.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246691233.00000000002A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_lExtvSjBgq.jbxd

Similarity

API ID: __fread_nolock_memmove
String ID: EA06
API String ID: 1988441806-3962188686
Opcode ID: 5edf21a50e43938a5cb7466d787be385206b2ab884336459fdd106c249737ea5
Instruction ID: 5b63546168db998fbaa4f63efae50c2006b1b4e4f07b53eb230c2efc435708b2
Opcode Fuzzy Hash: 5edf21a50e43938a5cb7466d787be385206b2ab884336459fdd106c249737ea5
Instruction Fuzzy Hash: 9401B971D142187EDB18CAA8CC56EEE7BFCDB15311F00459AF552D21C1E975A6148B60

Function 00238CFD Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 001E7DE1: _memmove.LIBCMT ref: 001E7E22

Part of subcall function 0023AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0023AABC

SendMessageW.USER32(?,00000180,00000000,?), ref: 00238D6B

Strings

ComboBox, xrefs: 00238D0A
ListBox, xrefs: 00238D35

Memory Dump Source

Source File: 00000000.00000002.2246549404.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2246531073.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.000000000026F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246673436.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246691233.00000000002A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_lExtvSjBgq.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: ab47cba51dea0495c38736bf369d7c326b476c700747f30cd84cd2c21b14adbe
Instruction ID: 5677ed5a8e748ff19160e2a2c4404db467ae3906927a0cf78b0f8b67589dd541
Opcode Fuzzy Hash: ab47cba51dea0495c38736bf369d7c326b476c700747f30cd84cd2c21b14adbe
Instruction Fuzzy Hash: AB0124B1A2020DABDF14EBE0C942AFE73B8EF21300F100029B801672E2DF104E18D671

Function 00238D82 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 001E7DE1: _memmove.LIBCMT ref: 001E7E22

Part of subcall function 0023AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0023AABC

SendMessageW.USER32(?,00000182,?,00000000), ref: 00238DEE

Strings

ComboBox, xrefs: 00238D8F
ListBox, xrefs: 00238DBA

Memory Dump Source

Source File: 00000000.00000002.2246549404.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2246531073.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.000000000026F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246673436.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246691233.00000000002A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_lExtvSjBgq.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: 8f353f510e4e03e66de7169a2919a79123a8bb74f524809d9eb9e865d1e5e14b
Instruction ID: 69208b785c651e0e00aa898ef94b6c2ac3abe67a43f583a809e0f5d2fe1a2ac5
Opcode Fuzzy Hash: 8f353f510e4e03e66de7169a2919a79123a8bb74f524809d9eb9e865d1e5e14b
Instruction Fuzzy Hash: 0F01F7B1A6520DA7DF11EAA4C942AFE77ACEF21300F100025B805672D2DF114E28D671

Function 00209402 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 002099AC: __getptd_noexit.LIBCMT ref: 002099AD

__lock.LIBCMT ref: 00209443
_free.LIBCMT ref: 00209470

Strings

`, xrefs: 00209476, 0020947E

Memory Dump Source

Source File: 00000000.00000002.2246549404.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2246531073.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.000000000026F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246673436.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246691233.00000000002A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_lExtvSjBgq.jbxd

Similarity

API ID: __getptd_noexit__lock_free
String ID: `
API String ID: 1533244847-4168407445
Opcode ID: 63d4da09e552c68ff036cf1ba9d2090046d0ca057d3637ddbe4cb1399c716218
Instruction ID: de466e122c58aa7e9cfc6a881f2398a33f050e5cbd9fad1a1b788e1594887c68
Opcode Fuzzy Hash: 63d4da09e552c68ff036cf1ba9d2090046d0ca057d3637ddbe4cb1399c716218
Instruction Fuzzy Hash: F0118432D217269BCB21EF68940575DB3B0BB45B20B16411AE896A72D3CB705DE3CFC6

Function 0023C4EB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 48COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 0023C534

