Edit tour

Windows Analysis Report
uOCavrYu1y.exe

Overview

General Information

Sample name:	uOCavrYu1y.exe renamed because original name is a hash value
Original sample name:	7dd88bb379949c90207a5d476d7318ba98ccb6cb7853409c6d323febd28d318d.exe
Analysis ID:	1587805
MD5:	be37ea5702226bf6ed17a5031c2d75d0
SHA1:	c398fd238eb4c706ea7aff5c24cc0eaf93bcf077
SHA256:	7dd88bb379949c90207a5d476d7318ba98ccb6cb7853409c6d323febd28d318d
Tags:	AgentTeslaexeuser-adrian__luca
Infos:

Detection

AgentTesla

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected AgentTesla

Yara detected AntiVM3

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Check if machine is in data center or colocation facility

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Machine Learning detection for sample

Maps a DLL or memory area into another process

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Switches to a custom stack to bypass stack traces

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Yara detected Generic Downloader

Checks if the current process is being debugged

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected non-DNS traffic on DNS port

Detected potential crypto function

Extensive use of GetProcAddress (often used to hide API calls)

Found evasive API chain (date check)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

May check the online IP address of the machine

OS version to string mapping found (often used in BOTs)

Potential key logger detected (key state polling based)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

uOCavrYu1y.exe (PID: 5088 cmdline: "C:\Users\user\Desktop\uOCavrYu1y.exe" MD5: BE37EA5702226BF6ED17A5031C2D75D0)

RegSvcs.exe (PID: 4304 cmdline: "C:\Users\user\Desktop\uOCavrYu1y.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Agent Tesla, AgentTesla	A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.	SWEED	http://blog.nsfocus.net/sweed-611/ http://l1v1ngc0d3.wordpress.com/2021/11/12/agenttesla-dropped-via-nsis-installer/ http://ropgadget.com/posts/originlogger.html http://www.secureworks.com/research/threat-profiles/gold-galleon https://0xmrmagnezi.github.io/malware%20analysis/AgentTesla/	https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "FTP", "Host": "ftp://ftp.stingatoareincendii.ro", "Username": "mojooooofileeeee@stingatoareincendii.ro", "Password": "3.*RYhlG)lkA"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.2179718615.0000000003690000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.2179718615.0000000003690000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
00000000.00000002.2179718615.0000000003690000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.2179718615.0000000003690000.00000004.00001000.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x34441:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x344b3:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3453d:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x345cf:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x34639:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x346ab:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x34741:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x347d1:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
00000000.00000002.2179718615.0000000003690000.00000004.00001000.00020000.00000000.sdmp	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x315d3:$s2: GetPrivateProfileString 0x30ca1:$s3: get_OSFullName 0x322d3:$s5: remove_Key 0x324aa:$s5: remove_Key 0x333db:$s6: FtpWebRequest 0x34423:$s7: logins 0x34995:$s7: logins 0x376a6:$s7: logins 0x37758:$s7: logins 0x390ad:$s7: logins 0x382f2:$s9: 1.85 (Hash, version 2, native byte-order)
00000002.00000002.3401369142.0000000002655000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000002.3400114367.0000000000602000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000002.3400114367.0000000000602000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: uOCavrYu1y.exe PID: 5088	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: uOCavrYu1y.exe PID: 5088	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: uOCavrYu1y.exe PID: 5088	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: RegSvcs.exe PID: 4304	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RegSvcs.exe PID: 4304	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Click to see the 8 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.uOCavrYu1y.exe.3690000.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.uOCavrYu1y.exe.3690000.1.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.uOCavrYu1y.exe.3690000.1.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.uOCavrYu1y.exe.3690000.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x34441:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x344b3:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3453d:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x345cf:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x34639:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x346ab:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x34741:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x347d1:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.uOCavrYu1y.exe.3690000.1.raw.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x315d3:$s2: GetPrivateProfileString 0x30ca1:$s3: get_OSFullName 0x322d3:$s5: remove_Key 0x324aa:$s5: remove_Key 0x333db:$s6: FtpWebRequest 0x34423:$s7: logins 0x34995:$s7: logins 0x376a6:$s7: logins 0x37758:$s7: logins 0x390ad:$s7: logins 0x382f2:$s9: 1.85 (Hash, version 2, native byte-order)
0.2.uOCavrYu1y.exe.3690000.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.uOCavrYu1y.exe.3690000.1.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.uOCavrYu1y.exe.3690000.1.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x32641:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x326b3:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3273d:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x327cf:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x32839:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x328ab:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x32941:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x329d1:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.uOCavrYu1y.exe.3690000.1.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x2f7d3:$s2: GetPrivateProfileString 0x2eea1:$s3: get_OSFullName 0x304d3:$s5: remove_Key 0x306aa:$s5: remove_Key 0x315db:$s6: FtpWebRequest 0x32623:$s7: logins 0x32b95:$s7: logins 0x358a6:$s7: logins 0x35958:$s7: logins 0x372ad:$s7: logins 0x364f2:$s9: 1.85 (Hash, version 2, native byte-order)
2.2.RegSvcs.exe.600000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.RegSvcs.exe.600000.0.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
2.2.RegSvcs.exe.600000.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
2.2.RegSvcs.exe.600000.0.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x34441:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x344b3:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3453d:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x345cf:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x34639:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x346ab:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x34741:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x347d1:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
2.2.RegSvcs.exe.600000.0.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x315d3:$s2: GetPrivateProfileString 0x30ca1:$s3: get_OSFullName 0x322d3:$s5: remove_Key 0x324aa:$s5: remove_Key 0x333db:$s6: FtpWebRequest 0x34423:$s7: logins 0x34995:$s7: logins 0x376a6:$s7: logins 0x37758:$s7: logins 0x390ad:$s7: logins 0x382f2:$s9: 1.85 (Hash, version 2, native byte-order)
Click to see the 9 entries

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 0.2.uOCavrYu1y.exe.3690000.1.raw.unpack

Malware Configuration Extractor: Agenttesla {"Exfil Mode": "FTP", "Host": "ftp://ftp.stingatoareincendii.ro", "Username": "mojooooofileeeee@stingatoareincendii.ro", "Password": "3.*RYhlG)lkA"}

Multi AV Scanner detection for submitted file

Source: uOCavrYu1y.exe	Virustotal: Detection: 78%			Perma Link
Source: uOCavrYu1y.exe	ReversingLabs: Detection: 65%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: uOCavrYu1y.exe

Joe Sandbox ML: detected

Source: uOCavrYu1y.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source:	Binary string: wntdll.pdbUGP source: uOCavrYu1y.exe, 00000000.00000003.2165815098.0000000003870000.00000004.00001000.00020000.00000000.sdmp, uOCavrYu1y.exe, 00000000.00000003.2162638027.00000000036D0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: uOCavrYu1y.exe, 00000000.00000003.2165815098.0000000003870000.00000004.00001000.00020000.00000000.sdmp, uOCavrYu1y.exe, 00000000.00000003.2162638027.00000000036D0000.00000004.00001000.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\uOCavrYu1y.exe	Code function: 0_2_00AF445A GetFileAttributesW,FindFirstFileW,FindClose,	0_2_00AF445A
Source: C:\Users\user\Desktop\uOCavrYu1y.exe	Code function: 0_2_00AFC6D1 FindFirstFileW,FindClose,	0_2_00AFC6D1
Source: C:\Users\user\Desktop\uOCavrYu1y.exe	Code function: 0_2_00AFC75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_00AFC75C
Source: C:\Users\user\Desktop\uOCavrYu1y.exe	Code function: 0_2_00AFEF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00AFEF95
Source: C:\Users\user\Desktop\uOCavrYu1y.exe	Code function: 0_2_00AFF0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00AFF0F2
Source: C:\Users\user\Desktop\uOCavrYu1y.exe	Code function: 0_2_00AFF3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_00AFF3F3
Source: C:\Users\user\Desktop\uOCavrYu1y.exe	Code function: 0_2_00AF37EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00AF37EF
Source: C:\Users\user\Desktop\uOCavrYu1y.exe	Code function: 0_2_00AF3B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00AF3B12
Source: C:\Users\user\Desktop\uOCavrYu1y.exe	Code function: 0_2_00AFBCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_00AFBCBC

Networking

Yara detected Generic Downloader

Source: Yara match	File source: 0.2.uOCavrYu1y.exe.3690000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.600000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2179718615.0000000003690000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Source: global traffic

TCP traffic: 192.168.2.6:50169 -> 1.1.1.1:53

Source: global traffic

HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Source: Joe Sandbox View

IP Address: 208.95.112.1 208.95.112.1

Source: unknown

DNS query: name: ip-api.com

Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\uOCavrYu1y.exe

Code function: 0_2_00B022EE InternetReadFile,InternetQueryDataAvailable,InternetReadFile,

0_2_00B022EE

Source: global traffic

HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Source: global traffic

DNS traffic detected: DNS query: ip-api.com

Source: RegSvcs.exe, 00000002.00000002.3401369142.0000000002621000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3401369142.00000000026FB000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3401369142.00000000026E0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com
Source: uOCavrYu1y.exe, 00000000.00000002.2179718615.0000000003690000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3401369142.0000000002621000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3400114367.0000000000602000.00000040.80000000.00040000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3401369142.00000000026E0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com/line/?fields=hosting
Source: RegSvcs.exe, 00000002.00000002.3400434024.00000000009A4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com/line/?fields=hostingk#k
Source: RegSvcs.exe, 00000002.00000002.3400434024.00000000009A4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com/line/?fields=hosting~#
Source: RegSvcs.exe, 00000002.00000002.3401369142.0000000002621000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3401369142.00000000026E0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: uOCavrYu1y.exe, 00000000.00000002.2179718615.0000000003690000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3400114367.0000000000602000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: https://account.dyn.com/

Source: C:\Users\user\Desktop\uOCavrYu1y.exe

Code function: 0_2_00B04164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_00B04164

Source: C:\Users\user\Desktop\uOCavrYu1y.exe

Code function: 0_2_00B04164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_00B04164

Source: C:\Users\user\Desktop\uOCavrYu1y.exe

Code function: 0_2_00B03F66 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_00B03F66

Source: C:\Users\user\Desktop\uOCavrYu1y.exe

Code function: 0_2_00AF001C GetKeyboardState,SetKeyboardState,GetAsyncKeyState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,

0_2_00AF001C

Source: C:\Users\user\Desktop\uOCavrYu1y.exe

Code function: 0_2_00B1CABC NtdllDialogWndProc_W,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SetCapture,ClientToScreen,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_00B1CABC

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.uOCavrYu1y.exe.3690000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.uOCavrYu1y.exe.3690000.1.raw.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 0.2.uOCavrYu1y.exe.3690000.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.uOCavrYu1y.exe.3690000.1.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 2.2.RegSvcs.exe.600000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 2.2.RegSvcs.exe.600000.0.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 00000000.00000002.2179718615.0000000003690000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 00000000.00000002.2179718615.0000000003690000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen

Binary is likely a compiled AutoIt script file

Source: C:\Users\user\Desktop\uOCavrYu1y.exe	Code function: This is a third-party compiled AutoIt script.	0_2_00A93B3A
Source: uOCavrYu1y.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: uOCavrYu1y.exe, 00000000.00000002.2177197772.0000000000B44000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_7c643a5f-e
Source: uOCavrYu1y.exe, 00000000.00000002.2177197772.0000000000B44000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`	memstr_6e776df9-f

Source: C:\Users\user\Desktop\uOCavrYu1y.exe	Code function: 0_2_00A93633 NtdllDefWindowProc_W,KillTimer,SetTimer,RegisterClipboardFormatW,CreatePopupMenu,PostQuitMessage,SetFocus,MoveWindow,	0_2_00A93633
Source: C:\Users\user\Desktop\uOCavrYu1y.exe	Code function: 0_2_00B1C1AC PostMessageW,GetFocus,GetDlgCtrlID,_memset,GetMenuItemInfoW,GetMenuItemCount,GetMenuItemID,GetMenuItemInfoW,GetMenuItemInfoW,CheckMenuRadioItem,NtdllDialogWndProc_W,	0_2_00B1C1AC
Source: C:\Users\user\Desktop\uOCavrYu1y.exe	Code function: 0_2_00B1C498 GetCursorPos,TrackPopupMenuEx,GetCursorPos,NtdllDialogWndProc_W,	0_2_00B1C498
Source: C:\Users\user\Desktop\uOCavrYu1y.exe	Code function: 0_2_00B1C5FE DragQueryPoint,SendMessageW,DragQueryFileW,DragQueryFileW,_wcscat,SendMessageW,SendMessageW,SendMessageW,SendMessageW,DragFinish,NtdllDialogWndProc_W,	0_2_00B1C5FE
Source: C:\Users\user\Desktop\uOCavrYu1y.exe	Code function: 0_2_00B1C57D SendMessageW,NtdllDialogWndProc_W,	0_2_00B1C57D
Source: C:\Users\user\Desktop\uOCavrYu1y.exe	Code function: 0_2_00B1C8BE NtdllDialogWndProc_W,	0_2_00B1C8BE
Source: C:\Users\user\Desktop\uOCavrYu1y.exe	Code function: 0_2_00B1C88F NtdllDialogWndProc_W,	0_2_00B1C88F
Source: C:\Users\user\Desktop\uOCavrYu1y.exe	Code function: 0_2_00B1C860 NtdllDialogWndProc_W,	0_2_00B1C860
Source: C:\Users\user\Desktop\uOCavrYu1y.exe	Code function: 0_2_00B1C93E ClientToScreen,NtdllDialogWndProc_W,	0_2_00B1C93E
Source: C:\Users\user\Desktop\uOCavrYu1y.exe	Code function: 0_2_00B1C909 NtdllDialogWndProc_W,	0_2_00B1C909
Source: C:\Users\user\Desktop\uOCavrYu1y.exe	Code function: 0_2_00B1CABC NtdllDialogWndProc_W,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SetCapture,ClientToScreen,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,	0_2_00B1CABC
Source: C:\Users\user\Desktop\uOCavrYu1y.exe	Code function: 0_2_00B1CA7C GetWindowLongW,NtdllDialogWndProc_W,	0_2_00B1CA7C
Source: C:\Users\user\Desktop\uOCavrYu1y.exe	Code function: 0_2_00A91287 NtdllDialogWndProc_W,GetSysColor,SetBkColor,74A3C8D0,NtdllDialogWndProc_W,	0_2_00A91287
Source: C:\Users\user\Desktop\uOCavrYu1y.exe	Code function: 0_2_00A91290 NtdllDialogWndProc_W,GetClientRect,GetCursorPos,ScreenToClient,	0_2_00A91290
Source: C:\Users\user\Desktop\uOCavrYu1y.exe	Code function: 0_2_00B1D3B8 NtdllDialogWndProc_W,	0_2_00B1D3B8
Source: C:\Users\user\Desktop\uOCavrYu1y.exe	Code function: 0_2_00B1D43E GetSystemMetrics,GetSystemMetrics,MoveWindow,SendMessageW,SendMessageW,ShowWindow,InvalidateRect,NtdllDialogWndProc_W,	0_2_00B1D43E
Source: C:\Users\user\Desktop\uOCavrYu1y.exe	Code function: 0_2_00A916B5 NtdllDialogWndProc_W,	0_2_00A916B5
Source: C:\Users\user\Desktop\uOCavrYu1y.exe	Code function: 0_2_00A916DE GetParent,NtdllDialogWndProc_W,	0_2_00A916DE
Source: C:\Users\user\Desktop\uOCavrYu1y.exe	Code function: 0_2_00A9167D NtdllDialogWndProc_W,	0_2_00A9167D
Source: C:\Users\user\Desktop\uOCavrYu1y.exe	Code function: 0_2_00B1D78C NtdllDialogWndProc_W,	0_2_00B1D78C
Source: C:\Users\user\Desktop\uOCavrYu1y.exe	Code function: 0_2_00A9189B NtdllDialogWndProc_W,	0_2_00A9189B
Source: C:\Users\user\Desktop\uOCavrYu1y.exe	Code function: 0_2_00B1BC5D NtdllDialogWndProc_W,CallWindowProcW,	0_2_00B1BC5D
Source: C:\Users\user\Desktop\uOCavrYu1y.exe	Code function: 0_2_00B1BF8C ReleaseCapture,SetWindowTextW,SendMessageW,NtdllDialogWndProc_W,	0_2_00B1BF8C
Source: C:\Users\user\Desktop\uOCavrYu1y.exe	Code function: 0_2_00B1BF30 NtdllDialogWndProc_W,	0_2_00B1BF30

Source: C:\Users\user\Desktop\uOCavrYu1y.exe

Code function: 0_2_00AFA1EF: GetFullPathNameW,__swprintf,CreateDirectoryW,CreateFileW,_memset,_wcsncpy,DeviceIoControl,CloseHandle,RemoveDirectoryW,CloseHandle,

0_2_00AFA1EF

Source: C:\Users\user\Desktop\uOCavrYu1y.exe

Code function: 0_2_00AE8310 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,74F75590,CreateProcessAsUserW,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,

0_2_00AE8310

Source: C:\Users\user\Desktop\uOCavrYu1y.exe

Code function: 0_2_00AF51BD ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_00AF51BD

Source: C:\Users\user\Desktop\uOCavrYu1y.exe	Code function: 0_2_00A9E6A0	0_2_00A9E6A0
Source: C:\Users\user\Desktop\uOCavrYu1y.exe	Code function: 0_2_00ABD975	0_2_00ABD975
Source: C:\Users\user\Desktop\uOCavrYu1y.exe	Code function: 0_2_00AB21C5	0_2_00AB21C5
Source: C:\Users\user\Desktop\uOCavrYu1y.exe	Code function: 0_2_00AC62D2	0_2_00AC62D2
Source: C:\Users\user\Desktop\uOCavrYu1y.exe	Code function: 0_2_00B103DA	0_2_00B103DA
Source: C:\Users\user\Desktop\uOCavrYu1y.exe	Code function: 0_2_00AC242E	0_2_00AC242E
Source: C:\Users\user\Desktop\uOCavrYu1y.exe	Code function: 0_2_00AB25FA	0_2_00AB25FA
Source: C:\Users\user\Desktop\uOCavrYu1y.exe	Code function: 0_2_00AA66E1	0_2_00AA66E1
Source: C:\Users\user\Desktop\uOCavrYu1y.exe	Code function: 0_2_00AEE616	0_2_00AEE616
Source: C:\Users\user\Desktop\uOCavrYu1y.exe	Code function: 0_2_00AC878F	0_2_00AC878F
Source: C:\Users\user\Desktop\uOCavrYu1y.exe	Code function: 0_2_00AF8889	0_2_00AF8889
Source: C:\Users\user\Desktop\uOCavrYu1y.exe	Code function: 0_2_00AA8808	0_2_00AA8808
Source: C:\Users\user\Desktop\uOCavrYu1y.exe	Code function: 0_2_00B10857	0_2_00B10857
Source: C:\Users\user\Desktop\uOCavrYu1y.exe	Code function: 0_2_00AC6844	0_2_00AC6844
Source: C:\Users\user\Desktop\uOCavrYu1y.exe	Code function: 0_2_00ABCB21	0_2_00ABCB21
Source: C:\Users\user\Desktop\uOCavrYu1y.exe	Code function: 0_2_00AC6DB6	0_2_00AC6DB6
Source: C:\Users\user\Desktop\uOCavrYu1y.exe	Code function: 0_2_00AA6F9E	0_2_00AA6F9E
Source: C:\Users\user\Desktop\uOCavrYu1y.exe	Code function: 0_2_00AA3030	0_2_00AA3030
Source: C:\Users\user\Desktop\uOCavrYu1y.exe	Code function: 0_2_00AB3187	0_2_00AB3187
Source: C:\Users\user\Desktop\uOCavrYu1y.exe	Code function: 0_2_00ABF1D9	0_2_00ABF1D9
Source: C:\Users\user\Desktop\uOCavrYu1y.exe	Code function: 0_2_00A91287	0_2_00A91287
Source: C:\Users\user\Desktop\uOCavrYu1y.exe	Code function: 0_2_00AB1484	0_2_00AB1484
Source: C:\Users\user\Desktop\uOCavrYu1y.exe	Code function: 0_2_00AA5520	0_2_00AA5520
Source: C:\Users\user\Desktop\uOCavrYu1y.exe	Code function: 0_2_00AB7696	0_2_00AB7696
Source: C:\Users\user\Desktop\uOCavrYu1y.exe	Code function: 0_2_00AA5760	0_2_00AA5760
Source: C:\Users\user\Desktop\uOCavrYu1y.exe	Code function: 0_2_00AB1978	0_2_00AB1978
Source: C:\Users\user\Desktop\uOCavrYu1y.exe	Code function: 0_2_00AC9AB5	0_2_00AC9AB5
Source: C:\Users\user\Desktop\uOCavrYu1y.exe	Code function: 0_2_00A9FCE0	0_2_00A9FCE0
Source: C:\Users\user\Desktop\uOCavrYu1y.exe	Code function: 0_2_00ABBDA6	0_2_00ABBDA6
Source: C:\Users\user\Desktop\uOCavrYu1y.exe	Code function: 0_2_00AB1D90	0_2_00AB1D90
Source: C:\Users\user\Desktop\uOCavrYu1y.exe	Code function: 0_2_00B17DDB	0_2_00B17DDB
Source: C:\Users\user\Desktop\uOCavrYu1y.exe	Code function: 0_2_00AA3FE0	0_2_00AA3FE0
Source: C:\Users\user\Desktop\uOCavrYu1y.exe	Code function: 0_2_00A9DF00	0_2_00A9DF00
Source: C:\Users\user\Desktop\uOCavrYu1y.exe	Code function: 0_2_036835F0	0_2_036835F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0243A6E0	2_2_0243A6E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_02434A80	2_2_02434A80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_02433E68	2_2_02433E68
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_024341B0	2_2_024341B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0243FA33	2_2_0243FA33
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05CB1288	2_2_05CB1288
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05CB3BD8	2_2_05CB3BD8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05CB34F0	2_2_05CB34F0

Source: C:\Users\user\Desktop\uOCavrYu1y.exe	Code function: String function: 00AB0AE3 appears 70 times
Source: C:\Users\user\Desktop\uOCavrYu1y.exe	Code function: String function: 00AB8900 appears 42 times
Source: C:\Users\user\Desktop\uOCavrYu1y.exe	Code function: String function: 00A97DE1 appears 36 times

Source: uOCavrYu1y.exe, 00000000.00000003.2168323162.00000000039ED000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs uOCavrYu1y.exe
Source: uOCavrYu1y.exe, 00000000.00000003.2164048414.00000000037F3000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs uOCavrYu1y.exe
Source: uOCavrYu1y.exe, 00000000.00000002.2179718615.0000000003690000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamee8300309-2878-4eb6-9fa4-d88c99cb9494.exe4 vs uOCavrYu1y.exe

Source: uOCavrYu1y.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: 0.2.uOCavrYu1y.exe.3690000.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.uOCavrYu1y.exe.3690000.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 0.2.uOCavrYu1y.exe.3690000.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.uOCavrYu1y.exe.3690000.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 2.2.RegSvcs.exe.600000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 2.2.RegSvcs.exe.600000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 00000000.00000002.2179718615.0000000003690000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 00000000.00000002.2179718615.0000000003690000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@3/4@1/1

Source: C:\Users\user\Desktop\uOCavrYu1y.exe

Code function: 0_2_00AFA06A GetLastError,FormatMessageW,

0_2_00AFA06A

Source: C:\Users\user\Desktop\uOCavrYu1y.exe	Code function: 0_2_00AE81CB AdjustTokenPrivileges,CloseHandle,		0_2_00AE81CB
Source: C:\Users\user\Desktop\uOCavrYu1y.exe	Code function: 0_2_00AE87E1 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_00AE87E1

Source: C:\Users\user\Desktop\uOCavrYu1y.exe

Code function: 0_2_00AFB3FB SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_00AFB3FB

Source: C:\Users\user\Desktop\uOCavrYu1y.exe

Code function: 0_2_00B0EE0D CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_00B0EE0D

Source: C:\Users\user\Desktop\uOCavrYu1y.exe

Code function: 0_2_00B083BB CoInitialize,CoUninitialize,CoCreateInstance,IIDFromString,VariantInit,VariantClear,

0_2_00B083BB

Source: C:\Users\user\Desktop\uOCavrYu1y.exe

Code function: 0_2_00A94E89 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_00A94E89

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Mutant created: NULL

Source: C:\Users\user\Desktop\uOCavrYu1y.exe

File created: C:\Users\user\AppData\Local\Temp\aut10F5.tmp

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\uOCavrYu1y.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: RegSvcs.exe, 00000002.00000002.3401369142.0000000002719000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3401369142.000000000272B000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: uOCavrYu1y.exe	Virustotal: Detection: 78%
Source: uOCavrYu1y.exe	ReversingLabs: Detection: 65%

Source: unknown	Process created: C:\Users\user\Desktop\uOCavrYu1y.exe "C:\Users\user\Desktop\uOCavrYu1y.exe"
Source: C:\Users\user\Desktop\uOCavrYu1y.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\uOCavrYu1y.exe"
Source: C:\Users\user\Desktop\uOCavrYu1y.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\uOCavrYu1y.exe"	Jump to behavior

Source: C:\Users\user\Desktop\uOCavrYu1y.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\uOCavrYu1y.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\uOCavrYu1y.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\uOCavrYu1y.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\uOCavrYu1y.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\uOCavrYu1y.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\uOCavrYu1y.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\uOCavrYu1y.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\uOCavrYu1y.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\uOCavrYu1y.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\uOCavrYu1y.exe	Section loaded: wldp.dll	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles

Jump to behavior

Source:	Binary string: wntdll.pdbUGP source: uOCavrYu1y.exe, 00000000.00000003.2165815098.0000000003870000.00000004.00001000.00020000.00000000.sdmp, uOCavrYu1y.exe, 00000000.00000003.2162638027.00000000036D0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: uOCavrYu1y.exe, 00000000.00000003.2165815098.0000000003870000.00000004.00001000.00020000.00000000.sdmp, uOCavrYu1y.exe, 00000000.00000003.2162638027.00000000036D0000.00000004.00001000.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\uOCavrYu1y.exe

Code function: 0_2_00B989C0 EntryPoint,LoadLibraryA,GetProcAddress,ExitProcess,VirtualProtect,VirtualProtect,VirtualProtect,

0_2_00B989C0

Source: C:\Users\user\Desktop\uOCavrYu1y.exe	Code function: 0_2_00AB8945 push ecx; ret	0_2_00AB8958
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05CBB5AF push 3805CDDAh; retf	2_2_05CBB5D5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05CBF771 push cs; iretd	2_2_05CBF772
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05CBF6D1 push cs; iretd	2_2_05CBF6D2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05CBF6A1 push cs; iretd	2_2_05CBF6A2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05CB1FF7 push esi; retf	2_2_05CB2002
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05CBFF18 push ss; iretd	2_2_05CBFF1A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05CBFEAB push ss; iretd	2_2_05CBFEB2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05CBFEA8 push ss; iretd	2_2_05CBFEAA

Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1

Source: C:\Users\user\Desktop\uOCavrYu1y.exe	Code function: 0_2_00A948D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_00A948D7
Source: C:\Users\user\Desktop\uOCavrYu1y.exe	Code function: 0_2_00B15376 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_00B15376

Source: C:\Users\user\Desktop\uOCavrYu1y.exe

Code function: 0_2_00AB3187 RtlEncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_00AB3187

Source: C:\Users\user\Desktop\uOCavrYu1y.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\uOCavrYu1y.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: uOCavrYu1y.exe PID: 5088, type: MEMORYSTR

Check if machine is in data center or colocation facility

Source: global traffic

HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\uOCavrYu1y.exe

API/Special instruction interceptor: Address: 3683214

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: uOCavrYu1y.exe, 00000000.00000002.2179718615.0000000003690000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3401369142.0000000002655000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3401369142.00000000026FB000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3400114367.0000000000602000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: SBIEDLL.DLL
Source: uOCavrYu1y.exe, 00000000.00000003.2152355578.0000000000CCD000.00000004.00000020.00020000.00000000.sdmp, uOCavrYu1y.exe, 00000000.00000003.2153734807.0000000000CCD000.00000004.00000020.00020000.00000000.sdmp, uOCavrYu1y.exe, 00000000.00000003.2153432583.0000000000CCD000.00000004.00000020.00020000.00000000.sdmp, uOCavrYu1y.exe, 00000000.00000003.2152750625.0000000000CCD000.00000004.00000020.00020000.00000000.sdmp, uOCavrYu1y.exe, 00000000.00000002.2178757415.0000000000CCD000.00000004.00000020.00020000.00000000.sdmp, uOCavrYu1y.exe, 00000000.00000003.2152306418.0000000000CCD000.00000004.00000020.00020000.00000000.sdmp, uOCavrYu1y.exe, 00000000.00000003.2155609997.0000000000CC5000.00000004.00000020.00020000.00000000.sdmp, uOCavrYu1y.exe, 00000000.00000003.2153357880.0000000000CCD000.00000004.00000020.00020000.00000000.sdmp, uOCavrYu1y.exe, 00000000.00000003.2176564300.0000000000CC6000.00000004.00000020.00020000.00000000.sdmp, uOCavrYu1y.exe, 00000000.00000003.2153816653.0000000000CCD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: FIDDLER.EXE^

Source: C:\Users\user\Desktop\uOCavrYu1y.exe

Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes

graph_0-107318

Source: C:\Users\user\Desktop\uOCavrYu1y.exe

API coverage: 4.7 %

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Source: C:\Users\user\Desktop\uOCavrYu1y.exe	Code function: 0_2_00AF445A GetFileAttributesW,FindFirstFileW,FindClose,	0_2_00AF445A
Source: C:\Users\user\Desktop\uOCavrYu1y.exe	Code function: 0_2_00AFC6D1 FindFirstFileW,FindClose,	0_2_00AFC6D1
Source: C:\Users\user\Desktop\uOCavrYu1y.exe	Code function: 0_2_00AFC75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_00AFC75C
Source: C:\Users\user\Desktop\uOCavrYu1y.exe	Code function: 0_2_00AFEF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00AFEF95
Source: C:\Users\user\Desktop\uOCavrYu1y.exe	Code function: 0_2_00AFF0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00AFF0F2
Source: C:\Users\user\Desktop\uOCavrYu1y.exe	Code function: 0_2_00AFF3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_00AFF3F3
Source: C:\Users\user\Desktop\uOCavrYu1y.exe	Code function: 0_2_00AF37EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00AF37EF
Source: C:\Users\user\Desktop\uOCavrYu1y.exe	Code function: 0_2_00AF3B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00AF3B12
Source: C:\Users\user\Desktop\uOCavrYu1y.exe	Code function: 0_2_00AFBCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_00AFBCBC

Source: C:\Users\user\Desktop\uOCavrYu1y.exe

Code function: 0_2_00A949A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00A949A0

Source: RegSvcs.exe, 00000002.00000002.3401369142.00000000026FB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware
Source: RegSvcs.exe, 00000002.00000002.3400114367.0000000000602000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: vmware
Source: RegSvcs.exe, 00000002.00000002.3400114367.0000000000602000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: VMwareVBoxESelect * from Win32_ComputerSystem
Source: RegSvcs.exe, 00000002.00000002.3402240113.00000000057F2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\uOCavrYu1y.exe	API call chain: ExitProcess graph end node			graph_0-104866
Source: C:\Users\user\Desktop\uOCavrYu1y.exe	API call chain: ExitProcess graph end node			graph_0-106691

Anti Debugging

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: 2_2_02437068 CheckRemoteDebuggerPresent,

2_2_02437068

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Process queried: DebugPort

Jump to behavior

Source: C:\Users\user\Desktop\uOCavrYu1y.exe

Code function: 0_2_00B03F09 BlockInput,

0_2_00B03F09

Source: C:\Users\user\Desktop\uOCavrYu1y.exe

Code function: 0_2_00A93B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00A93B3A

Source: C:\Users\user\Desktop\uOCavrYu1y.exe

Code function: 0_2_00AC5A7C RtlEncodePointer,RtlEncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,IsDebuggerPresent,OutputDebugStringW,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,

0_2_00AC5A7C

Source: C:\Users\user\Desktop\uOCavrYu1y.exe

Code function: 0_2_00B989C0 EntryPoint,LoadLibraryA,GetProcAddress,ExitProcess,VirtualProtect,VirtualProtect,VirtualProtect,

0_2_00B989C0

Source: C:\Users\user\Desktop\uOCavrYu1y.exe	Code function: 0_2_036834E0 mov eax, dword ptr fs:[00000030h]	0_2_036834E0
Source: C:\Users\user\Desktop\uOCavrYu1y.exe	Code function: 0_2_03683480 mov eax, dword ptr fs:[00000030h]	0_2_03683480
Source: C:\Users\user\Desktop\uOCavrYu1y.exe	Code function: 0_2_03681E70 mov eax, dword ptr fs:[00000030h]	0_2_03681E70

Source: C:\Users\user\Desktop\uOCavrYu1y.exe

Code function: 0_2_00AE80A9 GetTokenInformation,GetLastError,GetProcessHeap,RtlAllocateHeap,GetTokenInformation,

0_2_00AE80A9

Source: C:\Users\user\Desktop\uOCavrYu1y.exe	Code function: 0_2_00ABA124 SetUnhandledExceptionFilter,		0_2_00ABA124
Source: C:\Users\user\Desktop\uOCavrYu1y.exe	Code function: 0_2_00ABA155 SetUnhandledExceptionFilter,UnhandledExceptionFilter,		0_2_00ABA155

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\uOCavrYu1y.exe

Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and write

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\uOCavrYu1y.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 513008

Jump to behavior

Source: C:\Users\user\Desktop\uOCavrYu1y.exe

Code function: 0_2_00AE87B1 LogonUserW,

0_2_00AE87B1

Source: C:\Users\user\Desktop\uOCavrYu1y.exe

Code function: 0_2_00A93B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00A93B3A

Source: C:\Users\user\Desktop\uOCavrYu1y.exe

Code function: 0_2_00A948D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,

0_2_00A948D7

Source: C:\Users\user\Desktop\uOCavrYu1y.exe

Code function: 0_2_00AF4C27 mouse_event,

0_2_00AF4C27

Source: C:\Users\user\Desktop\uOCavrYu1y.exe

Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\uOCavrYu1y.exe"

Jump to behavior

Source: C:\Users\user\Desktop\uOCavrYu1y.exe

Code function: 0_2_00AE7CAF GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,RtlAllocateHeap,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,

0_2_00AE7CAF

Source: C:\Users\user\Desktop\uOCavrYu1y.exe

Code function: 0_2_00AE874B AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_00AE874B

Source: uOCavrYu1y.exe, 00000000.00000002.2177197772.0000000000B44000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: uOCavrYu1y.exe	Binary or memory string: Shell_TrayWnd

Source: C:\Users\user\Desktop\uOCavrYu1y.exe

Code function: 0_2_00AB862B cpuid

0_2_00AB862B

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\uOCavrYu1y.exe

Code function: 0_2_00AC4E87 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00AC4E87

Source: C:\Users\user\Desktop\uOCavrYu1y.exe

Code function: 0_2_00AD1E06 GetUserNameW,

0_2_00AD1E06

Source: C:\Users\user\Desktop\uOCavrYu1y.exe

Code function: 0_2_00AC3F3A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

0_2_00AC3F3A

Source: C:\Users\user\Desktop\uOCavrYu1y.exe

Code function: 0_2_00A949A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00A949A0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected AgentTesla

Source: Yara match	File source: 0.2.uOCavrYu1y.exe.3690000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.uOCavrYu1y.exe.3690000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.600000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2179718615.0000000003690000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3400114367.0000000000602000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: uOCavrYu1y.exe PID: 5088, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 4304, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior

Source: uOCavrYu1y.exe	Binary or memory string: WIN_81
Source: uOCavrYu1y.exe	Binary or memory string: WIN_XP
Source: uOCavrYu1y.exe	Binary or memory string: WIN_XPe
Source: uOCavrYu1y.exe	Binary or memory string: WIN_VISTA
Source: uOCavrYu1y.exe	Binary or memory string: WIN_7
Source: uOCavrYu1y.exe	Binary or memory string: WIN_8
Source: uOCavrYu1y.exe, 00000000.00000002.2177197772.0000000000B44000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 0USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte

Source: Yara match	File source: 0.2.uOCavrYu1y.exe.3690000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.uOCavrYu1y.exe.3690000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.600000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2179718615.0000000003690000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3401369142.0000000002655000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3400114367.0000000000602000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: uOCavrYu1y.exe PID: 5088, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 4304, type: MEMORYSTR

Remote Access Functionality

Yara detected AgentTesla

Source: Yara match	File source: 0.2.uOCavrYu1y.exe.3690000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.uOCavrYu1y.exe.3690000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.600000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2179718615.0000000003690000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3400114367.0000000000602000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: uOCavrYu1y.exe PID: 5088, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 4304, type: MEMORYSTR

Source: C:\Users\user\Desktop\uOCavrYu1y.exe	Code function: 0_2_00B06283 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,		0_2_00B06283
Source: C:\Users\user\Desktop\uOCavrYu1y.exe	Code function: 0_2_00B06747 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		0_2_00B06747

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	221 Windows Management Instrumentation	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	11 Disable or Modify Tools	1 OS Credential Dumping	2 System Time Discovery	Remote Services	1 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	2 Native API	2 Valid Accounts	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	21 Input Capture	1 Account Discovery	Remote Desktop Protocol	1 Data from Local System	1 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	2 Valid Accounts	21 Obfuscated Files or Information	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	1 Email Collection	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	21 Access Token Manipulation	1 Software Packing	NTDS	138 System Information Discovery	Distributed Component Object Model	21 Input Capture	2 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	212 Process Injection	1 DLL Side-Loading	LSA Secrets	651 Security Software Discovery	SSH	3 Clipboard Data	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	2 Valid Accounts	Cached Domain Credentials	22 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	22 Virtualization/Sandbox Evasion	DCSync	2 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	21 Access Token Manipulation	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	212 Process Injection	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	Dynamic API Resolution	Network Sniffing	1 System Network Configuration Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
uOCavrYu1y.exe	79%	Virustotal		Browse
uOCavrYu1y.exe	66%	ReversingLabs	Win32.Trojan.AutoitInject
uOCavrYu1y.exe	100%	Joe Sandbox ML

Name	IP	Active	Malicious	Antivirus Detection	Reputation
ip-api.com	208.95.112.1	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://ip-api.com/line/?fields=hosting	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
https://account.dyn.com/	uOCavrYu1y.exe, 00000000.00000002.2179718615.0000000003690000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3400114367.0000000000602000.00000040.80000000.00040000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	RegSvcs.exe, 00000002.00000002.3401369142.0000000002621000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3401369142.00000000026E0000.00000004.00000800.00020000.00000000.sdmp	false	high
http://ip-api.com/line/?fields=hostingk#k	RegSvcs.exe, 00000002.00000002.3400434024.00000000009A4000.00000004.00000020.00020000.00000000.sdmp	false	high
http://ip-api.com	RegSvcs.exe, 00000002.00000002.3401369142.0000000002621000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3401369142.00000000026FB000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3401369142.00000000026E0000.00000004.00000800.00020000.00000000.sdmp	false	high
http://ip-api.com/line/?fields=hosting~#	RegSvcs.exe, 00000002.00000002.3400434024.00000000009A4000.00000004.00000020.00020000.00000000.sdmp	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
208.95.112.1	ip-api.com	United States		53334	TUT-ASUS	false

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1587805
Start date and time:	2025-01-10 18:09:36 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 45s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	5
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	uOCavrYu1y.exe renamed because original name is a hash value
Original Sample Name:	7dd88bb379949c90207a5d476d7318ba98ccb6cb7853409c6d323febd28d318d.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@3/4@1/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 59 Number of non-executed functions: 277
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded IPs from analysis (whitelisted): 13.107.246.45, 52.149.20.212
Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtQueryValueKey calls found.

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
208.95.112.1	XoRPyi5s1i.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	NX8j2O83Wu.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	7569qiv4L2.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	hCkkM0lH0P.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	sDflTDPSLw.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	2HCwqwLg1G.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	CdbVaYf8jC.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	H9YFiQB7o3.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	lFlw40OH6u.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	Pago devuelto #.Documentos#9787565789678675645767856843.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ip-api.com	XoRPyi5s1i.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	NX8j2O83Wu.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	7569qiv4L2.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	hCkkM0lH0P.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	sDflTDPSLw.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	2HCwqwLg1G.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	CdbVaYf8jC.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	H9YFiQB7o3.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	lFlw40OH6u.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	Pago devuelto #.Documentos#9787565789678675645767856843.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
TUT-ASUS	XoRPyi5s1i.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	NX8j2O83Wu.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	7569qiv4L2.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	hCkkM0lH0P.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	sDflTDPSLw.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	2HCwqwLg1G.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	CdbVaYf8jC.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	H9YFiQB7o3.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	lFlw40OH6u.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	Pago devuelto #.Documentos#9787565789678675645767856843.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1

Process:	C:\Users\user\Desktop\uOCavrYu1y.exe
File Type:	data
Category:	dropped
Size (bytes):	145778
Entropy (8bit):	7.743783484328225
Encrypted:	false
SSDEEP:	3072:d7SluJ2x+0K+PQDf+s0fUk5EZMb8KvAi51KSze5h3d3aQgjAaYpCXgkVU:d2UZ0mfqfUk54K951KikZgjAaYKgR
MD5:	EBB2252F43E163F6ED5E728DAEFA9B70
SHA1:	037F0BC820A5F09389F275601E57817F07AB1DED
SHA-256:	8B2AC072F9543C19574F38F9AAB76ABEC30C0A1F679013C513395326D9F56A1A
SHA-512:	D43DE6EE2E35A02483296CFBF52A7B8876B5EA9B96105630763E64D9667322D5EA7F8C46E4BF9DCDB10DADC5D2785DB57AA1A224D3191E17FEDDDCEA95E5C2A1
Malicious:	false
Reputation:	low
Preview:	EA06.....E.T."k0...3...cL..T......(t..2..!.x......+.?E.m...m.....n..'.....'.P...NE!.....-:.W...B...['.9..1E.N.`....jT..&m0..w.P..u..y...R.P..eF....".0.....eD.@..).p...1.U@$3K....M.R.(1A..y5.e..6...4.......0..i8:.6.. ..S.-(...Sg@ .P....@R..;G..!`........%.h.....Z...=c..e....U..!4 ..^. R........R&....y\.K&4....1.S....d...@...p.........8..4.Az..o..4.S....>cJ.....3L.~.._.....Y.R.G........+..m...t.C.w...t.......I....c.PoF..F.j?....T......kaw..4.=.w~...r.6....^(.8&..?..>.........6W..\v.....;..y}).{.2...uy.....2Yu.K.j)....o..y.{n..i....s.u.!.z;.......{........`.0....`B...`..?..)........" ....@.........A.d.?..;2Y..Z.!^....&E....z..3..O.2{\......H7.%0........}..4....Gy..".)...i..)UjD.1...U{..m....................D&.I...9S.......i....mH..9...:..ki.nF.a...R.TFq>.H%.Y=f...l.x.Fy#..p1F........A.R..:}.....,..#YX.0&S..faG...7...=M.Q.3KOvg2.STz\.....dt:\|.S.U..jD...M...:..L..g.....2.L........Mf.P1..O.V...&.ob..'.z.....Tb`..{.1..n4....Q.T).......F.5.-..L.R.1y

C:\Users\user\AppData\Local\Temp\aut1154.tmp

Download File

Process:	C:\Users\user\Desktop\uOCavrYu1y.exe
File Type:	data
Category:	dropped
Size (bytes):	9746
Entropy (8bit):	7.623388652781833
Encrypted:	false
SSDEEP:	192:EndJI2/lyEAZDgmFVZYQl/sumysD8X7WYkS/9hkOSAGfMFTyvcvl:EnPZNyVDgaLEPD86ZSVhmBayvm
MD5:	52DF0C5F3F41ED1C446B3D6A65D1A573
SHA1:	F4D751FB875BEF97C0EA570D60111E839A93C525
SHA-256:	76D473C11AF81126FC6F199CF8831DE5597B4799E5141374A55158C78CC1ED10
SHA-512:	F336B9B03BCB2A697F07CA67AA8F0B8999FC3AE8466C7A9546940B8274DE7C6F0DD2866455C36256589B330CF780C61D95D1E935B3DF3C812B316DE44E395E6B
Malicious:	false
Reputation:	low
Preview:	EA06..p..L..Y..p...o3i...f.NfVk%..1..@.I..m8..f.0..c1...3...s5...`...@.K..f.%...r.lY........d...@.o..c..&...Lls....f.Y...b..-vm6.M@......7.l,........X..K ........g6Y......l..].M..p...9\|....r.1..... ..$h.c.....#@...H,....`..m1.H.f.0...<zm6....!:.B...S..n..Y..s8.t.,.0....5....p....9.... ....d....`....1.....0..Y......./Z..-zu6...js8...zn........V)...#...Nf...N.^.:.....8.:..w.......8...}3.#..qd...g.`./....J.v.6.X.{......)....b..g.....`.Y..`...&.......x...u\| ......l`=.%.f....f.9...,sp./..9....`..%.......;$..#..l.0./.m6.M@4.;$..K..4\|.K..g.d....d.Nf.y....x.g.{ ..d..gSi...@}.<..3.....33+..uf..g6PC`..s....f.,..j........Y.......Y.,.r.Y. .f.e...8...@.2....;2.X.b..Lg@...... ....38...[........9e..,vf.....k3........#.0.....3b.Y.6pj.....Bvh.....@R...o9.4@9..NM..;4.X.n.:M.@..........c.P....3)..f.... ......8.a...g...B)..'f......j.b.X.@..u6..Bvl......).;...N@.;7.X...Cv0}.....g <..L..8.....g..@.@....`...f..!..Lf....l....B;8.X...c3.%..:...!...Gg ....,d..Yg..........c.....

C:\Users\user\AppData\Local\Temp\dews

Download File

Process:	C:\Users\user\Desktop\uOCavrYu1y.exe
File Type:	ASCII text, with very long lines (28696), with no line terminators
Category:	dropped
Size (bytes):	28696
Entropy (8bit):	3.578385471745518
Encrypted:	false
SSDEEP:	192:GIU0YzxURqp0m5Y+25yeDE49yry+a9ydKKqQl8Ep1zMHPLD1LXVBvbcENwwZUU1s:fYzxrp0FwaI4EYVLXDXZZRdDZ8d4509
MD5:	94BBDD15E8682D8B44EB09A6C71EF84C
SHA1:	093924580CFA6ACC343039AA7779A56EBFD9AAAA
SHA-256:	6513C00568442A6F80DFB0A2EA2D1A9B9695CE924D9DBB4499673A97786B3DEB
SHA-512:	82C86FD4B1F72F5D8268E79E2D15F630440245507C2AD02A38BEA2DA1EBAC4DF558931969C5443B4F2EA827C70F6474A2B39F231EB57EF51420EBBC82C165B92
Malicious:	false
Reputation:	low
Preview:	625522888881y669cfd92fddd1311116768c97c111111779:5695c:76111111779:5e97cb83111111779:6699c97f111111779:569bc:76111111779:5e9dcb7d111111779:669fc944111111779:56:1c:43111111779:5e:3cb3f111111779:66:5c975111111779:56:7c:7d111111779:5e:9cb7d111111779:66:b44d1779:56:dc:7f111111779:9e55ggggggcb85111111779::657ggggggc975111111779:9659ggggggc:7d111111779:9e5bggggggcb7d111111779::65dggggggc93f111111779:965fggggggc:75111111779:9e61ggggggcb7d111111779::663ggggggc97d111111779:9665gggggg44d:779:9e67ggggggcb86111111779:66e1c984111111779:56e3c:76111111779:5ee5cb83111111779:66e7c944111111779:56e9c:43111111779:5eebcb3f111111779:66edc975111111779:56efc:7d111111779:5ef1cb7d111111779:66f344d1779:56f5c:72111111779:9e79ggggggcb75111111779::67bggggggc987111111779:967dggggggc:72111111779:9e7fggggggcb81111111779::681ggggggc97:111111779:9683ggggggc:44111111779:9e85ggggggcb43111111779::687ggggggc93f111111779:9689ggggggc:75111111779:9e8bggggggcb7d111111779::68dggggggc97d111111779:968fgggggg44d:779:5e91cb841111117

C:\Users\user\AppData\Local\Temp\savager

Download File

Process:	C:\Users\user\Desktop\uOCavrYu1y.exe
File Type:	data
Category:	dropped
Size (bytes):	244224
Entropy (8bit):	6.616525222907074
Encrypted:	false
SSDEEP:	6144:oRQZaeR1kLHrln/makr1m7KPC+pLWeHnpHIZgx:oRIaeYLHriUKPCOZpoZgx
MD5:	7CA597B9B54DD1F10415A926448A28F8
SHA1:	D4AFF9DF2DFE8E46AD5537C330BF692698E73873
SHA-256:	7A7FC7743F2ED9D5896D269053AA8D6A48ED2DB9388479DC4699027F2C519BC2
SHA-512:	C58801697BC75CB9465B8D4281E5E2ACE9E88597406C6C01E92EB2A58BB159F9976C3521BFEC65433D7528A010D769FB036C8CC967EAB30843FE57E28D913384
Malicious:	false
Reputation:	low
Preview:	...M5H50KGY0..1L.LRM6H50.GY0CO1LQLRM6H50OGY0CO1LQLRM6H50OGY0.O1L_S.C6.<.n.X\|.ne$8?r=D'RB.yS"!_#%l0(.:@^o.7...bl<#6(.E8:kGY0CO1L..RMzI60...UCO1LQLRM.H71DFR0C.2LQDRM6H50!.Z0Co1LQ.QM6Hu0OgY0CM1LULRM6H50KGY0CO1LQlVM6J50OGY0AOq.QLBM6X50OGI0C_1LQLRM&H50OGY0CO1LI.QMeH50O.Z0.J1LQLRM6H50OGY0CO1LQLVM:H50OGY0CO1LQLRM6H50OGY0CO1LQLRM6H50OGY0CO1LQLRM6H50OgY0KO1LQLRM6H50GgY0.O1LQLRM6H50a3<H7O1L%.QM6h50O.Z0CM1LQLRM6H50OGY0cO1,.>!?UH50.BY0C.2LQJRM6.60OGY0CO1LQLRMvH5pa5<\,,1L]LRM6H10OEY0C.2LQLRM6H50OGY0.O1.QLRM6H50OGY0CO1L..QM6H50.GY0AO4L..PM.}40LGY0BO1JQLRM6H50OGY0CO1LQLRM6H50OGY0CO1LQLRM6H50OGY0CO1LL.....}..:g:!H.j.+.N..&..>..L.$.X.}.8.....d:7..L.B...F...:.DT5S.....w'RAM'b;~C3.+.l.zxD...J?.(..K..)_..f...jq..y?;....;..2#?cW8E\i.Q%.C%.N.L6H50........84...K:.{U!f...e^.....1GY0'O1L#LRMWH50.GY0,O1L?LRMHH501GY0.O1L.LRM.H50jGY0.O1LuLRMHH50.:V?...%".M6H50z....".....z....>.'k!w.(....0c.H1.4.}...\..#y.X.26`.iKPJVH4O13CzW{...mSHVH4O13CzW{...m.j....>....5.0QLRM6H.0O.Y0C.L.LRM.H.0..Y0C..L.L.M..0

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Entropy (8bit):	7.921841957003964
TrID:	Win32 Executable (generic) a (10002005/4) 99.39% UPX compressed Win32 Executable (30571/9) 0.30% Win32 EXE Yoda's Crypter (26571/9) 0.26% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02%
File name:	uOCavrYu1y.exe
File size:	551'936 bytes
MD5:	be37ea5702226bf6ed17a5031c2d75d0
SHA1:	c398fd238eb4c706ea7aff5c24cc0eaf93bcf077
SHA256:	7dd88bb379949c90207a5d476d7318ba98ccb6cb7853409c6d323febd28d318d
SHA512:	dbccef3070c62d1fa2fad4f81e1a8cf8d8a86e3a3e4b81a7dffa928110f7d2f1dc426141c28a52be70a0beaaed1d9d8cfc0079294fc85b06089d0c5e584e8906
SSDEEP:	12288:LquErHF6xC9D6DmR1J98w4oknqOOCyQfDp0ZOJovZNf9t7:Srl6kD68JmlotQfaZz7f7
TLSH:	F4C412894D85D862D6286776C079CC981A767872CD88776EC728F55FFC30387A81EB2C
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......6...r}..r}..r}..4,".p}......s}.../..A}.../#..}.../".G}..{.@.{}..{.P.W}..r}..R.....)."}......s}.../..s}..r}T.s}......s}..Richr}.

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x5089c0
Entrypoint Section:	UPX1
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x67655EAD [Fri Dec 20 12:10:21 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	fc6683d30d9f25244a50fd5357825e79

Entrypoint Preview

Instruction
pushad
mov esi, 004B3000h
lea edi, dword ptr [esi-000B2000h]
push edi
jmp 00007F3C34C004EDh
nop
mov al, byte ptr [esi]
inc esi
mov byte ptr [edi], al
inc edi
add ebx, ebx
jne 00007F3C34C004E9h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
jc 00007F3C34C004CFh
mov eax, 00000001h
add ebx, ebx
jne 00007F3C34C004E9h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
adc eax, eax
add ebx, ebx
jnc 00007F3C34C004EDh
jne 00007F3C34C0050Ah
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
jc 00007F3C34C00501h
dec eax
add ebx, ebx
jne 00007F3C34C004E9h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
adc eax, eax
jmp 00007F3C34C004B6h
add ebx, ebx
jne 00007F3C34C004E9h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
adc ecx, ecx
jmp 00007F3C34C00534h
xor ecx, ecx
sub eax, 03h
jc 00007F3C34C004F3h
shl eax, 08h
mov al, byte ptr [esi]
inc esi
xor eax, FFFFFFFFh
je 00007F3C34C00557h
sar eax, 1
mov ebp, eax
jmp 00007F3C34C004EDh
add ebx, ebx
jne 00007F3C34C004E9h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
jc 00007F3C34C004AEh
inc ecx
add ebx, ebx
jne 00007F3C34C004E9h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
jc 00007F3C34C004A0h
add ebx, ebx
jne 00007F3C34C004E9h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
adc ecx, ecx
add ebx, ebx
jnc 00007F3C34C004D1h
jne 00007F3C34C004EBh
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
jnc 00007F3C34C004C6h
add ecx, 02h
cmp ebp, FFFFFB00h
adc ecx, 02h
lea edx, dword ptr [edi+ebp]
cmp ebp, FFFFFFFCh
jbe 00007F3C34C004F0h
mov al, byte ptr [edx]

Rich Headers

Programming Language:

[ASM] VS2013 build 21005
[ C ] VS2013 build 21005
[C++] VS2013 build 21005
[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729
[ASM] VS2013 UPD4 build 31101
[RES] VS2013 build 21005
[LNK] VS2013 UPD4 build 31101

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x13961c	0x424	.rsrc
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x109000	0x3061c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x139a40	0xc	.rsrc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x108ba4	0x48	UPX1
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
UPX0	0x1000	0xb2000	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
UPX1	0xb3000	0x56000	0x55c00	584e3129925ba56e8c320bdfb53e420e	False	0.9884349945335277	data	7.936841013942489	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x109000	0x31000	0x30c00	03b2ad3bd065a400a6b236067fa7be2b	False	0.8944661458333333	data	7.815697256785348	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x1095ac	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0x1096d8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0x109804	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0x109930	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0x109c1c	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0x109d48	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0x10abf4	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0x10b4a0	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0x10ba0c	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0x10dfb8	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0x10f064	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_MENU	0xcd4a0	0x50	data	English	Great Britain	1.1375
RT_STRING	0xcd4f0	0x594	data	English	Great Britain	1.007703081232493
RT_STRING	0xcda84	0x68a	data	English	Great Britain	1.0065710872162486
RT_STRING	0xce110	0x490	data	English	Great Britain	1.009417808219178
RT_STRING	0xce5a0	0x5fc	data	English	Great Britain	1.0071801566579635
RT_STRING	0xceb9c	0x65c	data	English	Great Britain	1.0067567567567568
RT_STRING	0xcf1f8	0x466	data	English	Great Britain	1.0097690941385435
RT_STRING	0xcf660	0x158	data	English	Great Britain	1.0319767441860466
RT_RCDATA	0x10f4d0	0x29bb2	data			1.0003568712338384
RT_GROUP_ICON	0x139088	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0x139104	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0x13911c	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0x139134	0x14	data	English	Great Britain	1.25
RT_VERSION	0x13914c	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0x13922c	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
KERNEL32.DLL	LoadLibraryA, GetProcAddress, VirtualProtect, VirtualAlloc, VirtualFree, ExitProcess
ADVAPI32.dll	GetAce
COMCTL32.dll	ImageList_Remove
COMDLG32.dll	GetOpenFileNameW
GDI32.dll	LineTo
IPHLPAPI.DLL	IcmpSendEcho
MPR.dll	WNetUseConnectionW
ole32.dll	CoGetObject
OLEAUT32.dll	VariantInit
PSAPI.DLL	GetProcessMemoryInfo
SHELL32.dll	DragFinish
USER32.dll	GetDC
USERENV.dll	LoadUserProfileW
UxTheme.dll	IsThemeActive
VERSION.dll	VerQueryValueW
WININET.dll	FtpOpenFileW
WINMM.dll	timeGetTime
WSOCK32.dll	connect

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 10, 2025 18:10:35.860451937 CET	49710	80	192.168.2.6	208.95.112.1
Jan 10, 2025 18:10:35.865371943 CET	80	49710	208.95.112.1	192.168.2.6
Jan 10, 2025 18:10:35.865454912 CET	49710	80	192.168.2.6	208.95.112.1
Jan 10, 2025 18:10:35.896445036 CET	49710	80	192.168.2.6	208.95.112.1
Jan 10, 2025 18:10:35.901381969 CET	80	49710	208.95.112.1	192.168.2.6
Jan 10, 2025 18:10:36.329173088 CET	80	49710	208.95.112.1	192.168.2.6
Jan 10, 2025 18:10:36.377748013 CET	49710	80	192.168.2.6	208.95.112.1
Jan 10, 2025 18:10:51.181996107 CET	50169	53	192.168.2.6	1.1.1.1
Jan 10, 2025 18:10:51.186851025 CET	53	50169	1.1.1.1	192.168.2.6
Jan 10, 2025 18:10:51.186919928 CET	50169	53	192.168.2.6	1.1.1.1
Jan 10, 2025 18:10:51.191814899 CET	53	50169	1.1.1.1	192.168.2.6
Jan 10, 2025 18:10:51.660765886 CET	50169	53	192.168.2.6	1.1.1.1
Jan 10, 2025 18:10:51.666090012 CET	53	50169	1.1.1.1	192.168.2.6
Jan 10, 2025 18:10:51.666223049 CET	50169	53	192.168.2.6	1.1.1.1
Jan 10, 2025 18:11:24.645874977 CET	80	49710	208.95.112.1	192.168.2.6
Jan 10, 2025 18:11:24.645922899 CET	49710	80	192.168.2.6	208.95.112.1
Jan 10, 2025 18:12:16.368067980 CET	49710	80	192.168.2.6	208.95.112.1
Jan 10, 2025 18:12:16.373069048 CET	80	49710	208.95.112.1	192.168.2.6

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 10, 2025 18:10:35.846036911 CET	62081	53	192.168.2.6	1.1.1.1
Jan 10, 2025 18:10:35.853756905 CET	53	62081	1.1.1.1	192.168.2.6
Jan 10, 2025 18:10:51.181595087 CET	53	56959	1.1.1.1	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 10, 2025 18:10:35.846036911 CET	192.168.2.6	1.1.1.1	0x95da	Standard query (0)	ip-api.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 10, 2025 18:10:35.853756905 CET	1.1.1.1	192.168.2.6	0x95da	No error (0)	ip-api.com		208.95.112.1	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

ip-api.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.6	49710	208.95.112.1	80	4304	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 18:10:35.896445036 CET	80	OUT	GET /line/?fields=hosting HTTP/1.1 Host: ip-api.com Connection: Keep-Alive
Jan 10, 2025 18:10:36.329173088 CET	175	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 17:10:35 GMT Content-Type: text/plain; charset=utf-8 Content-Length: 6 Access-Control-Allow-Origin: * X-Ttl: 60 X-Rl: 44 Data Raw: 66 61 6c 73 65 0a Data Ascii: false

Target ID:	0
Start time:	12:10:32
Start date:	10/01/2025
Path:	C:\Users\user\Desktop\uOCavrYu1y.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\uOCavrYu1y.exe"
Imagebase:	0xa90000
File size:	551'936 bytes
MD5 hash:	BE37EA5702226BF6ED17A5031C2D75D0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.2179718615.0000000003690000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: 00000000.00000002.2179718615.0000000003690000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.2179718615.0000000003690000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID, Description: Detects executables referencing Windows vault credential objects. Observed in infostealers, Source: 00000000.00000002.2179718615.0000000003690000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen Rule: MALWARE_Win_AgentTeslaV2, Description: AgenetTesla Type 2 Keylogger payload, Source: 00000000.00000002.2179718615.0000000003690000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	12:10:33
Start date:	10/01/2025
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\uOCavrYu1y.exe"
Imagebase:	0x200000
File size:	45'984 bytes
MD5 hash:	9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.3401369142.0000000002655000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.3400114367.0000000000602000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.3400114367.0000000000602000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	3.7%
Dynamic/Decrypted Code Coverage:	1.3%
Signature Coverage:	6.8%
Total number of Nodes:	2000
Total number of Limit Nodes:	46

Executed Functions

Function 00A93B3A Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 153
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00A93B68
IsDebuggerPresent.KERNEL32 ref: 00A93B7A
GetFullPathNameW.KERNEL32(00007FFF,?,?,00B552F8,00B552E0,?,?), ref: 00A93BEB

Part of subcall function 00A97BCC: _memmove.LIBCMT ref: 00A97C06

Part of subcall function 00AA092D: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00A93C14,00B552F8,?,?,?), ref: 00AA096E

SetCurrentDirectoryW.KERNEL32(?), ref: 00A93C6F
MessageBoxA.USER32(00000000,This is a third-party compiled AutoIt script.,00B47770,00000010), ref: 00ACD281
SetCurrentDirectoryW.KERNEL32(?,00B552F8,?,?,?), ref: 00ACD2B9
GetForegroundWindow.USER32(runas,?,?,?,00000001,?,00B44260,00B552F8,?,?,?), ref: 00ACD33F
ShellExecuteW.SHELL32(00000000,?,?), ref: 00ACD346

Part of subcall function 00A93A46: GetSysColorBrush.USER32(0000000F), ref: 00A93A50
Part of subcall function 00A93A46: LoadCursorW.USER32(00000000,00007F00), ref: 00A93A5F
Part of subcall function 00A93A46: LoadIconW.USER32(00000063), ref: 00A93A76
Part of subcall function 00A93A46: LoadIconW.USER32(000000A4), ref: 00A93A88
Part of subcall function 00A93A46: LoadIconW.USER32(000000A2), ref: 00A93A9A
Part of subcall function 00A93A46: LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00A93AC0
Part of subcall function 00A93A46: RegisterClassExW.USER32(?), ref: 00A93B16

Part of subcall function 00A939D5: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00A93A03
Part of subcall function 00A939D5: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00A93A24
Part of subcall function 00A939D5: ShowWindow.USER32(00000000,?,?), ref: 00A93A38
Part of subcall function 00A939D5: ShowWindow.USER32(00000000,?,?), ref: 00A93A41

Part of subcall function 00A9434A: _memset.LIBCMT ref: 00A94370
Part of subcall function 00A9434A: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00A94415

Strings

runas, xrefs: 00ACD33A
This is a third-party compiled AutoIt script., xrefs: 00ACD279

Memory Dump Source

Source File: 00000000.00000002.2177197772.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true

Associated: 00000000.00000002.2177164617.0000000000A90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177927609.0000000000B98000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178101088.0000000000B99000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_uOCavrYu1y.jbxd

Similarity

API ID: LoadWindow$Icon$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__memmove_memset
String ID: This is a third-party compiled AutoIt script.$runas
API String ID: 529118366-3287110873
Opcode ID: 1170e20327682cc8c97ddc5b6040a710edf545ee3806e07071406d7c21367143
Instruction ID: ce50fc6822f324df07dec887966036ffb41bc1251de28c220c16701a7c3ca4e9
Opcode Fuzzy Hash: 1170e20327682cc8c97ddc5b6040a710edf545ee3806e07071406d7c21367143
Instruction Fuzzy Hash: 9D51E471A04649AACF11EBB4DD16FFD7BF8AF09702F4040E9F411A71A1DE715A49CB21

Function 00A93633 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 151
timewindowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtdllDefWindowProc_W.NTDLL(?,?,?,?), ref: 00A936D2
KillTimer.USER32(?,00000001), ref: 00A936FC
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00A9371F
RegisterClipboardFormatW.USER32(TaskbarCreated), ref: 00A9372A
CreatePopupMenu.USER32 ref: 00A9373E
PostQuitMessage.USER32(00000000), ref: 00A9374D

Strings

TaskbarCreated, xrefs: 00A93725

Memory Dump Source

Source File: 00000000.00000002.2177197772.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true

Associated: 00000000.00000002.2177164617.0000000000A90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177927609.0000000000B98000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178101088.0000000000B99000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_uOCavrYu1y.jbxd

Similarity

API ID: Timer$ClipboardCreateFormatKillMenuMessageNtdllPopupPostProc_QuitRegisterWindow
String ID: TaskbarCreated
API String ID: 157504867-2362178303
Opcode ID: 80e111d9caf80a2ce3d843e9cc2bb48c80a3fb3b9851dc60c1e5a2a851570b03
Instruction ID: afe0a87a9b8974862d112ea67cc7d70bdee6f15a7818a6a5b94643ae9f9479b2
Opcode Fuzzy Hash: 80e111d9caf80a2ce3d843e9cc2bb48c80a3fb3b9851dc60c1e5a2a851570b03
Instruction Fuzzy Hash: 9F4126B3300605BBDF209FA8DD59BBA37F4EB05302F540169FB02972E1DE619E459762

Function 00A949A0 Relevance: 10.7, APIs: 7, Instructions: 223
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 00A949CD

Part of subcall function 00A97BCC: _memmove.LIBCMT ref: 00A97C06

GetCurrentProcess.KERNEL32(?,00B1FAEC,00000000,00000000,?), ref: 00A94A9A
IsWow64Process.KERNEL32(00000000), ref: 00A94AA1
GetNativeSystemInfo.KERNELBASE(00000000), ref: 00A94AE7
FreeLibrary.KERNEL32(00000000), ref: 00A94AF2
GetSystemInfo.KERNEL32(00000000), ref: 00A94B23
GetSystemInfo.KERNEL32(00000000), ref: 00A94B2F

Memory Dump Source

Source File: 00000000.00000002.2177197772.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true

Associated: 00000000.00000002.2177164617.0000000000A90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177927609.0000000000B98000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178101088.0000000000B99000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_uOCavrYu1y.jbxd

Similarity

API ID: InfoSystem$Process$CurrentFreeLibraryNativeVersionWow64_memmove
String ID:
API String ID: 1986165174-0
Opcode ID: d38df35ea18602228e4e61cae7e127e78d07ae29a2017a4bd1e303b50fb11b0a
Instruction ID: 029ca7f843f18a23055143638b851227c73145a2d32546611d92d5b732902705
Opcode Fuzzy Hash: d38df35ea18602228e4e61cae7e127e78d07ae29a2017a4bd1e303b50fb11b0a
Instruction Fuzzy Hash: FE91C631A897C1DECB31DB788550AAAFFF5AF2E300B4449ADD0CB93A41D630A509C769

Function 00A94E89 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 00A94E99
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00A94D8E,?,?,00000000,00000000), ref: 00A94EB0
LoadResource.KERNEL32(?,00000000,?,?,00A94D8E,?,?,00000000,00000000,?,?,?,?,?,?,00A94E2F), ref: 00ACD937
SizeofResource.KERNEL32(?,00000000,?,?,00A94D8E,?,?,00000000,00000000,?,?,?,?,?,?,00A94E2F), ref: 00ACD94C
LockResource.KERNEL32(00A94D8E,?,?,00A94D8E,?,?,00000000,00000000,?,?,?,?,?,?,00A94E2F,00000000), ref: 00ACD95F

Strings

SCRIPT, xrefs: 00A94EA6

Memory Dump Source

Source File: 00000000.00000002.2177197772.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true

Associated: 00000000.00000002.2177164617.0000000000A90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177927609.0000000000B98000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178101088.0000000000B99000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_uOCavrYu1y.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: 48d7f975022bcb6452d112a8763a0d76f48da68557edfb3f83377dd4345d91be
Instruction ID: 12823ba753df2796f62a554a860e4505b4b64b3fc9d01defed31deab2eb50212
Opcode Fuzzy Hash: 48d7f975022bcb6452d112a8763a0d76f48da68557edfb3f83377dd4345d91be
Instruction Fuzzy Hash: C9111C75244701ABDB218B65EC48FA77BBAEBC9B55F208268F40596260DB71EC01C660

Function 00B989C0 Relevance: 7.7, APIs: 5, Instructions: 206
librarymemoryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32(?), ref: 00B98AFA
GetProcAddress.KERNEL32(?,00B91FF9), ref: 00B98B18
ExitProcess.KERNEL32(?,00B91FF9), ref: 00B98B29
VirtualProtect.KERNELBASE(00A90000,00001000,00000004,?,00000000), ref: 00B98B77
VirtualProtect.KERNELBASE(00A90000,00001000), ref: 00B98B8C

Memory Dump Source

Source File: 00000000.00000002.2177927609.0000000000B98000.00000080.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true

Associated: 00000000.00000002.2177164617.0000000000A90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000A91000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178101088.0000000000B99000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_uOCavrYu1y.jbxd

Similarity

API ID: ProtectVirtual$AddressExitLibraryLoadProcProcess
String ID:
API String ID: 1996367037-0
Opcode ID: ef7908e473b318f07746c9270bc2a2b508fc49b775a785d9eacc27ba32ed99d4
Instruction ID: 11d9f69de865b3f2b2466bd43555c1ebd8d6e522237773898cd7d71c14623e24
Opcode Fuzzy Hash: ef7908e473b318f07746c9270bc2a2b508fc49b775a785d9eacc27ba32ed99d4
Instruction Fuzzy Hash: D25107B2A453524BDF218AB8DCC067577D5EB5332072C07BAD5E6C73C6EFA4580687A0

Function 00AF445A Relevance: 4.5, APIs: 3, Instructions: 25fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,00ACE398), ref: 00AF446A
FindFirstFileW.KERNELBASE(?,?), ref: 00AF447B
FindClose.KERNEL32(00000000), ref: 00AF448B

Memory Dump Source

Source File: 00000000.00000002.2177197772.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true

Associated: 00000000.00000002.2177164617.0000000000A90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177927609.0000000000B98000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178101088.0000000000B99000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_uOCavrYu1y.jbxd

Similarity

API ID: FileFind$AttributesCloseFirst
String ID:
API String ID: 48322524-0
Opcode ID: ce3a568d6417bc7f6cd48552fa2486dd2f9bc92549a7fb05c0b2450dae54333e
Instruction ID: 75808163cc2d6f34a5bddd7f98e5b3710015d76636182f88a38ad2e39d872e9c
Opcode Fuzzy Hash: ce3a568d6417bc7f6cd48552fa2486dd2f9bc92549a7fb05c0b2450dae54333e
Instruction Fuzzy Hash: 48E0D8324109056752106B78EC0D4FA775C9E09336F508725F935D20D0EB745900D5D5

Function 00A9E6A0 Relevance: 2.4, Strings: 1, Instructions: 1102COMMON

Download Yara Rule

Strings

Variable must be of type 'Object'., xrefs: 00AD3E62

Memory Dump Source

Source File: 00000000.00000002.2177197772.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true

Associated: 00000000.00000002.2177164617.0000000000A90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177927609.0000000000B98000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178101088.0000000000B99000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_uOCavrYu1y.jbxd

Similarity

API ID:
String ID: Variable must be of type 'Object'.
API String ID: 0-109567571
Opcode ID: 5e312fa4f5b5a5b6fc99e838ff85d7d008115d2a37464e2763c0392bbd791505
Instruction ID: 31bf97bd6a5332ec4d8db31e47fb87612da0d09e85c0d98898d777621063cf05
Opcode Fuzzy Hash: 5e312fa4f5b5a5b6fc99e838ff85d7d008115d2a37464e2763c0392bbd791505
Instruction Fuzzy Hash: 9CA25875B00205DFCF24CF98C480AAAB7F2FB58314F64856AE906AB352D775ED42CB91

Function 00AA09D0 Relevance: 57.3, APIs: 27, Strings: 5, Instructions: 1300windowsleeptimeCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00AA0A5B
timeGetTime.WINMM ref: 00AA0D16
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00AA0E53
Sleep.KERNEL32(0000000A), ref: 00AA0E61
LockWindowUpdate.USER32(00000000,?,?), ref: 00AA0EFA
DestroyWindow.USER32 ref: 00AA0F06
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00AA0F20
Sleep.KERNEL32(0000000A,?,?), ref: 00AD4E83
TranslateMessage.USER32(?), ref: 00AD5C60
DispatchMessageW.USER32(?), ref: 00AD5C6E
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00AD5C82

Strings

@GUI_CTRLID, xrefs: 00AD4F3A
@GUI_WINHANDLE, xrefs: 00AD4F8F
@GUI_CTRLHANDLE, xrefs: 00AD4FE4
@TRAY_ID, xrefs: 00AD578F
@COM_EVENTOBJ, xrefs: 00AD54F0

Memory Dump Source

Source File: 00000000.00000002.2177197772.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true

Associated: 00000000.00000002.2177164617.0000000000A90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177927609.0000000000B98000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178101088.0000000000B99000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_uOCavrYu1y.jbxd

Similarity

API ID: Message$PeekSleepWindow$DestroyDispatchLockTimeTranslateUpdatetime
String ID: @COM_EVENTOBJ$@GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID
API String ID: 4212290369-3242690629
Opcode ID: 34795f37b93b6fab1daca9b260d6fb01c0111ef3d14dffab21635c0ece3285b8
Instruction ID: 3464e2ac54b1a1d2e2dcf5587ea3227d0c68c6cc2c4332f004f3ba9412724cf6
Opcode Fuzzy Hash: 34795f37b93b6fab1daca9b260d6fb01c0111ef3d14dffab21635c0ece3285b8
Instruction Fuzzy Hash: F4B2B070A08741DFDB24DF24C984FAAB7E5BF85304F14891EE49A973A1DB71E844CB92

Function 00AF9155 Relevance: 19.8, APIs: 13, Instructions: 322
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00AF8F5F: __time64.LIBCMT ref: 00AF8F69

Part of subcall function 00A94EE5: _fseek.LIBCMT ref: 00A94EFD

__wsplitpath.LIBCMT ref: 00AF9234

Part of subcall function 00AB40FB: __wsplitpath_helper.LIBCMT ref: 00AB413B

_wcscpy.LIBCMT ref: 00AF9247
_wcscat.LIBCMT ref: 00AF925A
__wsplitpath.LIBCMT ref: 00AF927F
_wcscat.LIBCMT ref: 00AF9295
_wcscat.LIBCMT ref: 00AF92A8

Part of subcall function 00AF8FA5: _memmove.LIBCMT ref: 00AF8FDE
Part of subcall function 00AF8FA5: _memmove.LIBCMT ref: 00AF8FED

_wcscmp.LIBCMT ref: 00AF91EF

Part of subcall function 00AF9734: _wcscmp.LIBCMT ref: 00AF9824
Part of subcall function 00AF9734: _wcscmp.LIBCMT ref: 00AF9837

DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 00AF9452
_wcsncpy.LIBCMT ref: 00AF94C5
DeleteFileW.KERNEL32(?,?), ref: 00AF94FB
CopyFileW.KERNEL32(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00AF9511
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00AF9522
DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00AF9534

Memory Dump Source

Source File: 00000000.00000002.2177197772.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true

Associated: 00000000.00000002.2177164617.0000000000A90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177927609.0000000000B98000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178101088.0000000000B99000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_uOCavrYu1y.jbxd

Similarity

API ID: File$Delete$_wcscat_wcscmp$__wsplitpath_memmove$Copy__time64__wsplitpath_helper_fseek_wcscpy_wcsncpy
String ID:
API String ID: 1500180987-0
Opcode ID: d1139379e840d0f3ea9824845edca422224c2a10a9de6f270a866ba3fe956ae0
Instruction ID: d5c17e01e47c1248c683fa4ad3e7939a0ed864661d279c65e0f5223b7e27ba85
Opcode Fuzzy Hash: d1139379e840d0f3ea9824845edca422224c2a10a9de6f270a866ba3fe956ae0
Instruction Fuzzy Hash: FDC12BB1E0021DAADF21DF95CD85EEEBBBDAF49310F0040AAF609E7151DB309A458F65

Function 00A9708B Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00A94706: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00B552F8,?,00A937AE,?), ref: 00A94724

Part of subcall function 00AB050B: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,00A97165), ref: 00AB052D

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 00A971A8
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 00ACE8C8
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 00ACE909
RegCloseKey.ADVAPI32(?), ref: 00ACE947
_wcscat.LIBCMT ref: 00ACE9A0

Strings

Include, xrefs: 00ACE8BF, 00ACE900
Software\AutoIt v3\AutoIt, xrefs: 00A9719E
\, xrefs: 00ACE9C3
\Include\, xrefs: 00A97165

Memory Dump Source

Source File: 00000000.00000002.2177197772.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true

Associated: 00000000.00000002.2177164617.0000000000A90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177927609.0000000000B98000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178101088.0000000000B99000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_uOCavrYu1y.jbxd

Similarity

API ID: NameQueryValue$CloseFileFullModuleOpenPath_wcscat
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 2673923337-2727554177
Opcode ID: d575f006efe0ab58d81fe830657e31f398a0cf197cb655f743796c4068278d16
Instruction ID: 779d64fb287ff998fa97eb905a2369dccd0ee217c0c8f65d33c3a995db155913
Opcode Fuzzy Hash: d575f006efe0ab58d81fe830657e31f398a0cf197cb655f743796c4068278d16
Instruction Fuzzy Hash: 36715B716083019ED704EF65E941AAFBBE8FF88350F80496EF445871B1EF729948CB62

Function 00A93A46 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 71
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00A93A50
LoadCursorW.USER32(00000000,00007F00), ref: 00A93A5F
LoadIconW.USER32(00000063), ref: 00A93A76
LoadIconW.USER32(000000A4), ref: 00A93A88
LoadIconW.USER32(000000A2), ref: 00A93A9A
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00A93AC0
RegisterClassExW.USER32(?), ref: 00A93B16

Part of subcall function 00A93041: GetSysColorBrush.USER32(0000000F), ref: 00A93074
Part of subcall function 00A93041: RegisterClassExW.USER32(00000030), ref: 00A9309E
Part of subcall function 00A93041: RegisterClipboardFormatW.USER32(TaskbarCreated), ref: 00A930AF
Part of subcall function 00A93041: LoadIconW.USER32(000000A9), ref: 00A930F2

Strings

AutoIt v3, xrefs: 00A93B05
#, xrefs: 00A93AFB
0, xrefs: 00A93AF4

Memory Dump Source

Source File: 00000000.00000002.2177197772.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true

Associated: 00000000.00000002.2177164617.0000000000A90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177927609.0000000000B98000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178101088.0000000000B99000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_uOCavrYu1y.jbxd

Similarity

API ID: Load$Icon$Register$BrushClassColor$ClipboardCursorFormatImage
String ID: #$0$AutoIt v3
API String ID: 2880975755-4155596026
Opcode ID: 0c3b189af30e237bd096fd06ead5da04eb02695ca745bfcc6f2983917e16aa83
Instruction ID: d0befdd350e239d4acd1fef99451a94e18bc8a5a4ea4733a8b0028aacacca2d0
Opcode Fuzzy Hash: 0c3b189af30e237bd096fd06ead5da04eb02695ca745bfcc6f2983917e16aa83
Instruction Fuzzy Hash: BB212A71E10705AFEF20DFA4EC19B9D7BB4EB08712F0041AAE504A72A1DBB65A40CF84

Function 00A93766 Relevance: 14.3, APIs: 1, Strings: 7, Instructions: 267
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

/AutoIt3ExecuteLine, xrefs: 00A938A7
>>>AUTOIT NO CMDEXECUTE<<<, xrefs: 00A937AE
CMDLINE, xrefs: 00A93822
CMDLINERAW, xrefs: 00A937FB
/AutoIt3ExecuteScript, xrefs: 00A938BC
/AutoIt3OutputDebug, xrefs: 00A93892
/ErrorStdOut, xrefs: 00A9387D

Memory Dump Source

Source File: 00000000.00000002.2177197772.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true

Associated: 00000000.00000002.2177164617.0000000000A90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177927609.0000000000B98000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178101088.0000000000B99000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_uOCavrYu1y.jbxd

Similarity

API ID: FileLibraryLoadModuleName__wcsicmp_l_memmove
String ID: /AutoIt3ExecuteLine$/AutoIt3ExecuteScript$/AutoIt3OutputDebug$/ErrorStdOut$>>>AUTOIT NO CMDEXECUTE<<<$CMDLINE$CMDLINERAW
API String ID: 1825951767-3513169116
Opcode ID: 0edba0d4ae524df05f0729a97cea0dcb6c356b6328de5b5afd5063f461bbac52
Instruction ID: 92fd3c0ff5e921ecc3b7ad4b87cab983aabbdf61e82d0b5954bfd487d5335540
Opcode Fuzzy Hash: 0edba0d4ae524df05f0729a97cea0dcb6c356b6328de5b5afd5063f461bbac52
Instruction Fuzzy Hash: 59A16C72A1021DAADF14EBA4DD92EFEB7F8BF14300F440429F416A7191EF749A08CB60

Function 00A93015 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 71
registrywindowclipboardCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00A93074
RegisterClassExW.USER32(00000030), ref: 00A9309E
RegisterClipboardFormatW.USER32(TaskbarCreated), ref: 00A930AF
LoadIconW.USER32(000000A9), ref: 00A930F2

Strings

AutoIt v3 GUI, xrefs: 00A93090
+, xrefs: 00A9305D
TaskbarCreated, xrefs: 00A930A4
0, xrefs: 00A93056

Memory Dump Source

Source File: 00000000.00000002.2177197772.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true

Associated: 00000000.00000002.2177164617.0000000000A90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177927609.0000000000B98000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178101088.0000000000B99000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_uOCavrYu1y.jbxd

Similarity

API ID: Register$BrushClassClipboardColorFormatIconLoad
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 975902462-1005189915
Opcode ID: 037c7b169898aeca4f82c51429e754153c18f66f7dad11626d7c2ac0b3e9c824
Instruction ID: 2ccf389d9965120a9a25fbe3ce34c66ade09169e77718e017b1bbcd78cc114a4
Opcode Fuzzy Hash: 037c7b169898aeca4f82c51429e754153c18f66f7dad11626d7c2ac0b3e9c824
Instruction Fuzzy Hash: 5A3147B180034AAFDB11CFA4E889BD9BBF4FB08312F14856EE580A72A1DBB50585CF50

Function 00A93041 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 54
registrywindowclipboardCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00A93074
RegisterClassExW.USER32(00000030), ref: 00A9309E
RegisterClipboardFormatW.USER32(TaskbarCreated), ref: 00A930AF
LoadIconW.USER32(000000A9), ref: 00A930F2

Strings

AutoIt v3 GUI, xrefs: 00A93090
+, xrefs: 00A9305D
TaskbarCreated, xrefs: 00A930A4
0, xrefs: 00A93056

Memory Dump Source

Source File: 00000000.00000002.2177197772.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true

Associated: 00000000.00000002.2177164617.0000000000A90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177927609.0000000000B98000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178101088.0000000000B99000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_uOCavrYu1y.jbxd

Similarity

API ID: Register$BrushClassClipboardColorFormatIconLoad
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 975902462-1005189915
Opcode ID: a17c3e4aef71cf370abc8348dece5fd815f0bc6171bd5dac4bf0cb578a85b895
Instruction ID: b1c7fcc574c39e8eda70853dacca336e923c715ae803787e8c96058a702bf5cf
Opcode Fuzzy Hash: a17c3e4aef71cf370abc8348dece5fd815f0bc6171bd5dac4bf0cb578a85b895
Instruction Fuzzy Hash: F421E5B1911309AFDB10DFA4E848BEDBBF4FB08702F50816AF510A72A0DBB14544CF91

Function 036825D0 Relevance: 10.7, APIs: 7, Instructions: 239
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 036826A1
VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 036828C7

Memory Dump Source

Source File: 00000000.00000002.2179690556.0000000003680000.00000040.00001000.00020000.00000000.sdmp, Offset: 03680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3680000_uOCavrYu1y.jbxd

Similarity

API ID: CreateFileFreeVirtual
String ID:
API String ID: 204039940-0
Opcode ID: e364f936384ad5a75a3e6820b612275e2b186d73597ef444eab7978b091760cf
Instruction ID: d2a5d4c4f6a7f53289f6e3459bc944d9f10758ff14bda7bc789724286b3dbc8e
Opcode Fuzzy Hash: e364f936384ad5a75a3e6820b612275e2b186d73597ef444eab7978b091760cf
Instruction Fuzzy Hash: 3BA12874E00209EBDF14DFA4C9A8BEEB7B5BF48704F248A59E501BB280C7759A85CB54

Function 00A939D5 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00A93A03
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00A93A24
ShowWindow.USER32(00000000,?,?), ref: 00A93A38
ShowWindow.USER32(00000000,?,?), ref: 00A93A41

Strings

AutoIt v3, xrefs: 00A939FB, 00A93A00, 00A93A01
edit, xrefs: 00A93A1E

Memory Dump Source

Source File: 00000000.00000002.2177197772.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true

Associated: 00000000.00000002.2177164617.0000000000A90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177927609.0000000000B98000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178101088.0000000000B99000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_uOCavrYu1y.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: b3273b66c66c8ca6afb2a953ebf2ce7052d4ab718af8c35ea578a46d093a112b
Instruction ID: 6b7992234e1993b53f3e921ece3b1443d162fe2603b2c6fda5b6b3fedc355e98
Opcode Fuzzy Hash: b3273b66c66c8ca6afb2a953ebf2ce7052d4ab718af8c35ea578a46d093a112b
Instruction Fuzzy Hash: 38F03A71540790BEEA315B23AC18F7B2E7DD7C6F52F0040AAB908A31B0CAA21840CBB0

Function 036823B0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 140
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 036822A0: Sleep.KERNELBASE(000001F4), ref: 036822B1

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 036824BF

Strings

QLRM6H50OGY0CO1L, xrefs: 03682522, 03682525

Memory Dump Source

Source File: 00000000.00000002.2179690556.0000000003680000.00000040.00001000.00020000.00000000.sdmp, Offset: 03680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3680000_uOCavrYu1y.jbxd

Similarity

API ID: CreateFileSleep
String ID: QLRM6H50OGY0CO1L
API String ID: 2694422964-3201667348
Opcode ID: 4ad0f2e4f054389717c0eb06c60b179421f15463e29bb194c2cfb7a7790ec514
Instruction ID: 62ddd587630fd03046ec3aadfbe68cb4f24925f30fa5432ebc60e65355792e2c
Opcode Fuzzy Hash: 4ad0f2e4f054389717c0eb06c60b179421f15463e29bb194c2cfb7a7790ec514
Instruction Fuzzy Hash: 23517471D54249DBEF11EBA4C814BEFBBB9AF09300F004599E6097B2C0D7B91B45CB65

Function 00A9407C Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 88
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 00ACD3D7

Part of subcall function 00A97BCC: _memmove.LIBCMT ref: 00A97C06

_memset.LIBCMT ref: 00A940FC
_wcscpy.LIBCMT ref: 00A94150
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00A94160

Strings

Line: , xrefs: 00ACD400

Memory Dump Source

Source File: 00000000.00000002.2177197772.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true

Associated: 00000000.00000002.2177164617.0000000000A90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177927609.0000000000B98000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178101088.0000000000B99000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_uOCavrYu1y.jbxd

Similarity

API ID: IconLoadNotifyShell_String_memmove_memset_wcscpy
String ID: Line:
API String ID: 3942752672-1585850449
Opcode ID: fc9ce52ca9be50aa66a26b8da6acca9c3f6e4b5a443cee61f3148d3f6b677a17
Instruction ID: d50e5983ad406207afd9e8b2b5d63f187e69b65ac47fecdc7e789af677c193dc
Opcode Fuzzy Hash: fc9ce52ca9be50aa66a26b8da6acca9c3f6e4b5a443cee61f3148d3f6b677a17
Instruction Fuzzy Hash: 6331DE71208300AAEB31EB60DD46FEF77E8AF44301F10461EF585920A1EF74A649CB92

Function 00AB541D Relevance: 7.7, APIs: 5, Instructions: 163COMMONLIBRARYCODE

Download Yara Rule

APIs

_memset.LIBCMT ref: 00AB547B
_memcpy_s.LIBCMT ref: 00AB54ED
__read_nolock.LIBCMT ref: 00AB554B
__filbuf.LIBCMT ref: 00AB556E
_memset.LIBCMT ref: 00AB55B2

Part of subcall function 00AB8B28: __getptd_noexit.LIBCMT ref: 00AB8B28

Memory Dump Source

Source File: 00000000.00000002.2177197772.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true

Associated: 00000000.00000002.2177164617.0000000000A90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177927609.0000000000B98000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178101088.0000000000B99000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_uOCavrYu1y.jbxd

Similarity

API ID: _memset$__filbuf__getptd_noexit__read_nolock_memcpy_s
String ID:
API String ID: 1559183368-0
Opcode ID: dfdd2df0ab245b9716d30a375d324e0946404ce6e082d96a71c3349c3dbc91e5
Instruction ID: b088b9157ae2c45c6a403958be0abb0af956f383015854b29423b07f05be2ffb
Opcode Fuzzy Hash: dfdd2df0ab245b9716d30a375d324e0946404ce6e082d96a71c3349c3dbc91e5
Instruction Fuzzy Hash: 39519270E00B05DBDB249F79D9807EE77BAAF45322F248729F825962D2D771DE908B40

Function 00A9686A Relevance: 7.3, APIs: 2, Strings: 2, Instructions: 260COMMON

Download Yara Rule

APIs

Part of subcall function 00A94DDD: LoadLibraryExW.KERNEL32(?,00000000,00000002,?,00B552F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00A94E0F

_free.LIBCMT ref: 00ACE263
_free.LIBCMT ref: 00ACE2AA

Part of subcall function 00A96A8C: SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00A96BAD

Strings

Bad directive syntax error, xrefs: 00ACE292
>>>AUTOIT SCRIPT<<<, xrefs: 00ACE039

Memory Dump Source

Source File: 00000000.00000002.2177197772.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true

Associated: 00000000.00000002.2177164617.0000000000A90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177927609.0000000000B98000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178101088.0000000000B99000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_uOCavrYu1y.jbxd

Similarity

API ID: _free$CurrentDirectoryLibraryLoad
String ID: >>>AUTOIT SCRIPT<<<$Bad directive syntax error
API String ID: 2861923089-1757145024
Opcode ID: 0a12ad5930594539ab93f9fe2f0daa74f2224981b27a817b74d7725fafe04d88
Instruction ID: c89fa62d12b0e0b299a6496737e4bb64e2444aa50116c4b94eb0fd495982d119
Opcode Fuzzy Hash: 0a12ad5930594539ab93f9fe2f0daa74f2224981b27a817b74d7725fafe04d88
Instruction Fuzzy Hash: 1E918D71A10219AFCF04EFA4CD81EEEB7B8FF18310B14456EF815AB2A1DB70A915CB50

Function 00A935B0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 59registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,00000003,00000000,80000001,80000001,?,00A935A1,SwapMouseButtons,00000004,?), ref: 00A935D4
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,00A935A1,SwapMouseButtons,00000004,?,?,?,?,00A92754), ref: 00A935F5
RegCloseKey.KERNELBASE(00000000,?,?,00A935A1,SwapMouseButtons,00000004,?,?,?,?,00A92754), ref: 00A93617

Strings

Control Panel\Mouse, xrefs: 00A935D2

Memory Dump Source

Source File: 00000000.00000002.2177197772.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true

Associated: 00000000.00000002.2177164617.0000000000A90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177927609.0000000000B98000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178101088.0000000000B99000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_uOCavrYu1y.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: 85b20eeb2f669870a2ce311bee1f12481918257c74a1dae26bc8775c4ee2d96f
Instruction ID: 6f5f44e19259b12508cb06f2e2692baaa716902c0dfb3e50f06d67333444f0a5
Opcode Fuzzy Hash: 85b20eeb2f669870a2ce311bee1f12481918257c74a1dae26bc8775c4ee2d96f
Instruction Fuzzy Hash: 47113372610208BADF208FA8D884AEBBBB8EF04740F008469EA05D7210E6719E409BA0

Function 036812A0 Relevance: 6.7, APIs: 4, Instructions: 720processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 03681ACD
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 03681AF1
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 03681B13

Memory Dump Source

Source File: 00000000.00000002.2179690556.0000000003680000.00000040.00001000.00020000.00000000.sdmp, Offset: 03680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3680000_uOCavrYu1y.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadThreadWow64
String ID:
API String ID: 2438371351-0
Opcode ID: 99ff7f62c7c0315fa1339eff959a02870827681df0665961f4f58c830292e5bf
Instruction ID: 0af0cb1a8bb0da3677fba15caa21c9e1cd7008649442ef79421631c53f1525bc
Opcode Fuzzy Hash: 99ff7f62c7c0315fa1339eff959a02870827681df0665961f4f58c830292e5bf
Instruction Fuzzy Hash: C6621934A14218DBEB24DFA4C854BDEB376EF58300F1091A9D10DEB390E77A9E81CB59

Function 00AF955B Relevance: 6.2, APIs: 4, Instructions: 155COMMON

Download Yara Rule

APIs

Part of subcall function 00A94EE5: _fseek.LIBCMT ref: 00A94EFD

Part of subcall function 00AF9734: _wcscmp.LIBCMT ref: 00AF9824
Part of subcall function 00AF9734: _wcscmp.LIBCMT ref: 00AF9837

_free.LIBCMT ref: 00AF96A2
_free.LIBCMT ref: 00AF96A9
_free.LIBCMT ref: 00AF9714

Part of subcall function 00AB2D55: RtlFreeHeap.NTDLL(00000000,00000000,?,00AB9A24), ref: 00AB2D69
Part of subcall function 00AB2D55: GetLastError.KERNEL32(00000000,?,00AB9A24), ref: 00AB2D7B

_free.LIBCMT ref: 00AF971C

Memory Dump Source

Source File: 00000000.00000002.2177197772.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true

Associated: 00000000.00000002.2177164617.0000000000A90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177927609.0000000000B98000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178101088.0000000000B99000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_uOCavrYu1y.jbxd

Similarity

API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
String ID:
API String ID: 1552873950-0
Opcode ID: 99d6c06c233ec92fe9fc1174e35969bf30f803f1a403c61ccf98500b1a9c1837
Instruction ID: 7b7ecef0ff141ecfab421df20d5f2e753c3198d9f5b54af06a0665c6ef0770be
Opcode Fuzzy Hash: 99d6c06c233ec92fe9fc1174e35969bf30f803f1a403c61ccf98500b1a9c1837
Instruction Fuzzy Hash: E25152B1D14218AFDF249FA4CC81BAEBBB9EF48300F10449EF209A7241DB715981CF58

Function 00AB470A Relevance: 6.1, APIs: 4, Instructions: 136COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00AB47A0
__flush.LIBCMT ref: 00AB47C0
__write.LIBCMT ref: 00AB47F3
__flsbuf.LIBCMT ref: 00AB4821

Part of subcall function 00AB8B28: __getptd_noexit.LIBCMT ref: 00AB8B28

Memory Dump Source

Source File: 00000000.00000002.2177197772.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true

Associated: 00000000.00000002.2177164617.0000000000A90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177927609.0000000000B98000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178101088.0000000000B99000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_uOCavrYu1y.jbxd

Similarity

API ID: __flsbuf__flush__getptd_noexit__write_memmove
String ID:
API String ID: 2782032738-0
Opcode ID: 998aeda2236a74d80706e5f9a46343bd1135ee917ddd04e378ba6ed458c3dace
Instruction ID: 1f4db738438c5a181c91238d2fc541912ffd42d7b56e570ad9a4b3ccd61b5201
Opcode Fuzzy Hash: 998aeda2236a74d80706e5f9a46343bd1135ee917ddd04e378ba6ed458c3dace
Instruction Fuzzy Hash: 7541B375A007459BDB18CFA9C9909EE7BBDEF4A360B24813DE85587643DB70DD81CB40

Function 00A97285 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 65COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00ACEA39
75D3D0D0.COMDLG32(?), ref: 00ACEA83

Part of subcall function 00A94750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00A94743,?,?,00A937AE,?), ref: 00A94770

Part of subcall function 00AB0791: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00AB07B0

Strings

X, xrefs: 00ACEA51

Memory Dump Source

Source File: 00000000.00000002.2177197772.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true

Associated: 00000000.00000002.2177164617.0000000000A90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177927609.0000000000B98000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178101088.0000000000B99000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_uOCavrYu1y.jbxd

Similarity

API ID: NamePath$FullLong_memset
String ID: X
API String ID: 3051022977-3081909835
Opcode ID: 5d03fe8e809a2eab0bba29d81f18525109fbc3b3133b1224dbecbf56762a179f
Instruction ID: caf924300286d4a81cca4e1ef510708e9af70a4e0bb9ae3d0f4d5e36c3f4ac1a
Opcode Fuzzy Hash: 5d03fe8e809a2eab0bba29d81f18525109fbc3b3133b1224dbecbf56762a179f
Instruction Fuzzy Hash: 9521C031A10248AFCF41DF94C845BEE7BF8AF49714F00805AE408AB242DFB45A89DFA1

Function 00AF8D91 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 51COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00AF8DAC
__fread_nolock.LIBCMT ref: 00AF8DC1

Strings

EA06, xrefs: 00AF8DF3

Memory Dump Source

Source File: 00000000.00000002.2177197772.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true

Associated: 00000000.00000002.2177164617.0000000000A90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177927609.0000000000B98000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178101088.0000000000B99000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_uOCavrYu1y.jbxd

Similarity

API ID: __fread_nolock_memmove
String ID: EA06
API String ID: 1988441806-3962188686
Opcode ID: e92063ce5da8e81c7e009c6ca82e79c751a2321e463fb0415ac54a28ebf00930
Instruction ID: 6e3dc4e3d1078bae124666979a34443d3c723c2c6345343db6185875d76be55a
Opcode Fuzzy Hash: e92063ce5da8e81c7e009c6ca82e79c751a2321e463fb0415ac54a28ebf00930
Instruction Fuzzy Hash: 5201B971D042187EDB28CBA8CC56EFE7BFCDF15311F00459AF552D2181E979E6048760

Function 00AB0DB6 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00AB571C: __FF_MSGBANNER.LIBCMT ref: 00AB5733
Part of subcall function 00AB571C: __NMSG_WRITE.LIBCMT ref: 00AB573A
Part of subcall function 00AB571C: RtlAllocateHeap.NTDLL(00C70000,00000000,00000001), ref: 00AB575F

std::exception::exception.LIBCMT ref: 00AB0DEC
__CxxThrowException@8.LIBCMT ref: 00AB0E01

Part of subcall function 00AB859B: RaiseException.KERNEL32(?,?,00000000,00B49E78,?,00000001,?,?,?,00AB0E06,00000000,00B49E78,00A99E8C,00000001), ref: 00AB85F0

Strings

bad allocation, xrefs: 00AB0DE1

Memory Dump Source

Source File: 00000000.00000002.2177197772.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true

Associated: 00000000.00000002.2177164617.0000000000A90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177927609.0000000000B98000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178101088.0000000000B99000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_uOCavrYu1y.jbxd

Similarity

API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
String ID: bad allocation
API String ID: 3902256705-2104205924
Opcode ID: 51e10145b1984d0b3d425e533989577d82e026a4fdecc93ba216c0ce841278c6
Instruction ID: 107b5a995cdc4c39632b7bad9a7485632acb0096bc96f9343e7a1b3bc15d747f
Opcode Fuzzy Hash: 51e10145b1984d0b3d425e533989577d82e026a4fdecc93ba216c0ce841278c6
Instruction Fuzzy Hash: D8F0A43290021D76DB10ABA8ED069DF77EC9F01351F504569F908D6193DF719A90D2D1

Function 00AF98E3 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?), ref: 00AF98F8
GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 00AF990F

Strings

aut, xrefs: 00AF9909

Memory Dump Source

Source File: 00000000.00000002.2177197772.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true

Associated: 00000000.00000002.2177164617.0000000000A90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177927609.0000000000B98000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178101088.0000000000B99000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_uOCavrYu1y.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: 062a7cd27cd48e241706b1d52b1e74de7d634eafab87b918aa36aa682e6c6163
Instruction ID: ff7d359bc6ecee7c8d841ad7b9347722c9aaee968770f35ea77e9b7252a69ca9
Opcode Fuzzy Hash: 062a7cd27cd48e241706b1d52b1e74de7d634eafab87b918aa36aa682e6c6163
Instruction Fuzzy Hash: A2D05E7994030EABDB509BA0DC0EFEA777CE704700F4042B1BA94920A1EEB09698CBD1

Function 00B0CADD Relevance: 4.9, APIs: 3, Instructions: 392COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2177197772.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true