Part of subcall function 0023C816: _memmove.LIBCMT ref: 0023C860
Part of subcall function 0023C816: VariantInit.OLEAUT32(00000000), ref: 0023C882
Part of subcall function 0023C816: VariantCopy.OLEAUT32(00000000,?), ref: 0023C88C

VariantClear.OLEAUT32(?), ref: 0023C556

Strings

d}), xrefs: 0023C517

Memory Dump Source

Source File: 00000000.00000002.2246549404.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2246531073.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.000000000026F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246673436.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246691233.00000000002A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_lExtvSjBgq.jbxd

Similarity

API ID: Variant$Init$ClearCopy_memmove
String ID: d})
API String ID: 2932060187-1757160761
Opcode ID: 821e9d07ef37ef00d49ae89a1a116d441f59ad29c072da1340bf2c9aba315b7f
Instruction ID: e95afd9f2ab28b2aad0cd911f06f2028aac82395895ce9505aafdc9376836421
Opcode Fuzzy Hash: 821e9d07ef37ef00d49ae89a1a116d441f59ad29c072da1340bf2c9aba315b7f
Instruction Fuzzy Hash: 84111EB19007089FCB10DFAAD88489AF7F8FF18314B50862EE58AD7611E771AA45CF90

Function 0026C57D Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

Part of subcall function 001E2612: GetWindowLongW.USER32(?,000000EB), ref: 001E2623

DefDlgProcW.USER32(?,0000002B,?,?,?,?,?,?,?,0021B93A,?,?,?), ref: 0026C5F1

Part of subcall function 001E25DB: GetWindowLongW.USER32(?,000000EB), ref: 001E25EC

SendMessageW.USER32(?,00000401,00000000,00000000), ref: 0026C5D7

Strings

xM, xrefs: 0026C5B6

Memory Dump Source

Source File: 00000000.00000002.2246549404.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2246531073.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.000000000026F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246673436.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246691233.00000000002A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_lExtvSjBgq.jbxd

Similarity

API ID: LongWindow$MessageProcSend
String ID: xM
API String ID: 982171247-315438632
Opcode ID: 5d7a10270c9d3f64765713071b811aed489453cde908c9378d5d277121a18037
Instruction ID: 9a654270484a3da6b12e834f8b2bf2547e883a74242d9272327711f564772dd9
Opcode Fuzzy Hash: 5d7a10270c9d3f64765713071b811aed489453cde908c9378d5d277121a18037
Instruction Fuzzy Hash: 9601B531210614ABCB216F14DC58E7B7BA6FF89360F644124F9662B2E0CB71ACA1DF91

Function 00244F28 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 29COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 00244F46
_wcscmp.LIBCMT ref: 00244F58

Strings

#32770, xrefs: 00244F52

Memory Dump Source

Source File: 00000000.00000002.2246549404.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2246531073.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.000000000026F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246673436.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246691233.00000000002A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_lExtvSjBgq.jbxd

Similarity

API ID: ClassName_wcscmp
String ID: #32770
API String ID: 2292705959-463685578
Opcode ID: a0c00a6351a450ca9ab49e4161c4d4bffbd15c3afdd86b79f2591449275462d8
Instruction ID: 55809864073197668c4dc337d4cdd8ba3b6b093be9af106656b562fa6da8cbae
Opcode Fuzzy Hash: a0c00a6351a450ca9ab49e4161c4d4bffbd15c3afdd86b79f2591449275462d8
Instruction Fuzzy Hash: D0E0D13291432927D710EB55BC4DFA7F7ACDB45B70F410057FD04D3051D9609A5587D0

Function 0021B2C1 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 0021B314: _memset.LIBCMT ref: 0021B321

Part of subcall function 00200940: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,0021B2F0,?,?,?,001E100A), ref: 00200945

IsDebuggerPresent.KERNEL32(?,?,?,001E100A), ref: 0021B2F4
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,001E100A), ref: 0021B303