Associated: 00000000.00000002.2177164617.0000000000A90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177927609.0000000000B98000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178101088.0000000000B99000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_uOCavrYu1y.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7202a28d302c79915cd1dbf868482f0f64e1eea29d96cab8daf15abb6121c67
Instruction ID: 4b486fe977722bfe40791e7f9dc1f021ac4846969bafedf1f71270d19dab8c34
Opcode Fuzzy Hash: a7202a28d302c79915cd1dbf868482f0f64e1eea29d96cab8daf15abb6121c67
Instruction Fuzzy Hash: 42F15A716083059FCB14DF28C580A6ABBE5FF89314F548A6EF8999B391D730E945CF82

Function 00A9F76F Relevance: 4.7, APIs: 3, Instructions: 168comCOMMON

Download Yara Rule

APIs

Part of subcall function 00AB0162: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00AB0193
Part of subcall function 00AB0162: MapVirtualKeyW.USER32(00000010,00000000), ref: 00AB019B
Part of subcall function 00AB0162: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00AB01A6
Part of subcall function 00AB0162: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00AB01B1
Part of subcall function 00AB0162: MapVirtualKeyW.USER32(00000011,00000000), ref: 00AB01B9
Part of subcall function 00AB0162: MapVirtualKeyW.USER32(00000012,00000000), ref: 00AB01C1

Part of subcall function 00AA60F9: RegisterClipboardFormatW.USER32(WM_GETCONTROLNAME), ref: 00AA6154

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 00A9F9CD
OleInitialize.OLE32(00000000), ref: 00A9FA4A
CloseHandle.KERNEL32(00000000), ref: 00AD45C8

Memory Dump Source

Source File: 00000000.00000002.2177197772.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true

Associated: 00000000.00000002.2177164617.0000000000A90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177927609.0000000000B98000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178101088.0000000000B99000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_uOCavrYu1y.jbxd

Similarity

API ID: Virtual$Handle$ClipboardCloseFormatInitializeRegister
String ID:
API String ID: 3094916012-0
Opcode ID: 1d9b04951d5bafe3391c893f07a4514583930ae5604422a489302c9b880d4b61
Instruction ID: 3626204f58803498f490a082f699a68654c57a7fa9ce66db038205d62c2c2967
Opcode Fuzzy Hash: 1d9b04951d5bafe3391c893f07a4514583930ae5604422a489302c9b880d4b61
Instruction Fuzzy Hash: 3481DBB0911B40CFC7A4DF29A9607287BE5FB98307B9081EA9409CB379EFB01485CF24

Function 00A9434A Relevance: 4.6, APIs: 3, Instructions: 77windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00A94370
Shell_NotifyIconW.SHELL32(00000000,?), ref: 00A94415
Shell_NotifyIconW.SHELL32(00000001,?), ref: 00A94432

Memory Dump Source

Source File: 00000000.00000002.2177197772.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true

Associated: 00000000.00000002.2177164617.0000000000A90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177927609.0000000000B98000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178101088.0000000000B99000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_uOCavrYu1y.jbxd

Similarity

API ID: IconNotifyShell_$_memset
String ID:
API String ID: 1505330794-0
Opcode ID: ed4120bae469645976e06c19e60ed561a9c2644c8853b266dce457340cb2e71b
Instruction ID: 9e7caa1da5752bc4c8a33f5473b46d3d13f012ba602d9da232cc8e6440a236b9
Opcode Fuzzy Hash: ed4120bae469645976e06c19e60ed561a9c2644c8853b266dce457340cb2e71b
Instruction Fuzzy Hash: 5D3161706047019FDB21DF34D884B9BBBF8FB4830AF00096EE69A87251DB71A945CB52

Function 00AB571C Relevance: 4.6, APIs: 3, Instructions: 59memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

__FF_MSGBANNER.LIBCMT ref: 00AB5733

Part of subcall function 00ABA16B: __NMSG_WRITE.LIBCMT ref: 00ABA192
Part of subcall function 00ABA16B: __NMSG_WRITE.LIBCMT ref: 00ABA19C

__NMSG_WRITE.LIBCMT ref: 00AB573A

Part of subcall function 00ABA1C8: GetModuleFileNameW.KERNEL32(00000000,00B533BA,00000104,00000000,00000001,00000000), ref: 00ABA25A
Part of subcall function 00ABA1C8: ___crtMessageBoxW.LIBCMT ref: 00ABA308

Part of subcall function 00AB309F: ___crtCorExitProcess.LIBCMT ref: 00AB30A5
Part of subcall function 00AB309F: ExitProcess.KERNEL32 ref: 00AB30AE

Part of subcall function 00AB8B28: __getptd_noexit.LIBCMT ref: 00AB8B28

RtlAllocateHeap.NTDLL(00C70000,00000000,00000001), ref: 00AB575F

Memory Dump Source

Source File: 00000000.00000002.2177197772.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true

Associated: 00000000.00000002.2177164617.0000000000A90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177927609.0000000000B98000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178101088.0000000000B99000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_uOCavrYu1y.jbxd

Similarity

API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
String ID:
API String ID: 1372826849-0
Opcode ID: 7561b11b170e3b49ee85609c1abc8b63b71ed3e3988c1d2125ab9d22068bd83d
Instruction ID: 8c6e22696d197af68eda741d14f5ee0c9dfb4ae5f05fd11543319f5820e9cd3b
Opcode Fuzzy Hash: 7561b11b170e3b49ee85609c1abc8b63b71ed3e3988c1d2125ab9d22068bd83d
Instruction Fuzzy Hash: 6001F536B00B01EEDA112B79ED42BEE779CCF42762F100925F5059B283DE70CC808660

Function 00AF98A2 Relevance: 4.5, APIs: 3, Instructions: 24filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,?,?,00AF9548,?,?,?,?,?,00000004), ref: 00AF98BB
SetFileTime.KERNELBASE(00000000,?,00000000,?,?,00AF9548,?,?,?,?,?,00000004,00000001,?,?,00000004), ref: 00AF98D1
CloseHandle.KERNEL32(00000000,?,00AF9548,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 00AF98D8

Memory Dump Source

Source File: 00000000.00000002.2177197772.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true

Associated: 00000000.00000002.2177164617.0000000000A90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177927609.0000000000B98000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178101088.0000000000B99000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_uOCavrYu1y.jbxd

Similarity

API ID: File$CloseCreateHandleTime
String ID:
API String ID: 3397143404-0
Opcode ID: 7e036aae9124999dd578d5defc79ca34fd00821b68ba32a4ea83782a3bd5240e
Instruction ID: 2f62534a758d0f137647d7bd52159a8a2ce6d1104e46b97bd2c68fe743161300
Opcode Fuzzy Hash: 7e036aae9124999dd578d5defc79ca34fd00821b68ba32a4ea83782a3bd5240e
Instruction Fuzzy Hash: 2EE08632180619B7D7211B94EC09FEA7B59AB06760F108220FB24BA0E0CBB11921D7D8

Function 00AF8D0D Relevance: 4.5, APIs: 3, Instructions: 22COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00AF8D1B

Part of subcall function 00AB2D55: RtlFreeHeap.NTDLL(00000000,00000000,?,00AB9A24), ref: 00AB2D69
Part of subcall function 00AB2D55: GetLastError.KERNEL32(00000000,?,00AB9A24), ref: 00AB2D7B

_free.LIBCMT ref: 00AF8D2C
_free.LIBCMT ref: 00AF8D3E

Memory Dump Source

Source File: 00000000.00000002.2177197772.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true

Associated: 00000000.00000002.2177164617.0000000000A90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177927609.0000000000B98000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178101088.0000000000B99000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_uOCavrYu1y.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: c56cf7ee783aa8295308e84720220828ccc4d403300e1e82c1220f1652f177a4
Instruction ID: 39f1008a09b0b4bb5f00aaaca7928a68709009f03de967cf14be776795c7288f
Opcode Fuzzy Hash: c56cf7ee783aa8295308e84720220828ccc4d403300e1e82c1220f1652f177a4
Instruction Fuzzy Hash: BBE017B161160547CB24A7B8AA40BEB23EC4F98752B14091EB60DD7187CE68F8828228

Function 00A9A9C3 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 534COMMON

Download Yara Rule

Strings

CALL, xrefs: 00ACFC01

Memory Dump Source

Source File: 00000000.00000002.2177197772.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true

Associated: 00000000.00000002.2177164617.0000000000A90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177927609.0000000000B98000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178101088.0000000000B99000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_uOCavrYu1y.jbxd

Similarity

API ID:
String ID: CALL
API String ID: 0-4196123274
Opcode ID: a55b89c65e0f30fef1df7330aa75893acd3af973e8a0145bdec09e605b0bdbf6
Instruction ID: 3a5dfa316915f5939d1671d1f014124ef4a489aefa9e64d3d4657aeb14bd05ce
Opcode Fuzzy Hash: a55b89c65e0f30fef1df7330aa75893acd3af973e8a0145bdec09e605b0bdbf6
Instruction Fuzzy Hash: 13223670608201DFCB24DF14C594B6ABBF1BF95304F15896EE89A9B362DB31EC45CB82

Function 00A94C70 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 141COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00A94CBA

Strings

EA06, xrefs: 00ACD8CC

Memory Dump Source

Source File: 00000000.00000002.2177197772.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true

Associated: 00000000.00000002.2177164617.0000000000A90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177927609.0000000000B98000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178101088.0000000000B99000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_uOCavrYu1y.jbxd

Similarity

API ID: _memmove
String ID: EA06
API String ID: 4104443479-3962188686
Opcode ID: 2dd9e5cf4436e31fe34ce185dfc251aae918e4c34a4ad0036eb801ab2bf3cdcc
Instruction ID: ff8b13128daa9f49100a70a43310cab18be143896e1b6b796ecd254d0c48782e
Opcode Fuzzy Hash: 2dd9e5cf4436e31fe34ce185dfc251aae918e4c34a4ad0036eb801ab2bf3cdcc
Instruction Fuzzy Hash: 35415B35B041586BDF269B6489A1FBF7FF2DB4D300F284575EC829B286D6209D4683A1

Function 00A947D0 Relevance: 3.1, APIs: 2, Instructions: 59COMMON

Download Yara Rule

APIs

74A3C8D0.UXTHEME ref: 00A94834

Part of subcall function 00AB336C: __lock.LIBCMT ref: 00AB3372
Part of subcall function 00AB336C: RtlDecodePointer.NTDLL(00000001), ref: 00AB337E
Part of subcall function 00AB336C: RtlEncodePointer.NTDLL(?), ref: 00AB3389

Part of subcall function 00A948FD: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 00A94915
Part of subcall function 00A948FD: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00A9492A

Part of subcall function 00A93B3A: GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00A93B68
Part of subcall function 00A93B3A: IsDebuggerPresent.KERNEL32 ref: 00A93B7A
Part of subcall function 00A93B3A: GetFullPathNameW.KERNEL32(00007FFF,?,?,00B552F8,00B552E0,?,?), ref: 00A93BEB
Part of subcall function 00A93B3A: SetCurrentDirectoryW.KERNEL32(?), ref: 00A93C6F

SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00A94874

Memory Dump Source

Source File: 00000000.00000002.2177197772.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true

Associated: 00000000.00000002.2177164617.0000000000A90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177927609.0000000000B98000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178101088.0000000000B99000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_uOCavrYu1y.jbxd

Similarity

API ID: InfoParametersSystem$CurrentDirectoryPointer$DebuggerDecodeEncodeFullNamePathPresent__lock
String ID:
API String ID: 2688871447-0
Opcode ID: 1202ed8208bbcbfa49545dfc0f21a42fc3b9c759abd27d94d4268eac92e5f518
Instruction ID: 27493fcd1d6eb5ced1b4f05f93e97bbf8852047ccaba2aa9ec0dd045ea21330f
Opcode Fuzzy Hash: 1202ed8208bbcbfa49545dfc0f21a42fc3b9c759abd27d94d4268eac92e5f518
Instruction Fuzzy Hash: F1119D72A183419BCB10DF29D905A4EBBE8EF88751F10895EF044872B1DFB19945CB92

Function 00A95C99 Relevance: 3.1, APIs: 2, Instructions: 57fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000,?,00A95821,?,?,?,?), ref: 00A95CC7
CreateFileW.KERNEL32(?,C0000000,00000007,00000000,00000004,00000080,00000000,?,00000000,?,00A95821,?,?,?,?), ref: 00ACDD73

Memory Dump Source

Source File: 00000000.00000002.2177197772.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true

Associated: 00000000.00000002.2177164617.0000000000A90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177927609.0000000000B98000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178101088.0000000000B99000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_uOCavrYu1y.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: b26eaa65f3d0501c714995f6c787242cb499288a6be7d0eaacb4bb4843d2a3f5
Instruction ID: a92ed504bd8a13fb89a6182d2cfc7da8a159087b92da4749e3539c2a202b5017
Opcode Fuzzy Hash: b26eaa65f3d0501c714995f6c787242cb499288a6be7d0eaacb4bb4843d2a3f5
Instruction Fuzzy Hash: 3E018470684708BEF7210F24CC8AFB636DCAB01768F108719BAD5AA1E0C6B41C54CB54

Function 00AB55FD Relevance: 3.0, APIs: 2, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

_memset.LIBCMT ref: 00AB562C
__lock_file.LIBCMT ref: 00AB564D

Memory Dump Source

Source File: 00000000.00000002.2177197772.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true

Associated: 00000000.00000002.2177164617.0000000000A90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177927609.0000000000B98000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178101088.0000000000B99000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_uOCavrYu1y.jbxd

Similarity

API ID: __lock_file_memset
String ID:
API String ID: 26237723-0
Opcode ID: b017ab22c9b60d688c7b3678271a460659cfc950fbbc456b6f070c48e290f171
Instruction ID: 39f7de074b7273bec63410d7fe9eb3ece050fb663e2f917db528f2d3025e3ce1
Opcode Fuzzy Hash: b017ab22c9b60d688c7b3678271a460659cfc950fbbc456b6f070c48e290f171
Instruction Fuzzy Hash: 9B018471C00608ABCF22BF789D026DE7F69AF51361F584115F8141B193EB358A51EF91

Function 00AB53A6 Relevance: 3.0, APIs: 2, Instructions: 33COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00AB8B28: __getptd_noexit.LIBCMT ref: 00AB8B28

__lock_file.LIBCMT ref: 00AB53EB

Part of subcall function 00AB6C11: __lock.LIBCMT ref: 00AB6C34

__fclose_nolock.LIBCMT ref: 00AB53F6

Memory Dump Source

Source File: 00000000.00000002.2177197772.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true

Associated: 00000000.00000002.2177164617.0000000000A90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177927609.0000000000B98000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178101088.0000000000B99000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_uOCavrYu1y.jbxd

Similarity

API ID: __fclose_nolock__getptd_noexit__lock__lock_file
String ID:
API String ID: 2800547568-0
Opcode ID: 1e39983eaef3810da423695e24f11d702c472969b0690feffa3428c242c9172d
Instruction ID: f7754bd96af8966c967ed897b75a8f989bc5d4f8e075fdbc8e37e7d1628473cc
Opcode Fuzzy Hash: 1e39983eaef3810da423695e24f11d702c472969b0690feffa3428c242c9172d
Instruction Fuzzy Hash: FEF09631C00A049ADB206F7999017ED6BEC6F41374F248105A424AF2C3CBBC8941AF51

Function 0368129D Relevance: 1.9, APIs: 1, Instructions: 400processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 03681ACD
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 03681AF1
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 03681B13

Memory Dump Source

Source File: 00000000.00000002.2179690556.0000000003680000.00000040.00001000.00020000.00000000.sdmp, Offset: 03680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3680000_uOCavrYu1y.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadThreadWow64
String ID:
API String ID: 2438371351-0
Opcode ID: 6ff7500a3617197a005732162d507dd4d37460c8dcbf147a4ae2be43d63b6423
Instruction ID: 01bf33f9578c0bf5df8ea33d3c1a840251e2a5ef4d8a7ecd3176681f8ec139dc
Opcode Fuzzy Hash: 6ff7500a3617197a005732162d507dd4d37460c8dcbf147a4ae2be43d63b6423
Instruction Fuzzy Hash: 0912DD24E24658C6EB24DF64D8507DEB232EF68300F1091E9910DEB7A5E77A4E81CF5A

Function 00AA1FC3 Relevance: 1.7, APIs: 1, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2177197772.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true

Associated: 00000000.00000002.2177164617.0000000000A90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177927609.0000000000B98000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178101088.0000000000B99000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_uOCavrYu1y.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6831a760d2e4ac4232d1d758c220dea0b533ae102c3cb4a7163890f1990134c9
Instruction ID: 3e8e2263673cf9017c5bf0f4620e6e460bb4b975d221175a06bdb249046dad4c
Opcode Fuzzy Hash: 6831a760d2e4ac4232d1d758c220dea0b533ae102c3cb4a7163890f1990134c9
Instruction Fuzzy Hash: E6514E31B00604AFCF15EB68CA92FAE77E6AF45310F158569F906AB392DB31ED01CB51

Function 00A95AEE Relevance: 1.6, APIs: 1, Instructions: 97COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNELBASE(?,?,00000001,00000000,00000000,?,?,00000000), ref: 00A95B96

Memory Dump Source

Source File: 00000000.00000002.2177197772.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true

Associated: 00000000.00000002.2177164617.0000000000A90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177927609.0000000000B98000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178101088.0000000000B99000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_uOCavrYu1y.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 3f156d5204ebceddbe9a4c4c7dafa322759a324392ab8e8b2032fb9e81702a4a
Instruction ID: 731de71242b706edccfa91d57a634998d59623f20df3333a0e55dc631f375d43
Opcode Fuzzy Hash: 3f156d5204ebceddbe9a4c4c7dafa322759a324392ab8e8b2032fb9e81702a4a
Instruction Fuzzy Hash: D2313931B00A09ABCF19DF6DC485AADB7F5FF48310F158629E81997710E770A9A0CB90

Function 00ACFCAC Relevance: 1.6, APIs: 1, Instructions: 88COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 00ACFCB7

Memory Dump Source

Source File: 00000000.00000002.2177197772.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true

Associated: 00000000.00000002.2177164617.0000000000A90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177927609.0000000000B98000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178101088.0000000000B99000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_uOCavrYu1y.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: 8d16c7f75faa389a532c88668b226ada7a7d6cb2b337b0988c94ed4fe5c27552
Instruction ID: 86a63e0ba803596ffdf33929d9d73ce6bd817d69ec1f770ee19f1b5d3cc08e42
Opcode Fuzzy Hash: 8d16c7f75faa389a532c88668b226ada7a7d6cb2b337b0988c94ed4fe5c27552
Instruction Fuzzy Hash: 6D410674604341DFDB24DF18C544F1ABBE1BF45318F0988ADE89A8B362C731E845CB92

Function 00A959B9 Relevance: 1.6, APIs: 1, Instructions: 72COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00A95A01

Memory Dump Source

Source File: 00000000.00000002.2177197772.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true

Associated: 00000000.00000002.2177164617.0000000000A90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177927609.0000000000B98000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178101088.0000000000B99000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_uOCavrYu1y.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: bb80fbf6219a989719f6379534b1973ca8658fdf07f2445397d2de76dbf00265
Instruction ID: d4ff7ee03ce929f8d76b34ff2f4aab73e7433a55389a0129e05e8c7ab7902bbc
Opcode Fuzzy Hash: bb80fbf6219a989719f6379534b1973ca8658fdf07f2445397d2de76dbf00265
Instruction Fuzzy Hash: E221C371A08A08EBDF109F76E881BAA7BF8FB05350F22846EE489D6511EB70D5D0D745

Function 00A94DDD Relevance: 1.6, APIs: 1, Instructions: 64libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00A94BB5: FreeLibrary.KERNEL32(00000000,?), ref: 00A94BEF

Part of subcall function 00AB525B: __wfsopen.LIBCMT ref: 00AB5266

LoadLibraryExW.KERNEL32(?,00000000,00000002,?,00B552F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00A94E0F

Part of subcall function 00A94B6A: FreeLibrary.KERNEL32(00000000), ref: 00A94BA4

Part of subcall function 00A94C70: _memmove.LIBCMT ref: 00A94CBA

Memory Dump Source

Source File: 00000000.00000002.2177197772.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true

Associated: 00000000.00000002.2177164617.0000000000A90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177927609.0000000000B98000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178101088.0000000000B99000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_uOCavrYu1y.jbxd

Similarity

API ID: Library$Free$Load__wfsopen_memmove
String ID:
API String ID: 1396898556-0
Opcode ID: 0eddacc46c70d49df304ac3e3d9fdf3b2082e6daea2abb791884992f1c4371f3
Instruction ID: bd8afc04a4dcd6006d4086fb7de41c5b723eda1a3756d401a542bc220dc12975
Opcode Fuzzy Hash: 0eddacc46c70d49df304ac3e3d9fdf3b2082e6daea2abb791884992f1c4371f3
Instruction Fuzzy Hash: 1411A331700206ABCF15BF74C956FEE77E9AF48710F10892DF541A7181DA719A029B51

Function 00ACFD85 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32(?), ref: 00ACFD91

Memory Dump Source

Source File: 00000000.00000002.2177197772.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true

Associated: 00000000.00000002.2177164617.0000000000A90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177927609.0000000000B98000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178101088.0000000000B99000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_uOCavrYu1y.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: 1fa5a6e069a90bb0bfaf59ac70434f5f888a6d9fb37e99b56abbb122d1f105e9
Instruction ID: e6daeec4262b60df6e51ace8a2e3069d7f384735c676204bde625771cd5a7756
Opcode Fuzzy Hash: 1fa5a6e069a90bb0bfaf59ac70434f5f888a6d9fb37e99b56abbb122d1f105e9
Instruction Fuzzy Hash: 6621F0B4A08341DFCB24DF64C544F5ABBE1BF89314F05896DE88A9B762D731E805CB92

Function 00A95BC0 Relevance: 1.6, APIs: 1, Instructions: 53fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(?,?,00010000,?,00000000,00000000,?,00010000,?,00A956A7,00000000,00010000,00000000,00000000,00000000,00000000), ref: 00A95C16

Memory Dump Source

Source File: 00000000.00000002.2177197772.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true

Associated: 00000000.00000002.2177164617.0000000000A90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177927609.0000000000B98000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178101088.0000000000B99000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_uOCavrYu1y.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: d1f308be23f9b4aa9bb197434ee90995eec32cfc9b0c5ef2a774c4d4b749729f
Instruction ID: f9dbc70f1efb84c8c8a75f4ac7b60cb6ae2b32a923a534fb7cc0074cc88deb69
Opcode Fuzzy Hash: d1f308be23f9b4aa9bb197434ee90995eec32cfc9b0c5ef2a774c4d4b749729f
Instruction Fuzzy Hash: 57113A71600B059FDB228F29D881B62B7F5EF44760F10C92DE99A8AA51E770E844CB60

Function 00A95A7A Relevance: 1.5, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00ACDD18

Memory Dump Source

Source File: 00000000.00000002.2177197772.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true

Associated: 00000000.00000002.2177164617.0000000000A90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177927609.0000000000B98000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178101088.0000000000B99000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_uOCavrYu1y.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 14d5dc22de30b69a2dca6a7e42185d7ce86be11b0e2de9582ebe648f8a374807
Instruction ID: e8fb4b055817b1f0fa26586f6c249b582a604815f17939abd8a63e81ae764bf0
Opcode Fuzzy Hash: 14d5dc22de30b69a2dca6a7e42185d7ce86be11b0e2de9582ebe648f8a374807
Instruction Fuzzy Hash: BA018FB9700942AFC705EB29C552D2AF7A9FF8A3107148569E869C7702DB31FC21CBE0

Function 00AB4863 Relevance: 1.5, APIs: 1, Instructions: 36COMMON

Download Yara Rule

APIs

__lock_file.LIBCMT ref: 00AB48A6

Part of subcall function 00AB8B28: __getptd_noexit.LIBCMT ref: 00AB8B28

Memory Dump Source

Source File: 00000000.00000002.2177197772.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true

Associated: 00000000.00000002.2177164617.0000000000A90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177927609.0000000000B98000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178101088.0000000000B99000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_uOCavrYu1y.jbxd

Similarity

API ID: __getptd_noexit__lock_file
String ID:
API String ID: 2597487223-0
Opcode ID: 7f97470b994a8f6a1622cea8356bd91056d76c131ce2e9369606ab98ed4611ee
Instruction ID: ffa34f7d70a8ed069882df8e51bbb78410d2cae0aa6a2803f6273d95bdcaca34
Opcode Fuzzy Hash: 7f97470b994a8f6a1622cea8356bd91056d76c131ce2e9369606ab98ed4611ee
Instruction Fuzzy Hash: 7AF0AF31900649ABEF11AFF88D067EE3AADAF05325F158414F4249A193CB7C8A51DB51

Function 00A94E4A Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,00B552F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00A94E7E

Memory Dump Source

Source File: 00000000.00000002.2177197772.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true

Associated: 00000000.00000002.2177164617.0000000000A90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177927609.0000000000B98000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178101088.0000000000B99000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_uOCavrYu1y.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: ce0013b4d3869418989e1cc6ba67f11450165c3908bf28d0ebe170542b210a83
Instruction ID: c948ef655181690ccc7e8b56eb65470c3067e5a8fe0b248eb064811012cbfa84
Opcode Fuzzy Hash: ce0013b4d3869418989e1cc6ba67f11450165c3908bf28d0ebe170542b210a83
Instruction Fuzzy Hash: 68F03975601712CFDF349F64E494CA6BBF5BF183293208A3EE1D682620C7329881DF40

Function 00AB0791 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00AB07B0

Part of subcall function 00A97BCC: _memmove.LIBCMT ref: 00A97C06

Memory Dump Source

Source File: 00000000.00000002.2177197772.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true

Associated: 00000000.00000002.2177164617.0000000000A90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177927609.0000000000B98000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178101088.0000000000B99000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_uOCavrYu1y.jbxd

Similarity

API ID: LongNamePath_memmove
String ID:
API String ID: 2514874351-0
Opcode ID: d2eddb97ea4d7d876badde7c316b770ba3560158ea04f84c1fcc11b332528d76
Instruction ID: 8dcab9c511875b083177501698d959bcda95299507ff1142a2309feb876ff6f2
Opcode Fuzzy Hash: d2eddb97ea4d7d876badde7c316b770ba3560158ea04f84c1fcc11b332528d76
Instruction Fuzzy Hash: 9CE08636A0422857C72096589C05FEA77DDDB896A0F0541B5FC08D7205DD709C8086D0

Function 00AF8E9F Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

__fread_nolock.LIBCMT ref: 00AF8EC1

Memory Dump Source

Source File: 00000000.00000002.2177197772.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true

Associated: 00000000.00000002.2177164617.0000000000A90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177927609.0000000000B98000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178101088.0000000000B99000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_uOCavrYu1y.jbxd

Similarity

API ID: __fread_nolock
String ID:
API String ID: 2638373210-0
Opcode ID: 36e66934677415102e9643fee0822ecf6e22e0db5db5ed1a6e3653ba213ae753
Instruction ID: a0e69def4cfdbdb58c25f00657123b087ec4bcf0bbdbc477cccc868c44b0494c
Opcode Fuzzy Hash: 36e66934677415102e9643fee0822ecf6e22e0db5db5ed1a6e3653ba213ae753
Instruction Fuzzy Hash: 3AE092B1504B045BDB388B24D800BE373E1AB09305F00091DF2AA83242EB62B8418759

Function 00A95C4E Relevance: 1.5, APIs: 1, Instructions: 16COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNELBASE(?,00000000,00000000,?,00000001,?,?,?,00ACDD42,?,?,00000000), ref: 00A95C5F

Memory Dump Source

Source File: 00000000.00000002.2177197772.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true

Associated: 00000000.00000002.2177164617.0000000000A90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177927609.0000000000B98000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178101088.0000000000B99000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_uOCavrYu1y.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: dfb507258c0c906be35aa4bae35762212715f43d851f2cdc5c687a7a443e238e
Instruction ID: 02130b9493ffb0bd1688ce086d079d205171a09e753cd0c9b4ab75dff8dcf013
Opcode Fuzzy Hash: dfb507258c0c906be35aa4bae35762212715f43d851f2cdc5c687a7a443e238e
Instruction Fuzzy Hash: F4D0C77464020CBFE710DB80DC46FA9777CD705710F500194FD04A7290D6B27D508795

Function 00AB525B Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

__wfsopen.LIBCMT ref: 00AB5266

Memory Dump Source

Source File: 00000000.00000002.2177197772.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true

Associated: 00000000.00000002.2177164617.0000000000A90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177927609.0000000000B98000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178101088.0000000000B99000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_uOCavrYu1y.jbxd

Similarity

API ID: __wfsopen
String ID:
API String ID: 197181222-0
Opcode ID: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
Instruction ID: 782a5231137238dbbd8e9e1c9e11678a4d68d1871c8a3d6b5fb2e80aa385acf4
Opcode Fuzzy Hash: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
Instruction Fuzzy Hash: 48B092B684020C77CE022A92EC02B893B1D9B41764F408020FB0C18163A673AA649A89

Function 00AFD07B Relevance: 1.4, APIs: 1, Instructions: 198COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000002,00000000), ref: 00AFD1FF

Memory Dump Source

Source File: 00000000.00000002.2177197772.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true

Associated: 00000000.00000002.2177164617.0000000000A90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177927609.0000000000B98000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178101088.0000000000B99000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_uOCavrYu1y.jbxd

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: 93d38b317c8e4f511ebbbf641b7ac889aa550bafa65fef23545d5dc58d5f3e29
Instruction ID: b24a2da49db2643904139948b883cd3d3d330c01f6af388a281cfda0d13a08b6
Opcode Fuzzy Hash: 93d38b317c8e4f511ebbbf641b7ac889aa550bafa65fef23545d5dc58d5f3e29
Instruction Fuzzy Hash: 177181306043058FDB05EFA4C591ABEB7E5AF89354F04492DF9969B3A2DB30ED05CB92

Function 00AB0C08 Relevance: 1.3, APIs: 1, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE ref: 00AB0CB7

Memory Dump Source

Source File: 00000000.00000002.2177197772.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true

Associated: 00000000.00000002.2177164617.0000000000A90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177927609.0000000000B98000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178101088.0000000000B99000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_uOCavrYu1y.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction ID: e09431aef5720d4269a29dc50746e0ba0cffe10d16bd19d4995aa55b8770f4ca
Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction Fuzzy Hash: 7231B570A001059FC718DF59C4849AAFBBAFB5A300B6497A5E84ACB356DB31EDC1DBC0

Function 0368229C Relevance: 1.3, APIs: 1, Instructions: 21sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000001F4), ref: 036822B1

Memory Dump Source

Source File: 00000000.00000002.2179690556.0000000003680000.00000040.00001000.00020000.00000000.sdmp, Offset: 03680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3680000_uOCavrYu1y.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
Instruction ID: 3fe06a8c6a06104a4d349d71fb37181cc46484585c49c11f7372b200ef471b2d
Opcode Fuzzy Hash: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
Instruction Fuzzy Hash: FCE0BF7494010EEFDB00EFA8D5496DE7BB4EF04711F1006A1FD05D7680DB309E548A66

Function 036822A0 Relevance: 1.3, APIs: 1, Instructions: 18sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000001F4), ref: 036822B1

Memory Dump Source

Source File: 00000000.00000002.2179690556.0000000003680000.00000040.00001000.00020000.00000000.sdmp, Offset: 03680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3680000_uOCavrYu1y.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction ID: 13c3d2728d670d4dac60050ea7ae45c6119e82cb2fbd58be1612d48666da727d
Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction Fuzzy Hash: 84E0E67494010EDFDB00EFB8D54969E7FB4EF04701F1006A1FD01D2280D6309D508A72

Non-executed Functions

Function 00B1CABC Relevance: 68.9, APIs: 37, Strings: 2, Instructions: 632windowkeyboardnativeCOMMON

Download Yara Rule

APIs

Part of subcall function 00A92612: GetWindowLongW.USER32(?,000000EB), ref: 00A92623

NtdllDialogWndProc_W.NTDLL(?,0000004E,?,?,?,?,?,?), ref: 00B1CB37
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00B1CB95
GetWindowLongW.USER32(?,000000F0), ref: 00B1CBD6
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00B1CC00
SendMessageW.USER32 ref: 00B1CC29
_wcsncpy.LIBCMT ref: 00B1CC95
GetKeyState.USER32(00000011), ref: 00B1CCB6
GetKeyState.USER32(00000009), ref: 00B1CCC3
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00B1CCD9
GetKeyState.USER32(00000010), ref: 00B1CCE3
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00B1CD0C
SendMessageW.USER32 ref: 00B1CD33
SendMessageW.USER32(?,00001030,?,00B1B348), ref: 00B1CE37
SetCapture.USER32(?), ref: 00B1CE69
ClientToScreen.USER32(?,?), ref: 00B1CECE
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00B1CEF5
ReleaseCapture.USER32 ref: 00B1CF00
GetCursorPos.USER32(?), ref: 00B1CF3A
ScreenToClient.USER32(?,?), ref: 00B1CF47
SendMessageW.USER32(?,00001012,00000000,?), ref: 00B1CFA3
SendMessageW.USER32 ref: 00B1CFD1
SendMessageW.USER32(?,00001111,00000000,?), ref: 00B1D00E
SendMessageW.USER32 ref: 00B1D03D
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00B1D05E
SendMessageW.USER32(?,0000110B,00000009,?), ref: 00B1D06D
GetCursorPos.USER32(?), ref: 00B1D08D
ScreenToClient.USER32(?,?), ref: 00B1D09A
GetParent.USER32(?), ref: 00B1D0BA
SendMessageW.USER32(?,00001012,00000000,?), ref: 00B1D123
SendMessageW.USER32 ref: 00B1D154
ClientToScreen.USER32(?,?), ref: 00B1D1B2
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00B1D1E2
SendMessageW.USER32(?,00001111,00000000,?), ref: 00B1D20C
SendMessageW.USER32 ref: 00B1D22F
ClientToScreen.USER32(?,?), ref: 00B1D281
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 00B1D2B5

Part of subcall function 00A925DB: GetWindowLongW.USER32(?,000000EB), ref: 00A925EC

GetWindowLongW.USER32(?,000000F0), ref: 00B1D351

Strings

F, xrefs: 00B1D235
@GUI_DRAGID, xrefs: 00B1CE9C

Memory Dump Source

Source File: 00000000.00000002.2177197772.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true

Associated: 00000000.00000002.2177164617.0000000000A90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177927609.0000000000B98000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178101088.0000000000B99000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_uOCavrYu1y.jbxd

Similarity

API ID: MessageSend$ClientScreen$LongWindow$State$CaptureCursorMenuPopupTrack$DialogInvalidateNtdllParentProc_RectRelease_wcsncpy
String ID: @GUI_DRAGID$F
API String ID: 302779176-4164748364
Opcode ID: c705f37dca09463f29e00dc1edfc9229cdc50c83776474351be30531b1f0d665
Instruction ID: a6566b386314e3f62037aa10e87165f6982bdea51153363978954b0d8c0c532b
Opcode Fuzzy Hash: c705f37dca09463f29e00dc1edfc9229cdc50c83776474351be30531b1f0d665
Instruction Fuzzy Hash: 72429A34208345AFDB20CF24D884BAABFE5FF49311F9445A9F595C72A0CB31E895DB92

Function 00AA6F9E Relevance: 48.8, APIs: 19, Strings: 6, Instructions: 5018COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00AA71C3
_memset.LIBCMT ref: 00AA7539
_memmove.LIBCMT ref: 00AA76AC

Strings

\b(?<=\w), xrefs: 00AE3773
[:<:]], xrefs: 00AA7479
[:>:]], xrefs: 00AA7492
DEFINE, xrefs: 00AE2103
\b(?=\w), xrefs: 00AE3769
Q\E, xrefs: 00AA7FCB

Memory Dump Source

Source File: 00000000.00000002.2177197772.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true

Associated: 00000000.00000002.2177164617.0000000000A90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177927609.0000000000B98000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178101088.0000000000B99000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_uOCavrYu1y.jbxd

Similarity

API ID: _memmove$_memset
String ID: DEFINE$Q\E$[:<:]]$[:>:]]$\b(?<=\w)$\b(?=\w)
API String ID: 1357608183-1798697756
Opcode ID: 99e7c1ceed70d85ef4950e65709b909442f08e22562d1abc840aa718c728c6a9
Instruction ID: 40934e22589abfe1ba4d0dd2880d10964bbfef9c79b4f7b5dbb469d41ba0c88a
Opcode Fuzzy Hash: 99e7c1ceed70d85ef4950e65709b909442f08e22562d1abc840aa718c728c6a9
Instruction Fuzzy Hash: F2939F72E00259DFDF24CF99C885BADB7B1FF48310F25816AE945AB281E7749E81CB50

Function 00A948D7 Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 131keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,?), ref: 00A948DF
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00ACD665
IsIconic.USER32(?), ref: 00ACD66E
ShowWindow.USER32(?,00000009), ref: 00ACD67B
SetForegroundWindow.USER32(?), ref: 00ACD685
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00ACD69B
GetCurrentThreadId.KERNEL32 ref: 00ACD6A2
GetWindowThreadProcessId.USER32(?,00000000), ref: 00ACD6AE
AttachThreadInput.USER32(?,00000000,00000001), ref: 00ACD6BF
AttachThreadInput.USER32(?,00000000,00000001), ref: 00ACD6C7
AttachThreadInput.USER32(00000000,?,00000001), ref: 00ACD6CF
SetForegroundWindow.USER32(?), ref: 00ACD6D2
MapVirtualKeyW.USER32(00000012,00000000), ref: 00ACD6E7
keybd_event.USER32(00000012,00000000), ref: 00ACD6F2
MapVirtualKeyW.USER32(00000012,00000000), ref: 00ACD6FC
keybd_event.USER32(00000012,00000000), ref: 00ACD701
MapVirtualKeyW.USER32(00000012,00000000), ref: 00ACD70A
keybd_event.USER32(00000012,00000000), ref: 00ACD70F
MapVirtualKeyW.USER32(00000012,00000000), ref: 00ACD719
keybd_event.USER32(00000012,00000000), ref: 00ACD71E
SetForegroundWindow.USER32(?), ref: 00ACD721
AttachThreadInput.USER32(?,?,00000000), ref: 00ACD748

Strings

Shell_TrayWnd, xrefs: 00ACD660

Memory Dump Source

Source File: 00000000.00000002.2177197772.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true

Associated: 00000000.00000002.2177164617.0000000000A90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177927609.0000000000B98000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178101088.0000000000B99000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_uOCavrYu1y.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: 231e1de89e3a17fb164d0f0f9c8d651e2979a99c94e8a7a12686641e81d67098
Instruction ID: 261e101cc079f88e48cd22ced164917a9ce06c2c4a893021dc9fa0f59550dd4b
Opcode Fuzzy Hash: 231e1de89e3a17fb164d0f0f9c8d651e2979a99c94e8a7a12686641e81d67098
Instruction Fuzzy Hash: 8D317571A40318BAEB205F619C49FBF7E6DEB44B50F518035FA04EB1D1DAB05D01EBA0

Function 00AE8310 Relevance: 30.0, APIs: 14, Strings: 3, Instructions: 224COMMON

Download Yara Rule

APIs

Part of subcall function 00AE87E1: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00AE882B
Part of subcall function 00AE87E1: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00AE8858
Part of subcall function 00AE87E1: GetLastError.KERNEL32 ref: 00AE8865

_memset.LIBCMT ref: 00AE8353
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 00AE83A5
CloseHandle.KERNEL32(?), ref: 00AE83B6
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 00AE83CD
GetProcessWindowStation.USER32 ref: 00AE83E6
SetProcessWindowStation.USER32(00000000), ref: 00AE83F0
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00AE840A

Part of subcall function 00AE81CB: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00AE8309), ref: 00AE81E0
Part of subcall function 00AE81CB: CloseHandle.KERNEL32(?,?,00AE8309), ref: 00AE81F2

Strings

default, xrefs: 00AE8405
, xrefs: 00AE8362
winsta0, xrefs: 00AE83C8

Memory Dump Source

Source File: 00000000.00000002.2177197772.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true

Associated: 00000000.00000002.2177164617.0000000000A90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177927609.0000000000B98000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178101088.0000000000B99000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_uOCavrYu1y.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
String ID: $default$winsta0
API String ID: 2063423040-1027155976
Opcode ID: d320a5fa8847c5f08f4c86aa606af9cd4d1e2d8d0bb0535fb16b349f19d335c3
Instruction ID: b878456ac6fd0769697d2c7e2faf7798e4fff762dfd45073efa66b9ad179c5cb
Opcode Fuzzy Hash: d320a5fa8847c5f08f4c86aa606af9cd4d1e2d8d0bb0535fb16b349f19d335c3
Instruction Fuzzy Hash: B5816971900289AFDF11DFA5CD45AFEBBB9EF04304F148169F919A62A1DF398E14DB20

Function 00AFC75C Relevance: 28.3, APIs: 13, Strings: 3, Instructions: 280timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00AFC78D
FindClose.KERNEL32(00000000), ref: 00AFC7E1
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00AFC806
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00AFC81D
FileTimeToSystemTime.KERNEL32(?,?), ref: 00AFC844
__swprintf.LIBCMT ref: 00AFC890
__swprintf.LIBCMT ref: 00AFC8D3

Part of subcall function 00A97DE1: _memmove.LIBCMT ref: 00A97E22

__swprintf.LIBCMT ref: 00AFC927

Part of subcall function 00AB3698: __woutput_l.LIBCMT ref: 00AB36F1

__swprintf.LIBCMT ref: 00AFC975

Part of subcall function 00AB3698: __flsbuf.LIBCMT ref: 00AB3713
Part of subcall function 00AB3698: __flsbuf.LIBCMT ref: 00AB372B

__swprintf.LIBCMT ref: 00AFC9C4
__swprintf.LIBCMT ref: 00AFCA13
__swprintf.LIBCMT ref: 00AFCA62

Strings

%4d, xrefs: 00AFC8CD
%4d%02d%02d%02d%02d%02d, xrefs: 00AFC88A
%02d, xrefs: 00AFC91B, 00AFC925, 00AFC973, 00AFC9C2, 00AFCA11, 00AFCA60

Memory Dump Source

Source File: 00000000.00000002.2177197772.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true

Associated: 00000000.00000002.2177164617.0000000000A90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177927609.0000000000B98000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178101088.0000000000B99000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_uOCavrYu1y.jbxd

Similarity

API ID: __swprintf$FileTime$FindLocal__flsbuf$CloseFirstSystem__woutput_l_memmove
String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
API String ID: 3953360268-2428617273
Opcode ID: a15de5484d9ff7fc68f5fe1deefc2af4ad83ff5a067e01c401a6dbad8a10596c
Instruction ID: 6e52945a9e3aebc6d63a5d27360fd4ec02a9f810ee2998239a14ec05b385131a
Opcode Fuzzy Hash: a15de5484d9ff7fc68f5fe1deefc2af4ad83ff5a067e01c401a6dbad8a10596c
Instruction Fuzzy Hash: 69A12FB2504205ABDB00EFA5CA96DBFB7ECEF95700F40491DF595C6152EA34EA08CB62

Function 00AFEF95 Relevance: 28.1, APIs: 15, Strings: 1, Instructions: 119fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,76228FB0,?,00000000), ref: 00AFEFB6
_wcscmp.LIBCMT ref: 00AFEFCB
_wcscmp.LIBCMT ref: 00AFEFE2
GetFileAttributesW.KERNEL32(?), ref: 00AFEFF4
SetFileAttributesW.KERNEL32(?,?), ref: 00AFF00E
FindNextFileW.KERNEL32(00000000,?), ref: 00AFF026
FindClose.KERNEL32(00000000), ref: 00AFF031
FindFirstFileW.KERNEL32(*.*,?), ref: 00AFF04D
_wcscmp.LIBCMT ref: 00AFF074
_wcscmp.LIBCMT ref: 00AFF08B
SetCurrentDirectoryW.KERNEL32(?), ref: 00AFF09D
SetCurrentDirectoryW.KERNEL32(00B48920), ref: 00AFF0BB
FindNextFileW.KERNEL32(00000000,00000010), ref: 00AFF0C5
FindClose.KERNEL32(00000000), ref: 00AFF0D2
FindClose.KERNEL32(00000000), ref: 00AFF0E4

Strings

*.*, xrefs: 00AFF048

Memory Dump Source

Source File: 00000000.00000002.2177197772.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true

Associated: 00000000.00000002.2177164617.0000000000A90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177927609.0000000000B98000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178101088.0000000000B99000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_uOCavrYu1y.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1803514871-438819550
Opcode ID: 22448aaec53be03652f17e136bb04fbdf0d5e50eaa2e76c58c2e5f78e2d92504
Instruction ID: ac52ad29ef1d00cfa014a4dea20ad37bee07b2a49bcefbd7fe6359aa781e92ab
Opcode Fuzzy Hash: 22448aaec53be03652f17e136bb04fbdf0d5e50eaa2e76c58c2e5f78e2d92504
Instruction Fuzzy Hash: 3931803250161D7EDB24EBA4EC49AFE77AC9F48360F1441B5F904E30A2EF70DA44DA65

Function 00B10857 Relevance: 26.7, APIs: 9, Strings: 6, Instructions: 477registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00B10953
RegCreateKeyExW.ADVAPI32(?,?,00000000,00B1F910,00000000,?,00000000,?,?), ref: 00B109C1
RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 00B10A09
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 00B10A92
RegCloseKey.ADVAPI32(?), ref: 00B10DB2
RegCloseKey.ADVAPI32(00000000), ref: 00B10DBF

Strings

REG_MULTI_SZ, xrefs: 00B10B7A
REG_QWORD, xrefs: 00B10D00
REG_BINARY, xrefs: 00B10D4D
REG_EXPAND_SZ, xrefs: 00B10A2F
REG_SZ, xrefs: 00B10AD0
REG_DWORD, xrefs: 00B10C83

Memory Dump Source

Source File: 00000000.00000002.2177197772.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true

Associated: 00000000.00000002.2177164617.0000000000A90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177927609.0000000000B98000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178101088.0000000000B99000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_uOCavrYu1y.jbxd

Similarity

API ID: Close$ConnectCreateRegistryValue
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 536824911-966354055
Opcode ID: cf65036a5a35af4cf67e43e7c79f1af622a974f857490dbdd63e79a1d3ab1837
Instruction ID: fe92212a35214441f5d0062ce7e133eff8c7809039fb24706b2e6b3a22fc58a5
Opcode Fuzzy Hash: cf65036a5a35af4cf67e43e7c79f1af622a974f857490dbdd63e79a1d3ab1837
Instruction Fuzzy Hash: 21026C75614601AFCB14EF28C985E6AB7E9FF89314F04845DF8899B362DB70ED81CB81

Function 00B1C5FE Relevance: 24.7, APIs: 11, Strings: 3, Instructions: 181windowfilenativeCOMMON

Download Yara Rule

APIs

Part of subcall function 00A92612: GetWindowLongW.USER32(?,000000EB), ref: 00A92623

DragQueryPoint.SHELL32(?,?), ref: 00B1C627

Part of subcall function 00B1AB37: ClientToScreen.USER32(?,?), ref: 00B1AB60
Part of subcall function 00B1AB37: GetWindowRect.USER32(?,?), ref: 00B1ABD6
Part of subcall function 00B1AB37: PtInRect.USER32(?,?,00B1C014), ref: 00B1ABE6

SendMessageW.USER32(?,000000B0,?,?), ref: 00B1C690
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 00B1C69B
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 00B1C6BE
_wcscat.LIBCMT ref: 00B1C6EE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 00B1C705
SendMessageW.USER32(?,000000B0,?,?), ref: 00B1C71E
SendMessageW.USER32(?,000000B1,?,?), ref: 00B1C735
SendMessageW.USER32(?,000000B1,?,?), ref: 00B1C757
DragFinish.SHELL32(?), ref: 00B1C75E
NtdllDialogWndProc_W.NTDLL(?,00000233,?,00000000,?,?,?), ref: 00B1C851

Strings

@GUI_DROPID, xrefs: 00B1C77E
@GUI_DRAGID, xrefs: 00B1C7C9
@GUI_DRAGFILE, xrefs: 00B1C800

Memory Dump Source

Source File: 00000000.00000002.2177197772.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true

Associated: 00000000.00000002.2177164617.0000000000A90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177927609.0000000000B98000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178101088.0000000000B99000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_uOCavrYu1y.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientDialogFinishLongNtdllPointProc_Screen_wcscat
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
API String ID: 2166380349-3440237614
Opcode ID: eedbf8364dc409ae0a299e567e18900e19fbfb39da085fb43dfc028e3b1cbb1f
Instruction ID: 561c319587d4ce0c897fbb2905c625d7f0a6678464fa337f0770e1bfbe9d7859
Opcode Fuzzy Hash: eedbf8364dc409ae0a299e567e18900e19fbfb39da085fb43dfc028e3b1cbb1f
Instruction Fuzzy Hash: A9617E71208301AFCB01EF64DD85EAFBBE8EF89710F40496EF595931A1DB709A49CB52

Function 00AFF0F2 Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 112fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,76228FB0,?,00000000), ref: 00AFF113
_wcscmp.LIBCMT ref: 00AFF128
_wcscmp.LIBCMT ref: 00AFF13F

Part of subcall function 00AF4385: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 00AF43A0

FindNextFileW.KERNEL32(00000000,?), ref: 00AFF16E
FindClose.KERNEL32(00000000), ref: 00AFF179
FindFirstFileW.KERNEL32(*.*,?), ref: 00AFF195
_wcscmp.LIBCMT ref: 00AFF1BC
_wcscmp.LIBCMT ref: 00AFF1D3
SetCurrentDirectoryW.KERNEL32(?), ref: 00AFF1E5
SetCurrentDirectoryW.KERNEL32(00B48920), ref: 00AFF203
FindNextFileW.KERNEL32(00000000,00000010), ref: 00AFF20D
FindClose.KERNEL32(00000000), ref: 00AFF21A
FindClose.KERNEL32(00000000), ref: 00AFF22C

Strings

*.*, xrefs: 00AFF190

Memory Dump Source

Source File: 00000000.00000002.2177197772.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true

Associated: 00000000.00000002.2177164617.0000000000A90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177927609.0000000000B98000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178101088.0000000000B99000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_uOCavrYu1y.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 1824444939-438819550
Opcode ID: d9b827650f46bd4927d58c2467b0203893e3abe33b41ce69321fe71110f3026e
Instruction ID: d3c86749c080e4d1210cb279d987d47267e72adb35b51807876462c02375dd9f
Opcode Fuzzy Hash: d9b827650f46bd4927d58c2467b0203893e3abe33b41ce69321fe71110f3026e
Instruction Fuzzy Hash: 5B31A43650061E7EDF20AFA4EC49AFE77AC9F45360F1042B5FA14A30A1DB70DA45CA58

Function 00AFA1EF Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 102fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00AFA20F
__swprintf.LIBCMT ref: 00AFA231
CreateDirectoryW.KERNEL32(?,00000000), ref: 00AFA26E
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00AFA293
_memset.LIBCMT ref: 00AFA2B2
_wcsncpy.LIBCMT ref: 00AFA2EE
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 00AFA323
CloseHandle.KERNEL32(00000000), ref: 00AFA32E
RemoveDirectoryW.KERNEL32(?), ref: 00AFA337
CloseHandle.KERNEL32(00000000), ref: 00AFA341

Strings

\, xrefs: 00AFA247
:, xrefs: 00AFA252
\??\%s, xrefs: 00AFA22B

Memory Dump Source

Source File: 00000000.00000002.2177197772.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true

Associated: 00000000.00000002.2177164617.0000000000A90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177927609.0000000000B98000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178101088.0000000000B99000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_uOCavrYu1y.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
String ID: :$\$\??\%s
API String ID: 2733774712-3457252023
Opcode ID: aab7a4e7062bf0b722eb8bfc263266e3146f740cea44fa18096b6d33ef760201
Instruction ID: 6120959cb1a10681f956d30e9ec2f8f3793733d06f90f1130e8ce6c3e6128f3d
Opcode Fuzzy Hash: aab7a4e7062bf0b722eb8bfc263266e3146f740cea44fa18096b6d33ef760201
Instruction Fuzzy Hash: EC31A0B550010AABDB209FA0DC49FFB37BCEF89700F5041B6FA08D6161EB709644CB65

Function 00B1C1AC Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 229windownativeCOMMON

Download Yara Rule

APIs

Part of subcall function 00A92612: GetWindowLongW.USER32(?,000000EB), ref: 00A92623

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00B1C1FC
GetFocus.USER32 ref: 00B1C20C
GetDlgCtrlID.USER32(00000000), ref: 00B1C217
_memset.LIBCMT ref: 00B1C342
GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 00B1C36D
GetMenuItemCount.USER32(?), ref: 00B1C38D
GetMenuItemID.USER32(?,00000000), ref: 00B1C3A0
GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 00B1C3D4
GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 00B1C41C
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00B1C454
NtdllDialogWndProc_W.NTDLL(?,00000111,?,?,?,?,?,?,?), ref: 00B1C489

Strings

0, xrefs: 00B1C33A

Memory Dump Source

Source File: 00000000.00000002.2177197772.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true

Associated: 00000000.00000002.2177164617.0000000000A90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177927609.0000000000B98000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178101088.0000000000B99000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_uOCavrYu1y.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlDialogFocusLongMessageNtdllPostProc_RadioWindow_memset
String ID: 0
API String ID: 3616455698-4108050209
Opcode ID: 9ac1a0669b33ae0374cee07c73ae0dcf14723b7c5d8c474b55f4a264610020a7
Instruction ID: 47b20eb9dc30e7b8d048bce05bd70862aca52b5992bafd3d3fa3a76dd666656a
Opcode Fuzzy Hash: 9ac1a0669b33ae0374cee07c73ae0dcf14723b7c5d8c474b55f4a264610020a7
Instruction Fuzzy Hash: 0E818E70248311AFDB10CF14D894ABBBFE9FB88714F5049ADF99597291DB30D944CB92

Function 00AE7CAF Relevance: 21.2, APIs: 14, Instructions: 179memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00AE8202: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00AE821E
Part of subcall function 00AE8202: GetLastError.KERNEL32(?,00AE7CE2,?,?,?), ref: 00AE8228
Part of subcall function 00AE8202: GetProcessHeap.KERNEL32(00000008,?,?,00AE7CE2,?,?,?), ref: 00AE8237
Part of subcall function 00AE8202: RtlAllocateHeap.NTDLL(00000000,?,00AE7CE2), ref: 00AE823E
Part of subcall function 00AE8202: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00AE8255

Part of subcall function 00AE829F: GetProcessHeap.KERNEL32(00000008,00AE7CF8,00000000,00000000,?,00AE7CF8,?), ref: 00AE82AB
Part of subcall function 00AE829F: RtlAllocateHeap.NTDLL(00000000,?,00AE7CF8), ref: 00AE82B2
Part of subcall function 00AE829F: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00AE7CF8,?), ref: 00AE82C3

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00AE7D13
_memset.LIBCMT ref: 00AE7D28
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00AE7D47
GetLengthSid.ADVAPI32(?), ref: 00AE7D58
GetAce.ADVAPI32(?,00000000,?), ref: 00AE7D95
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00AE7DB1
GetLengthSid.ADVAPI32(?), ref: 00AE7DCE
GetProcessHeap.KERNEL32(00000008,-00000008), ref: 00AE7DDD
RtlAllocateHeap.NTDLL(00000000), ref: 00AE7DE4
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00AE7E05
CopySid.ADVAPI32(00000000), ref: 00AE7E0C
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00AE7E3D
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00AE7E63
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00AE7E77

Memory Dump Source

Source File: 00000000.00000002.2177197772.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true

Associated: 00000000.00000002.2177164617.0000000000A90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177927609.0000000000B98000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178101088.0000000000B99000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_uOCavrYu1y.jbxd

Similarity

API ID: HeapSecurity$AllocateDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
String ID:
API String ID: 2347767575-0
Opcode ID: bab34ee641566527ab9a46205dc6c03498f470e9fac7e80e21f3ff7716a1c3cb
Instruction ID: dd140bddfe6e531445157ad988f512162e46e93c71a6ce4a40053ececaeddf33
Opcode Fuzzy Hash: bab34ee641566527ab9a46205dc6c03498f470e9fac7e80e21f3ff7716a1c3cb
Instruction Fuzzy Hash: DB612B7190424AAFDF00DFA5DC85AFEBBB9FF08300F148269E915A7291DB359E15CB60

Function 00AA66E1 Relevance: 18.4, Strings: 14, Instructions: 889COMMON

Download Yara Rule

Strings

UTF), xrefs: 00AE10FA
LIMIT_MATCH=, xrefs: 00AE1170
BSR_UNICODE), xrefs: 00AE1338
NO_START_OPT), xrefs: 00AE114F
UTF16), xrefs: 00AE10CF
NO_AUTO_POSSESS), xrefs: 00AE112E
ANYCRLF), xrefs: 00AE12FB
CRLF), xrefs: 00AE12C1
CR), xrefs: 00AE1287
LF), xrefs: 00AE12A4
LIMIT_RECURSION=, xrefs: 00AE11FC
BSR_ANYCRLF), xrefs: 00AE131E
ANY), xrefs: 00AE12DE
UCP), xrefs: 00AE110D

Memory Dump Source

Source File: 00000000.00000002.2177197772.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true

Associated: 00000000.00000002.2177164617.0000000000A90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177927609.0000000000B98000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178101088.0000000000B99000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_uOCavrYu1y.jbxd

Similarity

API ID:
String ID: ANY)$ANYCRLF)$BSR_ANYCRLF)$BSR_UNICODE)$CR)$CRLF)$LF)$LIMIT_MATCH=$LIMIT_RECURSION=$NO_AUTO_POSSESS)$NO_START_OPT)$UCP)$UTF)$UTF16)
API String ID: 0-4052911093
Opcode ID: b4c7482da2e59d14247106b799976de3532ed7980c6be5bd32276f159402560d
Instruction ID: 008ff3aedb1f8585424379843b1634116edcdd13064cd09a937f6e02b6d7f211
Opcode Fuzzy Hash: b4c7482da2e59d14247106b799976de3532ed7980c6be5bd32276f159402560d
Instruction Fuzzy Hash: E4725FB5E00269DBDB14CF59C8807AEB7F5FF49710F14816AE905EB291EB349A81CF90

Function 00AF001C Relevance: 18.2, APIs: 12, Instructions: 186keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00AF0097
SetKeyboardState.USER32(?), ref: 00AF0102
GetAsyncKeyState.USER32(000000A0), ref: 00AF0122
GetKeyState.USER32(000000A0), ref: 00AF0139
GetAsyncKeyState.USER32(000000A1), ref: 00AF0168
GetKeyState.USER32(000000A1), ref: 00AF0179
GetAsyncKeyState.USER32(00000011), ref: 00AF01A5
GetKeyState.USER32(00000011), ref: 00AF01B3
GetAsyncKeyState.USER32(00000012), ref: 00AF01DC
GetKeyState.USER32(00000012), ref: 00AF01EA
GetAsyncKeyState.USER32(0000005B), ref: 00AF0213
GetKeyState.USER32(0000005B), ref: 00AF0221

Memory Dump Source

Source File: 00000000.00000002.2177197772.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true

Associated: 00000000.00000002.2177164617.0000000000A90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177927609.0000000000B98000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178101088.0000000000B99000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_uOCavrYu1y.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 045098cb4b02804ace43eedfcf2c032bda5394d30ff2eeff9852216c17610668
Instruction ID: e2d7bba3d24eaea85262caf9fdebe7a0c84b99c0ea90e0507a60be06a6ca386d
Opcode Fuzzy Hash: 045098cb4b02804ace43eedfcf2c032bda5394d30ff2eeff9852216c17610668
Instruction Fuzzy Hash: D751EA2490478C19FB35DBE08954BFABFB49F11380F084699A7C1571C3DA649B8CC761

Function 00B103DA Relevance: 16.9, APIs: 11, Instructions: 397registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00B10E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00B0FDAD,?,?), ref: 00B10E31

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00B104AC

Part of subcall function 00A99837: __itow.LIBCMT ref: 00A99862
Part of subcall function 00A99837: __swprintf.LIBCMT ref: 00A998AC

RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 00B1054B
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 00B105E3
RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 00B10822
RegCloseKey.ADVAPI32(00000000), ref: 00B1082F

Memory Dump Source

Source File: 00000000.00000002.2177197772.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true

Associated: 00000000.00000002.2177164617.0000000000A90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177927609.0000000000B98000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178101088.0000000000B99000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_uOCavrYu1y.jbxd

Similarity

API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
String ID:
API String ID: 1240663315-0
Opcode ID: 460032181dd43081a7e0d2697de503df0db67c874439fb97aad6e3de89e2afe5
Instruction ID: 899d02310697fa9443032f51acb3bda086dc7b06563eef32a9edde333b541446
Opcode Fuzzy Hash: 460032181dd43081a7e0d2697de503df0db67c874439fb97aad6e3de89e2afe5
Instruction Fuzzy Hash: A1E14E31614200AFCB14EF28C995D6BBBE9EF89314F44C96DF449DB2A1DA70ED41CB91

Function 00B083BB Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 197comCOMMON

Download Yara Rule

APIs

Part of subcall function 00A99837: __itow.LIBCMT ref: 00A99862
Part of subcall function 00A99837: __swprintf.LIBCMT ref: 00A998AC

CoInitialize.OLE32 ref: 00B08403
CoUninitialize.COMBASE ref: 00B0840E
CoCreateInstance.COMBASE(?,00000000,00000017,00B22BEC,?), ref: 00B0846E
IIDFromString.COMBASE(?,?), ref: 00B084E1
VariantInit.OLEAUT32(?), ref: 00B0857B
VariantClear.OLEAUT32(?), ref: 00B085DC

Strings

Failed to create object, xrefs: 00B08479, 00B0852F
NULL Pointer assignment, xrefs: 00B084B3
Invalid parameter, xrefs: 00B084FA

Memory Dump Source

Source File: 00000000.00000002.2177197772.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true

Associated: 00000000.00000002.2177164617.0000000000A90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177927609.0000000000B98000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178101088.0000000000B99000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_uOCavrYu1y.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 834269672-1287834457
Opcode ID: 218806b5b3c0d1d89003f9c33e2f3ef53fe517a6c600f366278f53986077dd67
Instruction ID: 9eb650581439f796c1b56a74497f8bd166b63ccd4d6a19a2c5decc490e8e6685
Opcode Fuzzy Hash: 218806b5b3c0d1d89003f9c33e2f3ef53fe517a6c600f366278f53986077dd67
Instruction Fuzzy Hash: 3B61AD70608312AFC710DF54D989B6EBBE8EF55754F00449DF9859B2A1CB70EE44CB92

Function 00B04164 Relevance: 15.1, APIs: 10, Instructions: 83clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 00B0418B
EmptyClipboard.USER32 ref: 00B04191
GlobalAlloc.KERNEL32(00000002,?), ref: 00B041A6
CloseClipboard.USER32 ref: 00B04245

Memory Dump Source

Source File: 00000000.00000002.2177197772.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true

Associated: 00000000.00000002.2177164617.0000000000A90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177927609.0000000000B98000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178101088.0000000000B99000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_uOCavrYu1y.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: 263619c355b8033bd873a477cc303e50bac9ab539ffef6ec6ee0ca1483fa2580
Instruction ID: abc5e0ed61427b14ee46ddb0d6753958359b356de716c39e46efde4279bb288e
Opcode Fuzzy Hash: 263619c355b8033bd873a477cc303e50bac9ab539ffef6ec6ee0ca1483fa2580
Instruction Fuzzy Hash: D4218D75300211AFDB10AF24DC49BAA7BE8EF45751F10C06AFA46DB2A1DF70AC00CB94

Function 00AF37EF Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 167fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00A94750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00A94743,?,?,00A937AE,?), ref: 00A94770

Part of subcall function 00AF4A31: GetFileAttributesW.KERNEL32(?,00AF370B), ref: 00AF4A32

FindFirstFileW.KERNEL32(?,?), ref: 00AF38A3
DeleteFileW.KERNEL32(?,?,00000000,?,?,?,?), ref: 00AF394B
MoveFileW.KERNEL32(?,?), ref: 00AF395E
DeleteFileW.KERNEL32(?,?,?,?,?), ref: 00AF397B
FindNextFileW.KERNEL32(00000000,00000010), ref: 00AF399D
FindClose.KERNEL32(00000000,?,?,?,?), ref: 00AF39B9

Strings

\*.*, xrefs: 00AF384E, 00AF3857, 00AF386C

Memory Dump Source

Source File: 00000000.00000002.2177197772.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true

Associated: 00000000.00000002.2177164617.0000000000A90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177927609.0000000000B98000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178101088.0000000000B99000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_uOCavrYu1y.jbxd

Similarity

API ID: File$Find$Delete$AttributesCloseFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 4002782344-1173974218
Opcode ID: 2ee764b0c660ca59b31e71742fed3932d9d6a1675ec6bce2b39880c5db012b4a
Instruction ID: 104af4add1bb28aaa68258364fcbc1bc76a10d8a125e393225f2835726904451
Opcode Fuzzy Hash: 2ee764b0c660ca59b31e71742fed3932d9d6a1675ec6bce2b39880c5db012b4a
Instruction Fuzzy Hash: 95514A3290514DAACF05EBE0DA929FDB7B9AF14300F604069F50677191EF616F09CBA0

Function 00AFF3F3 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 120filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00A97DE1: _memmove.LIBCMT ref: 00A97E22

FindFirstFileW.KERNEL32(?,?,*.*,?,?,00000000,00000000), ref: 00AFF440
Sleep.KERNEL32(0000000A), ref: 00AFF470
_wcscmp.LIBCMT ref: 00AFF484
_wcscmp.LIBCMT ref: 00AFF49F
FindNextFileW.KERNEL32(?,?), ref: 00AFF53D
FindClose.KERNEL32(00000000), ref: 00AFF553

Strings

*.*, xrefs: 00AFF425

Memory Dump Source

Source File: 00000000.00000002.2177197772.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true

Associated: 00000000.00000002.2177164617.0000000000A90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177927609.0000000000B98000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178101088.0000000000B99000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_uOCavrYu1y.jbxd

Similarity

API ID: Find$File_wcscmp$CloseFirstNextSleep_memmove
String ID: *.*
API String ID: 713712311-438819550
Opcode ID: da457e5b9938ec7ca6de3aecab792c2022074b6bfe9bf7bd3a94a14229b093c2
Instruction ID: fcf92c496c678ff205df098dda6be4367d23f6cdfea35d6430984da280ea2abc
Opcode Fuzzy Hash: da457e5b9938ec7ca6de3aecab792c2022074b6bfe9bf7bd3a94a14229b093c2
Instruction Fuzzy Hash: 2041587194020EAFCF14DFA4CC45AFEBBB8EF05310F544566F919A71A1EB309A84CBA0

Function 00B1D43E Relevance: 12.3, APIs: 8, Instructions: 257windownativeCOMMON

Download Yara Rule

APIs

Part of subcall function 00A92612: GetWindowLongW.USER32(?,000000EB), ref: 00A92623

GetSystemMetrics.USER32(0000000F), ref: 00B1D47C
GetSystemMetrics.USER32(0000000F), ref: 00B1D49C
MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 00B1D6D7
SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 00B1D6F5
SendMessageW.USER32(00000003,00000469,?,00000000), ref: 00B1D716
ShowWindow.USER32(00000003,00000000), ref: 00B1D735
InvalidateRect.USER32(?,00000000,00000001), ref: 00B1D75A
NtdllDialogWndProc_W.NTDLL(?,00000005,?,?), ref: 00B1D77D

Memory Dump Source

Source File: 00000000.00000002.2177197772.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true

Associated: 00000000.00000002.2177164617.0000000000A90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177927609.0000000000B98000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178101088.0000000000B99000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_uOCavrYu1y.jbxd

Similarity

API ID: Window$MessageMetricsSendSystem$DialogInvalidateLongMoveNtdllProc_RectShow
String ID:
API String ID: 830902736-0
Opcode ID: b101fb5fd440e7c72fd9f0d71781cd98103e103c262de032573845c75f2c2e7c
Instruction ID: 0bdda60c6e77d7fa28bd911c48c6964629fd2707c3a78c9deeb0387e4781cb5c
Opcode Fuzzy Hash: b101fb5fd440e7c72fd9f0d71781cd98103e103c262de032573845c75f2c2e7c
Instruction Fuzzy Hash: FCB15775600226ABDF14CF68C9C57E97BF1FF04711F5881A9EC489B295DB34AD90CB90

Function 00AA5760 Relevance: 11.0, APIs: 7, Instructions: 532COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00AA58A5
_memmove.LIBCMT ref: 00AA58F5
_memmove.LIBCMT ref: 00AA595B

Memory Dump Source

Source File: 00000000.00000002.2177197772.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true

Associated: 00000000.00000002.2177164617.0000000000A90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177927609.0000000000B98000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178101088.0000000000B99000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_uOCavrYu1y.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: c6ba5f1cab27f4c891c9919760aee212f4d82c02c8a5b0a03bfba01e6e55614f
Instruction ID: 743d1254d129120a4c0416821cb01752bf0a68eae9ab75e137ff7d6976620546
Opcode Fuzzy Hash: c6ba5f1cab27f4c891c9919760aee212f4d82c02c8a5b0a03bfba01e6e55614f
Instruction Fuzzy Hash: 35129A70E00A09DFDF14DFA6DA81AEEB7F5FF48300F104529E806A7291EB75A951CB64

Function 00AF3B12 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00A94750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00A94743,?,?,00A937AE,?), ref: 00A94770

Part of subcall function 00AF4A31: GetFileAttributesW.KERNEL32(?,00AF370B), ref: 00AF4A32

FindFirstFileW.KERNEL32(?,?), ref: 00AF3B89
DeleteFileW.KERNEL32(?,?,?,?), ref: 00AF3BD9
FindNextFileW.KERNEL32(00000000,00000010), ref: 00AF3BEA
FindClose.KERNEL32(00000000), ref: 00AF3C01
FindClose.KERNEL32(00000000), ref: 00AF3C0A

Strings

\*.*, xrefs: 00AF3B5B

Memory Dump Source

Source File: 00000000.00000002.2177197772.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true

Associated: 00000000.00000002.2177164617.0000000000A90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177927609.0000000000B98000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178101088.0000000000B99000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_uOCavrYu1y.jbxd

Similarity

API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
String ID: \*.*
API String ID: 2649000838-1173974218
Opcode ID: c18dbde0603a8e7bd540c3e55660087c57527ff22d01942d1194fea7bccb4ae2
Instruction ID: 07091748919f550e90144f8a334bf4fb520f09bfd986b19807eab9b6e0386578
Opcode Fuzzy Hash: c18dbde0603a8e7bd540c3e55660087c57527ff22d01942d1194fea7bccb4ae2
Instruction Fuzzy Hash: AD319E320083899BCB01EFA4D991CBFB7E8AE95304F404D2DF5D593191EB219A09C7A3

Function 00AF51BD Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 59shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 00AE87E1: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00AE882B
Part of subcall function 00AE87E1: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00AE8858
Part of subcall function 00AE87E1: GetLastError.KERNEL32 ref: 00AE8865

ExitWindowsEx.USER32(?,00000000), ref: 00AF51F9

Strings

, xrefs: 00AF51E7
SeShutdownPrivilege, xrefs: 00AF51C9
@, xrefs: 00AF51EC

Memory Dump Source

Source File: 00000000.00000002.2177197772.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true

Associated: 00000000.00000002.2177164617.0000000000A90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177927609.0000000000B98000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178101088.0000000000B99000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_uOCavrYu1y.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $@$SeShutdownPrivilege
API String ID: 2234035333-194228
Opcode ID: 8212f21a156e9d39b84e5e73374ccb2d53a0a99df6a1de138ad7e35c416f8aab
Instruction ID: e08545434efd25b9f9e2e539495ae9ecce8166505b42b6801d581271a097aef2
Opcode Fuzzy Hash: 8212f21a156e9d39b84e5e73374ccb2d53a0a99df6a1de138ad7e35c416f8aab
Instruction Fuzzy Hash: 9D01F731E91A1A6BF72867F8DC9AFFA72A8EB05340F600624FB07E20D2DE611C018590

Function 00B06283 Relevance: 9.1, APIs: 6, Instructions: 84networkCOMMON

Download Yara Rule

APIs

socket.WS2_32(00000002,00000001,00000006), ref: 00B062DC
WSAGetLastError.WS2_32(00000000), ref: 00B062EB
bind.WS2_32(00000000,?,00000010), ref: 00B06307
listen.WS2_32(00000000,00000005), ref: 00B06316
WSAGetLastError.WS2_32(00000000), ref: 00B06330
closesocket.WS2_32(00000000), ref: 00B06344

Memory Dump Source

Source File: 00000000.00000002.2177197772.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true

Associated: 00000000.00000002.2177164617.0000000000A90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177927609.0000000000B98000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178101088.0000000000B99000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_uOCavrYu1y.jbxd

Similarity

API ID: ErrorLast$bindclosesocketlistensocket
String ID:
API String ID: 1279440585-0
Opcode ID: c8ab1229974dbbbcc3bf4e16f5fd303e595fdfa7b190fee37743e6f5966a4525
Instruction ID: 2c54959a9bc89e3635a3f94c7004c5165a171f7589c08c93256efb29e4c935d6
Opcode Fuzzy Hash: c8ab1229974dbbbcc3bf4e16f5fd303e595fdfa7b190fee37743e6f5966a4525
Instruction Fuzzy Hash: E7219E71600205AFCB10EF68C985B7EBBE9EF49720F5481A9E816A72D1CB70AD01CB91

Function 00AA5520 Relevance: 8.0, APIs: 5, Instructions: 516COMMON

Download Yara Rule

APIs

Part of subcall function 00AB0DB6: std::exception::exception.LIBCMT ref: 00AB0DEC
Part of subcall function 00AB0DB6: __CxxThrowException@8.LIBCMT ref: 00AB0E01

_memmove.LIBCMT ref: 00AE0258
_memmove.LIBCMT ref: 00AE036D
_memmove.LIBCMT ref: 00AE0414

Memory Dump Source

Source File: 00000000.00000002.2177197772.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true

Associated: 00000000.00000002.2177164617.0000000000A90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177927609.0000000000B98000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178101088.0000000000B99000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_uOCavrYu1y.jbxd

Similarity

API ID: _memmove$Exception@8Throwstd::exception::exception
String ID:
API String ID: 1300846289-0
Opcode ID: 14343b15a200c56422ab02cd79ca316e84493ad9f2615f9bb6b76887791f5b89
Instruction ID: 8f683fd5f517104a573b53650d1f2b9d6b605d599d06ce648f5ac5db8cc74122
Opcode Fuzzy Hash: 14343b15a200c56422ab02cd79ca316e84493ad9f2615f9bb6b76887791f5b89
Instruction Fuzzy Hash: 8E029D70E00209DFCF04DF65DA81AAEBBF5EF45300F148069E80AEB295EB75DA54CB95

Function 00A91287 Relevance: 7.9, APIs: 5, Instructions: 379nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 00A92612: GetWindowLongW.USER32(?,000000EB), ref: 00A92623

NtdllDialogWndProc_W.NTDLL(?,?,?,?,?), ref: 00A919FA
GetSysColor.USER32(0000000F), ref: 00A91A4E
SetBkColor.GDI32(?,00000000), ref: 00A91A61

Part of subcall function 00A91290: NtdllDialogWndProc_W.NTDLL(?,00000020,?), ref: 00A912D8

Memory Dump Source

Source File: 00000000.00000002.2177197772.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true

Associated: 00000000.00000002.2177164617.0000000000A90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177927609.0000000000B98000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178101088.0000000000B99000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_uOCavrYu1y.jbxd

Similarity

API ID: ColorDialogNtdllProc_$LongWindow
String ID:
API String ID: 591255283-0
Opcode ID: 39a993c3331e0253a773ae5fd632597b26a19a104611118665bf422c9f7863c7
Instruction ID: b22c1a51d53cd0a9310b0808444ef975c46f7856f121aff985d3866ed01d81b1
Opcode Fuzzy Hash: 39a993c3331e0253a773ae5fd632597b26a19a104611118665bf422c9f7863c7
Instruction Fuzzy Hash: 29A17671322546BEEE38AB288C55FBF29EDDB423C2F51011DF502D6592CB229D4192B2

Function 00AFBCBC Relevance: 7.6, APIs: 5, Instructions: 143fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00AFBCE6
_wcscmp.LIBCMT ref: 00AFBD16
_wcscmp.LIBCMT ref: 00AFBD2B
FindNextFileW.KERNEL32(00000000,?), ref: 00AFBD3C
FindClose.KERNEL32(00000000,00000001,00000000), ref: 00AFBD6C

Memory Dump Source

Source File: 00000000.00000002.2177197772.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true

Associated: 00000000.00000002.2177164617.0000000000A90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177927609.0000000000B98000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178101088.0000000000B99000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_uOCavrYu1y.jbxd

Similarity

API ID: Find$File_wcscmp$CloseFirstNext
String ID:
API String ID: 2387731787-0
Opcode ID: 3981ecc97888b0c4805efb9487d6d78a5b46536de34113c672cff4511720bd2c
Instruction ID: c61cce4cd033eb8bace11605946703c371d6f7c54382c6f3fd1b59ebe92f25e0
Opcode Fuzzy Hash: 3981ecc97888b0c4805efb9487d6d78a5b46536de34113c672cff4511720bd2c
Instruction Fuzzy Hash: 3F519D356146069FDB14DF68C490EAAB3F8EF49320F14465DFA56873A1DB30ED04CBA2

Function 00B06747 Relevance: 7.6, APIs: 5, Instructions: 141networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00B07D8B: inet_addr.WS2_32(00000000), ref: 00B07DB6

socket.WS2_32(00000002,00000002,00000011), ref: 00B0679E
WSAGetLastError.WS2_32(00000000), ref: 00B067C7
bind.WS2_32(00000000,?,00000010), ref: 00B06800
WSAGetLastError.WS2_32(00000000), ref: 00B0680D
closesocket.WS2_32(00000000), ref: 00B06821

Memory Dump Source

Source File: 00000000.00000002.2177197772.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true

Associated: 00000000.00000002.2177164617.0000000000A90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177927609.0000000000B98000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178101088.0000000000B99000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_uOCavrYu1y.jbxd

Similarity

API ID: ErrorLast$bindclosesocketinet_addrsocket
String ID:
API String ID: 99427753-0
Opcode ID: 5497609d2683fa13e6570c9b84067cf117fd14e24686e03e84b35405a08e28ac
Instruction ID: 3e1480dcc15fa71310a31cc1dffbc6b44104e3868206458215483a20441f325e
Opcode Fuzzy Hash: 5497609d2683fa13e6570c9b84067cf117fd14e24686e03e84b35405a08e28ac
Instruction Fuzzy Hash: 0F41AF75B00210AFDF10AF288D86F7E77E8DB05B54F44846CF919AB3D2DA749D018791

Function 00B15376 Relevance: 7.6, APIs: 5, Instructions: 69windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 00B153C5
IsWindowEnabled.USER32 ref: 00B153D3
GetForegroundWindow.USER32(?,?,00000001), ref: 00B153E0
IsIconic.USER32 ref: 00B153EE
IsZoomed.USER32 ref: 00B153FC

Memory Dump Source

Source File: 00000000.00000002.2177197772.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true

Associated: 00000000.00000002.2177164617.0000000000A90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177927609.0000000000B98000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178101088.0000000000B99000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_uOCavrYu1y.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: 5eb2b4ba1de4ef67f676c16c48111a0168a949fd9dccbbdb117824c1d0377447
Instruction ID: afadaad2cdfd5eec092ccc7dba5afee9fff225e9b18306d7083b8217e395e0e1
Opcode Fuzzy Hash: 5eb2b4ba1de4ef67f676c16c48111a0168a949fd9dccbbdb117824c1d0377447
Instruction Fuzzy Hash: A111B231700911ABDB315F26AC44AAABBD9EF857A1B808479F856D3241DB709D81C6A4

Function 00AE80A9 Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00AE80C0
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00AE80CA
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00AE80D9
RtlAllocateHeap.NTDLL(00000000,?,00000002), ref: 00AE80E0
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00AE80F6

Memory Dump Source

Source File: 00000000.00000002.2177197772.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true

Associated: 00000000.00000002.2177164617.0000000000A90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177927609.0000000000B98000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178101088.0000000000B99000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_uOCavrYu1y.jbxd

Similarity

API ID: HeapInformationToken$AllocateErrorLastProcess
String ID:
API String ID: 47921759-0
Opcode ID: 62093f91b38c99481f8df1311c53ae34f9bde96e4dd8ed7f70443b18e84395fe
Instruction ID: 96028d61d91fb6ee2dfd2313fd9cf25fd12447c3f14fb40f214a3eaf41d509d3
Opcode Fuzzy Hash: 62093f91b38c99481f8df1311c53ae34f9bde96e4dd8ed7f70443b18e84395fe
Instruction Fuzzy Hash: B8F0C270280205BFEB104FA5EC8CEB73BACEF49754B404129F909C3160CF609D01DA60

Function 00AA3030 Relevance: 6.6, APIs: 4, Instructions: 587COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2177197772.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true

Associated: 00000000.00000002.2177164617.0000000000A90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177927609.0000000000B98000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178101088.0000000000B99000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_uOCavrYu1y.jbxd

Similarity

API ID: __itow__swprintf
String ID:
API String ID: 674341424-0
Opcode ID: 8716f3d5283a311376e41ef0bc4a7371fc0ecccbbc40b9663633eb2390c9d3cd
Instruction ID: 57919dbfbc0d7a99b48090e0720fbfc2bf1f3a2474b5cc1d96e1acb2fb9c0d5b
Opcode Fuzzy Hash: 8716f3d5283a311376e41ef0bc4a7371fc0ecccbbc40b9663633eb2390c9d3cd
Instruction Fuzzy Hash: 01228C726083019FDB24DF24C981BAFB7E4AF8A710F14491DF89A97391DB71E944CB92

Function 00B0EE0D Relevance: 6.2, APIs: 4, Instructions: 164processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00B0EE3D
Process32FirstW.KERNEL32(00000000,?), ref: 00B0EE4B

Part of subcall function 00A97DE1: _memmove.LIBCMT ref: 00A97E22

Process32NextW.KERNEL32(00000000,?), ref: 00B0EF0B
CloseHandle.KERNEL32(00000000,?,?,?), ref: 00B0EF1A

Memory Dump Source

Source File: 00000000.00000002.2177197772.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true

Associated: 00000000.00000002.2177164617.0000000000A90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177927609.0000000000B98000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178101088.0000000000B99000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_uOCavrYu1y.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32_memmove
String ID:
API String ID: 2576544623-0
Opcode ID: db0f349aff534bab70e51d02aa7709c285c976061b0e213c1bebb8b64cfb95bf
Instruction ID: 20d80bcb9ce4294a542706461bbdfa23aee10dfb8f0fa6e7e7f197d27f2a49d9
Opcode Fuzzy Hash: db0f349aff534bab70e51d02aa7709c285c976061b0e213c1bebb8b64cfb95bf
Instruction Fuzzy Hash: 0A517E71604311AFD710EF24DC86EABBBE8EF94710F50492DF595972A1EB70E908CB92

Function 00B1C498 Relevance: 6.1, APIs: 4, Instructions: 83nativewindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00A92612: GetWindowLongW.USER32(?,000000EB), ref: 00A92623

GetCursorPos.USER32(?), ref: 00B1C4D2
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00ACB9AB,?,?,?,?,?), ref: 00B1C4E7
GetCursorPos.USER32(?), ref: 00B1C534
NtdllDialogWndProc_W.NTDLL(?,0000007B,?,?,?,?,?,?,?,?,?,?,00ACB9AB,?,?,?), ref: 00B1C56E

Memory Dump Source

Source File: 00000000.00000002.2177197772.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true

Associated: 00000000.00000002.2177164617.0000000000A90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177927609.0000000000B98000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178101088.0000000000B99000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_uOCavrYu1y.jbxd

Similarity

API ID: Cursor$DialogLongMenuNtdllPopupProc_TrackWindow
String ID:
API String ID: 1423138444-0
Opcode ID: 1d2c8e9ce5a546f56cb3224ed9751703148499add17168b47ad3167988f281dc
Instruction ID: a84e050910b1a30fbe841e515e1e790db7abfcb1e860bb8f3022212a48461645
Opcode Fuzzy Hash: 1d2c8e9ce5a546f56cb3224ed9751703148499add17168b47ad3167988f281dc
Instruction Fuzzy Hash: FC319535600418AFCB25CF58D855EFE7FF6EB09311F8440A5F9058B261CB316D90DBA4

Function 00A91290 Relevance: 6.1, APIs: 4, Instructions: 59nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 00A92612: GetWindowLongW.USER32(?,000000EB), ref: 00A92623

NtdllDialogWndProc_W.NTDLL(?,00000020,?), ref: 00A912D8
GetClientRect.USER32(?,?), ref: 00ACB5FB
GetCursorPos.USER32(?), ref: 00ACB605
ScreenToClient.USER32(?,?), ref: 00ACB610

Memory Dump Source

Source File: 00000000.00000002.2177197772.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true

Associated: 00000000.00000002.2177164617.0000000000A90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177927609.0000000000B98000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178101088.0000000000B99000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_uOCavrYu1y.jbxd

Similarity

API ID: Client$CursorDialogLongNtdllProc_RectScreenWindow
String ID:
API String ID: 1010295502-0
Opcode ID: 06eca2fd7749f822dbda0cba7ca36a8c00d5124fe58f6cbfc41a4437e46a169d
Instruction ID: 13c81860088afed0a1d60a6cc76ddf61209db3fb0d6f46a181c5951a54cea8eb
Opcode Fuzzy Hash: 06eca2fd7749f822dbda0cba7ca36a8c00d5124fe58f6cbfc41a4437e46a169d
Instruction Fuzzy Hash: 7311283560011AABCF10EF98D9859FE77F9EB05301F9044A5FA01E7141CB30BA52CBA5

Function 00A9FCE0 Relevance: 5.5, APIs: 3, Instructions: 1040COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2177197772.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true

Associated: 00000000.00000002.2177164617.0000000000A90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177927609.0000000000B98000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178101088.0000000000B99000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_uOCavrYu1y.jbxd

Similarity

API ID: BuffCharUpper
String ID:
API String ID: 3964851224-0
Opcode ID: 8666bc60f0364977b6afb7ce103d155641c6579d1c6c53afab62cadfc54963c7
Instruction ID: e82692d2376f775b6feb81f4cc0858c0796d093d50308230d0c53d12ed64cb07
Opcode Fuzzy Hash: 8666bc60f0364977b6afb7ce103d155641c6579d1c6c53afab62cadfc54963c7
Instruction Fuzzy Hash: 0E925B706083419FDB20DF18C580B6BB7E5BF89304F14896DE89A9B392D775EC45CB92

Function 00AEE616 Relevance: 5.1, APIs: 1, Strings: 2, Instructions: 561stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 00AEE628

Strings

(, xrefs: 00AEE66E
|, xrefs: 00AEE658

Memory Dump Source

Source File: 00000000.00000002.2177197772.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true

Associated: 00000000.00000002.2177164617.0000000000A90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177927609.0000000000B98000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178101088.0000000000B99000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_uOCavrYu1y.jbxd

Similarity

API ID: lstrlen
String ID: ($|
API String ID: 1659193697-1631851259
Opcode ID: c3ada084f56fb120bfaedb0d42fd5971650e8a4c60b1bd7a4ee7a92e6f26eb47
Instruction ID: d7ff9a4c0f73c883c2910820f3d30357c9a3e1e99678edab61cad81b4f344616
Opcode Fuzzy Hash: c3ada084f56fb120bfaedb0d42fd5971650e8a4c60b1bd7a4ee7a92e6f26eb47
Instruction Fuzzy Hash: 83323575A007459FDB28CF1AC4819AAB7F1FF48320B15C56EE89ADB3A1E770E941CB44

Function 00B022EE Relevance: 4.7, APIs: 3, Instructions: 164networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(00000001,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?,00B0180A,00000000), ref: 00B023E1
InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 00B02418

Memory Dump Source

Source File: 00000000.00000002.2177197772.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true

Associated: 00000000.00000002.2177164617.0000000000A90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177927609.0000000000B98000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178101088.0000000000B99000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_uOCavrYu1y.jbxd

Similarity

API ID: Internet$AvailableDataFileQueryRead
String ID:
API String ID: 599397726-0
Opcode ID: 148bff6c364a6a8443393223f8987152239f0715a59247e8c6925916688f9df0
Instruction ID: b5b995569dff213e98062fbefee9ae6aec38331d036790dd019d0ba3c3252ddc
Opcode Fuzzy Hash: 148bff6c364a6a8443393223f8987152239f0715a59247e8c6925916688f9df0
Instruction Fuzzy Hash: B741E271904209BFEB209F95DCC9EBFBBECEB40314F1040AAF605A72C1DA749E499664

Function 00AFB3FB Relevance: 4.6, APIs: 3, Instructions: 73COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00AFB40B
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00AFB465
SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 00AFB4B2

Memory Dump Source

Source File: 00000000.00000002.2177197772.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true

Associated: 00000000.00000002.2177164617.0000000000A90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177927609.0000000000B98000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178101088.0000000000B99000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_uOCavrYu1y.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: 5f531b3ab14822b6d605fbee939aaaeca3e0256adc12ed41e548c26ce04735d1
Instruction ID: e1e833b9dd0852a467b39c87f1e54516761738e6197964db56348b42d16206cc
Opcode Fuzzy Hash: 5f531b3ab14822b6d605fbee939aaaeca3e0256adc12ed41e548c26ce04735d1
Instruction Fuzzy Hash: 61215C35A10108EFCB00EFA5D981AFEBBF8FF49310F1480A9E905AB361DB319955CB51

Function 00AE87E1 Relevance: 4.6, APIs: 3, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 00AB0DB6: std::exception::exception.LIBCMT ref: 00AB0DEC
Part of subcall function 00AB0DB6: __CxxThrowException@8.LIBCMT ref: 00AB0E01

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00AE882B
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00AE8858
GetLastError.KERNEL32 ref: 00AE8865

Memory Dump Source

Source File: 00000000.00000002.2177197772.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true

Associated: 00000000.00000002.2177164617.0000000000A90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177927609.0000000000B98000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178101088.0000000000B99000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_uOCavrYu1y.jbxd

Similarity

API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
String ID:
API String ID: 1922334811-0
Opcode ID: e6f8f5c7ec3084cd2d55066ce0e887f7effb1a4acdc8e92d529121fc9018ac97
Instruction ID: f6df0e4dbeb414791241e8e6f9691199b89885292030287f7a6bd231e0cf4286
Opcode Fuzzy Hash: e6f8f5c7ec3084cd2d55066ce0e887f7effb1a4acdc8e92d529121fc9018ac97
Instruction Fuzzy Hash: 76116DB2814205AFE718DFA5DC85D6BB7BCEB44750B60852EE89997251EA34AC408B60

Function 00AE874B Relevance: 4.5, APIs: 3, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00AE8774
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 00AE878B
FreeSid.ADVAPI32(?), ref: 00AE879B

Memory Dump Source

Source File: 00000000.00000002.2177197772.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true

Associated: 00000000.00000002.2177164617.0000000000A90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177927609.0000000000B98000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178101088.0000000000B99000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_uOCavrYu1y.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: 7725c94d3dc56660f498a3822fde2e893949127cf8ea22b416a5173beedbc6de
Instruction ID: ecc5cd2a84c04f7963b17c4269c40ef6a850da9beb0ae37eb710a734e48cfde7
Opcode Fuzzy Hash: 7725c94d3dc56660f498a3822fde2e893949127cf8ea22b416a5173beedbc6de
Instruction Fuzzy Hash: C6F03775A11209BBDB00DFE49D89ABEBBB8EF08211F5084A9A901E2191EA756A448B50

Function 00A916DE Relevance: 3.1, APIs: 2, Instructions: 83nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 00A92612: GetWindowLongW.USER32(?,000000EB), ref: 00A92623

Part of subcall function 00A925DB: GetWindowLongW.USER32(?,000000EB), ref: 00A925EC

GetParent.USER32(?), ref: 00ACB7BA
NtdllDialogWndProc_W.NTDLL(?,00000133,?,?,?,?,?,?,?,?,00A919B3,?,?,?,00000006,?), ref: 00ACB834

Memory Dump Source

Source File: 00000000.00000002.2177197772.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true

Associated: 00000000.00000002.2177164617.0000000000A90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177927609.0000000000B98000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178101088.0000000000B99000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_uOCavrYu1y.jbxd

Similarity

API ID: LongWindow$DialogNtdllParentProc_
String ID:
API String ID: 314495775-0
Opcode ID: cefe0409f6550ac846b1341720c0c25f674277296ac021498da8b2ce4b2731ff
Instruction ID: c459e40dce50d987366e21ccb7aed07771b928dfad9d950dbf6b3a564ea55d05
Opcode Fuzzy Hash: cefe0409f6550ac846b1341720c0c25f674277296ac021498da8b2ce4b2731ff
Instruction Fuzzy Hash: 1D21B434301106AFCF209F68D995FA93BE6EF49321F554294F9255B2F2CB319D12DB50

Function 00AFC6D1 Relevance: 3.1, APIs: 2, Instructions: 52fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00AFC6FB
FindClose.KERNEL32(00000000), ref: 00AFC72B

Memory Dump Source

Source File: 00000000.00000002.2177197772.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true

Associated: 00000000.00000002.2177164617.0000000000A90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177927609.0000000000B98000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178101088.0000000000B99000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_uOCavrYu1y.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 058e08ea8795282cbfd0787fb7de98a672863192eee528284355a85f4017aa39
Instruction ID: 2132a5daf9870ec1eadae07a352e74ea0d51aa3503c9b31387d32ff0d3982058
Opcode Fuzzy Hash: 058e08ea8795282cbfd0787fb7de98a672863192eee528284355a85f4017aa39
Instruction Fuzzy Hash: 17115E726106049FDB10EF29D945A6AF7E9EF85324F00C91DF9A997291DB30A805CF91

Function 00B1C57D Relevance: 3.0, APIs: 2, Instructions: 46nativewindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00A92612: GetWindowLongW.USER32(?,000000EB), ref: 00A92623

NtdllDialogWndProc_W.NTDLL(?,0000002B,?,?,?,?,?,?,?,00ACB93A,?,?,?), ref: 00B1C5F1

Part of subcall function 00A925DB: GetWindowLongW.USER32(?,000000EB), ref: 00A925EC

SendMessageW.USER32(?,00000401,00000000,00000000), ref: 00B1C5D7

Memory Dump Source

Source File: 00000000.00000002.2177197772.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true

Associated: 00000000.00000002.2177164617.0000000000A90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177927609.0000000000B98000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178101088.0000000000B99000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_uOCavrYu1y.jbxd

Similarity

API ID: LongWindow$DialogMessageNtdllProc_Send
String ID:
API String ID: 1273190321-0
Opcode ID: af38e0da2ea7be9737f48be65d3c304ae83571b66e4bcbb86c568c8870223f55
Instruction ID: cb31aa77d58cd509b75fbc35d03cea77ec628f03ab11af98043eeeaae85b8f9a
Opcode Fuzzy Hash: af38e0da2ea7be9737f48be65d3c304ae83571b66e4bcbb86c568c8870223f55
Instruction Fuzzy Hash: 5501B131240204ABCB219F14DC95FAA7FE7FB99365F5441A8FA415B2E1CB31B881DB90

Function 00B1C93E Relevance: 3.0, APIs: 2, Instructions: 33nativeCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 00B1C961
NtdllDialogWndProc_W.NTDLL(?,00000200,?,?,?,?,?,?,?,00ACBA16,?,?,?,?,?), ref: 00B1C98A

Memory Dump Source

Source File: 00000000.00000002.2177197772.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true

Associated: 00000000.00000002.2177164617.0000000000A90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177927609.0000000000B98000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178101088.0000000000B99000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_uOCavrYu1y.jbxd

Similarity

API ID: ClientDialogNtdllProc_Screen
String ID:
API String ID: 3420055661-0
Opcode ID: 224a8c87c9cd8abcf941e88fe322ff9fd4e9d7f9b690ec89d131737bb1094e85
Instruction ID: 73177f03ac4f0d954fcb7dfac3b0a6cc3ebdac17f09c53f7442e618979bac911
Opcode Fuzzy Hash: 224a8c87c9cd8abcf941e88fe322ff9fd4e9d7f9b690ec89d131737bb1094e85
Instruction Fuzzy Hash: 02F01772400218FFEB058F85DC09AFE7FB9FB48311F50416AF905A2161D7716A60EBA4

Function 00AFA06A Relevance: 3.0, APIs: 2, Instructions: 31windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,00000016,?,00B09468,?,00B1FB84,?), ref: 00AFA097
FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,00000016,?,00B09468,?,00B1FB84,?), ref: 00AFA0A9

Memory Dump Source

Source File: 00000000.00000002.2177197772.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true

Associated: 00000000.00000002.2177164617.0000000000A90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177927609.0000000000B98000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178101088.0000000000B99000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_uOCavrYu1y.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: c19d2330b776a573a098b45c0006f9c29d8069343e5a954913862884c095a45d
Instruction ID: 8108153f51c95cdfcdd80eca93733e61ef6d51980fa6f51758479afe0439e267
Opcode Fuzzy Hash: c19d2330b776a573a098b45c0006f9c29d8069343e5a954913862884c095a45d
Instruction Fuzzy Hash: C7F0823560522EABDB219FA4DC48FFA776CBF09361F008165F919D7181DA309940CBE1

Function 00B1CA7C Relevance: 3.0, APIs: 2, Instructions: 23nativeCOMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 00B1CA84
NtdllDialogWndProc_W.NTDLL(?,00000084,00000000,?,?,00ACB995,?,?,?,?), ref: 00B1CAB2

Memory Dump Source

Source File: 00000000.00000002.2177197772.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true

Associated: 00000000.00000002.2177164617.0000000000A90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177927609.0000000000B98000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178101088.0000000000B99000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_uOCavrYu1y.jbxd

Similarity

API ID: DialogLongNtdllProc_Window
String ID:
API String ID: 2065330234-0
Opcode ID: 6ed6e4e5a4fe3d75861768832f271e512fedfe2341970d45809c77583180d3d3
Instruction ID: 7b2db21a4d9dac52554d559ddc4e1c8d31a86d0a49d28ed42781f4e9318ed7ba
Opcode Fuzzy Hash: 6ed6e4e5a4fe3d75861768832f271e512fedfe2341970d45809c77583180d3d3
Instruction Fuzzy Hash: 98E08670140219BFEB159F19DC0AFFA3F94EB04791F908219F956DA1E5CB709890D760

Function 00AE81CB Relevance: 3.0, APIs: 2, Instructions: 22COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00AE8309), ref: 00AE81E0
CloseHandle.KERNEL32(?,?,00AE8309), ref: 00AE81F2

Memory Dump Source

Source File: 00000000.00000002.2177197772.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true

Associated: 00000000.00000002.2177164617.0000000000A90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177927609.0000000000B98000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178101088.0000000000B99000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_uOCavrYu1y.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: 33f5c7652503579adc505c623604bf014aaa7d33beea459c26d2c67c1e811872
Instruction ID: b003a96f64ce5bf28f4ac02b03b364aee151e3d7f046e5e821df371cfd1963fc
Opcode Fuzzy Hash: 33f5c7652503579adc505c623604bf014aaa7d33beea459c26d2c67c1e811872
Instruction Fuzzy Hash: 17E0EC72011611AFE7252B61FC09DB77BEEEF04350714C92DF8AA85471DB62AC91DB14

Function 00ABA155 Relevance: 3.0, APIs: 2, Instructions: 8COMMONLIBRARYCODE

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(00000000,00B24178,00AB8D57,t of calling an MSIL-compiled (/clr) function from a native constructor or from DllMain.,?,?,00000001), ref: 00ABA15A
UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 00ABA163

Memory Dump Source

Source File: 00000000.00000002.2177197772.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true

Associated: 00000000.00000002.2177164617.0000000000A90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177927609.0000000000B98000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178101088.0000000000B99000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_uOCavrYu1y.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 47ddd3af3bac6cede32b4aa29651ffe607db9678e72e806e6d5c86d0b4b2b118
Instruction ID: bf328d4bf9b1ef852f193c4a32385ad1d48be946d486de62f60a977f5abf9a9d
Opcode Fuzzy Hash: 47ddd3af3bac6cede32b4aa29651ffe607db9678e72e806e6d5c86d0b4b2b118
Instruction Fuzzy Hash: 39B0923105420AEBCA002B91FC09BE83F68FB44BA2F808020F61D86064CF625450CA99

Function 00ABF1D9 Relevance: 2.1, APIs: 1, Instructions: 645COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2177197772.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true

Associated: 00000000.00000002.2177164617.0000000000A90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177927609.0000000000B98000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178101088.0000000000B99000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_uOCavrYu1y.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 38b9a303dac2bb2e1d4fcd50f90eb3ef0143e090e42a387c64ab4d9e8807099c
Instruction ID: f010a53dc58f60afe5c3205cdad06d52ad2563f5dda65c44a912f8bf810edbf7
Opcode Fuzzy Hash: 38b9a303dac2bb2e1d4fcd50f90eb3ef0143e090e42a387c64ab4d9e8807099c
Instruction Fuzzy Hash: F132DF32D69F414DD7239639DC36366A24DAFA73C4F19D737E819B69AAEF2884834100

Function 00AC242E Relevance: 1.8, APIs: 1, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2177197772.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true

Associated: 00000000.00000002.2177164617.0000000000A90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177927609.0000000000B98000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178101088.0000000000B99000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_uOCavrYu1y.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 22029987f655aa4c15423483f6e50ded5dc1858e1f5698b15f4e1445bd2e5ffc
Instruction ID: 116fdc27f196e75b62b982a33e13ea3c0069b33a13c07da982605bcccc6f9b44
Opcode Fuzzy Hash: 22029987f655aa4c15423483f6e50ded5dc1858e1f5698b15f4e1445bd2e5ffc
Instruction Fuzzy Hash: E1B10221D2AF414ED723A6398831336BB5CAFBB2D5F52D71BFC2675D22EB2185834241

Function 00AF8889 Relevance: 1.6, APIs: 1, Instructions: 68COMMON

Download Yara Rule

APIs

__time64.LIBCMT ref: 00AF889B

Part of subcall function 00AB520A: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,00AF8F6E,00000000,?,?,?,?,00AF911F,00000000,?), ref: 00AB5213
Part of subcall function 00AB520A: __aulldiv.LIBCMT ref: 00AB5233

Memory Dump Source

Source File: 00000000.00000002.2177197772.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true

Associated: 00000000.00000002.2177164617.0000000000A90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177927609.0000000000B98000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178101088.0000000000B99000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_uOCavrYu1y.jbxd

Similarity

API ID: Time$FileSystem__aulldiv__time64
String ID:
API String ID: 2893107130-0
Opcode ID: 47cccfa1fc9c30df6d221a6d743f940413310f4c342e23516c4de0d3afd8ae97
Instruction ID: 01dacef431efe6def4e4fa4f6f3be323c087a8877bb3c8166843d4483901510b
Opcode Fuzzy Hash: 47cccfa1fc9c30df6d221a6d743f940413310f4c342e23516c4de0d3afd8ae97
Instruction Fuzzy Hash: 8E21A2326256148BC729CF75D841B62B3E1EBA5351B688E6CE1F5CB2C0DE34A905CB94

Function 00B1D78C Relevance: 1.6, APIs: 1, Instructions: 66nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 00A92612: GetWindowLongW.USER32(?,000000EB), ref: 00A92623

NtdllDialogWndProc_W.NTDLL(?,00000112,?,00000000), ref: 00B1D838

Memory Dump Source

Source File: 00000000.00000002.2177197772.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true

Associated: 00000000.00000002.2177164617.0000000000A90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177927609.0000000000B98000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178101088.0000000000B99000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_uOCavrYu1y.jbxd

Similarity

API ID: DialogLongNtdllProc_Window
String ID:
API String ID: 2065330234-0
Opcode ID: 6a51dae5c9c7d35a8522c83a13ca08311c0251a6804781bac3f2177317af4402
Instruction ID: c23a2fae8af6c86e91689c2a1437bc9240495abfb16bd2124ff15237ed8d2062
Opcode Fuzzy Hash: 6a51dae5c9c7d35a8522c83a13ca08311c0251a6804781bac3f2177317af4402
Instruction Fuzzy Hash: F2110A35204215BBEB255A2CCD46FFA3BD4D741720FA043A4F9219B5E2CE60AD9093A5

Function 00B1D3B8 Relevance: 1.5, APIs: 1, Instructions: 47nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 00A925DB: GetWindowLongW.USER32(?,000000EB), ref: 00A925EC

NtdllDialogWndProc_W.NTDLL(?,00000115,?,?,?,?,?,?,00ACB952,?,?,?,?,00000000,?), ref: 00B1D432

Memory Dump Source

Source File: 00000000.00000002.2177197772.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true

Associated: 00000000.00000002.2177164617.0000000000A90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177927609.0000000000B98000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178101088.0000000000B99000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_uOCavrYu1y.jbxd

Similarity

API ID: DialogLongNtdllProc_Window
String ID:
API String ID: 2065330234-0
Opcode ID: 834c43271845204d61db920b26a2766f4391c71d3bc798978141a9ba81fa66ab
Instruction ID: 79d1532b8e3b2febbf517cd75b09c4a59a8ef1aff9e82cc7401def814578b9bf
Opcode Fuzzy Hash: 834c43271845204d61db920b26a2766f4391c71d3bc798978141a9ba81fa66ab
Instruction Fuzzy Hash: F701B531600114ABDB149E29D849BFA3BD2EF46321F8441A5F9565B391C731BC9197A0

Function 00A9189B Relevance: 1.5, APIs: 1, Instructions: 29nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 00A92612: GetWindowLongW.USER32(?,000000EB), ref: 00A92623

NtdllDialogWndProc_W.NTDLL(?,00000006,00000000,?,?,?,00A91B04,?,?,?,?,?), ref: 00A918E2

Memory Dump Source

Source File: 00000000.00000002.2177197772.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true

Associated: 00000000.00000002.2177164617.0000000000A90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177927609.0000000000B98000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178101088.0000000000B99000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_uOCavrYu1y.jbxd

Similarity

API ID: DialogLongNtdllProc_Window
String ID:
API String ID: 2065330234-0
Opcode ID: cc66ab1fb29c5d2177e375f5d5872e7a1f678365fbca706c22e4ff5d9b4fc72e
Instruction ID: 9352cc040790a51ca70ee31ce770d1c2506a06bf694e1d023affef60149fede5
Opcode Fuzzy Hash: cc66ab1fb29c5d2177e375f5d5872e7a1f678365fbca706c22e4ff5d9b4fc72e
Instruction Fuzzy Hash: E6F0BE30200216EFDF28DF04C860A763BE2EB04322F508168F9524B2A1CB31EC50EB50

Function 00B1C8BE Relevance: 1.5, APIs: 1, Instructions: 24nativeCOMMON

Download Yara Rule

APIs

NtdllDialogWndProc_W.NTDLL(?,00000232,?,?), ref: 00B1C8FE

Memory Dump Source

Source File: 00000000.00000002.2177197772.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true

Associated: 00000000.00000002.2177164617.0000000000A90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177927609.0000000000B98000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178101088.0000000000B99000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_uOCavrYu1y.jbxd

Similarity

API ID: DialogNtdllProc_
String ID:
API String ID: 3239928679-0
Opcode ID: 1c4b385bc36361a9a2954bb7a1779e5449b6889c6675efbbb30dde4298cf1974
Instruction ID: edbed56e9a67a6407f2c598efa75d13ce803f38de899084a77035ae7543ae124
Opcode Fuzzy Hash: 1c4b385bc36361a9a2954bb7a1779e5449b6889c6675efbbb30dde4298cf1974
Instruction Fuzzy Hash: 6EF06D31240295BFDB21DF58DC45FD63F95EB19321F548098BA11672E2CBB07820D7A0

Function 00AF4C27 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

mouse_event.USER32(00000002,00000000,00000000,00000000,00000000), ref: 00AF4C4A

Memory Dump Source

Source File: 00000000.00000002.2177197772.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true

Associated: 00000000.00000002.2177164617.0000000000A90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177927609.0000000000B98000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178101088.0000000000B99000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_uOCavrYu1y.jbxd

Similarity

API ID: mouse_event
String ID:
API String ID: 2434400541-0
Opcode ID: e41421bb7f629e536bee8a56a18d99ecbf86adb38662f8d246a7b66fd8a026d7
Instruction ID: f23bc9489e40258abe6911229fa417143c2c353eda799cc0a9bd4afad7ff3e8e
Opcode Fuzzy Hash: e41421bb7f629e536bee8a56a18d99ecbf86adb38662f8d246a7b66fd8a026d7
Instruction Fuzzy Hash: 3AD05EA116520E78FC2C07A09E0FF7B0108E308782FD0A18973018A0D2EC855C429030

Function 00AE87B1 Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

LogonUserW.ADVAPI32(?,00000001,?,?,00000000,00AE8389), ref: 00AE87D1

Memory Dump Source

Source File: 00000000.00000002.2177197772.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true

Associated: 00000000.00000002.2177164617.0000000000A90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177927609.0000000000B98000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178101088.0000000000B99000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_uOCavrYu1y.jbxd

Similarity

API ID: LogonUser
String ID:
API String ID: 1244722697-0
Opcode ID: 40cab0286a65f4b0ee8adfb488408b644f9adf0e2ad5cf5275e523db6a0a8d4d
Instruction ID: 030881f080c62d99adb495f5227e84a6c2ff9417ae2bc00839a9057d77fbb759
Opcode Fuzzy Hash: 40cab0286a65f4b0ee8adfb488408b644f9adf0e2ad5cf5275e523db6a0a8d4d
Instruction Fuzzy Hash: 20D09E3226450EABEF019EA4DD05EFE3B69EB04B01F808511FE15D61A1C775D935EB60

Function 00B1C909 Relevance: 1.5, APIs: 1, Instructions: 18nativeCOMMON

Download Yara Rule

APIs

NtdllDialogWndProc_W.NTDLL(?,00000053,?,?,?,00ACB9BC,?,?,?,?,?,?), ref: 00B1C934

Part of subcall function 00B1B635: _memset.LIBCMT ref: 00B1B644
Part of subcall function 00B1B635: _memset.LIBCMT ref: 00B1B653
Part of subcall function 00B1B635: CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00B56F20,00B56F64), ref: 00B1B682
Part of subcall function 00B1B635: CloseHandle.KERNEL32 ref: 00B1B694

Memory Dump Source

Source File: 00000000.00000002.2177197772.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true

Associated: 00000000.00000002.2177164617.0000000000A90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177927609.0000000000B98000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178101088.0000000000B99000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_uOCavrYu1y.jbxd

Similarity

API ID: _memset$CloseCreateDialogHandleNtdllProc_Process
String ID:
API String ID: 2364484715-0
Opcode ID: cb2de6e6c8192f58298bd436642cf4596b52263fcb9488fd361969f741f0a02b
Instruction ID: 3caa4b2ff4f969476a325cc7672e0f8b4b733e12bf0905ccc895cd1fca00bd8a
Opcode Fuzzy Hash: cb2de6e6c8192f58298bd436642cf4596b52263fcb9488fd361969f741f0a02b
Instruction Fuzzy Hash: 48E04632100208EFCB02AF44DC51E953BB2FB1C341F818094FA05072B2CB31A9A0EF50

Function 00A9167D Relevance: 1.5, APIs: 1, Instructions: 18nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 00A92612: GetWindowLongW.USER32(?,000000EB), ref: 00A92623

NtdllDialogWndProc_W.NTDLL(?,00000007,?,00000000,00000000,?,?,?,00A91AEE,?,?,?), ref: 00A916AB

Memory Dump Source

Source File: 00000000.00000002.2177197772.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true

Associated: 00000000.00000002.2177164617.0000000000A90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177927609.0000000000B98000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178101088.0000000000B99000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_uOCavrYu1y.jbxd

Similarity

API ID: DialogLongNtdllProc_Window
String ID:
API String ID: 2065330234-0
Opcode ID: a2e97bf8606ff5e2172c208dc3644aada600ad9f397b8315e6b9784fae3ee8bc
Instruction ID: d3e3fd7ce1b2c8ccb4659a77ec5ef6d4a6dae8462637b836819f26f438a8e1d4
Opcode Fuzzy Hash: a2e97bf8606ff5e2172c208dc3644aada600ad9f397b8315e6b9784fae3ee8bc
Instruction Fuzzy Hash: 63E0EC35200208FBCF15AF90DC61F653F66FB58315F508468FA550B2A2CE32A921DB50

Function 00B1C88F Relevance: 1.5, APIs: 1, Instructions: 14nativeCOMMON

Download Yara Rule

APIs

NtdllDialogWndProc_W.NTDLL ref: 00B1C8B4

Memory Dump Source

Source File: 00000000.00000002.2177197772.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true

Associated: 00000000.00000002.2177164617.0000000000A90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177927609.0000000000B98000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178101088.0000000000B99000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_uOCavrYu1y.jbxd

Similarity

API ID: DialogNtdllProc_
String ID:
API String ID: 3239928679-0
Opcode ID: 17e75602b859f34333b017f4a2e82337334769d452450aade9619e361d57951c
Instruction ID: 158ae4491a6d0a77cfe7e76b08cc752aacad1b6fb5f7a07af46bc6f96c403ec4
Opcode Fuzzy Hash: 17e75602b859f34333b017f4a2e82337334769d452450aade9619e361d57951c
Instruction Fuzzy Hash: E9E04275240249EFDB01DF88D955ED63BA5AB1D701F418094FA1547262CB71A860EBA1

Function 00B1C860 Relevance: 1.5, APIs: 1, Instructions: 14nativeCOMMON

Download Yara Rule

APIs

NtdllDialogWndProc_W.NTDLL ref: 00B1C885

Memory Dump Source

Source File: 00000000.00000002.2177197772.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true

Associated: 00000000.00000002.2177164617.0000000000A90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177927609.0000000000B98000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178101088.0000000000B99000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_uOCavrYu1y.jbxd

Similarity

API ID: DialogNtdllProc_
String ID:
API String ID: 3239928679-0
Opcode ID: 82c7aa989db3b71f16f24c58f3e02cb54dc41035f6041c337b45a0bca8849635
Instruction ID: ccdf7fff78a71cfda5706f7c1214a6db7f204fb8bf8772e6cb6c6afe357714a4
Opcode Fuzzy Hash: 82c7aa989db3b71f16f24c58f3e02cb54dc41035f6041c337b45a0bca8849635
Instruction Fuzzy Hash: 81E04275244249EFDB01DF88D895E963BA5AB1D701F414094FA1557262CB71A820EB61

Function 00A916B5 Relevance: 1.5, APIs: 1, Instructions: 14nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 00A92612: GetWindowLongW.USER32(?,000000EB), ref: 00A92623

Part of subcall function 00A9201B: DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 00A920D3
Part of subcall function 00A9201B: KillTimer.USER32(-00000001,?,?,?,?,00A916CB,00000000,?,?,00A91AE2,?,?), ref: 00A9216E

NtdllDialogWndProc_W.NTDLL(?,00000002,00000000,00000000,00000000,?,?,00A91AE2,?,?), ref: 00A916D4

Memory Dump Source

Source File: 00000000.00000002.2177197772.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true

Associated: 00000000.00000002.2177164617.0000000000A90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177927609.0000000000B98000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178101088.0000000000B99000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_uOCavrYu1y.jbxd

Similarity

API ID: Window$DestroyDialogKillLongNtdllProc_Timer
String ID:
API String ID: 2797419724-0
Opcode ID: 70b1959add85bed700c2f2594b982f9074404b1a89b741fb3907d38cad45f646
Instruction ID: 96c2f34b828d6cb2b45ef60d822c2b6ddf51ed76c2db1c6f3d86608a2e9d6df9
Opcode Fuzzy Hash: 70b1959add85bed700c2f2594b982f9074404b1a89b741fb3907d38cad45f646
Instruction Fuzzy Hash: D0D01231240308BBDE202B51DD17F593E59DB18751F90C030BB04291D3CA716C10A658

Function 00ABA124 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(?), ref: 00ABA12A

Memory Dump Source

Source File: 00000000.00000002.2177197772.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true

Associated: 00000000.00000002.2177164617.0000000000A90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177927609.0000000000B98000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178101088.0000000000B99000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_uOCavrYu1y.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 2bab4f1528e17522c18b6164d927d73c506ada56235e849914017aac18fddb16
Instruction ID: 293fd1a20a23cb9df10f1c71044665f9bc9296a7f78a000cd9460fa4c6c4fe52
Opcode Fuzzy Hash: 2bab4f1528e17522c18b6164d927d73c506ada56235e849914017aac18fddb16
Instruction Fuzzy Hash: 79A0123000010DA78A001B41FC044947F5CE6002907408020F40C41021CB3254108584

Function 00AA8808 Relevance: .6, Instructions: 590COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2177197772.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true

Associated: 00000000.00000002.2177164617.0000000000A90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177927609.0000000000B98000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178101088.0000000000B99000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_uOCavrYu1y.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f8778ff8b67c660ffefef19e5b10bab3af3fe5bc0db0f4da0246fe7879cc544
Instruction ID: 8c91e8b91b1aa6f3da8c4f7f2ae262c6e631e78eb91985b09d1a6e9c5b9fa605
Opcode Fuzzy Hash: 2f8778ff8b67c660ffefef19e5b10bab3af3fe5bc0db0f4da0246fe7879cc544
Instruction Fuzzy Hash: D5225430A04696CBDF389B29D4947BDB7B1FF02388F29806BD9528B5D2DB389D91C741

Function 00AB21C5 Relevance: .3, Instructions: 345COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2177197772.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true

Associated: 00000000.00000002.2177164617.0000000000A90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177927609.0000000000B98000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178101088.0000000000B99000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_uOCavrYu1y.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
Instruction ID: df16c8c731ff4d6972fa003c2088e0e3d35bee0ed09c4a6c09d4476611dcb9e7
Opcode Fuzzy Hash: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
Instruction Fuzzy Hash: CBC185322050930ADF2D473984741BEBFA99EA27B135A076ED4B3CF1D6EE24C965D720

Function 00AB25FA Relevance: .3, Instructions: 341COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2177197772.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true

Associated: 00000000.00000002.2177164617.0000000000A90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177927609.0000000000B98000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178101088.0000000000B99000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_uOCavrYu1y.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
Instruction ID: e3e417e40417380f7642b9494ba0390992cf1cdf5fe5fa784dbe551c1ea92b16
Opcode Fuzzy Hash: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
Instruction Fuzzy Hash: 63C196322151930ADF2D473AC4341BEBFA99EA27B135A076ED4B3DB1D6EE10C925D720

Function 00AB1978 Relevance: .3, Instructions: 323COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2177197772.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true

Associated: 00000000.00000002.2177164617.0000000000A90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177927609.0000000000B98000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178101088.0000000000B99000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_uOCavrYu1y.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction ID: 0569474a63626f21eb4d37dbc72165e99e9d570f142c3fa55290308108eb0d28
Opcode Fuzzy Hash: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction Fuzzy Hash: E3C1923231519309DF2D473AC4741BEBFA99EA27B139A076DD4B3CB1C6EE20D925D620

Function 00B07806 Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 491filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00B0785B
DeleteObject.GDI32(00000000), ref: 00B0786D
DestroyWindow.USER32 ref: 00B0787B
GetDesktopWindow.USER32 ref: 00B07895
GetWindowRect.USER32(00000000), ref: 00B0789C
SetRect.USER32(?,00000000,00000000,000001F4,00000190), ref: 00B079DD
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000002), ref: 00B079ED
CreateWindowExW.USER32(00000002,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00B07A35
GetClientRect.USER32(00000000,?), ref: 00B07A41
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00B07A7B
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00B07A9D
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00B07AB0
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00B07ABB
GlobalLock.KERNEL32(00000000), ref: 00B07AC4
ReadFile.KERNEL32(00000000,00000000,00000000,00000190,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00B07AD3
GlobalUnlock.KERNEL32(00000000), ref: 00B07ADC
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00B07AE3
GlobalFree.KERNEL32(00000000), ref: 00B07AEE
CreateStreamOnHGlobal.COMBASE(00000000,00000001,88C00000), ref: 00B07B00
OleLoadPicture.OLEAUT32(88C00000,00000000,00000000,00B22CAC,00000000), ref: 00B07B16
GlobalFree.KERNEL32(00000000), ref: 00B07B26
CopyImage.USER32(000001F4,00000000,00000000,00000000,00002000), ref: 00B07B4C
SendMessageW.USER32(?,00000172,00000000,000001F4), ref: 00B07B6B
SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00B07B8D
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00B07D7A

Strings

AutoIt v3, xrefs: 00B07A2D
, xrefs: 00B07D00
DISPLAY, xrefs: 00B07BDD
static, xrefs: 00B07A75, 00B07BCC

Memory Dump Source

Source File: 00000000.00000002.2177197772.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true

Associated: 00000000.00000002.2177164617.0000000000A90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177927609.0000000000B98000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178101088.0000000000B99000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_uOCavrYu1y.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: 7118baf7e53fa81273918b9cb42da0df5926871ecbb4e192fe1d7912c647cce5
Instruction ID: 57d5c336596f70e5d4c6349975c15616734666ee6e427fedabd393484c371012
Opcode Fuzzy Hash: 7118baf7e53fa81273918b9cb42da0df5926871ecbb4e192fe1d7912c647cce5
Instruction Fuzzy Hash: FF025171900115EFDB14DFA8DD89EAEBBB9EF48310F548198F915AB2A1CF71AD01CB60

Function 00B1356B Relevance: 51.1, APIs: 6, Strings: 23, Instructions: 365windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,00B1F910), ref: 00B13627
IsWindowVisible.USER32(?), ref: 00B1364B

Strings

GETLINECOUNT, xrefs: 00B138C6
ISVISIBLE, xrefs: 00B13637
ADDSTRING, xrefs: 00B13716
SHOWDROPDOWN, xrefs: 00B136E0
CURRENTTAB, xrefs: 00B136BD
SELECTSTRING, xrefs: 00B13806
SENDCOMMANDID, xrefs: 00B139DA
UNCHECK, xrefs: 00B13883
GETSELECTED, xrefs: 00B138A3
GETCURRENTLINE, xrefs: 00B138ED
GETCURRENTCOL, xrefs: 00B13928
SETCURRENTSELECTION, xrefs: 00B137B6
EDITPASTE, xrefs: 00B1395F
TABLEFT, xrefs: 00B13687
HIDEDROPDOWN, xrefs: 00B13700
TABRIGHT, xrefs: 00B1369D
CHECK, xrefs: 00B1386D
ISENABLED, xrefs: 00B1366B
DELSTRING, xrefs: 00B13749
GETLINE, xrefs: 00B1399B
GETCURRENTSELECTION, xrefs: 00B137E3
ISCHECKED, xrefs: 00B13839
FINDSTRING, xrefs: 00B13776

Memory Dump Source

Source File: 00000000.00000002.2177197772.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true

Associated: 00000000.00000002.2177164617.0000000000A90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177927609.0000000000B98000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178101088.0000000000B99000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_uOCavrYu1y.jbxd

Similarity

API ID: BuffCharUpperVisibleWindow
String ID: ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
API String ID: 4105515805-45149045
Opcode ID: ccceb441cef9a6317556227c234b95a6576d5e2bee3cfafbf524ea2abfb30fc9
Instruction ID: 2ea9662dbaa9e5954ba14a6e51f79b68171709c37d7bf28233b4bcbe53e91dc6
Opcode Fuzzy Hash: ccceb441cef9a6317556227c234b95a6576d5e2bee3cfafbf524ea2abfb30fc9
Instruction Fuzzy Hash: DED17E312143019BCB04EF14C552EAF77E5EF95794F5448ACF8865B2A2EB31EE8ACB41

Function 00B1A5DA Relevance: 49.8, APIs: 33, Instructions: 260COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 00B1A630
GetSysColorBrush.USER32(0000000F), ref: 00B1A661
GetSysColor.USER32(0000000F), ref: 00B1A66D
SetBkColor.GDI32(?,000000FF), ref: 00B1A687
SelectObject.GDI32(?,00000000), ref: 00B1A696
InflateRect.USER32(?,000000FF,000000FF), ref: 00B1A6C1
GetSysColor.USER32(00000010), ref: 00B1A6C9
CreateSolidBrush.GDI32(00000000), ref: 00B1A6D0
FrameRect.USER32(?,?,00000000), ref: 00B1A6DF
DeleteObject.GDI32(00000000), ref: 00B1A6E6
InflateRect.USER32(?,000000FE,000000FE), ref: 00B1A731
FillRect.USER32(?,?,00000000), ref: 00B1A763
GetWindowLongW.USER32(?,000000F0), ref: 00B1A78E

Part of subcall function 00B1A8CA: GetSysColor.USER32(00000012), ref: 00B1A903
Part of subcall function 00B1A8CA: SetTextColor.GDI32(?,?), ref: 00B1A907
Part of subcall function 00B1A8CA: GetSysColorBrush.USER32(0000000F), ref: 00B1A91D
Part of subcall function 00B1A8CA: GetSysColor.USER32(0000000F), ref: 00B1A928
Part of subcall function 00B1A8CA: GetSysColor.USER32(00000011), ref: 00B1A945
Part of subcall function 00B1A8CA: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00B1A953
Part of subcall function 00B1A8CA: SelectObject.GDI32(?,00000000), ref: 00B1A964
Part of subcall function 00B1A8CA: SetBkColor.GDI32(?,00000000), ref: 00B1A96D
Part of subcall function 00B1A8CA: SelectObject.GDI32(?,?), ref: 00B1A97A
Part of subcall function 00B1A8CA: InflateRect.USER32(?,000000FF,000000FF), ref: 00B1A999
Part of subcall function 00B1A8CA: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00B1A9B0
Part of subcall function 00B1A8CA: GetWindowLongW.USER32(00000000,000000F0), ref: 00B1A9C5
Part of subcall function 00B1A8CA: SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00B1A9ED

Memory Dump Source

Source File: 00000000.00000002.2177197772.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true

Associated: 00000000.00000002.2177164617.0000000000A90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177927609.0000000000B98000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178101088.0000000000B99000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_uOCavrYu1y.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameMessageRoundSendSolid
String ID:
API String ID: 3521893082-0
Opcode ID: db54211754253775ccae9c92cedbcc55914e3ef793c9e15f0ae6ccaed5b5d7aa
Instruction ID: 40e426f147441882b407b577fedfa83c29a09010e809f0a2437b67ebdec85470
Opcode Fuzzy Hash: db54211754253775ccae9c92cedbcc55914e3ef793c9e15f0ae6ccaed5b5d7aa
Instruction Fuzzy Hash: 68916D71409302FFC7109F64DC48AAB7BEAFB49321F904A29F966971E1DB31E944CB52

Function 00B074AB Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 284windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 00B074DE
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00B0759D
SetRect.USER32(?,00000000,00000000,0000012C,00000064), ref: 00B075DB
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000006), ref: 00B075ED
CreateWindowExW.USER32(00000006,AutoIt v3,?,88C00000,?,?,?,?,00000000,00000000,00000000), ref: 00B07633
GetClientRect.USER32(00000000,?), ref: 00B0763F
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000), ref: 00B07683
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00B07692
GetStockObject.GDI32(00000011), ref: 00B076A2
SelectObject.GDI32(00000000,00000000), ref: 00B076A6
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?), ref: 00B076B6
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00B076BF
DeleteDC.GDI32(00000000), ref: 00B076C8
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 00B076F4
SendMessageW.USER32(00000030,00000000,00000001), ref: 00B0770B
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,0000001E,00000104,00000014,00000000,00000000,00000000), ref: 00B07746
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00B0775A
SendMessageW.USER32(00000404,00000001,00000000), ref: 00B0776B
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000037,00000500,00000032,00000000,00000000,00000000), ref: 00B0779B
GetStockObject.GDI32(00000011), ref: 00B077A6
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00B077B1
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?,?,?,?), ref: 00B077BB

Strings

AutoIt v3, xrefs: 00B0762B
DISPLAY, xrefs: 00B07688
static, xrefs: 00B0767D, 00B07795
msctls_progress32, xrefs: 00B0773C

Memory Dump Source

Source File: 00000000.00000002.2177197772.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true

Associated: 00000000.00000002.2177164617.0000000000A90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177927609.0000000000B98000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178101088.0000000000B99000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_uOCavrYu1y.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: 905d1e95592ac9f142fa2acbae92efb4cf1824932bf940fcc5eb5c86a882f940
Instruction ID: 556f9e866d97a1807b1cf8db26b09f4812943ff6343c317f072206d4fb2350a3
Opcode Fuzzy Hash: 905d1e95592ac9f142fa2acbae92efb4cf1824932bf940fcc5eb5c86a882f940
Instruction Fuzzy Hash: 10A15071A40619BFEB14DBA4DD4AFEEBBB9EB04711F008154FA15A72E0DB71AD40CB60

Function 00AFAD10 Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 186COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00AFAD1E
GetDriveTypeW.KERNEL32(?,00B1FAC0,?,\\.\,00B1F910), ref: 00AFADFB
SetErrorMode.KERNEL32(00000000,00B1FAC0,?,\\.\,00B1F910), ref: 00AFAF59

Strings

Removable, xrefs: 00AFAE4D
RAID, xrefs: 00AFAEF7
USB, xrefs: 00AFAEF0
SSA, xrefs: 00AFAEE2
Fibre, xrefs: 00AFAEE9
SATA, xrefs: 00AFAF0C
Virtual, xrefs: 00AFAF21
Fixed, xrefs: 00AFAE43
\\.\, xrefs: 00AFAD70
FileBackedVirtual, xrefs: 00AFAF28
SAS, xrefs: 00AFAF05
ATAPI, xrefs: 00AFAECD
ATA, xrefs: 00AFAED4
PhysicalDrive, xrefs: 00AFADA7
Unknown, xrefs: 00AFAE1B, 00AFAEBF
RAMDisk, xrefs: 00AFAE25
Network, xrefs: 00AFAE39
SSD, xrefs: 00AFAE86
CDROM, xrefs: 00AFAE2F
1394, xrefs: 00AFAEDB
iSCSI, xrefs: 00AFAEFE
SCSI, xrefs: 00AFAEC6
MMC, xrefs: 00AFAF1A

Memory Dump Source

Source File: 00000000.00000002.2177197772.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true

Associated: 00000000.00000002.2177164617.0000000000A90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177927609.0000000000B98000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178101088.0000000000B99000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_uOCavrYu1y.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: 22f6aa8994a273ae985c26ac84f116fe69c95aef85025d16b3b3340e8ad2bc5d
Instruction ID: 17472423aa20495d7a1e0a46c8f9c1553ca4bad141b620529a9122c8c1092355
Opcode Fuzzy Hash: 22f6aa8994a273ae985c26ac84f116fe69c95aef85025d16b3b3340e8ad2bc5d
Instruction Fuzzy Hash: F55166F074420DAB8B10DB94C942DFD73F1EB687107208496F60FAB2A1DA719E41EB63

Function 00A968DC Relevance: 44.0, APIs: 12, Strings: 13, Instructions: 275COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 00A96931
__wcsnicmp.LIBCMT ref: 00A96949
__wcsnicmp.LIBCMT ref: 00A96961
__wcsnicmp.LIBCMT ref: 00A96979
__wcsnicmp.LIBCMT ref: 00A96991
__wcsnicmp.LIBCMT ref: 00A969A9
__wcsnicmp.LIBCMT ref: 00A969C1
__wcsnicmp.LIBCMT ref: 00A969D5
__wcsnicmp.LIBCMT ref: 00A96A16
__wcsnicmp.LIBCMT ref: 00A96A2A
__wcsnicmp.LIBCMT ref: 00A96A3E
__wcsnicmp.LIBCMT ref: 00A96A52

Strings

#pragma compile, xrefs: 00A9692B
Unterminated group of comments, xrefs: 00ACE403
#comments-end, xrefs: 00A96A38
Bad directive syntax error, xrefs: 00ACE31A
#cs, xrefs: 00A969CF, 00A96A24
#requireadmin, xrefs: 00A9695B
#ce, xrefs: 00A96A4C
#include-once, xrefs: 00A9698B
#notrayicon, xrefs: 00A96943
Cannot parse #include, xrefs: 00ACE3F0
#comments-start, xrefs: 00A969BB, 00A96A10
#include, xrefs: 00A969A3
#OnAutoItStartRegister, xrefs: 00A96973

Memory Dump Source

Source File: 00000000.00000002.2177197772.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true

Associated: 00000000.00000002.2177164617.0000000000A90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177927609.0000000000B98000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178101088.0000000000B99000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_uOCavrYu1y.jbxd

Similarity

API ID: __wcsnicmp
String ID: #OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 1038674560-86951937
Opcode ID: 81c6eca89ea654b821c7f07b0dc60af9e1c057e4f7c4616f03a725929c4a513d
Instruction ID: cbb58f3ea0d4d2db79a798c4a7a78e0491e7c8e00a5a3dfba8473261067611e8
Opcode Fuzzy Hash: 81c6eca89ea654b821c7f07b0dc60af9e1c057e4f7c4616f03a725929c4a513d
Instruction Fuzzy Hash: 9F81E2B1740205AADF21EB60EE43FFF37E8AF15740F444029F905AA192EF61DA85D6A1

Function 00B19A1C Relevance: 42.5, APIs: 23, Strings: 1, Instructions: 455windowCOMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000103,?,?,?), ref: 00B19AD2
SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 00B19B8B
SendMessageW.USER32(?,00001102,00000002,?), ref: 00B19BA7

Strings

0, xrefs: 00B19BE4

Memory Dump Source

Source File: 00000000.00000002.2177197772.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true

Associated: 00000000.00000002.2177164617.0000000000A90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177927609.0000000000B98000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178101088.0000000000B99000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_uOCavrYu1y.jbxd

Similarity

API ID: MessageSend$Window
String ID: 0
API String ID: 2326795674-4108050209
Opcode ID: 1fdb52387b1de6eec4ccf328406cee6f29c4098c4293010d66ec3e9507c1c786
Instruction ID: a5ba744df8f969ee0a99d5c563fa3f26141a3d2ca392cba9bbbeceb637c8cdd8
Opcode Fuzzy Hash: 1fdb52387b1de6eec4ccf328406cee6f29c4098c4293010d66ec3e9507c1c786
Instruction Fuzzy Hash: A702BD31104381AFD725CF24C8A8BEABBE5FF49310F8485ADF995972A1C734D985CB92

Function 00B1A8CA Relevance: 39.2, APIs: 26, Instructions: 187windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 00B1A903
SetTextColor.GDI32(?,?), ref: 00B1A907
GetSysColorBrush.USER32(0000000F), ref: 00B1A91D
GetSysColor.USER32(0000000F), ref: 00B1A928
CreateSolidBrush.GDI32(?), ref: 00B1A92D
GetSysColor.USER32(00000011), ref: 00B1A945
CreatePen.GDI32(00000000,00000001,00743C00), ref: 00B1A953
SelectObject.GDI32(?,00000000), ref: 00B1A964
SetBkColor.GDI32(?,00000000), ref: 00B1A96D
SelectObject.GDI32(?,?), ref: 00B1A97A
InflateRect.USER32(?,000000FF,000000FF), ref: 00B1A999
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00B1A9B0
GetWindowLongW.USER32(00000000,000000F0), ref: 00B1A9C5
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00B1A9ED
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 00B1AA14
InflateRect.USER32(?,000000FD,000000FD), ref: 00B1AA32
DrawFocusRect.USER32(?,?), ref: 00B1AA3D
GetSysColor.USER32(00000011), ref: 00B1AA4B
SetTextColor.GDI32(?,00000000), ref: 00B1AA53
DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 00B1AA67
SelectObject.GDI32(?,00B1A5FA), ref: 00B1AA7E
DeleteObject.GDI32(?), ref: 00B1AA89
SelectObject.GDI32(?,?), ref: 00B1AA8F
DeleteObject.GDI32(?), ref: 00B1AA94
SetTextColor.GDI32(?,?), ref: 00B1AA9A
SetBkColor.GDI32(?,?), ref: 00B1AAA4

Memory Dump Source

Source File: 00000000.00000002.2177197772.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true

Associated: 00000000.00000002.2177164617.0000000000A90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177927609.0000000000B98000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178101088.0000000000B99000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_uOCavrYu1y.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: a2ce117ef68bdcb9e04a045f136de18b396a212f530c686dfa0a8f63f549ec9e
Instruction ID: 196018a270ad1bb309ef9fb387000ee1e904fe894c5b825c994cbed211713fd5
Opcode Fuzzy Hash: a2ce117ef68bdcb9e04a045f136de18b396a212f530c686dfa0a8f63f549ec9e
Instruction Fuzzy Hash: 1B513E71901209FFDB119FA4DC48EEE7BB9EF08320F518265F915AB2A1DB719940DF50

Function 00B189D5 Relevance: 38.9, APIs: 21, Strings: 1, Instructions: 401windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 00B18AC1
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00B18AD2
CharNextW.USER32(0000014E), ref: 00B18B01
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00B18B42
SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00B18B58
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00B18B69
SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 00B18B86
SetWindowTextW.USER32(?,0000014E), ref: 00B18BD8
SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 00B18BEE
SendMessageW.USER32(?,00001002,00000000,?), ref: 00B18C1F
_memset.LIBCMT ref: 00B18C44
SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 00B18C8D
_memset.LIBCMT ref: 00B18CEC
SendMessageW.USER32(?,00001053,000000FF,?), ref: 00B18D16
SendMessageW.USER32(?,00001074,?,00000001), ref: 00B18D6E
SendMessageW.USER32(?,0000133D,?,?), ref: 00B18E1B
InvalidateRect.USER32(?,00000000,00000001), ref: 00B18E3D
GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00B18E87
SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00B18EB4
DrawMenuBar.USER32(?), ref: 00B18EC3
SetWindowTextW.USER32(?,0000014E), ref: 00B18EEB

Strings

0, xrefs: 00B18E55

Memory Dump Source

Source File: 00000000.00000002.2177197772.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true

Associated: 00000000.00000002.2177164617.0000000000A90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177927609.0000000000B98000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178101088.0000000000B99000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_uOCavrYu1y.jbxd

Similarity

API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
String ID: 0
API String ID: 1073566785-4108050209
Opcode ID: 67b7424dae8ba841f85d8294eeec34722bd4fd54efae3de21b867055e6fc6546
Instruction ID: 896883dd15150895b45c09ea215c825f819f10d98e0b27f233405a796dc90558
Opcode Fuzzy Hash: 67b7424dae8ba841f85d8294eeec34722bd4fd54efae3de21b867055e6fc6546
Instruction Fuzzy Hash: 7FE15D71900209ABDB20DF60DC84EEE7BB9FF09710F90819AF915AB291DF709985DF60

Function 00B1488F Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 290windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00B149CA
GetDesktopWindow.USER32 ref: 00B149DF
GetWindowRect.USER32(00000000), ref: 00B149E6
GetWindowLongW.USER32(?,000000F0), ref: 00B14A48
DestroyWindow.USER32(?), ref: 00B14A74
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00B14A9D
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00B14ABB
SendMessageW.USER32(?,00000439,00000000,00000030), ref: 00B14AE1
SendMessageW.USER32(?,00000421,?,?), ref: 00B14AF6
SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 00B14B09
IsWindowVisible.USER32(?), ref: 00B14B29
SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 00B14B44
SendMessageW.USER32(?,00000411,00000001,00000030), ref: 00B14B58
GetWindowRect.USER32(?,?), ref: 00B14B70
MonitorFromPoint.USER32(?,?,00000002), ref: 00B14B96
GetMonitorInfoW.USER32(00000000,?), ref: 00B14BB0
CopyRect.USER32(?,?), ref: 00B14BC7
SendMessageW.USER32(?,00000412,00000000), ref: 00B14C32

Strings

(, xrefs: 00B14BA3
tooltips_class32, xrefs: 00B14A96
0, xrefs: 00B14975

Memory Dump Source

Source File: 00000000.00000002.2177197772.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true

Associated: 00000000.00000002.2177164617.0000000000A90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177927609.0000000000B98000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178101088.0000000000B99000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_uOCavrYu1y.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: 2c630e0e40d092c6328277d031f48e0ce1f0a7b0ab6899b5f49f85855991dc3f
Instruction ID: 9598dfd33aab9b7afaeee06aedfcd2f597553eeeab673e58785b45350aa52535
Opcode Fuzzy Hash: 2c630e0e40d092c6328277d031f48e0ce1f0a7b0ab6899b5f49f85855991dc3f
Instruction Fuzzy Hash: ECB18970608341AFDB04DF68C985BABBBE4FF88310F40895CF5999B2A1DB71E845CB95

Function 00A927D9 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 286windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00A928BC
GetSystemMetrics.USER32(00000007), ref: 00A928C4
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00A928EF
GetSystemMetrics.USER32(00000008), ref: 00A928F7
GetSystemMetrics.USER32(00000004), ref: 00A9291C
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00A92939
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00A92949
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00A9297C
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00A92990
GetClientRect.USER32(00000000,000000FF), ref: 00A929AE
GetStockObject.GDI32(00000011), ref: 00A929CA
SendMessageW.USER32(00000000,00000030,00000000), ref: 00A929D5

Part of subcall function 00A92344: GetCursorPos.USER32(?), ref: 00A92357
Part of subcall function 00A92344: ScreenToClient.USER32(00B557B0,?), ref: 00A92374
Part of subcall function 00A92344: GetAsyncKeyState.USER32(00000001), ref: 00A92399
Part of subcall function 00A92344: GetAsyncKeyState.USER32(00000002), ref: 00A923A7

SetTimer.USER32(00000000,00000000,00000028,00A91256), ref: 00A929FC

Strings

AutoIt v3 GUI, xrefs: 00A92974

Memory Dump Source

Source File: 00000000.00000002.2177197772.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true

Associated: 00000000.00000002.2177164617.0000000000A90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177927609.0000000000B98000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178101088.0000000000B99000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_uOCavrYu1y.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: 5797ec7aaafbf7f01d2efe2ad0286c5d8697be5ffe7a10f3551a3dc2b5b45c6f
Instruction ID: 567588e8672662e253c12ba207a6cf56030f22d7be0014c67bb35ff0da640111
Opcode Fuzzy Hash: 5797ec7aaafbf7f01d2efe2ad0286c5d8697be5ffe7a10f3551a3dc2b5b45c6f
Instruction Fuzzy Hash: 28B12B71A0020AEFDF14DFA8DD55BEE7BB5FB08311F518269FA15A72A0DB74A840CB50

Function 00AF449A Relevance: 33.4, APIs: 14, Strings: 5, Instructions: 179COMMON

Download Yara Rule

APIs

_wcscpy.LIBCMT ref: 00AF4500
_wcscmp.LIBCMT ref: 00AF450B
_wcscat.LIBCMT ref: 00AF4521
_wcsstr.LIBCMT ref: 00AF452C
751C1560.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 00AF4548
_wcscat.LIBCMT ref: 00AF4591
_wcscat.LIBCMT ref: 00AF4598
_wcsncpy.LIBCMT ref: 00AF45C3

Strings

DefaultLangCodepage, xrefs: 00AF45AB
\VarFileInfo\Translation, xrefs: 00AF4540
StringFileInfo\, xrefs: 00AF451B
%u.%u.%u.%u, xrefs: 00AF4626
04090000, xrefs: 00AF457E

Memory Dump Source

Source File: 00000000.00000002.2177197772.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true

Associated: 00000000.00000002.2177164617.0000000000A90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177927609.0000000000B98000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178101088.0000000000B99000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_uOCavrYu1y.jbxd

Similarity

API ID: _wcscat$C1560_wcscmp_wcscpy_wcsncpy_wcsstr
String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
API String ID: 2258151342-1459072770
Opcode ID: 8414327c71c92ef82905e1271dd1653e4034223b7528304e3982f47eb707ab5e
Instruction ID: 04db8f8d4abf8d9abdc8b4e4e6b30e0b94c0b7e41cd6912aae10bf3965104872
Opcode Fuzzy Hash: 8414327c71c92ef82905e1271dd1653e4034223b7528304e3982f47eb707ab5e
Instruction Fuzzy Hash: CD41C032A402057BEB10BBB48D46EFF77BCDF46710F44016AFA05E6193EA35AA0196A5

Function 00AEA439 Relevance: 26.5, APIs: 14, Strings: 1, Instructions: 273windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 00AEA47A
__swprintf.LIBCMT ref: 00AEA51B
_wcscmp.LIBCMT ref: 00AEA52E
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00AEA583
_wcscmp.LIBCMT ref: 00AEA5BF
GetClassNameW.USER32(?,?,00000400), ref: 00AEA5F6
GetDlgCtrlID.USER32(?), ref: 00AEA648
GetWindowRect.USER32(?,?), ref: 00AEA67E
GetParent.USER32(?), ref: 00AEA69C
ScreenToClient.USER32(00000000), ref: 00AEA6A3
GetClassNameW.USER32(?,?,00000100), ref: 00AEA71D
_wcscmp.LIBCMT ref: 00AEA731
GetWindowTextW.USER32(?,?,00000400), ref: 00AEA757
_wcscmp.LIBCMT ref: 00AEA76B

Part of subcall function 00AB362C: _iswctype.LIBCMT ref: 00AB3634

Strings

%s%u, xrefs: 00AEA515

Memory Dump Source

Source File: 00000000.00000002.2177197772.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true

Associated: 00000000.00000002.2177164617.0000000000A90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177927609.0000000000B98000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178101088.0000000000B99000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_uOCavrYu1y.jbxd

Similarity

API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf_iswctype
String ID: %s%u
API String ID: 3744389584-679674701
Opcode ID: b6c4e1771f228cb14f9ff94c83ff9975ab55401e6587d7172cefadde0d3af59e
Instruction ID: e925ee5903ecf5a9926a1dc973de9a5f15fba04563a7e595572ee4df1991bf78
Opcode Fuzzy Hash: b6c4e1771f228cb14f9ff94c83ff9975ab55401e6587d7172cefadde0d3af59e
Instruction Fuzzy Hash: 1FA1CF71204346AFDB14DF65C884BEAB7E8FF64314F008629F999D2190DB30F945CBA2

Function 00AEAED4 Relevance: 26.5, APIs: 13, Strings: 2, Instructions: 249COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(00000008,?,00000400), ref: 00AEAF18
_wcscmp.LIBCMT ref: 00AEAF29
GetWindowTextW.USER32(00000001,?,00000400), ref: 00AEAF51
CharUpperBuffW.USER32(?,00000000), ref: 00AEAF6E
_wcscmp.LIBCMT ref: 00AEAF8C
_wcsstr.LIBCMT ref: 00AEAF9D
GetClassNameW.USER32(00000018,?,00000400), ref: 00AEAFD5
_wcscmp.LIBCMT ref: 00AEAFE5
GetWindowTextW.USER32(00000002,?,00000400), ref: 00AEB00C
GetClassNameW.USER32(00000018,?,00000400), ref: 00AEB055
_wcscmp.LIBCMT ref: 00AEB065
GetClassNameW.USER32(00000010,?,00000400), ref: 00AEB08D
GetWindowRect.USER32(00000004,?), ref: 00AEB0F6

Strings

ThumbnailClass, xrefs: 00AEAFE0, 00AEB060
@, xrefs: 00AEAEF9

Memory Dump Source

Source File: 00000000.00000002.2177197772.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true

Associated: 00000000.00000002.2177164617.0000000000A90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177927609.0000000000B98000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178101088.0000000000B99000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_uOCavrYu1y.jbxd

Similarity

API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
String ID: @$ThumbnailClass
API String ID: 1788623398-1539354611
Opcode ID: f7b17f9ef7b2c5ddb11c83f21c899213b0fe1c24cd0c10085b48bd42ad3c896a
Instruction ID: 98a0328cf3a474ed86d1b3e443fcd38f975679999f66db1447f5d5ffd1dfb244
Opcode Fuzzy Hash: f7b17f9ef7b2c5ddb11c83f21c899213b0fe1c24cd0c10085b48bd42ad3c896a
Instruction Fuzzy Hash: 0581CF711183869FDB01DF12C985BBB7BE8EF54314F048569FD858A0A6DB30ED49CBA1

Function 00AEABD4 Relevance: 26.4, APIs: 3, Strings: 12, Instructions: 105COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 00AEAC33

Strings

ACTIVE, xrefs: 00AEAC0E
[LAST, xrefs: 00AEACE0
HANDLE=, xrefs: 00AEAC2C
[CLASS:, xrefs: 00AEAC83
[ALL, xrefs: 00AEACD9
LAST, xrefs: 00AEABF8
[REGEXPTITLE:, xrefs: 00AEAC5B
ALL, xrefs: 00AEACC7
[HANDLE:, xrefs: 00AEAC3F
[ACTIVE, xrefs: 00AEAC20
CLASSNAME=, xrefs: 00AEAC70
REGEXP=, xrefs: 00AEAC48

Memory Dump Source

Source File: 00000000.00000002.2177197772.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true

Associated: 00000000.00000002.2177164617.0000000000A90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177927609.0000000000B98000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178101088.0000000000B99000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_uOCavrYu1y.jbxd

Similarity

API ID: __wcsnicmp
String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
API String ID: 1038674560-1810252412
Opcode ID: 27efca6e77937728b86591985e9a7b827a1808ecf0001e21a3d3c0b38e20a717
Instruction ID: 5ac153d9085c3b882f0bf0df03d90f6dfd45a613af8d4f25caa595bb478a96bb
Opcode Fuzzy Hash: 27efca6e77937728b86591985e9a7b827a1808ecf0001e21a3d3c0b38e20a717
Instruction Fuzzy Hash: 98316231A88249AADE14EBA5DF43EFE77E4AF20710F600469F442710E2EF516F04D652

Function 00B04FFD Relevance: 25.6, APIs: 17, Instructions: 110COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F8A), ref: 00B05013
LoadCursorW.USER32(00000000,00007F00), ref: 00B0501E
LoadCursorW.USER32(00000000,00007F03), ref: 00B05029
LoadCursorW.USER32(00000000,00007F8B), ref: 00B05034
LoadCursorW.USER32(00000000,00007F01), ref: 00B0503F
LoadCursorW.USER32(00000000,00007F81), ref: 00B0504A
LoadCursorW.USER32(00000000,00007F88), ref: 00B05055
LoadCursorW.USER32(00000000,00007F80), ref: 00B05060
LoadCursorW.USER32(00000000,00007F86), ref: 00B0506B
LoadCursorW.USER32(00000000,00007F83), ref: 00B05076
LoadCursorW.USER32(00000000,00007F85), ref: 00B05081
LoadCursorW.USER32(00000000,00007F82), ref: 00B0508C
LoadCursorW.USER32(00000000,00007F84), ref: 00B05097
LoadCursorW.USER32(00000000,00007F04), ref: 00B050A2
LoadCursorW.USER32(00000000,00007F02), ref: 00B050AD
LoadCursorW.USER32(00000000,00007F89), ref: 00B050B8
GetCursorInfo.USER32(?), ref: 00B050C8

Memory Dump Source

Source File: 00000000.00000002.2177197772.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true

Associated: 00000000.00000002.2177164617.0000000000A90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177927609.0000000000B98000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178101088.0000000000B99000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_uOCavrYu1y.jbxd

Similarity

API ID: Cursor$Load$Info
String ID:
API String ID: 2577412497-0
Opcode ID: 76a1cd187b9584a0113161b03e950fc74bfcb0b9fe0a0bce30ad1cc07bb97586
Instruction ID: 38c3b8d2bf494184fba4a3cf71e839984012570ebf91e4d97463b3a13fa5c050
Opcode Fuzzy Hash: 76a1cd187b9584a0113161b03e950fc74bfcb0b9fe0a0bce30ad1cc07bb97586
Instruction Fuzzy Hash: A131E5B1D4831A6ADF209FB68C899AFBFE8FF04750F50456AA50DE7280DA786500CF95

Function 00B1A1B9 Relevance: 24.7, APIs: 12, Strings: 2, Instructions: 205windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00B1A259
DestroyWindow.USER32(?,?), ref: 00B1A2D3

Part of subcall function 00A97BCC: _memmove.LIBCMT ref: 00A97C06

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00B1A34D
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00B1A36F
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00B1A382
DestroyWindow.USER32(00000000), ref: 00B1A3A4
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00A90000,00000000), ref: 00B1A3DB
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00B1A3F4
GetDesktopWindow.USER32 ref: 00B1A40D
GetWindowRect.USER32(00000000), ref: 00B1A414
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00B1A42C
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00B1A444

Part of subcall function 00A925DB: GetWindowLongW.USER32(?,000000EB), ref: 00A925EC

Strings

tooltips_class32, xrefs: 00B1A346, 00B1A3D4
0, xrefs: 00B1A26F

Memory Dump Source

Source File: 00000000.00000002.2177197772.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true

Associated: 00000000.00000002.2177164617.0000000000A90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177927609.0000000000B98000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178101088.0000000000B99000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_uOCavrYu1y.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memmove_memset
String ID: 0$tooltips_class32
API String ID: 1297703922-3619404913
Opcode ID: ff9d502c432f823ad04e8288eae815c00b23fc540f0671e41584a01545a118c1
Instruction ID: 58e99991b2b012d1385b8fb97f58944388de4ab262a20e6ea161477b9319f806
Opcode Fuzzy Hash: ff9d502c432f823ad04e8288eae815c00b23fc540f0671e41584a01545a118c1
Instruction Fuzzy Hash: 2C718B71140305AFD721CF28CC59FAA7BE9FB88700F8445ADF985872A0DB70E946CB62

Function 00B14392 Relevance: 23.0, APIs: 2, Strings: 11, Instructions: 251windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00B14424
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00B1446F

Strings

EXISTS, xrefs: 00B144D8
GETTEXT, xrefs: 00B145C2
GETITEMCOUNT, xrefs: 00B14551
CHECK, xrefs: 00B1448F
UNCHECK, xrefs: 00B1464B
SELECT, xrefs: 00B14620
GETSELECTED, xrefs: 00B1457F
EXPAND, xrefs: 00B14521
COLLAPSE, xrefs: 00B144B5
ISCHECKED, xrefs: 00B145F2
GETTOTALCOUNT, xrefs: 00B14456

Memory Dump Source

Source File: 00000000.00000002.2177197772.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true

Associated: 00000000.00000002.2177164617.0000000000A90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177927609.0000000000B98000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178101088.0000000000B99000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_uOCavrYu1y.jbxd

Similarity

API ID: BuffCharMessageSendUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 3974292440-4258414348
Opcode ID: 93b3d6edb7aa725d04b308afb945501c249ddeb5b33c0f80b5ec6d6e4cbd4a8b
Instruction ID: 3239366cd09fdd9351faca7cad6395f10d32ac9f8d96c3c2c0187ad500b194f8
Opcode Fuzzy Hash: 93b3d6edb7aa725d04b308afb945501c249ddeb5b33c0f80b5ec6d6e4cbd4a8b
Instruction Fuzzy Hash: B2916F712043019FCB04EF14C551AAFB7E5AF95394F5488ACF8965B3A2DB30ED49CB81

Function 00B1B7FE Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 197windowlibraryCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 00B1B8B4
LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,00B191C2), ref: 00B1B910
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00B1B949
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 00B1B98C
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00B1B9C3
FreeLibrary.KERNEL32(?), ref: 00B1B9CF
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00B1B9DF
DestroyCursor.USER32(?), ref: 00B1B9EE
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00B1BA0B
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00B1BA17

Part of subcall function 00AB2EFD: __wcsicmp_l.LIBCMT ref: 00AB2F86

Strings

.exe, xrefs: 00B1B84A
.dll, xrefs: 00B1B86D
.icl, xrefs: 00B1B82A

Memory Dump Source

Source File: 00000000.00000002.2177197772.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true

Associated: 00000000.00000002.2177164617.0000000000A90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177927609.0000000000B98000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178101088.0000000000B99000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_uOCavrYu1y.jbxd

Similarity

API ID: Load$Image$LibraryMessageSend$CursorDestroyExtractFreeIcon__wcsicmp_l
String ID: .dll$.exe$.icl
API String ID: 3907162815-1154884017
Opcode ID: 40c30d1aa86923b0fc71cdcf63dbd0fd805941bb7960479d075e236d7bf3f263
Instruction ID: cd52d61afe0d5a228c351a309a222cfa14aff613166beb1afe8a4ada5118e152
Opcode Fuzzy Hash: 40c30d1aa86923b0fc71cdcf63dbd0fd805941bb7960479d075e236d7bf3f263
Instruction Fuzzy Hash: 4161FE71A00209BAEB14DF64CD42FFE7BACEB08B10F50825AF911D61D1DB749A81DBA0

Function 00AFA352 Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 00A99837: __itow.LIBCMT ref: 00A99862
Part of subcall function 00A99837: __swprintf.LIBCMT ref: 00A998AC

CharLowerBuffW.USER32(?,?), ref: 00AFA3CB
GetDriveTypeW.KERNEL32 ref: 00AFA418
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00AFA460
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00AFA497
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00AFA4C5

Part of subcall function 00A97BCC: _memmove.LIBCMT ref: 00A97C06

Strings

close cd wait, xrefs: 00AFA4B0
closed, xrefs: 00AFA3DF, 00AFA3E8
type cdaudio alias cd wait, xrefs: 00AFA443
open, xrefs: 00AFA3F2
close, xrefs: 00AFA3D1
open , xrefs: 00AFA427
wait, xrefs: 00AFA482
set cd door , xrefs: 00AFA466

Memory Dump Source

Source File: 00000000.00000002.2177197772.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true

Associated: 00000000.00000002.2177164617.0000000000A90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177927609.0000000000B98000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178101088.0000000000B99000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_uOCavrYu1y.jbxd

Similarity

API ID: SendString$BuffCharDriveLowerType__itow__swprintf_memmove
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 2698844021-4113822522
Opcode ID: 3f8c883815b7f616ac1c11f12f63edc22eeac6d997c56d5e0c018ac8c62fb338
Instruction ID: 3f95a3b320e4df0737ca0040483b15eb7f11f8d3cb162dc7546f26167075d9af
Opcode Fuzzy Hash: 3f8c883815b7f616ac1c11f12f63edc22eeac6d997c56d5e0c018ac8c62fb338
Instruction Fuzzy Hash: E3514B712142059FCB00EF24C9919AFB3E8FF94758F10886DF89A57261DB71AE09CB52

Function 00AEF8AA Relevance: 22.9, APIs: 8, Strings: 5, Instructions: 138windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,00000000,?,00ACE029,00000001,0000138C,00000001,00000000,00000001,?,00000000,00000000), ref: 00AEF8DF
LoadStringW.USER32(00000000,?,00ACE029,00000001), ref: 00AEF8E8

Part of subcall function 00A97DE1: _memmove.LIBCMT ref: 00A97E22

GetModuleHandleW.KERNEL32(00000000,00B55310,?,00000FFF,?,?,00ACE029,00000001,0000138C,00000001,00000000,00000001,?,00000000,00000000,00000001), ref: 00AEF90A
LoadStringW.USER32(00000000,?,00ACE029,00000001), ref: 00AEF90D
__swprintf.LIBCMT ref: 00AEF95D
__swprintf.LIBCMT ref: 00AEF96E
_wprintf.LIBCMT ref: 00AEFA17
MessageBoxW.USER32(00000000,?,?,00011010), ref: 00AEFA2E

Strings

Line %d:, xrefs: 00AEF968
Line %d (File "%s"):, xrefs: 00AEF957
Error: , xrefs: 00AEF9E5
%s (%d) : ==> %s: %s %s, xrefs: 00AEFA12
^ ERROR, xrefs: 00AEF9C3

Memory Dump Source

Source File: 00000000.00000002.2177197772.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true

Associated: 00000000.00000002.2177164617.0000000000A90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177927609.0000000000B98000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178101088.0000000000B99000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_uOCavrYu1y.jbxd

Similarity

API ID: HandleLoadModuleString__swprintf$Message_memmove_wprintf
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 984253442-2268648507
Opcode ID: a1b0f4faeacd74f9f8dbdaf226b7339f78d942447a3e7392c374cd9090035e60
Instruction ID: eee7fad5b03a80ba40d0ed4a0692c4a38f6faa75fe8a09cfbd927ad5f80199f4
Opcode Fuzzy Hash: a1b0f4faeacd74f9f8dbdaf226b7339f78d942447a3e7392c374cd9090035e60
Instruction Fuzzy Hash: 5A412D72A04109AACF15FBE0DE46EEEB7B8EF18340F500065B506760A2EA316F49CB61

Function 00B1BA33 Relevance: 22.6, APIs: 15, Instructions: 130filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,00B19207,?,?), ref: 00B1BA56
GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,00B19207,?,?,00000000,?), ref: 00B1BA6D
GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,00B19207,?,?,00000000,?), ref: 00B1BA78
CloseHandle.KERNEL32(00000000,?,?,?,?,00B19207,?,?,00000000,?), ref: 00B1BA85
GlobalLock.KERNEL32(00000000), ref: 00B1BA8E
ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,?,?,00B19207,?,?,00000000,?), ref: 00B1BA9D
GlobalUnlock.KERNEL32(00000000), ref: 00B1BAA6
CloseHandle.KERNEL32(00000000,?,?,?,?,00B19207,?,?,00000000,?), ref: 00B1BAAD
CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 00B1BABE
OleLoadPicture.OLEAUT32(?,00000000,00000000,00B22CAC,?), ref: 00B1BAD7
GlobalFree.KERNEL32(00000000), ref: 00B1BAE7
GetObjectW.GDI32(00000000,00000018,?), ref: 00B1BB0B
CopyImage.USER32(00000000,00000000,?,?,00002000), ref: 00B1BB36
DeleteObject.GDI32(00000000), ref: 00B1BB5E
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 00B1BB74

Memory Dump Source

Source File: 00000000.00000002.2177197772.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true

Associated: 00000000.00000002.2177164617.0000000000A90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177927609.0000000000B98000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178101088.0000000000B99000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_uOCavrYu1y.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: 74ae10738e16982d04af51f22acb462c3f28b73945b7a8e0c5daa1e49ffbe2d1
Instruction ID: 5a0cecd27c0eb484b0b48d049fb45066aad6fd137fa776946a35ddd4a8a61de8
Opcode Fuzzy Hash: 74ae10738e16982d04af51f22acb462c3f28b73945b7a8e0c5daa1e49ffbe2d1
Instruction Fuzzy Hash: 3C41F675600209AFDB119F65DC88EEBBBB9EF89711F5080A8F909D7260DB709A41CB60

Function 00AFD899 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

__wsplitpath.LIBCMT ref: 00AFDA10
_wcscat.LIBCMT ref: 00AFDA28
_wcscat.LIBCMT ref: 00AFDA3A
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00AFDA4F
SetCurrentDirectoryW.KERNEL32(?), ref: 00AFDA63
GetFileAttributesW.KERNEL32(?), ref: 00AFDA7B
SetFileAttributesW.KERNEL32(?,00000000), ref: 00AFDA95
SetCurrentDirectoryW.KERNEL32(?), ref: 00AFDAA7

Strings

*.*, xrefs: 00AFDAE6

Memory Dump Source

Source File: 00000000.00000002.2177197772.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true

Associated: 00000000.00000002.2177164617.0000000000A90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177927609.0000000000B98000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178101088.0000000000B99000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_uOCavrYu1y.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile_wcscat$__wsplitpath
String ID: *.*
API String ID: 34673085-438819550
Opcode ID: d235f5b909ad13f850172b99f9c7de5f5952fc64a4d7cf65a1a2bfbd9e65a38c
Instruction ID: 896771a81e982c40b528d3c3de6c603b37e265162c86271a28f953fdb4404550
Opcode Fuzzy Hash: d235f5b909ad13f850172b99f9c7de5f5952fc64a4d7cf65a1a2bfbd9e65a38c
Instruction Fuzzy Hash: 7F81B4726043099FCB21EFE4C884ABAB7E9BF89350F14882EF589D7211E670D944CB52

Function 00B0731A Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 160windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00B0738F
CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 00B0739B
CreateCompatibleDC.GDI32(?), ref: 00B073A7
SelectObject.GDI32(00000000,?), ref: 00B073B4
StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 00B07408
GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,00000028,00000000), ref: 00B07444
GetDIBits.GDI32(00000006,?,00000000,?,00000000,00000028,00000000), ref: 00B07468
SelectObject.GDI32(00000006,?), ref: 00B07470
DeleteObject.GDI32(?), ref: 00B07479
DeleteDC.GDI32(00000006), ref: 00B07480
ReleaseDC.USER32(00000000,?), ref: 00B0748B

Strings

(, xrefs: 00B07410

Memory Dump Source

Source File: 00000000.00000002.2177197772.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true

Associated: 00000000.00000002.2177164617.0000000000A90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177927609.0000000000B98000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178101088.0000000000B99000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_uOCavrYu1y.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: 39fd28994df89920a82d7ae16d052c46ad490479e3c434dd9981c5c01ca3708b
Instruction ID: 13f622c434c47cafe520e731301b2d10310220ad95261e62510025358aace888
Opcode Fuzzy Hash: 39fd28994df89920a82d7ae16d052c46ad490479e3c434dd9981c5c01ca3708b
Instruction Fuzzy Hash: 52514871904209EFDB14CFA8DC89EAEBBF9EF48310F14846DF95A97251CB31A941CB50

Function 00A96A8C Relevance: 19.7, APIs: 4, Strings: 7, Instructions: 478COMMON

Download Yara Rule

APIs

Part of subcall function 00AB0957: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,00A96B0C,?,00008000), ref: 00AB0973

Part of subcall function 00A94750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00A94743,?,?,00A937AE,?), ref: 00A94770

SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00A96BAD
SetCurrentDirectoryW.KERNEL32(?), ref: 00A96CFA

Part of subcall function 00A9586D: _wcscpy.LIBCMT ref: 00A958A5

Part of subcall function 00AB363D: _iswctype.LIBCMT ref: 00AB3645

Strings

AU3!, xrefs: 00A96B61
Error opening the file, xrefs: 00ACE43D, 00ACE4B8
Bad directive syntax error, xrefs: 00ACE79D
>>>AUTOIT SCRIPT<<<, xrefs: 00ACE496
#include depth exceeded. Make sure there are no recursive includes, xrefs: 00ACE421
Unterminated string, xrefs: 00ACE7E4
EA06, xrefs: 00ACE452

Memory Dump Source

Source File: 00000000.00000002.2177197772.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true

Associated: 00000000.00000002.2177164617.0000000000A90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177927609.0000000000B98000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178101088.0000000000B99000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_uOCavrYu1y.jbxd

Similarity

API ID: CurrentDirectory$FullNamePath_iswctype_wcscpy
String ID: #include depth exceeded. Make sure there are no recursive includes$>>>AUTOIT SCRIPT<<<$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
API String ID: 537147316-1018226102
Opcode ID: 0d2062af5cb2bf09e02a3885a976df2b0ab6b785d1d69f8012c9ff6af236b259
Instruction ID: 2e4bbb7d02019d91a852b5fca1b410be318b47f25fa9fe17539a2861dcb407d8
Opcode Fuzzy Hash: 0d2062af5cb2bf09e02a3885a976df2b0ab6b785d1d69f8012c9ff6af236b259
Instruction Fuzzy Hash: 1C028C316083419FCB25EF24C981EAFBBE5EF99314F10491DF499972A2DB30DA49CB52

Function 00AF2D36 Relevance: 19.7, APIs: 13, Instructions: 214windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00AF2D50
GetMenuItemInfoW.USER32(00000000,00000007,00000000,00000030), ref: 00AF2DDD
GetMenuItemCount.USER32(00B55890), ref: 00AF2E66
DeleteMenu.USER32(00B55890,00000005,00000000,000000F5,?,?), ref: 00AF2EF6
DeleteMenu.USER32(00B55890,00000004,00000000), ref: 00AF2EFE
DeleteMenu.USER32(00B55890,00000006,00000000), ref: 00AF2F06
DeleteMenu.USER32(00B55890,00000003,00000000), ref: 00AF2F0E
GetMenuItemCount.USER32(00B55890), ref: 00AF2F16
SetMenuItemInfoW.USER32(00B55890,00000004,00000000,00000030), ref: 00AF2F4C
GetCursorPos.USER32(?), ref: 00AF2F56
SetForegroundWindow.USER32(00000000), ref: 00AF2F5F
TrackPopupMenuEx.USER32(00B55890,00000000,?,00000000,00000000,00000000), ref: 00AF2F72
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00AF2F7E

Memory Dump Source

Source File: 00000000.00000002.2177197772.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true

Associated: 00000000.00000002.2177164617.0000000000A90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177927609.0000000000B98000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178101088.0000000000B99000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_uOCavrYu1y.jbxd

Similarity

API ID: Menu$DeleteItem$CountInfo$CursorForegroundMessagePopupPostTrackWindow_memset
String ID:
API String ID: 3993528054-0
Opcode ID: ad103da02eb9945bd3fc7582a950339c16343900d88d8f03d96228243d5559c1
Instruction ID: 5e550c84351afce230aab8d31fc4431d0e055b3da5896959030cc5956944c025
Opcode Fuzzy Hash: ad103da02eb9945bd3fc7582a950339c16343900d88d8f03d96228243d5559c1
Instruction Fuzzy Hash: C271C27060020ABAEB219F94DC45FFABF65FB04364F244226F719AA1E1CB715820DB94

Function 00AE77DC Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 128registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 00A97BCC: _memmove.LIBCMT ref: 00A97C06

_memset.LIBCMT ref: 00AE786B
WNetAddConnection2W.MPR(?,?,?,00000000), ref: 00AE78A0
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 00AE78BC
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 00AE78D8
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00AE7902
CLSIDFromString.COMBASE(?,?), ref: 00AE792A
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00AE7935
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00AE793A

Strings

\CLSID, xrefs: 00AE7822
SOFTWARE\Classes\, xrefs: 00AE780C
\IPC$, xrefs: 00AE7882

Memory Dump Source

Source File: 00000000.00000002.2177197772.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true

Associated: 00000000.00000002.2177164617.0000000000A90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177927609.0000000000B98000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178101088.0000000000B99000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_uOCavrYu1y.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_memmove_memset
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 1411258926-22481851
Opcode ID: 67122529aff5d82dcdcc9088ae52d00ecfb8ac229da13883e4925cf2e9360a1c
Instruction ID: 1d17f250b04620dba36cca2230a6b5e40d79d7b37e20874d9dfe12f81c0c1545
Opcode Fuzzy Hash: 67122529aff5d82dcdcc9088ae52d00ecfb8ac229da13883e4925cf2e9360a1c
Instruction Fuzzy Hash: 3A41F772D14229ABDF15EFA4DD85DEDB7B8FF18710F444069E905A3261EB309E04CBA0

Function 00B10E1A Relevance: 19.4, APIs: 1, Strings: 10, Instructions: 120COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,00B0FDAD,?,?), ref: 00B10E31

Strings

HKCU, xrefs: 00B10F21
HKCC, xrefs: 00B10EFF
HKEY_USERS, xrefs: 00B10F32
HKEY_CURRENT_USER, xrefs: 00B10F10
HKU, xrefs: 00B10F43
HKEY_CURRENT_CONFIG, xrefs: 00B10EEE
HKEY_CLASSES_ROOT, xrefs: 00B10EC4
HKCR, xrefs: 00B10ED9
HKEY_LOCAL_MACHINE, xrefs: 00B10E9A
HKLM, xrefs: 00B10EAF

Memory Dump Source

Source File: 00000000.00000002.2177197772.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true

Associated: 00000000.00000002.2177164617.0000000000A90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177927609.0000000000B98000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178101088.0000000000B99000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_uOCavrYu1y.jbxd

Similarity

API ID: BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 3964851224-909552448
Opcode ID: 9f6f470af181b86fef407fc83f0be99e80a7761f1042eb5842d68d16f4a07deb
Instruction ID: be43a269366e081d799c2f9f67eb159b2305fdc22edc6f93eea843b4fce8572e
Opcode Fuzzy Hash: 9f6f470af181b86fef407fc83f0be99e80a7761f1042eb5842d68d16f4a07deb
Instruction Fuzzy Hash: 8C414E3212424A8BDF20FF10D956AEF37A4FF11350FA444A9FC5517292DB70999AC760

Function 00AEF7A1 Relevance: 19.3, APIs: 6, Strings: 5, Instructions: 75windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00ACE2A0,00000010,?,Bad directive syntax error,00B1F910,00000000,?,?,?,>>>AUTOIT SCRIPT<<<), ref: 00AEF7C2
LoadStringW.USER32(00000000,?,00ACE2A0,00000010), ref: 00AEF7C9

Part of subcall function 00A97DE1: _memmove.LIBCMT ref: 00A97E22

_wprintf.LIBCMT ref: 00AEF7FC
__swprintf.LIBCMT ref: 00AEF81E
MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 00AEF88D

Strings

Line %d:, xrefs: 00AEF818
Line %d (File "%s"):, xrefs: 00AEF833
., xrefs: 00AEF873
%s (%d) : ==> %s.: %s %s, xrefs: 00AEF7F7
Error: , xrefs: 00AEF85B

Memory Dump Source

Source File: 00000000.00000002.2177197772.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true

Associated: 00000000.00000002.2177164617.0000000000A90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177927609.0000000000B98000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178101088.0000000000B99000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_uOCavrYu1y.jbxd

Similarity

API ID: HandleLoadMessageModuleString__swprintf_memmove_wprintf
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 1506413516-4153970271
Opcode ID: cf21ab7031142c3f77a177f84c2d7e32fb593a99aef8a2debcb4ce8288b5e2fe
Instruction ID: 99e40cb57d42d9f95f3b98e98b6f889a591d87dd0223959896a2aaa90d727536
Opcode Fuzzy Hash: cf21ab7031142c3f77a177f84c2d7e32fb593a99aef8a2debcb4ce8288b5e2fe
Instruction Fuzzy Hash: F3215332A1021AEFCF11EFA0CD5AEFE77B9FF18300F044465F515660A2EA71A618DB51

Function 00AF52C7 Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 74COMMON

Download Yara Rule

APIs

Part of subcall function 00A97BCC: _memmove.LIBCMT ref: 00A97C06

Part of subcall function 00A97924: _memmove.LIBCMT ref: 00A979AD

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 00AF5330
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00AF5346
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00AF5357
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00AF5369
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 00AF537A

Strings

alias PlayMe, xrefs: 00AF5309
play PlayMe, xrefs: 00AF5375
play PlayMe wait, xrefs: 00AF5364
status PlayMe mode, xrefs: 00AF532B
open , xrefs: 00AF52DF
close PlayMe, xrefs: 00AF5341, 00AF536E

Memory Dump Source

Source File: 00000000.00000002.2177197772.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true

Associated: 00000000.00000002.2177164617.0000000000A90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177927609.0000000000B98000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178101088.0000000000B99000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_uOCavrYu1y.jbxd

Similarity

API ID: SendString$_memmove
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2279737902-1007645807
Opcode ID: 3e0214cca8ba7861c8944a3b5ca3960809ee9580b53f08805e4d516584d2b204
Instruction ID: b747e1feb6b4aae2beff835ba319eef538714472bfa3547753a94fe970083d6b
Opcode Fuzzy Hash: 3e0214cca8ba7861c8944a3b5ca3960809ee9580b53f08805e4d516584d2b204
Instruction Fuzzy Hash: C0116021EA412D79DB64B7B5DC5ADFF7AFCEB91B80F400469B505A60E1EEA00E04C5B1

Function 00AF46B7 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 73networkCOMMON

Download Yara Rule

APIs

WSAStartup.WS2_32(00000101,?), ref: 00AF46D2
gethostname.WS2_32(?,00000100), ref: 00AF46EC
gethostbyname.WS2_32(?), ref: 00AF46F9
_wcscpy.LIBCMT ref: 00AF4721
_memmove.LIBCMT ref: 00AF4734
inet_ntoa.WS2_32(?), ref: 00AF473F
_strcat.LIBCMT ref: 00AF474D
_wcscpy.LIBCMT ref: 00AF4764
WSACleanup.WS2_32 ref: 00AF4772
_wcscpy.LIBCMT ref: 00AF4780

Strings

0.0.0.0, xrefs: 00AF471B

Memory Dump Source

Source File: 00000000.00000002.2177197772.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true

Associated: 00000000.00000002.2177164617.0000000000A90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177927609.0000000000B98000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178101088.0000000000B99000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_uOCavrYu1y.jbxd

Similarity

API ID: _wcscpy$CleanupStartup_memmove_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 208665112-3771769585
Opcode ID: 4da74996531c98596d85eb5146b12bfb628871e8bb6e5a234726642c5df749c2
Instruction ID: 8afe7423596a26f9daf10afd6519186cc317492f19c10247246a3f1eeaebaef3
Opcode Fuzzy Hash: 4da74996531c98596d85eb5146b12bfb628871e8bb6e5a234726642c5df749c2
Instruction Fuzzy Hash: E911C031904119AFDB20BBB49C4AEFB77BCEB06721F4441B6F645960A2EF719A81CA50

Function 00AF4F75 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 00AF4F7A

Part of subcall function 00AB049F: timeGetTime.WINMM(?,7694B400,00AA0E7B), ref: 00AB04A3

Sleep.KERNEL32(0000000A), ref: 00AF4FA6
EnumThreadWindows.USER32(?,Function_00064F28,00000000), ref: 00AF4FCA
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 00AF4FEC
SetActiveWindow.USER32 ref: 00AF500B
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00AF5019
SendMessageW.USER32(00000010,00000000,00000000), ref: 00AF5038
Sleep.KERNEL32(000000FA), ref: 00AF5043
IsWindow.USER32 ref: 00AF504F
EndDialog.USER32(00000000), ref: 00AF5060

Strings

BUTTON, xrefs: 00AF4FDE

Memory Dump Source

Source File: 00000000.00000002.2177197772.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true

Associated: 00000000.00000002.2177164617.0000000000A90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177927609.0000000000B98000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178101088.0000000000B99000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_uOCavrYu1y.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: fc20641e08589676639b3b102231e1b46747659916424a421aac7812e02dcdcb
Instruction ID: 124ae0fec222fccc70a502338d78048629d6c1b67305c51a78f4ef448d191a4b
Opcode Fuzzy Hash: fc20641e08589676639b3b102231e1b46747659916424a421aac7812e02dcdcb
Instruction Fuzzy Hash: 3A21987064070AAFEB219FB0EC98B763B69EB28746B845028B305831B1EF318D10CB61

Function 00AFD58D Relevance: 18.3, APIs: 12, Instructions: 283comCOMMON

Download Yara Rule

APIs

Part of subcall function 00A99837: __itow.LIBCMT ref: 00A99862
Part of subcall function 00A99837: __swprintf.LIBCMT ref: 00A998AC

CoInitialize.OLE32(00000000), ref: 00AFD5EA
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00AFD67D
SHGetDesktopFolder.SHELL32(?), ref: 00AFD691
CoCreateInstance.COMBASE(00B22D7C,00000000,00000001,00B48C1C,?), ref: 00AFD6DD
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00AFD74C
CoTaskMemFree.COMBASE(?), ref: 00AFD7A4
_memset.LIBCMT ref: 00AFD7E1
SHBrowseForFolderW.SHELL32(?), ref: 00AFD81D
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00AFD840
CoTaskMemFree.COMBASE(00000000), ref: 00AFD847
CoTaskMemFree.COMBASE(00000000), ref: 00AFD87E
CoUninitialize.COMBASE ref: 00AFD880

Memory Dump Source

Source File: 00000000.00000002.2177197772.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true

Associated: 00000000.00000002.2177164617.0000000000A90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177927609.0000000000B98000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178101088.0000000000B99000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_uOCavrYu1y.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize__itow__swprintf_memset
String ID:
API String ID: 1246142700-0
Opcode ID: 386666e935cf8b84b92c14f48e11be8bd7a89c1d3a9cd07f8152525695fe2299
Instruction ID: 81116e384e22997e9eeec845dc59dd2054fae1da34f4c3a5c8e69733dd0402d2
Opcode Fuzzy Hash: 386666e935cf8b84b92c14f48e11be8bd7a89c1d3a9cd07f8152525695fe2299
Instruction Fuzzy Hash: 35B1EA75A00109AFDB05DFA9C985DAEBBF9FF48314B1484A9F909EB261DB30ED41CB50

Function 00AEC267 Relevance: 18.2, APIs: 12, Instructions: 174COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 00AEC283
GetWindowRect.USER32(00000000,?), ref: 00AEC295
MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 00AEC2F3
GetDlgItem.USER32(?,00000002), ref: 00AEC2FE
GetWindowRect.USER32(00000000,?), ref: 00AEC310
MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 00AEC364
GetDlgItem.USER32(?,000003E9), ref: 00AEC372
GetWindowRect.USER32(00000000,?), ref: 00AEC383
MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 00AEC3C6
GetDlgItem.USER32(?,000003EA), ref: 00AEC3D4
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00AEC3F1
InvalidateRect.USER32(?,00000000,00000001), ref: 00AEC3FE

Memory Dump Source

Source File: 00000000.00000002.2177197772.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true

Associated: 00000000.00000002.2177164617.0000000000A90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177927609.0000000000B98000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178101088.0000000000B99000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_uOCavrYu1y.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: bf7467e7d2aec599f2f6a3b4f7ec1d99f2f71693af25827dc29f3f1edd8062e4
Instruction ID: 68d6c16da1295d0d5514e0faae3c6acbfb26598006d3dbc5d2299fdafdfde8b1
Opcode Fuzzy Hash: bf7467e7d2aec599f2f6a3b4f7ec1d99f2f71693af25827dc29f3f1edd8062e4
Instruction Fuzzy Hash: D4512E71B00206AFDB18CFA9DD99AAEBBBAFB88711F54812DF515D7290DB709D01CB10

Function 00A921A5 Relevance: 18.1, APIs: 12, Instructions: 132COMMON

Download Yara Rule

APIs

Part of subcall function 00A925DB: GetWindowLongW.USER32(?,000000EB), ref: 00A925EC

GetSysColor.USER32(0000000F), ref: 00A921D3

Memory Dump Source

Source File: 00000000.00000002.2177197772.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true

Associated: 00000000.00000002.2177164617.0000000000A90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177927609.0000000000B98000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178101088.0000000000B99000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_uOCavrYu1y.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: c509111f6fe09ccc90e7e60cb272aca19b4d2eb51a97cdf1b1c94b359de8163c
Instruction ID: 93b9e94999b1af5aef3caa61acd7b71e932331f20dbdc044d62f34325d835c6a
Opcode Fuzzy Hash: c509111f6fe09ccc90e7e60cb272aca19b4d2eb51a97cdf1b1c94b359de8163c
Instruction Fuzzy Hash: 78419031204540FADF259F28EC89BF93BA6EB06731F548265FE659B1E1CB318C42DB61

Function 00AFA8A7 Relevance: 17.7, APIs: 3, Strings: 7, Instructions: 183COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,00B1F910), ref: 00AFA90B
GetDriveTypeW.KERNEL32(00000061,00B489A0,00000061), ref: 00AFA9D5
_wcscpy.LIBCMT ref: 00AFA9FF

Strings

ramdisk, xrefs: 00AFA97F
removable, xrefs: 00AFA93D
all, xrefs: 00AFA911
cdrom, xrefs: 00AFA927
fixed, xrefs: 00AFA953
network, xrefs: 00AFA969
unknown, xrefs: 00AFA996

Memory Dump Source

Source File: 00000000.00000002.2177197772.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true

Associated: 00000000.00000002.2177164617.0000000000A90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177927609.0000000000B98000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178101088.0000000000B99000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_uOCavrYu1y.jbxd

Similarity

API ID: BuffCharDriveLowerType_wcscpy
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2820617543-1000479233
Opcode ID: cbf5f82761a0e844dd458af51b4f4e53e92e31ff209d4edc2caba784a40fef87
Instruction ID: c21223391443d880dc69089a8ae52be76d1ea10a82f5297af9db6827d9abad5d
Opcode Fuzzy Hash: cbf5f82761a0e844dd458af51b4f4e53e92e31ff209d4edc2caba784a40fef87
Instruction Fuzzy Hash: 2051AC71218305ABC700EF54CA92ABFB7E9EF94380F50482DF699572A2DB71D909CA53

Function 00A99837 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 146COMMON

Download Yara Rule

APIs

__itow.LIBCMT ref: 00A99862
__swprintf.LIBCMT ref: 00A998AC
__i64tow.LIBCMT ref: 00ACF5E6

Strings

0x%p, xrefs: 00ACF5C8
%.15g, xrefs: 00A998A6
True, xrefs: 00ACF5A7
False, xrefs: 00ACF5AE

Memory Dump Source

Source File: 00000000.00000002.2177197772.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true

Associated: 00000000.00000002.2177164617.0000000000A90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177927609.0000000000B98000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178101088.0000000000B99000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_uOCavrYu1y.jbxd

Similarity

API ID: __i64tow__itow__swprintf
String ID: %.15g$0x%p$False$True
API String ID: 421087845-2263619337
Opcode ID: 82ae5ee998805c024167a6f3f28ba0c2b596dd7703be7a2bcc441ffd44da17e0
Instruction ID: 205ffaee9829d16f61246e0f5d84e46164bfd1ff518f5d79c430364175748c54
Opcode Fuzzy Hash: 82ae5ee998805c024167a6f3f28ba0c2b596dd7703be7a2bcc441ffd44da17e0
Instruction Fuzzy Hash: 5B41B471600209AFEF24DF78D942FBB73F9EF05300F2444AEE549DB292EA3299419B11

Function 00B17152 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 103windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00B1716A
CreateMenu.USER32 ref: 00B17185
SetMenu.USER32(?,00000000), ref: 00B17194
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00B17221
IsMenu.USER32(?), ref: 00B17237
CreatePopupMenu.USER32 ref: 00B17241
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00B1726E
DrawMenuBar.USER32 ref: 00B17276

Strings

0, xrefs: 00B17160
F, xrefs: 00B17262

Memory Dump Source

Source File: 00000000.00000002.2177197772.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true

Associated: 00000000.00000002.2177164617.0000000000A90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177927609.0000000000B98000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178101088.0000000000B99000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_uOCavrYu1y.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup_memset
String ID: 0$F
API String ID: 176399719-3044882817
Opcode ID: 3836a5a283c1f016045cd366cff91a44bacfbcac4048154528596e4487b3ee5b
Instruction ID: e8347878f946910ef6b3e4c8160e94b5c12f198d9b5dbf89289363ff4f61eff6
Opcode Fuzzy Hash: 3836a5a283c1f016045cd366cff91a44bacfbcac4048154528596e4487b3ee5b
Instruction Fuzzy Hash: B3414774A01209EFDB20DF64D984EEA7BF5FF49311F6440A8F905A7361DB31A910CB90

Function 00B174BB Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 00B1755E
CreateCompatibleDC.GDI32(00000000), ref: 00B17565
SendMessageW.USER32(?,00000173,00000000,00000000), ref: 00B17578
SelectObject.GDI32(00000000,00000000), ref: 00B17580
GetPixel.GDI32(00000000,00000000,00000000), ref: 00B1758B
DeleteDC.GDI32(00000000), ref: 00B17594
GetWindowLongW.USER32(?,000000EC), ref: 00B1759E
SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000001), ref: 00B175B2
DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?,?), ref: 00B175BE

Strings

static, xrefs: 00B174F6

Memory Dump Source

Source File: 00000000.00000002.2177197772.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true

Associated: 00000000.00000002.2177164617.0000000000A90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177927609.0000000000B98000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178101088.0000000000B99000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_uOCavrYu1y.jbxd

Similarity

API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
String ID: static
API String ID: 2559357485-2160076837
Opcode ID: 657b1b3d705ae288df89fb7dead45e425988b446acad13bcd9790b8210a88e35
Instruction ID: 1503c2f8150fb48208e1beccc1ccc39b9fb9d630001c477ef0c7f5762c68f2cd
Opcode Fuzzy Hash: 657b1b3d705ae288df89fb7dead45e425988b446acad13bcd9790b8210a88e35
Instruction Fuzzy Hash: 9C318B32144216BBDF129F64DC09FEA3BBAFF19360F504264FA15A31A0CB31D961DBA0

Function 00AB6E03 Relevance: 16.8, APIs: 11, Instructions: 258COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00AB6E3E

Part of subcall function 00AB8B28: __getptd_noexit.LIBCMT ref: 00AB8B28

__gmtime64_s.LIBCMT ref: 00AB6ED7
__gmtime64_s.LIBCMT ref: 00AB6F0D
__gmtime64_s.LIBCMT ref: 00AB6F2A
__allrem.LIBCMT ref: 00AB6F80
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00AB6F9C
__allrem.LIBCMT ref: 00AB6FB3
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00AB6FD1
__allrem.LIBCMT ref: 00AB6FE8
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00AB7006
__invoke_watson.LIBCMT ref: 00AB7077

Memory Dump Source

Source File: 00000000.00000002.2177197772.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true

Associated: 00000000.00000002.2177164617.0000000000A90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177927609.0000000000B98000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178101088.0000000000B99000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_uOCavrYu1y.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
String ID:
API String ID: 384356119-0
Opcode ID: 1572197e9c4cf49d3ac3c19b6e82465e4eefa01e3d88f7bbd38cf7a66862b9c5
Instruction ID: db38a5a6e71be9059f35c64bb6e550b61a6a7152e0927405e2798bb3241ac3c5
Opcode Fuzzy Hash: 1572197e9c4cf49d3ac3c19b6e82465e4eefa01e3d88f7bbd38cf7a66862b9c5
Instruction Fuzzy Hash: 62710776A00716ABDB14AF78DD41BEAB7BCAF44364F14822EF514D7282E774DE008B90

Function 00AF2527 Relevance: 16.7, APIs: 11, Instructions: 190windowsleepCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00AF2542
GetMenuItemInfoW.USER32(00B55890,000000FF,00000000,00000030), ref: 00AF25A3
SetMenuItemInfoW.USER32(00B55890,00000004,00000000,00000030), ref: 00AF25D9
Sleep.KERNEL32(000001F4), ref: 00AF25EB
GetMenuItemCount.USER32(?), ref: 00AF262F
GetMenuItemID.USER32(?,00000000), ref: 00AF264B
GetMenuItemID.USER32(?,-00000001), ref: 00AF2675
GetMenuItemID.USER32(?,?), ref: 00AF26BA
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00AF2700
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00AF2714
SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00AF2735

Memory Dump Source

Source File: 00000000.00000002.2177197772.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true

Associated: 00000000.00000002.2177164617.0000000000A90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177927609.0000000000B98000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178101088.0000000000B99000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_uOCavrYu1y.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountRadioSleep_memset
String ID:
API String ID: 4176008265-0
Opcode ID: 32c63e4fa00ed020011cb398a74a94b28ebb3fda4df02279f7c4223bef4d2ef8
Instruction ID: 7fdae44606eaadad66f2445681d9deb553f0248c000f4bb8c2c5d48ab6b7c134
Opcode Fuzzy Hash: 32c63e4fa00ed020011cb398a74a94b28ebb3fda4df02279f7c4223bef4d2ef8
Instruction Fuzzy Hash: 30618AB090024EAFDB21DFA4CD98AFEBBB9EB41344F544059FA41A7251DB31AD05DB21

Function 00B16F23 Relevance: 16.7, APIs: 11, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00B16FA5
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00B16FA8
GetWindowLongW.USER32(?,000000F0), ref: 00B16FCC
_memset.LIBCMT ref: 00B16FDD
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00B16FEF
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00B17067

Memory Dump Source

Source File: 00000000.00000002.2177197772.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true

Associated: 00000000.00000002.2177164617.0000000000A90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177927609.0000000000B98000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178101088.0000000000B99000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_uOCavrYu1y.jbxd

Similarity

API ID: MessageSend$LongWindow_memset
String ID:
API String ID: 830647256-0
Opcode ID: 6e9838ed543566fde5fcf60559b3b9a192a4838794ecc0558a1279d275158f65
Instruction ID: 2a0db6d7ab6169b8236d58a8f3b58326f83a5966ba497cc25fde34a11c167454
Opcode Fuzzy Hash: 6e9838ed543566fde5fcf60559b3b9a192a4838794ecc0558a1279d275158f65
Instruction Fuzzy Hash: 02616C75940208AFDB21DFA4CC81FEE77F8EB09710F504199FA15AB2A1CB71AD85DB90

Function 00AE6B98 Relevance: 16.6, APIs: 11, Instructions: 123memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 00AE6BBF
SafeArrayAllocData.OLEAUT32(?), ref: 00AE6C18
VariantInit.OLEAUT32(?), ref: 00AE6C2A
SafeArrayAccessData.OLEAUT32(?,?), ref: 00AE6C4A
VariantCopy.OLEAUT32(?,?), ref: 00AE6C9D
SafeArrayUnaccessData.OLEAUT32(?), ref: 00AE6CB1
VariantClear.OLEAUT32(?), ref: 00AE6CC6
SafeArrayDestroyData.OLEAUT32(?), ref: 00AE6CD3
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00AE6CDC
VariantClear.OLEAUT32(?), ref: 00AE6CEE
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00AE6CF9

Memory Dump Source

Source File: 00000000.00000002.2177197772.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true

Associated: 00000000.00000002.2177164617.0000000000A90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177927609.0000000000B98000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178101088.0000000000B99000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_uOCavrYu1y.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: dba62169256ff46f0b49354855c2f199ac5549c9a91343acd639f99fe946cb2f
Instruction ID: 35094f7e2f184b09ed195278d9d0de80d0f4cf9148989936c1859c89df75af38
Opcode Fuzzy Hash: dba62169256ff46f0b49354855c2f199ac5549c9a91343acd639f99fe946cb2f
Instruction Fuzzy Hash: 47415F71A0021AAFCF00DFA9D9449EEBBB9EF58354F00C469E955E7361DB30A945CB90

Function 00B05732 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 163networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WS2_32(00000101,?), ref: 00B05793
inet_addr.WS2_32(?), ref: 00B057D8
gethostbyname.WS2_32(?), ref: 00B057E4
IcmpCreateFile.IPHLPAPI ref: 00B057F2
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00B05862
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00B05878
IcmpCloseHandle.IPHLPAPI(00000000), ref: 00B058ED
WSACleanup.WS2_32 ref: 00B058F3

Strings

Ping, xrefs: 00B05816

Memory Dump Source

Source File: 00000000.00000002.2177197772.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true

Associated: 00000000.00000002.2177164617.0000000000A90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177927609.0000000000B98000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178101088.0000000000B99000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_uOCavrYu1y.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: 6dfaf013b84410d45fe2e61726d2d17604e21aeceb4c291047b3605bc56e43ff
Instruction ID: c0276b077aff7492e212059eb6db90145a6db79b3a2ba42770202366f337ce5d
Opcode Fuzzy Hash: 6dfaf013b84410d45fe2e61726d2d17604e21aeceb4c291047b3605bc56e43ff
Instruction Fuzzy Hash: C2515C31604701AFDB219F25CD86B6A7BE4EB45720F048969F996DB6E1DB30E800DF51

Function 00AFB4C3 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 98COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00AFB4D0
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00AFB546
GetLastError.KERNEL32 ref: 00AFB550
SetErrorMode.KERNEL32(00000000,READY), ref: 00AFB5BD

Strings

READONLY, xrefs: 00AFB588
NOTREADY, xrefs: 00AFB57C
INVALID, xrefs: 00AFB58F
READY, xrefs: 00AFB596
UNKNOWN, xrefs: 00AFB575

Memory Dump Source

Source File: 00000000.00000002.2177197772.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true

Associated: 00000000.00000002.2177164617.0000000000A90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177927609.0000000000B98000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178101088.0000000000B99000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_uOCavrYu1y.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: a772b5ac64c46e92e8215bd461781835a1a14c56dadf6401805222406a586ff9
Instruction ID: 062405860d60cb84a48ef9b63378e44acd304b3fe375b1b359432fb74f11c7e2
Opcode Fuzzy Hash: a772b5ac64c46e92e8215bd461781835a1a14c56dadf6401805222406a586ff9
Instruction Fuzzy Hash: BB318135A10209EFDB00EBA8C945ABE77B4FF09314F108169F60697291DB759A42CB61

Function 00AE8F8F Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 82windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00A97DE1: _memmove.LIBCMT ref: 00A97E22

Part of subcall function 00AEAA99: GetClassNameW.USER32(?,?,000000FF), ref: 00AEAABC

SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 00AE9014
GetDlgCtrlID.USER32 ref: 00AE901F
GetParent.USER32 ref: 00AE903B
SendMessageW.USER32(00000000,?,00000111,?), ref: 00AE903E
GetDlgCtrlID.USER32(?), ref: 00AE9047
GetParent.USER32(?), ref: 00AE9063
SendMessageW.USER32(00000000,?,?,00000111), ref: 00AE9066

Strings

ComboBox, xrefs: 00AE8F9C
ListBox, xrefs: 00AE8FD1

Memory Dump Source

Source File: 00000000.00000002.2177197772.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true

Associated: 00000000.00000002.2177164617.0000000000A90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177927609.0000000000B98000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178101088.0000000000B99000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_uOCavrYu1y.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_memmove
String ID: ComboBox$ListBox
API String ID: 1536045017-1403004172
Opcode ID: a13ebb05b76fa87be7e34b13f6f5ef39d9bdda71627112188b6df416375711da
Instruction ID: 9b70c3a30e0f2585d99578efcb6addb6e4c4ae6a2b7b05d6021e11404645e514
Opcode Fuzzy Hash: a13ebb05b76fa87be7e34b13f6f5ef39d9bdda71627112188b6df416375711da
Instruction Fuzzy Hash: 4221D070A00209BBDF05ABA1CC85EFEBBB4EF49310F504169B921972B1DF755919DB20

Function 00AE907A Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 81windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00A97DE1: _memmove.LIBCMT ref: 00A97E22

Part of subcall function 00AEAA99: GetClassNameW.USER32(?,?,000000FF), ref: 00AEAABC

SendMessageW.USER32(?,00000186,00000002,00000000), ref: 00AE90FD
GetDlgCtrlID.USER32 ref: 00AE9108
GetParent.USER32 ref: 00AE9124
SendMessageW.USER32(00000000,?,00000111,?), ref: 00AE9127
GetDlgCtrlID.USER32(?), ref: 00AE9130
GetParent.USER32(?), ref: 00AE914C
SendMessageW.USER32(00000000,?,?,00000111), ref: 00AE914F

Strings

ComboBox, xrefs: 00AE9087
ListBox, xrefs: 00AE90BC

Memory Dump Source

Source File: 00000000.00000002.2177197772.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true

Associated: 00000000.00000002.2177164617.0000000000A90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177927609.0000000000B98000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178101088.0000000000B99000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_uOCavrYu1y.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_memmove
String ID: ComboBox$ListBox
API String ID: 1536045017-1403004172
Opcode ID: 3658299ab535c5563188bf6a50e15d438a8bb848e41e7545598dba65cfe827b5
Instruction ID: d72b4fee30691bf92432d02c377842f5a79dc745004ca9a88d95955b1624516f
Opcode Fuzzy Hash: 3658299ab535c5563188bf6a50e15d438a8bb848e41e7545598dba65cfe827b5
Instruction Fuzzy Hash: 5521D774A00349BBDF11ABA5CC85EFEBBB4EF48300F504155F911972A1DF755915DB20

Function 00AE9163 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 72windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 00AE916F
GetClassNameW.USER32(00000000,?,00000100), ref: 00AE9184
_wcscmp.LIBCMT ref: 00AE9196
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00AE9211

Strings

largeicons, xrefs: 00AE91A5
details, xrefs: 00AE91BF
smallicons, xrefs: 00AE91D9
SHELLDLL_DefView, xrefs: 00AE9190
list, xrefs: 00AE91F3

Memory Dump Source

Source File: 00000000.00000002.2177197772.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true

Associated: 00000000.00000002.2177164617.0000000000A90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177927609.0000000000B98000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178101088.0000000000B99000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_uOCavrYu1y.jbxd

Similarity

API ID: ClassMessageNameParentSend_wcscmp
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1704125052-3381328864
Opcode ID: 81b11ea69f8a147611413c0c79b0d7b6564fec3db62c174ab62648fcfe11997f
Instruction ID: 87ab88512ca821276cf4e5ad5dd4ebc1b6d100c6ebbf62c22f3b363665d01a8d
Opcode Fuzzy Hash: 81b11ea69f8a147611413c0c79b0d7b6564fec3db62c174ab62648fcfe11997f
Instruction Fuzzy Hash: 54112C3628C387BAFE112726DC1ADF73BDC9F15720F200166FA00A50E2FF629951A654

Function 00B088AB Relevance: 15.3, APIs: 10, Instructions: 324fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00B088D7
CoInitialize.OLE32(00000000), ref: 00B08904
CoUninitialize.COMBASE ref: 00B0890E
GetRunningObjectTable.OLE32(00000000,?), ref: 00B08A0E
SetErrorMode.KERNEL32(00000001,00000029), ref: 00B08B3B
CoGetInstanceFromFile.COMBASE(00000000,?,00000000,00000015,00000002,?,00000001,00B22C0C), ref: 00B08B6F
CoGetObject.OLE32(?,00000000,00B22C0C,?), ref: 00B08B92
SetErrorMode.KERNEL32(00000000), ref: 00B08BA5
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00B08C25
VariantClear.OLEAUT32(?), ref: 00B08C35

Memory Dump Source

Source File: 00000000.00000002.2177197772.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true

Associated: 00000000.00000002.2177164617.0000000000A90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177927609.0000000000B98000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178101088.0000000000B99000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_uOCavrYu1y.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
String ID:
API String ID: 2395222682-0
Opcode ID: 0918fe9494760f7c44ac9c7ee16234f21f540f7a905f9cc5afc72d2ae3ae18f2
Instruction ID: d2a13c29c55e5d99e049161cc0abd28715cb34697c6884da4a4cd0cbcc3a24ae
Opcode Fuzzy Hash: 0918fe9494760f7c44ac9c7ee16234f21f540f7a905f9cc5afc72d2ae3ae18f2
Instruction Fuzzy Hash: 76C119B1608305AFD700DF68C88496BBBE9FF89358F00495DF5899B2A1DB71EE05CB52

Function 00AF7990 Relevance: 15.3, APIs: 10, Instructions: 292COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(00000000,?), ref: 00AF7A6C

Memory Dump Source

Source File: 00000000.00000002.2177197772.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true

Associated: 00000000.00000002.2177164617.0000000000A90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177927609.0000000000B98000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178101088.0000000000B99000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_uOCavrYu1y.jbxd

Similarity

API ID: ArraySafeVartype
String ID:
API String ID: 1725837607-0
Opcode ID: 9b9cff4687d8da3da5763adb08219575d915645c6440a9d2cc1d4bdfd1a2e13b
Instruction ID: f21b98cf632ddf48c9cc9116db91825c09365146e5dad102ddd28288ba34cbb7
Opcode Fuzzy Hash: 9b9cff4687d8da3da5763adb08219575d915645c6440a9d2cc1d4bdfd1a2e13b
Instruction Fuzzy Hash: B2B16B7190421E9FDB00DFE8D885BBEB7B4EF09321F244469FA51E7291D774A942CBA0

Function 00A9FA5D Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 264comCOMMON

Download Yara Rule

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00A9FAA6
OleUninitialize.OLE32(?,00000000), ref: 00A9FB45
UnregisterHotKey.USER32(?), ref: 00A9FC9C
DestroyWindow.USER32(?), ref: 00AD45D6
FreeLibrary.KERNEL32(?), ref: 00AD463B
VirtualFree.KERNEL32(?,00000000,00008000), ref: 00AD4668

Strings

close all, xrefs: 00A9FAA1

Memory Dump Source

Source File: 00000000.00000002.2177197772.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true

Associated: 00000000.00000002.2177164617.0000000000A90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177927609.0000000000B98000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178101088.0000000000B99000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_uOCavrYu1y.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: 7eb01572f2172173415ce5743c5d9d7f9352af34c9548ec890643502b6f02c94
Instruction ID: 377a4134e54c1fa430aa537923a71575981e06f7d42a6a2186139ae95f3ad9d9
Opcode Fuzzy Hash: 7eb01572f2172173415ce5743c5d9d7f9352af34c9548ec890643502b6f02c94
Instruction Fuzzy Hash: DEA16E31701212CFDF19EF24C695A69F7A4AF19710F5442ADE80BAB261DB30ED16CF50

Function 00AEA068 Relevance: 14.2, APIs: 2, Strings: 6, Instructions: 241COMMON

Download Yara Rule

APIs

EnumChildWindows.USER32(?,00AEA439), ref: 00AEA377

Strings

CLASS, xrefs: 00AEA0F6
TEXT, xrefs: 00AEA2AE
INSTANCE, xrefs: 00AEA285
CLASSNN, xrefs: 00AEA119
REGEXPCLASS, xrefs: 00AEA13C
NAME, xrefs: 00AEA1A9

Memory Dump Source

Source File: 00000000.00000002.2177197772.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true

Associated: 00000000.00000002.2177164617.0000000000A90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177927609.0000000000B98000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178101088.0000000000B99000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_uOCavrYu1y.jbxd

Similarity

API ID: ChildEnumWindows
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
API String ID: 3555792229-1603158881
Opcode ID: a3a78ec109c211efffc15e182c65840713d4d012352b301d80f82dd8db6e3108
Instruction ID: 32cda0cd7865bf62743c91fed0f72bb4f2b07c41875a2515466627e71a5ba948
Opcode Fuzzy Hash: a3a78ec109c211efffc15e182c65840713d4d012352b301d80f82dd8db6e3108
Instruction Fuzzy Hash: CD91E731A00646ABCF08EFA1C542BEEFBB8FF14300F548519E949A7151DF307A99DBA1

Function 00A92E26 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 186windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 00A92EAE

Part of subcall function 00A91DB3: GetClientRect.USER32(?,?), ref: 00A91DDC
Part of subcall function 00A91DB3: GetWindowRect.USER32(?,?), ref: 00A91E1D
Part of subcall function 00A91DB3: ScreenToClient.USER32(?,?), ref: 00A91E45

GetDC.USER32 ref: 00ACCD32
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00ACCD45
SelectObject.GDI32(00000000,00000000), ref: 00ACCD53
SelectObject.GDI32(00000000,00000000), ref: 00ACCD68
ReleaseDC.USER32(?,00000000), ref: 00ACCD70
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 00ACCDFB

Strings

U, xrefs: 00ACCCD0

Memory Dump Source

Source File: 00000000.00000002.2177197772.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true

Associated: 00000000.00000002.2177164617.0000000000A90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177927609.0000000000B98000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178101088.0000000000B99000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_uOCavrYu1y.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: 2572da404f2ffcef170391e21bc40e5a1cbba5d3cc6e27b4dfb49ef92967c91f
Instruction ID: 660a8dda69689a31970272a7e725ac05cd7693e9de72712fcbc8ac7d0e22732a
Opcode Fuzzy Hash: 2572da404f2ffcef170391e21bc40e5a1cbba5d3cc6e27b4dfb49ef92967c91f
Instruction Fuzzy Hash: D271AE31500205EFCF228F64C894FEA7FB5FF49325F15426AED5A5A2A6D7308C91DB60

Function 00B01A15 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 134networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00B01A50
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 00B01A7C
InternetQueryOptionW.WININET(00000000,0000001F,00000000,?), ref: 00B01ABE
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 00B01AD3
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00B01AE0
HttpQueryInfoW.WININET(00000000,00000005,?,?,00000000), ref: 00B01B10
InternetCloseHandle.WININET(00000000), ref: 00B01B57

Part of subcall function 00B02483: GetLastError.KERNEL32(?,?,00B01817,00000000,00000000,00000001), ref: 00B02498
Part of subcall function 00B02483: SetEvent.KERNEL32(?,?,00B01817,00000000,00000000,00000001), ref: 00B024AD

Strings

, xrefs: 00B01B01

Memory Dump Source

Source File: 00000000.00000002.2177197772.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true

Associated: 00000000.00000002.2177164617.0000000000A90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177927609.0000000000B98000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178101088.0000000000B99000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_uOCavrYu1y.jbxd

Similarity

API ID: Internet$Http$OptionQueryRequest$CloseConnectErrorEventHandleInfoLastOpenSend
String ID:
API String ID: 2603140658-3916222277
Opcode ID: 9de2040619a130d4b43da18880ad7365b5618efe80cbc19021c8eaa84b8cf1e3
Instruction ID: af101969ade275ca03144ef0ffc8c67ba85cebefeeb0d8c341919a0b3a54bee9
Opcode Fuzzy Hash: 9de2040619a130d4b43da18880ad7365b5618efe80cbc19021c8eaa84b8cf1e3
Instruction Fuzzy Hash: 4B4150B1501219BFEB169F54CC89FFB7BACFF08354F008566FA059A181EB749E449BA0

Function 00B08C46 Relevance: 13.9, APIs: 9, Instructions: 438COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,?,00B1F910), ref: 00B08D28
FreeLibrary.KERNEL32(00000000,00000001,00000000,?,00B1F910), ref: 00B08D5C
QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 00B08ED6
SysFreeString.OLEAUT32(?), ref: 00B08F00

Memory Dump Source

Source File: 00000000.00000002.2177197772.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true

Associated: 00000000.00000002.2177164617.0000000000A90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177927609.0000000000B98000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178101088.0000000000B99000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_uOCavrYu1y.jbxd

Similarity

API ID: Free$FileLibraryModuleNamePathQueryStringType
String ID:
API String ID: 560350794-0
Opcode ID: 20b6db9ecd95c28e31d594c5e559337026eeaba84cad0dd84215fc3e38274343
Instruction ID: 2da0bf54d5e3fa4e5282377cfabb4d7ca6635b81b142c310576bcba25150ab59
Opcode Fuzzy Hash: 20b6db9ecd95c28e31d594c5e559337026eeaba84cad0dd84215fc3e38274343
Instruction Fuzzy Hash: 23F12B71A00209EFDF14DF94C884EAEBBB9FF49314F108598F945AB291DB31AE46CB50

Function 00B0F694 Relevance: 13.9, APIs: 9, Instructions: 386processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00B0F6B5
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00B0F848
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00B0F86C
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00B0F8AC
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00B0F8CE
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00B0FA4A
GetLastError.KERNEL32(00000000,00000001,00000000), ref: 00B0FA7C
CloseHandle.KERNEL32(?), ref: 00B0FAAB
CloseHandle.KERNEL32(?), ref: 00B0FB22

Memory Dump Source

Source File: 00000000.00000002.2177197772.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true

Associated: 00000000.00000002.2177164617.0000000000A90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177927609.0000000000B98000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178101088.0000000000B99000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_uOCavrYu1y.jbxd

Similarity

API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
String ID:
API String ID: 4090791747-0
Opcode ID: 37aee184f38af8f216e96dbde2b24de39d655aec57d351d98fda4b015665fa50
Instruction ID: 469e580efcf614ed7b338dc548d1a5808812ee47a461e53137ba7b5194ecb05b
Opcode Fuzzy Hash: 37aee184f38af8f216e96dbde2b24de39d655aec57d351d98fda4b015665fa50
Instruction Fuzzy Hash: E5E19E31604301AFCB24EF24C981B7ABBE5EF85354F1485ADF8999B2A2DB31DC45CB52

Function 00A9201B Relevance: 13.7, APIs: 9, Instructions: 170timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00A91B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00A92036,?,00000000,?,?,?,?,00A916CB,00000000,?), ref: 00A91B9A

DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 00A920D3
KillTimer.USER32(-00000001,?,?,?,?,00A916CB,00000000,?,?,00A91AE2,?,?), ref: 00A9216E
DestroyAcceleratorTable.USER32(00000000), ref: 00ACBCA6
DeleteObject.GDI32(00000000), ref: 00ACBD1C

Memory Dump Source

Source File: 00000000.00000002.2177197772.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true

Associated: 00000000.00000002.2177164617.0000000000A90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177927609.0000000000B98000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178101088.0000000000B99000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_uOCavrYu1y.jbxd

Similarity

API ID: Destroy$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 2402799130-0
Opcode ID: a07c3fe540642f04dfa67a6233b08e053e3da07ad6dcc40c1f3eae2dd33d7873
Instruction ID: afab3ef404fbce2f2a91afcf2f5bb0d0975a4df44eeda467975b14fd54b7480a
Opcode Fuzzy Hash: a07c3fe540642f04dfa67a6233b08e053e3da07ad6dcc40c1f3eae2dd33d7873
Instruction Fuzzy Hash: 0A617731610B11EFDB369F14D959B2AB7F2FB44313F60856DE5428BA60CB71AC90DBA0

Function 00AF4CC1 Relevance: 13.7, APIs: 9, Instructions: 170filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00AF466E: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00AF3697,?), ref: 00AF468B

Part of subcall function 00AF466E: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00AF3697,?), ref: 00AF46A4

Part of subcall function 00AF4A31: GetFileAttributesW.KERNEL32(?,00AF370B), ref: 00AF4A32

lstrcmpiW.KERNEL32(?,?), ref: 00AF4D40
_wcscmp.LIBCMT ref: 00AF4D5A
MoveFileW.KERNEL32(?,?), ref: 00AF4D75

Memory Dump Source

Source File: 00000000.00000002.2177197772.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true

Associated: 00000000.00000002.2177164617.0000000000A90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177927609.0000000000B98000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178101088.0000000000B99000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_uOCavrYu1y.jbxd

Similarity

API ID: FileFullNamePath$AttributesMove_wcscmplstrcmpi
String ID:
API String ID: 793581249-0
Opcode ID: 64f467cafc2ddf0b38058b2066cc3a4c9225889f2f2cba766179e1562847578b
Instruction ID: 96d6057ae21f3f414a7b1b35cb63f867d17e7cfb22a3c4727db3314c9891bdad
Opcode Fuzzy Hash: 64f467cafc2ddf0b38058b2066cc3a4c9225889f2f2cba766179e1562847578b
Instruction Fuzzy Hash: BD5168B25083499BC725DBA4D9819EF77ECAF84350F40092EF289D3152EF34A688C766

Function 00B18645 Relevance: 13.7, APIs: 9, Instructions: 168COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 00B186FF

Memory Dump Source

Source File: 00000000.00000002.2177197772.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true

Associated: 00000000.00000002.2177164617.0000000000A90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177927609.0000000000B98000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178101088.0000000000B99000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_uOCavrYu1y.jbxd

Similarity

API ID: InvalidateRect
String ID:
API String ID: 634782764-0
Opcode ID: 78bf6830734cc28a2640a11c5673b597c72f1a3f2db66f3848c00d3b9d8df727
Instruction ID: 832d2a2fcdb79213a9afde2ae71218c9f794885ec773091758ab820899fe40f3
Opcode Fuzzy Hash: 78bf6830734cc28a2640a11c5673b597c72f1a3f2db66f3848c00d3b9d8df727
Instruction Fuzzy Hash: 57515B30600244BEEF209B289C85FE97BE5FB06760FA042A5F955E61E1DF75AEC0CB51

Function 00A92B72 Relevance: 13.7, APIs: 9, Instructions: 161windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 00ACC2F7
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00ACC319
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 00ACC331
ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 00ACC34F
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 00ACC370
DestroyCursor.USER32(00000000), ref: 00ACC37F
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 00ACC39C
DestroyCursor.USER32(?), ref: 00ACC3AB

Part of subcall function 00B1A4AF: DeleteObject.GDI32(00000000), ref: 00B1A4E8

Memory Dump Source

Source File: 00000000.00000002.2177197772.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true

Associated: 00000000.00000002.2177164617.0000000000A90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177927609.0000000000B98000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178101088.0000000000B99000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_uOCavrYu1y.jbxd

Similarity

API ID: CursorDestroyExtractIconImageLoadMessageSend$DeleteObject
String ID:
API String ID: 2975913752-0
Opcode ID: 6b590bd7fb44bf74d6a6d1003a04fb7102753a7f70b67edbeb77c0ca35ab2570
Instruction ID: 406a829d2f3c0577b34f5b54dd35de760c52e7f14daf2d87fc87e382c97ff56d
Opcode Fuzzy Hash: 6b590bd7fb44bf74d6a6d1003a04fb7102753a7f70b67edbeb77c0ca35ab2570
Instruction Fuzzy Hash: 9F515870A00209AFDF24DF64DC45FAA7BF5EB58321F108568F906DB2A0DB70AD90DB50

Function 00AE966E Relevance: 13.6, APIs: 9, Instructions: 66sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00AEA82C: GetWindowThreadProcessId.USER32(?,00000000), ref: 00AEA84C
Part of subcall function 00AEA82C: GetCurrentThreadId.KERNEL32 ref: 00AEA853
Part of subcall function 00AEA82C: AttachThreadInput.USER32(00000000,?,00AE9683,?,00000001), ref: 00AEA85A

MapVirtualKeyW.USER32(00000025,00000000), ref: 00AE968E
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 00AE96AB
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000,?,00000001), ref: 00AE96AE
MapVirtualKeyW.USER32(00000025,00000000), ref: 00AE96B7
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00AE96D5
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 00AE96D8
MapVirtualKeyW.USER32(00000025,00000000), ref: 00AE96E1
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00AE96F8
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 00AE96FB

Memory Dump Source

Source File: 00000000.00000002.2177197772.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true

Associated: 00000000.00000002.2177164617.0000000000A90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177927609.0000000000B98000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178101088.0000000000B99000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_uOCavrYu1y.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: e820a6666d0b91f952206fed450709cc9043465d790fb67690814ff6e52d89e6
Instruction ID: 96dea716d5c0361b10dbe0071566bd6f785fd0be713e979166e596eda5bbddaa
Opcode Fuzzy Hash: e820a6666d0b91f952206fed450709cc9043465d790fb67690814ff6e52d89e6
Instruction Fuzzy Hash: A711E1B1910619BEFA106F65DC89FBA3F2DEB4C750F604425F344AB0A0CDF26C10DAA4

Function 00AE8921 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,00000000,00000000,?,00AE853C,00000B00,?,?), ref: 00AE892A
RtlAllocateHeap.NTDLL(00000000,?,00AE853C), ref: 00AE8931
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00AE853C,00000B00,?,?), ref: 00AE8946
GetCurrentProcess.KERNEL32(?,00000000,?,00AE853C,00000B00,?,?), ref: 00AE894E
DuplicateHandle.KERNEL32(00000000,?,00AE853C,00000B00,?,?), ref: 00AE8951
GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,00AE853C,00000B00,?,?), ref: 00AE8961
GetCurrentProcess.KERNEL32(00AE853C,00000000,?,00AE853C,00000B00,?,?), ref: 00AE8969
DuplicateHandle.KERNEL32(00000000,?,00AE853C,00000B00,?,?), ref: 00AE896C
CreateThread.KERNEL32(00000000,00000000,00AE8992,00000000,00000000,00000000), ref: 00AE8986

Memory Dump Source

Source File: 00000000.00000002.2177197772.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true

Associated: 00000000.00000002.2177164617.0000000000A90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177927609.0000000000B98000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178101088.0000000000B99000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_uOCavrYu1y.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocateCreateThread
String ID:
API String ID: 1422014791-0
Opcode ID: 27d0713f854429a8db4b70a3cb38f582747c0e5a8a3f6664b53a76f629cdb3fb
Instruction ID: 8991a1dcc7ca77a349ac669199d2144fe1590df9631b868587ecd9b08c605d4a
Opcode Fuzzy Hash: 27d0713f854429a8db4b70a3cb38f582747c0e5a8a3f6664b53a76f629cdb3fb
Instruction Fuzzy Hash: 5401BFB5640345FFE710ABA5DC4DFA73B6CEB89711F408421FA05DB191CA749810CB60

Function 00B09B23 Relevance: 12.6, APIs: 5, Strings: 2, Instructions: 352COMMON

Download Yara Rule

Strings

Not an Object type, xrefs: 00B09B7B
NULL Pointer assignment, xrefs: 00B09BA4, 00B09EC8

Memory Dump Source

Source File: 00000000.00000002.2177197772.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true

Associated: 00000000.00000002.2177164617.0000000000A90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177927609.0000000000B98000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178101088.0000000000B99000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_uOCavrYu1y.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: 629346606a8bc3c753bc6692e2049458c6b56e591106fe64068e8c324c8b7a0e
Instruction ID: a43cbaf5bc44a2308081fecec51fb395120f0442db02511a8a009b1a4d67bb11
Opcode Fuzzy Hash: 629346606a8bc3c753bc6692e2049458c6b56e591106fe64068e8c324c8b7a0e
Instruction Fuzzy Hash: 20C1C471A0020A9FDF10CF98D984BAEBBF5FF48350F1085A9E905A72D2E7709D45CB50

Function 00B09113 Relevance: 12.5, APIs: 5, Strings: 2, Instructions: 263COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00B09167
VariantInit.OLEAUT32(?), ref: 00B09238
VariantInit.OLEAUT32(?), ref: 00B09339
VariantClear.OLEAUT32(?), ref: 00B09343
VariantClear.OLEAUT32(?), ref: 00B093A0

Strings

Null Object assignment in FOR..IN loop, xrefs: 00B091C8, 00B092F6, 00B093AE
Incorrect Object type in FOR..IN loop, xrefs: 00B0931C

Memory Dump Source

Source File: 00000000.00000002.2177197772.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true

Associated: 00000000.00000002.2177164617.0000000000A90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177927609.0000000000B98000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178101088.0000000000B99000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_uOCavrYu1y.jbxd

Similarity

API ID: Variant$ClearInit$_memset
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2862541840-625585964
Opcode ID: b0eba8f1bb750429479925ae1e28a13e0183c942cb1029fda2abdc19219eba8f
Instruction ID: bb1959f09657b97f981a0d11521680d9358f1a2e1639eb36ca2ee6394041ded8
Opcode Fuzzy Hash: b0eba8f1bb750429479925ae1e28a13e0183c942cb1029fda2abdc19219eba8f
Instruction Fuzzy Hash: 4F917A71A00219ABDF24DFA5C888FAEBBF8EF45710F108599F515AB2D2D7709905CFA0

Function 00B0975D Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 242COMMON

Download Yara Rule

APIs

Part of subcall function 00AE710A: CLSIDFromProgID.COMBASE ref: 00AE7127
Part of subcall function 00AE710A: ProgIDFromCLSID.COMBASE(?,00000000), ref: 00AE7142
Part of subcall function 00AE710A: lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00AE7044,80070057,?,?), ref: 00AE7150
Part of subcall function 00AE710A: CoTaskMemFree.COMBASE(00000000), ref: 00AE7160

CoInitializeSecurity.COMBASE(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000), ref: 00B09806
_memset.LIBCMT ref: 00B09813
_memset.LIBCMT ref: 00B09956
CoCreateInstanceEx.COMBASE(?,00000000,00000015,?,00000001,00000000), ref: 00B09982
CoTaskMemFree.COMBASE(?), ref: 00B0998D

Strings

NULL Pointer assignment, xrefs: 00B099DB

Memory Dump Source

Source File: 00000000.00000002.2177197772.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true

Associated: 00000000.00000002.2177164617.0000000000A90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177927609.0000000000B98000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178101088.0000000000B99000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_uOCavrYu1y.jbxd

Similarity

API ID: FreeFromProgTask_memset$CreateInitializeInstanceSecuritylstrcmpi
String ID: NULL Pointer assignment
API String ID: 1300414916-2785691316
Opcode ID: c09842b57a861d19f9ab9b3c86bf8fedd511c83306f4663887803a0258db5bed
Instruction ID: 6fc8c7ed39eec44ede73ca77593d578c0e23ef083858ff05c73517bfc6ca9bce
Opcode Fuzzy Hash: c09842b57a861d19f9ab9b3c86bf8fedd511c83306f4663887803a0258db5bed
Instruction Fuzzy Hash: 57912671D00229EBDF10DFA5DD81EEEBBB9EF08350F10815AF519A7291DB719A44CBA0

Function 00B16D80 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 143windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00B16E24
SendMessageW.USER32(?,00001036,00000000,?), ref: 00B16E38
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00B16E52
_wcscat.LIBCMT ref: 00B16EAD
SendMessageW.USER32(?,00001057,00000000,?), ref: 00B16EC4
SendMessageW.USER32(?,00001061,?,0000000F), ref: 00B16EF2

Strings

SysListView32, xrefs: 00B16DF6

Memory Dump Source

Source File: 00000000.00000002.2177197772.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true

Associated: 00000000.00000002.2177164617.0000000000A90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177927609.0000000000B98000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178101088.0000000000B99000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_uOCavrYu1y.jbxd

Similarity

API ID: MessageSend$Window_wcscat
String ID: SysListView32
API String ID: 307300125-78025650
Opcode ID: 17fc786200a385ccce7679d75529dcc1dd3bf959cba1929772f6960441a702f1
Instruction ID: 55cc996f78af432ff17255c66e843e79ffc1e96ca845d5700e2f0d04057e012d
Opcode Fuzzy Hash: 17fc786200a385ccce7679d75529dcc1dd3bf959cba1929772f6960441a702f1
Instruction Fuzzy Hash: 71419071A00349EBEB21DF64DC85BEA77E8EF08350F5045AAF984E7292D6719DC4CB60

Function 00B0E933 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 136COMMON

Download Yara Rule

APIs

Part of subcall function 00AF3C55: CreateToolhelp32Snapshot.KERNEL32 ref: 00AF3C7A
Part of subcall function 00AF3C55: Process32FirstW.KERNEL32(00000000,?), ref: 00AF3C88
Part of subcall function 00AF3C55: CloseHandle.KERNEL32(00000000), ref: 00AF3D52

OpenProcess.KERNEL32(00000001,00000000,?), ref: 00B0E9A4
GetLastError.KERNEL32 ref: 00B0E9B7
OpenProcess.KERNEL32(00000001,00000000,?), ref: 00B0E9E6
TerminateProcess.KERNEL32(00000000,00000000), ref: 00B0EA63
GetLastError.KERNEL32(00000000), ref: 00B0EA6E
CloseHandle.KERNEL32(00000000), ref: 00B0EAA3

Strings

SeDebugPrivilege, xrefs: 00B0E9C2

Memory Dump Source

Source File: 00000000.00000002.2177197772.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true

Associated: 00000000.00000002.2177164617.0000000000A90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177927609.0000000000B98000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178101088.0000000000B99000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_uOCavrYu1y.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: af07bef8ff729e4029dd5e8fcf3522c4b3a5967033e572f512ff3d2c5be03253
Instruction ID: dd76945621feb8860dc59d967ced5eebb61c6b9dcf2c3397d8bf4c093ff0aa50
Opcode Fuzzy Hash: af07bef8ff729e4029dd5e8fcf3522c4b3a5967033e572f512ff3d2c5be03253
Instruction Fuzzy Hash: 5D419631300201AFDB15EF68C995BAEBBE5AF45314F08889CF9169B2D2DB74E804CB95

Function 00AF2F94 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 00AF3033

Strings

warning, xrefs: 00AF301C
blank, xrefs: 00AF2FB5
stop, xrefs: 00AF3004
question, xrefs: 00AF2FEC
info, xrefs: 00AF2FD4

Memory Dump Source

Source File: 00000000.00000002.2177197772.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true

Associated: 00000000.00000002.2177164617.0000000000A90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177927609.0000000000B98000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178101088.0000000000B99000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_uOCavrYu1y.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: affe794281904dda7471f05f6d8ad9c2dec407cfe93611da60c9a5ddf982af5f
Instruction ID: 2f09f71e9792fdf31f30ddf59157dbe358f35034abb535b4143e7668ff78ebe0
Opcode Fuzzy Hash: affe794281904dda7471f05f6d8ad9c2dec407cfe93611da60c9a5ddf982af5f
Instruction Fuzzy Hash: 4011D83224938ABEEB149B95DC42DBF7BAC9F25360B20006BFB0066182DE619F4056A4

Function 00AF42F8 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00AF4312
LoadStringW.USER32(00000000), ref: 00AF4319
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 00AF432F
LoadStringW.USER32(00000000), ref: 00AF4336
_wprintf.LIBCMT ref: 00AF435C
MessageBoxW.USER32(00000000,?,?,00011010), ref: 00AF437A

Strings

%s (%d) : ==> %s: %s %s, xrefs: 00AF4357

Memory Dump Source

Source File: 00000000.00000002.2177197772.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true

Associated: 00000000.00000002.2177164617.0000000000A90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177927609.0000000000B98000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178101088.0000000000B99000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_uOCavrYu1y.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wprintf
String ID: %s (%d) : ==> %s: %s %s
API String ID: 3648134473-3128320259
Opcode ID: 4bb559c30da7f386c625f1eb51cbf51863ff395ceeef186fa6a8832f3cee9625
Instruction ID: 9e4f3c9930298285c84c23cbc170e53731050eb0d0d3e27e74bdc7cf375e824e
Opcode Fuzzy Hash: 4bb559c30da7f386c625f1eb51cbf51863ff395ceeef186fa6a8832f3cee9625
Instruction Fuzzy Hash: 87012CF6900209BFE711A7A49D89EFA766CDB08700F8045A1BB49E6051EA749E858B70

Function 00A92A5B Relevance: 12.1, APIs: 8, Instructions: 129COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,00ACC1C7,00000004,00000000,00000000,00000000), ref: 00A92ACF
ShowWindow.USER32(FFFFFFFF,00000000,00000000,00000000,?,00ACC1C7,00000004,00000000,00000000,00000000,000000FF), ref: 00A92B17
ShowWindow.USER32(FFFFFFFF,00000006,00000000,00000000,?,00ACC1C7,00000004,00000000,00000000,00000000), ref: 00ACC21A
ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,00ACC1C7,00000004,00000000,00000000,00000000), ref: 00ACC286

Memory Dump Source

Source File: 00000000.00000002.2177197772.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true

Associated: 00000000.00000002.2177164617.0000000000A90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177927609.0000000000B98000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178101088.0000000000B99000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_uOCavrYu1y.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: 3b8705e009b883d7f5c23e6fab73710158f6475a825fe34bcd96e6b9aadf35c9
Instruction ID: 728ca251e67556c51f087c6d772fd5f2a522afab467290bcde2c4ad1e6d8bae3
Opcode Fuzzy Hash: 3b8705e009b883d7f5c23e6fab73710158f6475a825fe34bcd96e6b9aadf35c9
Instruction Fuzzy Hash: 5241D932708680BADF359B288C8CBBA7BE2AB55360F55C81DE04787961CA719C45D710

Function 00AF70C6 Relevance: 12.1, APIs: 8, Instructions: 101fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 00AF70DD

Part of subcall function 00AB0DB6: std::exception::exception.LIBCMT ref: 00AB0DEC
Part of subcall function 00AB0DB6: __CxxThrowException@8.LIBCMT ref: 00AB0E01

ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 00AF7114
RtlEnterCriticalSection.NTDLL(?), ref: 00AF7130
_memmove.LIBCMT ref: 00AF717E
_memmove.LIBCMT ref: 00AF719B
RtlLeaveCriticalSection.NTDLL(?), ref: 00AF71AA
ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 00AF71BF
InterlockedExchange.KERNEL32(?,000001F6), ref: 00AF71DE

Memory Dump Source

Source File: 00000000.00000002.2177197772.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true

Associated: 00000000.00000002.2177164617.0000000000A90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177927609.0000000000B98000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178101088.0000000000B99000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_uOCavrYu1y.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection_memmove$EnterException@8LeaveThrowstd::exception::exception
String ID:
API String ID: 256516436-0
Opcode ID: 034fe76018a0e9aeee61771e9ef70d7cd4ac16af9a2bd72f1e5c6303d4e3fd7d
Instruction ID: ab94d064ac71a6291c36b1c08e2a6773123955f69219088128201cbe3ea48829
Opcode Fuzzy Hash: 034fe76018a0e9aeee61771e9ef70d7cd4ac16af9a2bd72f1e5c6303d4e3fd7d
Instruction Fuzzy Hash: 54315931A00205EBDB00DFA4DD85EAFB7B8EF45310B1481A5F904AB256DB30EA14CBA4

Function 00B161D3 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00B161EB
GetDC.USER32(00000000), ref: 00B161F3
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00B161FE
ReleaseDC.USER32(00000000,00000000), ref: 00B1620A
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00B16246
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00B16257
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00B1902A,?,?,000000FF,00000000,?,000000FF,?), ref: 00B16291
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00B162B1

Memory Dump Source

Source File: 00000000.00000002.2177197772.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true

Associated: 00000000.00000002.2177164617.0000000000A90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177927609.0000000000B98000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178101088.0000000000B99000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_uOCavrYu1y.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: c6fadf37c0400c85dde808ea5098f16a55d395b706597c488ccebec41b4e05ff
Instruction ID: ab9eb3a9068953b1097a0315c7260c2bda4a96607b9c1711bcb15293e5b31a20
Opcode Fuzzy Hash: c6fadf37c0400c85dde808ea5098f16a55d395b706597c488ccebec41b4e05ff
Instruction Fuzzy Hash: CD314F72101214BFEF118F50DC8AFFA3BA9EF49765F4440A5FE08DA191CA759C51CBA4

Function 00AEBBAF Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBCMT ref: 00AEBBC4
_memcmp.LIBCMT ref: 00AEBBE6
_memcmp.LIBCMT ref: 00AEBBFE
_memcmp.LIBCMT ref: 00AEBC11
_memcmp.LIBCMT ref: 00AEBC2B
_memcmp.LIBCMT ref: 00AEBC3E
_memcmp.LIBCMT ref: 00AEBC56
_memcmp.LIBCMT ref: 00AEBC71

Memory Dump Source

Source File: 00000000.00000002.2177197772.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true

Associated: 00000000.00000002.2177164617.0000000000A90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177927609.0000000000B98000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178101088.0000000000B99000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_uOCavrYu1y.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: f3ac8e4070225a17395022cca640efbf60ce20d357d990ee2677acdfffbcad33
Instruction ID: eddb6c8889f2f2051e1e12070df518280b3fd494de4fd542a14a8958ff002f01
Opcode Fuzzy Hash: f3ac8e4070225a17395022cca640efbf60ce20d357d990ee2677acdfffbcad33
Instruction Fuzzy Hash: 9A2123B16142557BE2046712AE56FFB77ACDE54388F184420FD08DA253EB24DE1182B1

Function 00A91424 Relevance: 10.7, APIs: 7, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2177197772.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true

Associated: 00000000.00000002.2177164617.0000000000A90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177927609.0000000000B98000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178101088.0000000000B99000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_uOCavrYu1y.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cec9b04131622ba0d60a28df9143588aca0a167ef717fc405a5e2a40ba16f8c3
Instruction ID: 2f8d2449b0f245c9017cde4ea398ecc9fd6672552fe63760b310e8727a1091eb
Opcode Fuzzy Hash: cec9b04131622ba0d60a28df9143588aca0a167ef717fc405a5e2a40ba16f8c3
Instruction Fuzzy Hash: 9C714C70A0010AEFCF04DF98CC49EBEBBB9FF89310F158159F915AA251C734AA51CBA0

Function 00B1B351 Relevance: 10.7, APIs: 7, Instructions: 199windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(00C828D0), ref: 00B1B3EB
IsWindowEnabled.USER32(00C828D0), ref: 00B1B3F7
SendMessageW.USER32(?,0000041C,00000000,00000000), ref: 00B1B4DB
SendMessageW.USER32(00C828D0,000000B0,?,?), ref: 00B1B512
IsDlgButtonChecked.USER32(?,?), ref: 00B1B54F
GetWindowLongW.USER32(00C828D0,000000EC), ref: 00B1B571
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 00B1B589

Memory Dump Source

Source File: 00000000.00000002.2177197772.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true

Associated: 00000000.00000002.2177164617.0000000000A90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177927609.0000000000B98000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178101088.0000000000B99000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_uOCavrYu1y.jbxd

Similarity

API ID: MessageSendWindow$ButtonCheckedEnabledLong
String ID:
API String ID: 4072528602-0
Opcode ID: f144c89a815f08291fda58414298287fc783fb03f77b97e5eb5a8e5b27e87f8c
Instruction ID: 60dbd12b152959dd9196332160f44c70eadc29cdf886f3300fac3ed72a805343
Opcode Fuzzy Hash: f144c89a815f08291fda58414298287fc783fb03f77b97e5eb5a8e5b27e87f8c
Instruction Fuzzy Hash: 51718E34600204EFDB209F55D8D4FFA7BE5EF09311F9480E9EA55973A2C731A990DB50

Function 00B0F41E Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 177COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00B0F448
_memset.LIBCMT ref: 00B0F511
ShellExecuteExW.SHELL32(?), ref: 00B0F556

Part of subcall function 00A99837: __itow.LIBCMT ref: 00A99862
Part of subcall function 00A99837: __swprintf.LIBCMT ref: 00A998AC

Part of subcall function 00AAFC86: _wcscpy.LIBCMT ref: 00AAFCA9

GetProcessId.KERNEL32(00000000), ref: 00B0F5CD
CloseHandle.KERNEL32(00000000), ref: 00B0F5FC

Strings

@, xrefs: 00B0F525

Memory Dump Source

Source File: 00000000.00000002.2177197772.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true

Associated: 00000000.00000002.2177164617.0000000000A90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177927609.0000000000B98000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178101088.0000000000B99000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_uOCavrYu1y.jbxd

Similarity

API ID: _memset$CloseExecuteHandleProcessShell__itow__swprintf_wcscpy
String ID: @
API String ID: 3522835683-2766056989
Opcode ID: 37d77a5acfb865348f33d21545dfccd38ba84457620469da3a204a21327c9f5a
Instruction ID: 4fdebbcdb9a982aa14dd8d1da2bc5a087370eec1e5879d0dfcd8f37449b163bb
Opcode Fuzzy Hash: 37d77a5acfb865348f33d21545dfccd38ba84457620469da3a204a21327c9f5a
Instruction Fuzzy Hash: 26617C75A006199FCF14DFA8C9819AEBBF5FF49310F1480ADE855AB791DB30AD41CB90

Function 00AF0F4D Relevance: 10.7, APIs: 7, Instructions: 166windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 00AF0F8C
GetKeyboardState.USER32(?), ref: 00AF0FA1
SetKeyboardState.USER32(?), ref: 00AF1002
PostMessageW.USER32(?,00000101,00000010,?), ref: 00AF1030
PostMessageW.USER32(?,00000101,00000011,?), ref: 00AF104F
PostMessageW.USER32(?,00000101,00000012,?), ref: 00AF1095
PostMessageW.USER32(?,00000101,0000005B,?), ref: 00AF10B8

Memory Dump Source

Source File: 00000000.00000002.2177197772.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true

Associated: 00000000.00000002.2177164617.0000000000A90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177927609.0000000000B98000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178101088.0000000000B99000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_uOCavrYu1y.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 0798efacf8602ee47a7b1e104c21116516613a9b545f5eeace32496de0433169
Instruction ID: b0b8f62003ebea6a3764332a490f61ac1ae9377202c7bb52cf74819a858fbde8
Opcode Fuzzy Hash: 0798efacf8602ee47a7b1e104c21116516613a9b545f5eeace32496de0433169
Instruction Fuzzy Hash: D151F3A06047DABDFB3643B48C05BBABEA95B06304F08858DF2D5868C3C6D9ECC9D751

Function 00AF0D66 Relevance: 10.7, APIs: 7, Instructions: 165windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 00AF0DA5
GetKeyboardState.USER32(?), ref: 00AF0DBA
SetKeyboardState.USER32(?), ref: 00AF0E1B
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00AF0E47
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00AF0E64
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 00AF0EA8
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 00AF0EC9

Memory Dump Source

Source File: 00000000.00000002.2177197772.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true

Associated: 00000000.00000002.2177164617.0000000000A90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177927609.0000000000B98000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178101088.0000000000B99000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_uOCavrYu1y.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: b141cb1fafba41a1012131c2b216ae622e5bd099d727ab80bde34fec1b3d6e0b
Instruction ID: 87e1ee49c08c800140e9eb8d3a9b26624f720dc5ce14f2c8efe277409076aacc
Opcode Fuzzy Hash: b141cb1fafba41a1012131c2b216ae622e5bd099d727ab80bde34fec1b3d6e0b
Instruction Fuzzy Hash: 5051D4A06447D97DFB3687B4CC45FBABFA96B06300F088889F2D4468C3D795AC99D750

Function 00AF55FD Relevance: 10.6, APIs: 7, Instructions: 138timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 00AF560A
_wcsncpy.LIBCMT ref: 00AF563F
_wcsncpy.LIBCMT ref: 00AF5671
_wcsncpy.LIBCMT ref: 00AF56A4
_wcsncpy.LIBCMT ref: 00AF56E6
_wcsncpy.LIBCMT ref: 00AF5720
_wcsncpy.LIBCMT ref: 00AF574F

Memory Dump Source

Source File: 00000000.00000002.2177197772.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true

Associated: 00000000.00000002.2177164617.0000000000A90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177927609.0000000000B98000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178101088.0000000000B99000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_uOCavrYu1y.jbxd

Similarity

API ID: _wcsncpy$LocalTime
String ID:
API String ID: 2945705084-0
Opcode ID: 037ef83e671d0903d21266265b6cdb7695f6b27035f2d56f2c0b927e1c146900
Instruction ID: d2b80286078cb0c4f667a642d739c789d85a60c2dbaf90359fadf63c53728512
Opcode Fuzzy Hash: 037ef83e671d0903d21266265b6cdb7695f6b27035f2d56f2c0b927e1c146900
Instruction Fuzzy Hash: FD419466C1061876CB11FBF48D46ADFB7BC9F05310F508A56F618E3222EB34A255C7E6

Function 00AF3671 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 111filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00AF466E: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00AF3697,?), ref: 00AF468B

Part of subcall function 00AF466E: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00AF3697,?), ref: 00AF46A4

lstrcmpiW.KERNEL32(?,?), ref: 00AF36B7
_wcscmp.LIBCMT ref: 00AF36D3
MoveFileW.KERNEL32(?,?), ref: 00AF36EB
_wcscat.LIBCMT ref: 00AF3733
SHFileOperationW.SHELL32(?), ref: 00AF379F

Strings

\*.*, xrefs: 00AF372D

Memory Dump Source

Source File: 00000000.00000002.2177197772.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true

Associated: 00000000.00000002.2177164617.0000000000A90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177927609.0000000000B98000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178101088.0000000000B99000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_uOCavrYu1y.jbxd

Similarity

API ID: FileFullNamePath$MoveOperation_wcscat_wcscmplstrcmpi
String ID: \*.*
API String ID: 1377345388-1173974218
Opcode ID: 2247594b8fcadf4e5e8eb96e43f9b455b46a70e633b3cfc45c34c1c4d8283d0d
Instruction ID: 8c536e98e4f01c3caaa67e8742263c776c5bc7bb90e3d1e41cdaa7b213c870b1
Opcode Fuzzy Hash: 2247594b8fcadf4e5e8eb96e43f9b455b46a70e633b3cfc45c34c1c4d8283d0d
Instruction Fuzzy Hash: 02418272508348AECB52EFA4C541AEF77ECAF89380F40092EF599C3251EB34D689C752

Function 00B17291 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 103windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00B172AA
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00B17351
IsMenu.USER32(?), ref: 00B17369
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00B173B1
DrawMenuBar.USER32 ref: 00B173C4

Strings

0, xrefs: 00B1729E

Memory Dump Source

Source File: 00000000.00000002.2177197772.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true

Associated: 00000000.00000002.2177164617.0000000000A90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177927609.0000000000B98000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178101088.0000000000B99000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_uOCavrYu1y.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert_memset
String ID: 0
API String ID: 3866635326-4108050209
Opcode ID: 8f34960bd6e61e95bd76a0107ce2513193b82b1eb15341c182140eabd88896b3
Instruction ID: d279aa9f93e1e5d3a792e7efabdbc377f65ee9ed60814037ffdec32aa6e4c7af
Opcode Fuzzy Hash: 8f34960bd6e61e95bd76a0107ce2513193b82b1eb15341c182140eabd88896b3
Instruction Fuzzy Hash: 78414871A40209AFDB20DF50E884AEABBF9FB08351F5484AAFD1597250DB30AD81DB60

Function 00B10FA5 Relevance: 10.6, APIs: 7, Instructions: 101registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?), ref: 00B10FD4
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00B10FFE
FreeLibrary.KERNEL32(00000000), ref: 00B110B5

Part of subcall function 00B10FA5: RegCloseKey.ADVAPI32(?), ref: 00B1101B
Part of subcall function 00B10FA5: FreeLibrary.KERNEL32(?), ref: 00B1106D
Part of subcall function 00B10FA5: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 00B11090

RegDeleteKeyW.ADVAPI32(?,?), ref: 00B11058

Memory Dump Source

Source File: 00000000.00000002.2177197772.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true

Associated: 00000000.00000002.2177164617.0000000000A90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177927609.0000000000B98000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178101088.0000000000B99000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_uOCavrYu1y.jbxd

Similarity

API ID: EnumFreeLibrary$CloseDeleteOpen
String ID:
API String ID: 395352322-0
Opcode ID: e24bafdb3fdf9ad27c539fe698aed7c2320863de25cc793e57a69ba4a5b27af8
Instruction ID: 066713f03746677db4c77ffad7bb9ddd408e0fe5ad6bf4589432fd34a43ef41f
Opcode Fuzzy Hash: e24bafdb3fdf9ad27c539fe698aed7c2320863de25cc793e57a69ba4a5b27af8
Instruction Fuzzy Hash: 9E31FB71D01109FFDB25DF94DC89AFEB7BCEF08300F4045A9EA05A2151EA749EC59AA0

Function 00B162CD Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00B162EC
GetWindowLongW.USER32(00C828D0,000000F0), ref: 00B1631F
GetWindowLongW.USER32(00C828D0,000000F0), ref: 00B16354
SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 00B16386
SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 00B163B0
GetWindowLongW.USER32(00000000,000000F0), ref: 00B163C1
SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 00B163DB

Memory Dump Source

Source File: 00000000.00000002.2177197772.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true

Associated: 00000000.00000002.2177164617.0000000000A90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177927609.0000000000B98000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178101088.0000000000B99000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_uOCavrYu1y.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: 01ade67cc4243280131851e59bdb6e95085bfc7c1cd72e3af608ae3d8abf87fb
Instruction ID: 9d8cbe3a117604b14e8cd0a12003586ef6c0a114019f2e232271a45e4fd9617f
Opcode Fuzzy Hash: 01ade67cc4243280131851e59bdb6e95085bfc7c1cd72e3af608ae3d8abf87fb
Instruction Fuzzy Hash: 5C311230644255AFDB20CF1DEC84FA837E1FB4A715F9941A8F9218F2B2CB71A980DB54

Function 00AEDAEB Relevance: 10.6, APIs: 7, Instructions: 95memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00AEDB2E
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00AEDB54
SysAllocString.OLEAUT32(00000000), ref: 00AEDB57
SysAllocString.OLEAUT32(?), ref: 00AEDB75
SysFreeString.OLEAUT32(?), ref: 00AEDB7E
StringFromGUID2.COMBASE(?,?,00000028), ref: 00AEDBA3
SysAllocString.OLEAUT32(?), ref: 00AEDBB1

Memory Dump Source

Source File: 00000000.00000002.2177197772.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true

Associated: 00000000.00000002.2177164617.0000000000A90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177927609.0000000000B98000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178101088.0000000000B99000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_uOCavrYu1y.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 6eac1048765aa3d570e6a714eba8ddffc0dec652d9f2f2934d9dfdaaf4250d54
Instruction ID: 743acf69011e09efcd0358b7fb09cbd3228edb90c157392b95a2eb6c7073c957
Opcode Fuzzy Hash: 6eac1048765aa3d570e6a714eba8ddffc0dec652d9f2f2934d9dfdaaf4250d54
Instruction Fuzzy Hash: 1F21A436600219AFEF10DFA9DC88CFB73ACEB09360B418525F914DB2A1EA70DC41C760

Function 00B06173 Relevance: 10.6, APIs: 7, Instructions: 94networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00B07D8B: inet_addr.WS2_32(00000000), ref: 00B07DB6

socket.WS2_32(00000002,00000001,00000006), ref: 00B061C6
WSAGetLastError.WS2_32(00000000), ref: 00B061D5
ioctlsocket.WS2_32(00000000,8004667E,00000000), ref: 00B0620E
connect.WSOCK32(00000000,?,00000010), ref: 00B06217
WSAGetLastError.WS2_32 ref: 00B06221
closesocket.WS2_32(00000000), ref: 00B0624A
ioctlsocket.WS2_32(00000000,8004667E,00000000), ref: 00B06263

Memory Dump Source

Source File: 00000000.00000002.2177197772.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true

Associated: 00000000.00000002.2177164617.0000000000A90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177927609.0000000000B98000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178101088.0000000000B99000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_uOCavrYu1y.jbxd

Similarity

API ID: ErrorLastioctlsocket$closesocketconnectinet_addrsocket
String ID:
API String ID: 910771015-0
Opcode ID: 1773d9b1f7a2cc43222635e3103a2a634fd018e50c733919bf111b0347a671f8
Instruction ID: cdbf7ffa428d1e6b5dec6e26d2075a1882a5bf2f0c0021a1c0f00e58428b629d
Opcode Fuzzy Hash: 1773d9b1f7a2cc43222635e3103a2a634fd018e50c733919bf111b0347a671f8
Instruction Fuzzy Hash: 5A317C71600118ABEF10AF68CC85BBA7BEDEF45760F0480A9F905A72D1DB74AD54CAA1

Function 00AEF65E Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 90COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 00AEF671
__wcsnicmp.LIBCMT ref: 00AEF692
__wcsnicmp.LIBCMT ref: 00AEF6AC

Strings

#notrayicon, xrefs: 00AEF669
#requireadmin, xrefs: 00AEF68C
#OnAutoItStartRegister, xrefs: 00AEF6A6

Memory Dump Source

Source File: 00000000.00000002.2177197772.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true

Associated: 00000000.00000002.2177164617.0000000000A90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177927609.0000000000B98000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178101088.0000000000B99000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_uOCavrYu1y.jbxd

Similarity

API ID: __wcsnicmp
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 1038674560-2734436370
Opcode ID: 8366e1f08ed2e27cdd5e10d558268224c85da2b57cb9957477c3e7cef8c8c60b
Instruction ID: 360d2d9e4a79e74ba74da2fade2176571d5324b5a5ba974eec4be646cbd6efa8
Opcode Fuzzy Hash: 8366e1f08ed2e27cdd5e10d558268224c85da2b57cb9957477c3e7cef8c8c60b
Instruction Fuzzy Hash: 6A2134722045D16FDA20AB36AD02EB773ECEF55350F50403AF846860A2EB609D81D295

Function 00AEDBC4 Relevance: 10.6, APIs: 7, Instructions: 90memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00AEDC09
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00AEDC2F
SysAllocString.OLEAUT32(00000000), ref: 00AEDC32
SysAllocString.OLEAUT32 ref: 00AEDC53
SysFreeString.OLEAUT32 ref: 00AEDC5C
StringFromGUID2.COMBASE(?,?,00000028), ref: 00AEDC76
SysAllocString.OLEAUT32(?), ref: 00AEDC84

Memory Dump Source

Source File: 00000000.00000002.2177197772.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true

Associated: 00000000.00000002.2177164617.0000000000A90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177927609.0000000000B98000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178101088.0000000000B99000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_uOCavrYu1y.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: e9f5db912c8a62174d77a1df160ee41b15cbd3f93a822a595630dde6b4b3e9e0
Instruction ID: 349a78e481edc9775d001bcf450eddb156d1f3c71c26d9ebe2a4cddedd4c7747
Opcode Fuzzy Hash: e9f5db912c8a62174d77a1df160ee41b15cbd3f93a822a595630dde6b4b3e9e0
Instruction Fuzzy Hash: 5C214135604245AFAB10DFB9DC89DBB77ECEB49360B508125F914DB2A1DAB0EC41C764

Function 00B175CD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00A91D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00A91D73
Part of subcall function 00A91D35: GetStockObject.GDI32(00000011), ref: 00A91D87
Part of subcall function 00A91D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00A91D91

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00B17632
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 00B1763F
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 00B1764A
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00B17659
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00B17665

Strings

Msctls_Progress32, xrefs: 00B17603

Memory Dump Source

Source File: 00000000.00000002.2177197772.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true

Associated: 00000000.00000002.2177164617.0000000000A90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177927609.0000000000B98000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178101088.0000000000B99000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_uOCavrYu1y.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: 548185565b5c9fe3ac7e3180f515c1bae1922525ef9496f287089542f2ca5892
Instruction ID: ac87341606003dc166679245b8b483392ef5dd490ed7e7d68d2da335d3346096
Opcode Fuzzy Hash: 548185565b5c9fe3ac7e3180f515c1bae1922525ef9496f287089542f2ca5892
Instruction Fuzzy Hash: D811B2B2150219BFEF118F64CC85EEB7FADEF08798F114114BA04A30A0CA729C61DBA4

Function 00AB9AE6 Relevance: 10.5, APIs: 7, Instructions: 45threadCOMMON

Download Yara Rule

APIs

__init_pointers.LIBCMT ref: 00AB9AE6

Part of subcall function 00AB3187: RtlEncodePointer.NTDLL(00000000), ref: 00AB318A
Part of subcall function 00AB3187: __initp_misc_winsig.LIBCMT ref: 00AB31A5
Part of subcall function 00AB3187: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 00AB9EA0
Part of subcall function 00AB3187: GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 00AB9EB4
Part of subcall function 00AB3187: GetProcAddress.KERNEL32(00000000,FlsFree), ref: 00AB9EC7
Part of subcall function 00AB3187: GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 00AB9EDA
Part of subcall function 00AB3187: GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 00AB9EED
Part of subcall function 00AB3187: GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 00AB9F00
Part of subcall function 00AB3187: GetProcAddress.KERNEL32(00000000,CreateEventExW), ref: 00AB9F13
Part of subcall function 00AB3187: GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 00AB9F26
Part of subcall function 00AB3187: GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 00AB9F39
Part of subcall function 00AB3187: GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 00AB9F4C
Part of subcall function 00AB3187: GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 00AB9F5F
Part of subcall function 00AB3187: GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 00AB9F72
Part of subcall function 00AB3187: GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 00AB9F85
Part of subcall function 00AB3187: GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 00AB9F98
Part of subcall function 00AB3187: GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 00AB9FAB
Part of subcall function 00AB3187: GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 00AB9FBE

__mtinitlocks.LIBCMT ref: 00AB9AEB
__mtterm.LIBCMT ref: 00AB9AF4

Part of subcall function 00AB9B5C: RtlDeleteCriticalSection.NTDLL(00000000), ref: 00AB9C56
Part of subcall function 00AB9B5C: _free.LIBCMT ref: 00AB9C5D
Part of subcall function 00AB9B5C: RtlDeleteCriticalSection.NTDLL(00B4EC00), ref: 00AB9C7F

__calloc_crt.LIBCMT ref: 00AB9B19
__initptd.LIBCMT ref: 00AB9B3B
GetCurrentThreadId.KERNEL32 ref: 00AB9B42

Memory Dump Source

Source File: 00000000.00000002.2177197772.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true

Associated: 00000000.00000002.2177164617.0000000000A90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177927609.0000000000B98000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178101088.0000000000B99000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_uOCavrYu1y.jbxd

Similarity

API ID: AddressProc$CriticalDeleteSection$CurrentEncodeHandleModulePointerThread__calloc_crt__init_pointers__initp_misc_winsig__initptd__mtinitlocks__mtterm_free
String ID:
API String ID: 3567560977-0
Opcode ID: 62229f84423b1622e0ca8d128e9452f4f540042f5bcdde3e57a63c12e674bae5
Instruction ID: 435f2c89231c009a57a944435a3b60c6d617b2bd0fcbdc22129dac806dba0f5d
Opcode Fuzzy Hash: 62229f84423b1622e0ca8d128e9452f4f540042f5bcdde3e57a63c12e674bae5
Instruction Fuzzy Hash: ACF090325097116AEA347779BD036CB2B9CAF02774F204A1DF664D61D3EF60854142A0

Function 00AB406B Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 19libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,00AB3F85), ref: 00AB4085
GetProcAddress.KERNEL32(00000000), ref: 00AB408C
RtlEncodePointer.NTDLL(00000000), ref: 00AB4097
RtlDecodePointer.NTDLL(00AB3F85), ref: 00AB40B2

Strings

RoUninitialize, xrefs: 00AB4074
combase.dll, xrefs: 00AB4080

Memory Dump Source

Source File: 00000000.00000002.2177197772.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true

Associated: 00000000.00000002.2177164617.0000000000A90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177927609.0000000000B98000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178101088.0000000000B99000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_uOCavrYu1y.jbxd

Similarity

API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
String ID: RoUninitialize$combase.dll
API String ID: 3489934621-2819208100
Opcode ID: dad7b6b75681f3ef083f4610a6b03d0bd8a260ce0d2e727ba753e72a93fae2f7
Instruction ID: b95f801a008b92c2c3114b534eabdafcc79f177414b44feeaa3fa8359522f71d
Opcode Fuzzy Hash: dad7b6b75681f3ef083f4610a6b03d0bd8a260ce0d2e727ba753e72a93fae2f7
Instruction Fuzzy Hash: BFE09270581B01ABEA10AF71EC09B953AE9BB18B83F9080A4F515E32B1CFB64610EA14

Function 00B06B03 Relevance: 9.2, APIs: 6, Instructions: 250networkCOMMON

Download Yara Rule

APIs

__WSAFDIsSet.WS2_32(00000000,?), ref: 00B06C00
WSAGetLastError.WS2_32(00000000), ref: 00B06C34
htons.WS2_32(?), ref: 00B06CEA
inet_ntoa.WS2_32(?), ref: 00B06CA7

Part of subcall function 00AEA7E9: _strlen.LIBCMT ref: 00AEA7F3
Part of subcall function 00AEA7E9: _memmove.LIBCMT ref: 00AEA815

_strlen.LIBCMT ref: 00B06D44
_memmove.LIBCMT ref: 00B06DAD

Memory Dump Source

Source File: 00000000.00000002.2177197772.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true

Associated: 00000000.00000002.2177164617.0000000000A90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177927609.0000000000B98000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178101088.0000000000B99000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_uOCavrYu1y.jbxd

Similarity

API ID: _memmove_strlen$ErrorLasthtonsinet_ntoa
String ID:
API String ID: 3619996494-0
Opcode ID: 5625dabf6418f3b92c40fd754f9a49e34af66900b507630544b1f123e3423212
Instruction ID: 7b45c3985a50001ce3087fdc0b88037da27d2bf79bd48af8481aff668f47f652
Opcode Fuzzy Hash: 5625dabf6418f3b92c40fd754f9a49e34af66900b507630544b1f123e3423212
Instruction Fuzzy Hash: CB81B171604200AFDB10EB28CD82FABBBE8EF94714F504A6DF5559B2D2DA70ED01CB91

Function 00AF64B8 Relevance: 9.2, APIs: 6, Instructions: 205COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00AF660B
_memmove.LIBCMT ref: 00AF6546

Part of subcall function 00A99837: __itow.LIBCMT ref: 00A99862
Part of subcall function 00A99837: __swprintf.LIBCMT ref: 00A998AC

_memmove.LIBCMT ref: 00AF65B9
_memmove.LIBCMT ref: 00AF66A0
_memmove.LIBCMT ref: 00AF66B9
_memmove.LIBCMT ref: 00AF66D5

Memory Dump Source

Source File: 00000000.00000002.2177197772.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true

Associated: 00000000.00000002.2177164617.0000000000A90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177927609.0000000000B98000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178101088.0000000000B99000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_uOCavrYu1y.jbxd

Similarity

API ID: _memmove$__itow__swprintf
String ID:
API String ID: 3253778849-0
Opcode ID: b502df325a94811825dded41ac528fc93299cc79cdbb2b18572780d957d8dc6c
Instruction ID: 5a6ac41bca6f93b1b7db3b26aa2eb2c0a02b4b39c9168e8e8d9977cb4c401734
Opcode Fuzzy Hash: b502df325a94811825dded41ac528fc93299cc79cdbb2b18572780d957d8dc6c
Instruction Fuzzy Hash: 62616D3060065AABCF05EFA4CD82EFF77A9AF45308F044519FA556B192DB35ED06CB50

Function 00B101E4 Relevance: 9.2, APIs: 6, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00A97DE1: _memmove.LIBCMT ref: 00A97E22

Part of subcall function 00B10E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00B0FDAD,?,?), ref: 00B10E31

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00B102BD
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00B102FD
RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 00B10320
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 00B10349
RegCloseKey.ADVAPI32(?,?,00000000), ref: 00B1038C
RegCloseKey.ADVAPI32(00000000), ref: 00B10399

Memory Dump Source

Source File: 00000000.00000002.2177197772.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true

Associated: 00000000.00000002.2177164617.0000000000A90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177927609.0000000000B98000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178101088.0000000000B99000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_uOCavrYu1y.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue_memmove
String ID:
API String ID: 4046560759-0
Opcode ID: f0f8cd76f016cc09ad87c52ee476e33d3c078a9705c9cdf271e1b155d626ba39
Instruction ID: 18b6d93c49f8ec3a4debb7c4cab9ee1e72c3296bab8250e2945511a9703ab114
Opcode Fuzzy Hash: f0f8cd76f016cc09ad87c52ee476e33d3c078a9705c9cdf271e1b155d626ba39
Instruction Fuzzy Hash: 23518B31218200AFCB04EF64C985EAFBBE9FF89314F84495DF555872A2DB71E984CB52

Function 00B15799 Relevance: 9.2, APIs: 6, Instructions: 160windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 00B157FB
GetMenuItemCount.USER32(00000000), ref: 00B15832
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 00B1585A
GetMenuItemID.USER32(?,?), ref: 00B158C9
GetSubMenu.USER32(?,?), ref: 00B158D7
PostMessageW.USER32(?,00000111,?,00000000), ref: 00B15928

Memory Dump Source

Source File: 00000000.00000002.2177197772.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true

Associated: 00000000.00000002.2177164617.0000000000A90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177927609.0000000000B98000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178101088.0000000000B99000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_uOCavrYu1y.jbxd

Similarity

API ID: Menu$Item$CountMessagePostString
String ID:
API String ID: 650687236-0
Opcode ID: a1e43528aae7fc3f0b84968873c2a397ec6a2276332fa62fce06220e31c0a8e2
Instruction ID: 40874fea00976889a5228a9876f2d44b1a8230fac8adf42c52c2ef74f52bc6de
Opcode Fuzzy Hash: a1e43528aae7fc3f0b84968873c2a397ec6a2276332fa62fce06220e31c0a8e2
Instruction Fuzzy Hash: 47513A31A00615EFCF21DF64C945AEEB7F5EF88320F5080A9E955AB351DB70AE81CB91

Function 00AEEEEC Relevance: 9.2, APIs: 6, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00AEEF06
VariantClear.OLEAUT32(00000013), ref: 00AEEF78
VariantClear.OLEAUT32(00000000), ref: 00AEEFD3
_memmove.LIBCMT ref: 00AEEFFD
VariantClear.OLEAUT32(?), ref: 00AEF04A
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00AEF078

Memory Dump Source

Source File: 00000000.00000002.2177197772.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true

Associated: 00000000.00000002.2177164617.0000000000A90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177927609.0000000000B98000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178101088.0000000000B99000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_uOCavrYu1y.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType_memmove
String ID:
API String ID: 1101466143-0
Opcode ID: 642e5366e3e2562541af89c595ff2e0882834903d92e7412373ef8a594f64097
Instruction ID: 13a68dae73f3a52c4613d28b57a77e02ca3ffb4a3b7ddab9dd9b1106228095ad
Opcode Fuzzy Hash: 642e5366e3e2562541af89c595ff2e0882834903d92e7412373ef8a594f64097
Instruction Fuzzy Hash: 8B5166B5A00249EFCB14CF59C880AAAB7B8FF4C314B15856AED59DB301E735E911CFA0

Function 00AF220A Relevance: 9.1, APIs: 6, Instructions: 138windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00AF2258
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00AF22A3
IsMenu.USER32(00000000), ref: 00AF22C3
CreatePopupMenu.USER32 ref: 00AF22F7
GetMenuItemCount.USER32(000000FF), ref: 00AF2355
InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 00AF2386

Memory Dump Source

Source File: 00000000.00000002.2177197772.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true

Associated: 00000000.00000002.2177164617.0000000000A90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177927609.0000000000B98000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178101088.0000000000B99000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_uOCavrYu1y.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup_memset
String ID:
API String ID: 3311875123-0
Opcode ID: a9b73a9dc6ea8971999f73ff414e8e9477145e5cc3cec6dd4f15d64056440baf
Instruction ID: 3c0076b3d725e990349e35e3b159d9c978f34a543109b8ff37a27163073e3845
Opcode Fuzzy Hash: a9b73a9dc6ea8971999f73ff414e8e9477145e5cc3cec6dd4f15d64056440baf
Instruction Fuzzy Hash: 4051ADB060420EDBDF21CFE8C988BBDBBF5AF55358F108229FA15AB290D7749944CB51

Function 00A91765 Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 00A92612: GetWindowLongW.USER32(?,000000EB), ref: 00A92623

BeginPaint.USER32(?,?,?,?,?,?), ref: 00A9179A
GetWindowRect.USER32(?,?), ref: 00A917FE
ScreenToClient.USER32(?,?), ref: 00A9181B
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00A9182C
EndPaint.USER32(?,?), ref: 00A91876

Memory Dump Source

Source File: 00000000.00000002.2177197772.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true

Associated: 00000000.00000002.2177164617.0000000000A90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177927609.0000000000B98000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178101088.0000000000B99000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_uOCavrYu1y.jbxd

Similarity

API ID: PaintWindow$BeginClientLongRectScreenViewport
String ID:
API String ID: 1827037458-0
Opcode ID: 444f31da0edcf867dd3b195cdb58480d041cce7830d8082bd65c42748a70efb3
Instruction ID: 057da8df6bdf06be9b94541802595fffaa2a91697a8a960d23ae034cff1192be
Opcode Fuzzy Hash: 444f31da0edcf867dd3b195cdb58480d041cce7830d8082bd65c42748a70efb3
Instruction Fuzzy Hash: 9F41B230200702AFDB20DF24CC84FBA7BF8EB59725F144668F9A4872A1CB319845DB61

Function 00B1B69E Relevance: 9.1, APIs: 6, Instructions: 109windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(00B557B0,00000000,00C828D0,?,?,00B557B0,?,00B1B5A8,?,?), ref: 00B1B712
EnableWindow.USER32(00000000,00000000), ref: 00B1B736
ShowWindow.USER32(00B557B0,00000000,00C828D0,?,?,00B557B0,?,00B1B5A8,?,?), ref: 00B1B796
ShowWindow.USER32(00000000,00000004,?,00B1B5A8,?,?), ref: 00B1B7A8
EnableWindow.USER32(00000000,00000001), ref: 00B1B7CC
SendMessageW.USER32(?,0000130C,?,00000000), ref: 00B1B7EF

Memory Dump Source

Source File: 00000000.00000002.2177197772.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true

Associated: 00000000.00000002.2177164617.0000000000A90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177927609.0000000000B98000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178101088.0000000000B99000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_uOCavrYu1y.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: ec3f665a89081f8ff74198a5ffa04a52dd600aef46cb28b7590851cc558b311e
Instruction ID: a399ba310a64003570c2905d0e30a42b856a0a46777be62f429498e6d16e53a7
Opcode Fuzzy Hash: ec3f665a89081f8ff74198a5ffa04a52dd600aef46cb28b7590851cc558b311e
Instruction Fuzzy Hash: 40413A35605241AFDB26CF24C499FE47BE1FB45310F9881E9E9488F6A2C731AC96CB51

Function 00B0709E Relevance: 9.1, APIs: 6, Instructions: 97COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,?,?,?,?,00B04E41,?,?,00000000,00000001), ref: 00B070AC

Part of subcall function 00B039A0: GetWindowRect.USER32(?,?), ref: 00B039B3

GetDesktopWindow.USER32 ref: 00B070D6
GetWindowRect.USER32(00000000), ref: 00B070DD
mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 00B0710F

Part of subcall function 00AF5244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00AF52BC

GetCursorPos.USER32(?), ref: 00B0713B
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00B07199

Memory Dump Source

Source File: 00000000.00000002.2177197772.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true

Associated: 00000000.00000002.2177164617.0000000000A90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177927609.0000000000B98000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178101088.0000000000B99000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_uOCavrYu1y.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
String ID:
API String ID: 4137160315-0
Opcode ID: c638fbf20f211abc29d1259e22666e8513d3cac200e1d5d769fc059764f1f2fb
Instruction ID: 40888f6e86cd08f822f65b6e2ae5e98e22e2bc5b95ec9e633604ce8a2321a5d2
Opcode Fuzzy Hash: c638fbf20f211abc29d1259e22666e8513d3cac200e1d5d769fc059764f1f2fb
Instruction Fuzzy Hash: 5931B472509306AFD720DF54C849BABBBEAFF88314F000519F595A71D1CB74EA05CB92

Function 00AFEB23 Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 323COMMON

Download Yara Rule

APIs

Part of subcall function 00A99837: __itow.LIBCMT ref: 00A99862
Part of subcall function 00A99837: __swprintf.LIBCMT ref: 00A998AC

Part of subcall function 00AAFC86: _wcscpy.LIBCMT ref: 00AAFCA9

_wcstok.LIBCMT ref: 00AFEC94
_wcscpy.LIBCMT ref: 00AFED23
_memset.LIBCMT ref: 00AFED56

Strings

X, xrefs: 00AFED93

Memory Dump Source

Source File: 00000000.00000002.2177197772.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true

Associated: 00000000.00000002.2177164617.0000000000A90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177927609.0000000000B98000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178101088.0000000000B99000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_uOCavrYu1y.jbxd

Similarity

API ID: _wcscpy$__itow__swprintf_memset_wcstok
String ID: X
API String ID: 774024439-3081909835
Opcode ID: 8324efbd8972b1d6493e6b8fadf8f7029b2277cc3de269ecedf77798654dc951
Instruction ID: aaff17127c1371a788444c6d2faff544a279d8f76f6d7bb7a9b5226b83bd388f
Opcode Fuzzy Hash: 8324efbd8972b1d6493e6b8fadf8f7029b2277cc3de269ecedf77798654dc951
Instruction Fuzzy Hash: 4FC170316083459FCB64EF68C945A6EB7E4FF85310F00492DF9999B2A2DB30ED45CB92

Function 00AE8879 Relevance: 9.1, APIs: 6, Instructions: 69memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00AE80A9: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00AE80C0
Part of subcall function 00AE80A9: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00AE80CA
Part of subcall function 00AE80A9: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00AE80D9
Part of subcall function 00AE80A9: RtlAllocateHeap.NTDLL(00000000,?,00000002), ref: 00AE80E0
Part of subcall function 00AE80A9: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00AE80F6

GetLengthSid.ADVAPI32(?,00000000,00AE842F), ref: 00AE88CA
GetProcessHeap.KERNEL32(00000008,00000000), ref: 00AE88D6
RtlAllocateHeap.NTDLL(00000000), ref: 00AE88DD
CopySid.ADVAPI32(00000000,00000000,?), ref: 00AE88F6
GetProcessHeap.KERNEL32(00000000,00000000,00AE842F), ref: 00AE890A
HeapFree.KERNEL32(00000000), ref: 00AE8911

Memory Dump Source

Source File: 00000000.00000002.2177197772.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true

Associated: 00000000.00000002.2177164617.0000000000A90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177927609.0000000000B98000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178101088.0000000000B99000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_uOCavrYu1y.jbxd

Similarity

API ID: Heap$Process$AllocateInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 169236558-0
Opcode ID: 9561e4d4b350863a79f7ebd51d8a47780972bb3874205c108e1edc6b15fd803a
Instruction ID: f475e1fc2a5dfdb427ad41aa1c4e94a72e15bae4dc2b3ac4aa1e09ad51a2444d
Opcode Fuzzy Hash: 9561e4d4b350863a79f7ebd51d8a47780972bb3874205c108e1edc6b15fd803a
Instruction Fuzzy Hash: AC11B131901209FFDB109FA5DC19BFE77A8EB45311F508128E849A7111CB3A9D10DB60

Function 00AEB790 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00AEB7B5
GetDeviceCaps.GDI32(00000000,00000058), ref: 00AEB7C6
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00AEB7CD
ReleaseDC.USER32(00000000,00000000), ref: 00AEB7D5
MulDiv.KERNEL32(000009EC,?,00000000), ref: 00AEB7EC
MulDiv.KERNEL32(000009EC,?,?), ref: 00AEB7FE

Memory Dump Source

Source File: 00000000.00000002.2177197772.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true

Associated: 00000000.00000002.2177164617.0000000000A90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177927609.0000000000B98000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178101088.0000000000B99000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_uOCavrYu1y.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: 13c5e36d0a9c04eda598b2eb5a683deb309591fb2bdad88aefb2167d8fa950f2
Instruction ID: 1a8155eca8ad815670d8b3fbcbd867e7a15b542f545d63b8b95d67a73c7e0992
Opcode Fuzzy Hash: 13c5e36d0a9c04eda598b2eb5a683deb309591fb2bdad88aefb2167d8fa950f2
Instruction Fuzzy Hash: E6014475E00219BBEF109FA69D49A9EBFB8EB48751F408075FA04E7291DA709C10CFA1

Function 00AB0162 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 00AB0193
MapVirtualKeyW.USER32(00000010,00000000), ref: 00AB019B
MapVirtualKeyW.USER32(000000A0,00000000), ref: 00AB01A6
MapVirtualKeyW.USER32(000000A1,00000000), ref: 00AB01B1
MapVirtualKeyW.USER32(00000011,00000000), ref: 00AB01B9
MapVirtualKeyW.USER32(00000012,00000000), ref: 00AB01C1

Memory Dump Source

Source File: 00000000.00000002.2177197772.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true

Associated: 00000000.00000002.2177164617.0000000000A90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177927609.0000000000B98000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178101088.0000000000B99000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_uOCavrYu1y.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: e185ab7777a03af925ae700e05dc0714590c5daaa0465f9fac87aa11c260fd18
Instruction ID: 7a4d303d7b0465545ed68256b80bcc291f9df2e1227264f57f190f7058728182
Opcode Fuzzy Hash: e185ab7777a03af925ae700e05dc0714590c5daaa0465f9fac87aa11c260fd18
Instruction Fuzzy Hash: 12016CB0901B5A7DE3008F5A8C85B52FFA8FF19354F00411BA15C47941C7F5A864CBE5

Function 00AF53E9 Relevance: 9.0, APIs: 6, Instructions: 43windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00AF53F9
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 00AF540F
GetWindowThreadProcessId.USER32(?,?), ref: 00AF541E
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00AF542D
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00AF5437
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00AF543E

Memory Dump Source

Source File: 00000000.00000002.2177197772.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true

Associated: 00000000.00000002.2177164617.0000000000A90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177927609.0000000000B98000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178101088.0000000000B99000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_uOCavrYu1y.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: fc549abb5f6137a3242cada3aca4491cad73c27f360887089321a58de9dc6a43
Instruction ID: fe25d86bd16f4f67d5ca23a2b635a17f107501e96cb0f1cd361b24b576fda7ad
Opcode Fuzzy Hash: fc549abb5f6137a3242cada3aca4491cad73c27f360887089321a58de9dc6a43
Instruction Fuzzy Hash: 8DF06D32240559BBE7215BA29C0DEFB7A7CEBC6B11F404169FA04D2061DAA01A01C6B5

Function 00AF7230 Relevance: 9.0, APIs: 6, Instructions: 33synchronizationthreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,?), ref: 00AF7243
RtlEnterCriticalSection.NTDLL(?), ref: 00AF7254
TerminateThread.KERNEL32(00000000,000001F6,?,00AA0EE4,?,?), ref: 00AF7261
WaitForSingleObject.KERNEL32(00000000,000003E8,?,00AA0EE4,?,?), ref: 00AF726E

Part of subcall function 00AF6C35: CloseHandle.KERNEL32(00000000,?,00AF727B,?,00AA0EE4,?,?), ref: 00AF6C3F

InterlockedExchange.KERNEL32(?,000001F6), ref: 00AF7281
RtlLeaveCriticalSection.NTDLL(?), ref: 00AF7288

Memory Dump Source

Source File: 00000000.00000002.2177197772.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true

Associated: 00000000.00000002.2177164617.0000000000A90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177927609.0000000000B98000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178101088.0000000000B99000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_uOCavrYu1y.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: be0c96abd16601ebf78bddb0671480d86f47b5ac1210958170a4fd91c37d91fc
Instruction ID: df71a58c21fa6b74fe8c815d084b909a96eff77211cb12553b4236a05828d225
Opcode Fuzzy Hash: be0c96abd16601ebf78bddb0671480d86f47b5ac1210958170a4fd91c37d91fc
Instruction Fuzzy Hash: DBF05E36540613EBDB111BA4ED4C9FB772AEF55712B904632F603A20A0CFB65811CB90

Function 00B085ED Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 225COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00B08613
CharUpperBuffW.USER32(?,?), ref: 00B08722
VariantClear.OLEAUT32(?), ref: 00B0889A

Part of subcall function 00AF7562: VariantInit.OLEAUT32(00000000), ref: 00AF75A2
Part of subcall function 00AF7562: VariantCopy.OLEAUT32(00000000,?), ref: 00AF75AB
Part of subcall function 00AF7562: VariantClear.OLEAUT32(00000000), ref: 00AF75B7

Strings

AUTOIT.ERROR, xrefs: 00B08728
Incorrect Parameter format, xrefs: 00B0864B, 00B0880D

Memory Dump Source

Source File: 00000000.00000002.2177197772.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true

Associated: 00000000.00000002.2177164617.0000000000A90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177927609.0000000000B98000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178101088.0000000000B99000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_uOCavrYu1y.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4237274167-1221869570
Opcode ID: af07fddcdc1240f2a1ec2a9833b0b4c9b86110cc56bfbde11ce7aaf972f26756
Instruction ID: 25b6aacbdeec7a30190eb3d495770f69daa7ffbb6b50cff9cc909a900fe5ca32
Opcode Fuzzy Hash: af07fddcdc1240f2a1ec2a9833b0b4c9b86110cc56bfbde11ce7aaf972f26756
Instruction Fuzzy Hash: EE917F71604301DFCB10DF24C58596BBBE4EF89754F14896EF89A8B3A1DB31E905CB92

Function 00AF2A96 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 195windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00AAFC86: _wcscpy.LIBCMT ref: 00AAFCA9

_memset.LIBCMT ref: 00AF2B87
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00AF2BB6
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00AF2C69
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 00AF2C97

Strings

0, xrefs: 00AF2B73

Memory Dump Source

Source File: 00000000.00000002.2177197772.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true

Associated: 00000000.00000002.2177164617.0000000000A90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177927609.0000000000B98000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178101088.0000000000B99000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_uOCavrYu1y.jbxd

Similarity

API ID: ItemMenu$Info$Default_memset_wcscpy
String ID: 0
API String ID: 4152858687-4108050209
Opcode ID: 99422cb871c85024a140be1d29484056123c98bb7afab32479e2dc7251dbc818
Instruction ID: 59f8ff0608d8d2fd29e3a04496c7fce4213218878da6e1e6aa44bb1f5ceb8ea3
Opcode Fuzzy Hash: 99422cb871c85024a140be1d29484056123c98bb7afab32479e2dc7251dbc818
Instruction Fuzzy Hash: F551CD716083099ED7259FA8C845BBFB7E8EF95350F040A2DFA95D7191DB70CC058B92

Function 00AED56C Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 121comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.COMBASE(?,00000000,00000005,?,?), ref: 00AED5D4
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 00AED60A
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 00AED61B
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00AED69D

Strings

DllGetClassObject, xrefs: 00AED610

Memory Dump Source

Source File: 00000000.00000002.2177197772.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true

Associated: 00000000.00000002.2177164617.0000000000A90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177927609.0000000000B98000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178101088.0000000000B99000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_uOCavrYu1y.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: 87256085bfe1fd75f51d02f3ee2732e65414085827489191a1b11e37016ed715
Instruction ID: e076424c1d5756741402fda28baefb0a5e743d3b95f9e5fb1b509afb835c2755
Opcode Fuzzy Hash: 87256085bfe1fd75f51d02f3ee2732e65414085827489191a1b11e37016ed715
Instruction Fuzzy Hash: B841BEB1610244EFDB05CF66C884AAABBB9EF44314F1581ADEC09DF205DBB1DE40DBA0

Function 00AF2753 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00AF27C0
GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 00AF27DC
DeleteMenu.USER32(?,00000007,00000000), ref: 00AF2822
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00B55890,00000000), ref: 00AF286B

Strings

0, xrefs: 00AF27B5

Memory Dump Source

Source File: 00000000.00000002.2177197772.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true

Associated: 00000000.00000002.2177164617.0000000000A90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177927609.0000000000B98000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178101088.0000000000B99000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_uOCavrYu1y.jbxd

Similarity

API ID: Menu$Delete$InfoItem_memset
String ID: 0
API String ID: 1173514356-4108050209
Opcode ID: 80e70e57cb52325bae81d57da63a37bb9b693f76b2320582a1e7060043851104
Instruction ID: 41bc2b6bdbba500688551e4277691ea1c5edbd33b90210760e7799b413c52bee
Opcode Fuzzy Hash: 80e70e57cb52325bae81d57da63a37bb9b693f76b2320582a1e7060043851104
Instruction Fuzzy Hash: 7941B2702043459FDB20DF64CC45B7ABBE8EF85754F144A2DFA6597291DB30E805CBA2

Function 00B0D7A5 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 101COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 00B0D7C5

Part of subcall function 00A9784B: _memmove.LIBCMT ref: 00A97899

Strings

none, xrefs: 00B0D8A0
cdecl, xrefs: 00B0D81C
stdcall, xrefs: 00B0D847
winapi, xrefs: 00B0D836

Memory Dump Source

Source File: 00000000.00000002.2177197772.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true

Associated: 00000000.00000002.2177164617.0000000000A90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177927609.0000000000B98000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178101088.0000000000B99000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_uOCavrYu1y.jbxd

Similarity

API ID: BuffCharLower_memmove
String ID: cdecl$none$stdcall$winapi
API String ID: 3425801089-567219261
Opcode ID: a7174ac5724c5f83ad9427d7ed0e70f8fa7fe6d098719e9fcb404dec6e57be79
Instruction ID: ce825708a503b4de56b2bb109e821984fb6f3e300546b623209db71d59750bf6
Opcode Fuzzy Hash: a7174ac5724c5f83ad9427d7ed0e70f8fa7fe6d098719e9fcb404dec6e57be79
Instruction Fuzzy Hash: 2D317071A04619AFCF00EFA4C9519FEB7F9FF05320F108AA9E825976D1DB71A905CB90

Function 00AE8E90 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 94windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00A97DE1: _memmove.LIBCMT ref: 00A97E22

Part of subcall function 00AEAA99: GetClassNameW.USER32(?,?,000000FF), ref: 00AEAABC

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00AE8F14
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00AE8F27
SendMessageW.USER32(?,00000189,?,00000000), ref: 00AE8F57

Part of subcall function 00A97BCC: _memmove.LIBCMT ref: 00A97C06

Strings

ComboBox, xrefs: 00AE8E9E
ListBox, xrefs: 00AE8ED3

Memory Dump Source

Source File: 00000000.00000002.2177197772.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true

Associated: 00000000.00000002.2177164617.0000000000A90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177927609.0000000000B98000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178101088.0000000000B99000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_uOCavrYu1y.jbxd

Similarity

API ID: MessageSend$_memmove$ClassName
String ID: ComboBox$ListBox
API String ID: 365058703-1403004172
Opcode ID: 3b2438950cb97ddefa0bc38f6d921ce012bfdc684a23abfc2c53c0fa388a9abc
Instruction ID: 3bb5b37a8386c3d09f1fda679d40a8ad4835b53f6d9eb77423f705869a019688
Opcode Fuzzy Hash: 3b2438950cb97ddefa0bc38f6d921ce012bfdc684a23abfc2c53c0fa388a9abc
Instruction Fuzzy Hash: B3212371A04204BEEF14ABB1DC86DFFB7B9DF05360B148129F429971E1DF394909D620

Function 00B0182D Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 86networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00B0184C
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00B01872
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00B018A2
InternetCloseHandle.WININET(00000000), ref: 00B018E9

Part of subcall function 00B02483: GetLastError.KERNEL32(?,?,00B01817,00000000,00000000,00000001), ref: 00B02498
Part of subcall function 00B02483: SetEvent.KERNEL32(?,?,00B01817,00000000,00000000,00000001), ref: 00B024AD

Strings

, xrefs: 00B01893

Memory Dump Source

Source File: 00000000.00000002.2177197772.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true

Associated: 00000000.00000002.2177164617.0000000000A90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177927609.0000000000B98000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178101088.0000000000B99000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_uOCavrYu1y.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: ed2677b4b5f0fc4373870cbaa6edbfce401da6729e033276fbcae40aa2c528e0
Instruction ID: 844f297bc20975f72f87e7a869f4dc4322f8ebccc21ecd4d9fdffcafda548a19
Opcode Fuzzy Hash: ed2677b4b5f0fc4373870cbaa6edbfce401da6729e033276fbcae40aa2c528e0
Instruction Fuzzy Hash: DA2180B1500308BFEB159F68DC85EBF7BEDEB48754F10856AF50597280DA209E0597B1

Function 00B163E7 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 80windowlibraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00A91D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00A91D73
Part of subcall function 00A91D35: GetStockObject.GDI32(00000011), ref: 00A91D87
Part of subcall function 00A91D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00A91D91

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00B16461
LoadLibraryW.KERNEL32(?), ref: 00B16468
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00B1647D
DestroyWindow.USER32(?), ref: 00B16485

Strings

SysAnimate32, xrefs: 00B1643C

Memory Dump Source

Source File: 00000000.00000002.2177197772.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true

Associated: 00000000.00000002.2177164617.0000000000A90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177927609.0000000000B98000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178101088.0000000000B99000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_uOCavrYu1y.jbxd

Similarity

API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
String ID: SysAnimate32
API String ID: 4146253029-1011021900
Opcode ID: adac2257a6a9156d2ae8da300cbf1246ad200c43f9a48273ec34cd3831051c0b
Instruction ID: 95bb735ca9c0514ef5c60a7ea78b40266dc1b4a2231862fae96b807ea6cbc33a
Opcode Fuzzy Hash: adac2257a6a9156d2ae8da300cbf1246ad200c43f9a48273ec34cd3831051c0b
Instruction Fuzzy Hash: 6E215E71200205ABEF108FA4EC94EFB77EDEB59364FA08669FA5093290D7719C919760

Function 00AF6D9C Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 00AF6DBC
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00AF6DEF
GetStdHandle.KERNEL32(0000000C), ref: 00AF6E01
CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 00AF6E3B

Strings

nul, xrefs: 00AF6E36

Memory Dump Source

Source File: 00000000.00000002.2177197772.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true

Associated: 00000000.00000002.2177164617.0000000000A90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177927609.0000000000B98000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178101088.0000000000B99000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_uOCavrYu1y.jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: e412745b35ba87d3adeb7944bbea637f05edd0ec765a3fbd3e692b067516fa15
Instruction ID: 4a8869edf8aa20091c3e3b160e752729324745e9db93e52c7873d23aa89c8232
Opcode Fuzzy Hash: e412745b35ba87d3adeb7944bbea637f05edd0ec765a3fbd3e692b067516fa15
Instruction Fuzzy Hash: 3621A17560020EABDB209FA9DC05ABA7BF4EF54720F204A29FEE0D72D0DB709951DB50

Function 00AF6E6A Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 00AF6E89
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00AF6EBB
GetStdHandle.KERNEL32(000000F6), ref: 00AF6ECC
CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 00AF6F06

Strings

nul, xrefs: 00AF6F01

Memory Dump Source

Source File: 00000000.00000002.2177197772.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true

Associated: 00000000.00000002.2177164617.0000000000A90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177927609.0000000000B98000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178101088.0000000000B99000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_uOCavrYu1y.jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: ff90b3310c4320f88313e0b36b4e368ec10d7b2f7ce25af3253507173ddfe550
Instruction ID: 13a2394306c0ac602d4b0941ec09934a3357af278094a880927e81d5842e5c0d
Opcode Fuzzy Hash: ff90b3310c4320f88313e0b36b4e368ec10d7b2f7ce25af3253507173ddfe550
Instruction Fuzzy Hash: 6521627A60030A9BDB209FA9DC04ABA77A8AF55720F204A19FEE1D72D0DB709951CB50

Function 00AFAC40 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 73COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00AFAC54
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00AFACA8
__swprintf.LIBCMT ref: 00AFACC1
SetErrorMode.KERNEL32(00000000,00000001,00000000,00B1F910), ref: 00AFACFF

Strings

%lu, xrefs: 00AFACBB

Memory Dump Source

Source File: 00000000.00000002.2177197772.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true

Associated: 00000000.00000002.2177164617.0000000000A90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177927609.0000000000B98000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178101088.0000000000B99000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_uOCavrYu1y.jbxd

Similarity

API ID: ErrorMode$InformationVolume__swprintf
String ID: %lu
API String ID: 3164766367-685833217
Opcode ID: 8eafa80ef03721ea2f6f284c5bb385a54f27103460e5858d97e073c65a62fadd
Instruction ID: 438dc6431ae791ebe329a55c4f2d9501449b7e079f1cdbc66eece9aaf410a074
Opcode Fuzzy Hash: 8eafa80ef03721ea2f6f284c5bb385a54f27103460e5858d97e073c65a62fadd
Instruction Fuzzy Hash: 02214471A00109AFCB10DFA9C945DEF77F8EF49714B004469F509AB251DA31EA51DB61

Function 00AF1AE8 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 49COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00AF1B19

Strings

EXISTS, xrefs: 00AF1B41
REMOVE, xrefs: 00AF1B1F
APPEND, xrefs: 00AF1B52
KEYS, xrefs: 00AF1B30

Memory Dump Source

Source File: 00000000.00000002.2177197772.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true

Associated: 00000000.00000002.2177164617.0000000000A90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177927609.0000000000B98000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178101088.0000000000B99000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_uOCavrYu1y.jbxd

Similarity

API ID: BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 3964851224-769500911
Opcode ID: d3dc6dd07e79261c8692ca4b72ae265561981d0957779c726cdb0cf14686dbde
Instruction ID: 30a3756ab52c61878b676e17c4b5847284dad1e46b10cb9887941864ab97623d
Opcode Fuzzy Hash: d3dc6dd07e79261c8692ca4b72ae265561981d0957779c726cdb0cf14686dbde
Instruction Fuzzy Hash: AD113C31910119CFCF00FFA4D9629FEB7F4BF25704F5084A9E81467292EB325906DB50

Function 00B0EB55 Relevance: 7.7, APIs: 5, Instructions: 247COMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 00B0EC07
GetProcessIoCounters.KERNEL32(00000000,?), ref: 00B0EC37
GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 00B0ED6A
CloseHandle.KERNEL32(?), ref: 00B0EDEB

Memory Dump Source

Source File: 00000000.00000002.2177197772.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true

Associated: 00000000.00000002.2177164617.0000000000A90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177927609.0000000000B98000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178101088.0000000000B99000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_uOCavrYu1y.jbxd

Similarity

API ID: Process$CloseCountersHandleInfoMemoryOpen
String ID:
API String ID: 2364364464-0
Opcode ID: 5c1420c2fec6a6cecaf60cff26a9777ee7e714c8dbd8c79e6961684e59deec06
Instruction ID: 5e5cf960ad801aac087fd947518ec07d7fee16852b7047c9a9206372548ec81b
Opcode Fuzzy Hash: 5c1420c2fec6a6cecaf60cff26a9777ee7e714c8dbd8c79e6961684e59deec06
Instruction Fuzzy Hash: C3815D71604300AFDB20EF28C986B2AB7E5EF45710F04895DF9A9DB2D2DA74EC40CB91

Function 00B10037 Relevance: 7.6, APIs: 5, Instructions: 144registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00A97DE1: _memmove.LIBCMT ref: 00A97E22

Part of subcall function 00B10E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00B0FDAD,?,?), ref: 00B10E31

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00B100FD
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00B1013C
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 00B10183
RegCloseKey.ADVAPI32(?,?), ref: 00B101AF
RegCloseKey.ADVAPI32(00000000), ref: 00B101BC

Memory Dump Source

Source File: 00000000.00000002.2177197772.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true

Associated: 00000000.00000002.2177164617.0000000000A90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177927609.0000000000B98000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178101088.0000000000B99000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_uOCavrYu1y.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpper_memmove
String ID:
API String ID: 3440857362-0
Opcode ID: 82f87f71ab088e4069e9b7dcd465ac06649eeacb74f04d935b156929e6ce5525
Instruction ID: c4b4297b4fc78fad189a0699beadb15c7f4bba133d8ccb25c094e46d28ef9927
Opcode Fuzzy Hash: 82f87f71ab088e4069e9b7dcd465ac06649eeacb74f04d935b156929e6ce5525
Instruction Fuzzy Hash: BD518F31218204AFDB04EF68C981FAEB7E9FF88314F40895DF55597291DB71E984CB52

Function 00B0D8C8 Relevance: 7.6, APIs: 5, Instructions: 139libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00A99837: __itow.LIBCMT ref: 00A99862
Part of subcall function 00A99837: __swprintf.LIBCMT ref: 00A998AC

LoadLibraryW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 00B0D927
GetProcAddress.KERNEL32(00000000,?), ref: 00B0D9AA
GetProcAddress.KERNEL32(00000000,00000000), ref: 00B0D9C6
GetProcAddress.KERNEL32(00000000,?), ref: 00B0DA07
FreeLibrary.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,?,?), ref: 00B0DA21

Part of subcall function 00A95A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00AF7896,?,?,00000000), ref: 00A95A2C
Part of subcall function 00A95A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00AF7896,?,?,00000000,?,?), ref: 00A95A50

Memory Dump Source

Source File: 00000000.00000002.2177197772.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true

Associated: 00000000.00000002.2177164617.0000000000A90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177927609.0000000000B98000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178101088.0000000000B99000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_uOCavrYu1y.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad__itow__swprintf
String ID:
API String ID: 327935632-0
Opcode ID: fa9c4525c8a7437011a6952306df3bced1168dfb30ab01c4f8a090efac41ffad
Instruction ID: 36e32611652ea79eca2e8911c5ad11a2d40f91b0f4e080f94210aad9af3348cc
Opcode Fuzzy Hash: fa9c4525c8a7437011a6952306df3bced1168dfb30ab01c4f8a090efac41ffad
Instruction Fuzzy Hash: C4510935A00209EFCB01EFA8C5859ADBBF5FF09320B54C0A9E955AB392DB31AD45CF51

Function 00AFE571 Relevance: 7.6, APIs: 5, Instructions: 135COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00AFE61F
GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 00AFE648
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00AFE687

Part of subcall function 00A99837: __itow.LIBCMT ref: 00A99862
Part of subcall function 00A99837: __swprintf.LIBCMT ref: 00A998AC

WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00AFE6AC
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00AFE6B4

Memory Dump Source

Source File: 00000000.00000002.2177197772.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true

Associated: 00000000.00000002.2177164617.0000000000A90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177927609.0000000000B98000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178101088.0000000000B99000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_uOCavrYu1y.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
String ID:
API String ID: 1389676194-0
Opcode ID: 47894c34be1e987992923d03ab28d18635aa69c0438e1bf47e03ab91f5d95a0e
Instruction ID: a7ee2029d56b8f14fe92b596bee25dc53531733a975d9287cdfd803e1ffb68a9
Opcode Fuzzy Hash: 47894c34be1e987992923d03ab28d18635aa69c0438e1bf47e03ab91f5d95a0e
Instruction Fuzzy Hash: 7051EE35A00109EFCF01EF64C9819AEBBF9EF09314B1480A9F949AB361DB31ED11DB50

Function 00B1A056 Relevance: 7.6, APIs: 5, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2177197772.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true

Associated: 00000000.00000002.2177164617.0000000000A90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177927609.0000000000B98000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178101088.0000000000B99000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_uOCavrYu1y.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20a96fc2c85fc5bd8fbc7bd4fd8e3637003b06bb243530de3ca42d95f316f06e
Instruction ID: 6153368c4dc0ecce32ac7f4acd2d3ee389693b5e9f6039b089ae0e035dc128d1
Opcode Fuzzy Hash: 20a96fc2c85fc5bd8fbc7bd4fd8e3637003b06bb243530de3ca42d95f316f06e
Instruction Fuzzy Hash: 6741D235906204BFD721DF28CC89FE9BBE4EB0A320F9441A5E915B72E0CB30BD91DA51

Function 00A92344 Relevance: 7.6, APIs: 5, Instructions: 111keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00A92357
ScreenToClient.USER32(00B557B0,?), ref: 00A92374
GetAsyncKeyState.USER32(00000001), ref: 00A92399
GetAsyncKeyState.USER32(00000002), ref: 00A923A7

Memory Dump Source

Source File: 00000000.00000002.2177197772.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true

Associated: 00000000.00000002.2177164617.0000000000A90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177927609.0000000000B98000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178101088.0000000000B99000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_uOCavrYu1y.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: ff95272361793aa9fc909b880288038ab8e5d434e17baa166759691e408f1508
Instruction ID: 172140ac6e92f413fa0e45874473a52bb7a86b7c15c272a2dbe5a91e416f6b40
Opcode Fuzzy Hash: ff95272361793aa9fc909b880288038ab8e5d434e17baa166759691e408f1508
Instruction Fuzzy Hash: 81416135604115FBDF159F68C844FEABBB5FB05360F20435AF829A62A0CB359990DFA1

Function 00AE63AA Relevance: 7.6, APIs: 5, Instructions: 97windowCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00AE63E7
TranslateAcceleratorW.USER32(?,?,?), ref: 00AE6433
TranslateMessage.USER32(?), ref: 00AE645C
DispatchMessageW.USER32(?), ref: 00AE6466
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00AE6475

Memory Dump Source

Source File: 00000000.00000002.2177197772.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true

Associated: 00000000.00000002.2177164617.0000000000A90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177927609.0000000000B98000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178101088.0000000000B99000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_uOCavrYu1y.jbxd

Similarity

API ID: Message$PeekTranslate$AcceleratorDispatch
String ID:
API String ID: 2108273632-0
Opcode ID: 8808de142cea8f4e0783323db5ec7a082fd80377caaaf416bbbd47ec0df54dda
Instruction ID: bcede0a0049092d0b6b5fe4de7f7febf5a9a02a6222ca008a718ab67b6ae3af9
Opcode Fuzzy Hash: 8808de142cea8f4e0783323db5ec7a082fd80377caaaf416bbbd47ec0df54dda
Instruction Fuzzy Hash: 35310431900783AFDB60CFB1CD44BF67BB8AB24382F1449A5E421C70A1EB259884DB60

Function 00AE8A1F Relevance: 7.6, APIs: 5, Instructions: 89sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00AE8A30
PostMessageW.USER32(?,00000201,00000001), ref: 00AE8ADA
Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 00AE8AE2
PostMessageW.USER32(?,00000202,00000000), ref: 00AE8AF0
Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 00AE8AF8

Memory Dump Source

Source File: 00000000.00000002.2177197772.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true

Associated: 00000000.00000002.2177164617.0000000000A90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177927609.0000000000B98000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178101088.0000000000B99000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_uOCavrYu1y.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: 2cd809992d8182fd13f7814ad9b849d1e0f559f08c9c765da70292248aadccdc
Instruction ID: bb3003e1e552881afe23a5bebe3772941e12253b785655bfaab40d9a4b2a0abe
Opcode Fuzzy Hash: 2cd809992d8182fd13f7814ad9b849d1e0f559f08c9c765da70292248aadccdc
Instruction Fuzzy Hash: F831AD71500259EFDF14CFA9D948AAE3BB5FB04315F11822AF929E71D0CBB49914DB90

Function 00AEB1EC Relevance: 7.6, APIs: 5, Instructions: 88windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00AEB204
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00AEB221
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00AEB259
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00AEB27F
_wcsstr.LIBCMT ref: 00AEB289

Memory Dump Source

Source File: 00000000.00000002.2177197772.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true

Associated: 00000000.00000002.2177164617.0000000000A90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177927609.0000000000B98000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178101088.0000000000B99000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_uOCavrYu1y.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
String ID:
API String ID: 3902887630-0
Opcode ID: 8f7c66b01ebd83f007cb4a080f607c43144de08dd9afbcbf728e0fb7f7aa45fe
Instruction ID: ab4d5035ed4e4bb11f9f3a49799f72516d0cedf0519d079b3ac951115d864e1d
Opcode Fuzzy Hash: 8f7c66b01ebd83f007cb4a080f607c43144de08dd9afbcbf728e0fb7f7aa45fe
Instruction Fuzzy Hash: 9321F5322142417BEB159B769C49EFF7BACDF49760F108139F904DA1A1EF61DC40D260

Function 00B1B14B Relevance: 7.6, APIs: 5, Instructions: 85COMMON

Download Yara Rule

APIs

Part of subcall function 00A92612: GetWindowLongW.USER32(?,000000EB), ref: 00A92623

GetWindowLongW.USER32(?,000000F0), ref: 00B1B192
SetWindowLongW.USER32(00000000,000000F0,00000001), ref: 00B1B1B7
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 00B1B1CF
GetSystemMetrics.USER32(00000004), ref: 00B1B1F8
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047,?,?,?,?,?,?,?,00B00E90,00000000), ref: 00B1B216

Memory Dump Source

Source File: 00000000.00000002.2177197772.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true

Associated: 00000000.00000002.2177164617.0000000000A90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177927609.0000000000B98000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178101088.0000000000B99000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_uOCavrYu1y.jbxd

Similarity

API ID: Window$Long$MetricsSystem
String ID:
API String ID: 2294984445-0
Opcode ID: cd0e7c4090f33a2c6ca8c4e5a7ad9a1c600ca5b2ef44a51c604cdd874ff451bc
Instruction ID: 95b2bd67d766947751df48b60c3e7d38abf96361d9818cff01f079df5c73a8bc
Opcode Fuzzy Hash: cd0e7c4090f33a2c6ca8c4e5a7ad9a1c600ca5b2ef44a51c604cdd874ff451bc
Instruction Fuzzy Hash: 2E218271A20651EFCB209F389C54FAA3BE5EB15361F914768B922D71E0D7309860CB90

Function 00AE9307 Relevance: 7.6, APIs: 5, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00AE9320

Part of subcall function 00A97BCC: _memmove.LIBCMT ref: 00A97C06

SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00AE9352
__itow.LIBCMT ref: 00AE936A
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00AE9392
__itow.LIBCMT ref: 00AE93A3

Memory Dump Source

Source File: 00000000.00000002.2177197772.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true

Associated: 00000000.00000002.2177164617.0000000000A90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177927609.0000000000B98000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178101088.0000000000B99000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_uOCavrYu1y.jbxd

Similarity

API ID: MessageSend$__itow$_memmove
String ID:
API String ID: 2983881199-0
Opcode ID: 06a1430ab33e99c91d3f83de037d58c0e3cfb5f6f3a795a7a569a32dcd170f33
Instruction ID: 80f3d3fa48e5bf364ec8ecb2299a2835fc24529ff37d532ae7820882c8633dda
Opcode Fuzzy Hash: 06a1430ab33e99c91d3f83de037d58c0e3cfb5f6f3a795a7a569a32dcd170f33
Instruction Fuzzy Hash: F721C531700349ABDB20AB659D85EEF7BADEB48710F144029F905DB1D1DAB0CD41D7A1

Function 00B05A4D Relevance: 7.6, APIs: 5, Instructions: 70COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00B05A6E
GetForegroundWindow.USER32 ref: 00B05A85
GetDC.USER32(00000000), ref: 00B05AC1
GetPixel.GDI32(00000000,?,00000003), ref: 00B05ACD
ReleaseDC.USER32(00000000,00000003), ref: 00B05B08

Memory Dump Source

Source File: 00000000.00000002.2177197772.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true

Associated: 00000000.00000002.2177164617.0000000000A90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177927609.0000000000B98000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178101088.0000000000B99000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