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 0021B2FE

Memory Dump Source

Source File: 00000000.00000002.2246549404.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2246531073.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.000000000026F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246673436.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246691233.00000000002A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_lExtvSjBgq.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString_memset
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 3158253471-631824599
Opcode ID: 03a9603693b672e190aa2f1b534b1fd795a9a45e447c2050572c1d4d7f7511e2
Instruction ID: a3d5f6c4224ccb7caf400f491b60731deb64e793396e60fee528db76e22a2b20
Opcode Fuzzy Hash: 03a9603693b672e190aa2f1b534b1fd795a9a45e447c2050572c1d4d7f7511e2
Instruction Fuzzy Hash: 2DE06D74220751CBE761EF28E5087867AE4EF14704F0089ACE856C7681EBB4E4A8CFA1

Function 00265964 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0026596E
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00265981

Part of subcall function 00245244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 002452BC

Strings

Shell_TrayWnd, xrefs: 00265967

Memory Dump Source

Source File: 00000000.00000002.2246549404.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2246531073.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.000000000026F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246673436.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246691233.00000000002A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_lExtvSjBgq.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: dd4634927e1524dd76ba47c7b2f17c6edfebb4e8e9f31295699f851801f91387
Instruction ID: b541f2b3ceee40f415589b72c08103f355bd5d394bc9204e51aa3237af1f4f2e
Opcode Fuzzy Hash: dd4634927e1524dd76ba47c7b2f17c6edfebb4e8e9f31295699f851801f91387
Instruction Fuzzy Hash: C8D0A931390311B7EAA8AB30BC0FFA22A14AB02B00F010826B64AAA0D0C8E09800CA90

Function 00265998 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 002659AE
PostMessageW.USER32(00000000), ref: 002659B5

Part of subcall function 00245244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 002452BC

Strings

Shell_TrayWnd, xrefs: 002659A7

Memory Dump Source

Source File: 00000000.00000002.2246549404.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2246531073.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.000000000026F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246597083.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246673436.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246691233.00000000002A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_lExtvSjBgq.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 5ce8f4b2f7670314e13d523c6dc29ce8849b77828621407995dd3e4c049cf8b7
Instruction ID: b248b4e2c3a173cf93724ae36d8ea75666f56a6ad3ceddd8ef6c883f9e05e6c6
Opcode Fuzzy Hash: 5ce8f4b2f7670314e13d523c6dc29ce8849b77828621407995dd3e4c049cf8b7
Instruction Fuzzy Hash: 58D0A9313803117BEAA8AB30BC0FF922614AB02B00F010826B646AA0D0C8E0A800CA94

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report lExtvSjBgq.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\aut2FF9.tmp

C:\Users\user\AppData\Local\Temp\hepatoduodenostomy

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

Windows Analysis Report
lExtvSjBgq.exe

Function 001E3B3A Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 153
windowCOMMON

Function 001E49A0 Relevance: 10.7, APIs: 7, Instructions: 223
COMMON

Function 001E4E89 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 62
COMMON

Function 00249155 Relevance: 19.8, APIs: 13, Instructions: 322
fileCOMMON

Function 001E708B Relevance: 19.5, APIs: 6, Strings: 5, Instructions: 201
registryCOMMON

Function 001E301C Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 73
windowregistryCOMMON

Function 001E3A46 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 71
windowregistryCOMMON

Function 001E3041 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 54
windowregistryCOMMON

Function 001E3633 Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 151
windowtimeregistryCOMMON

Function 001E3766 Relevance: 16.0, APIs: 1, Strings: 8, Instructions: 267
COMMON

Function 001EF76F Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 168
comCOMMON

Function 00F5CE28 Relevance: 10.7, APIs: 7, Instructions: 239
fileCOMMON

Function 00209AE6 Relevance: 10.5, APIs: 7, Instructions: 45
threadCOMMON

Function 001E39D5 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Function 00F5CB78 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 171
fileCOMMON

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre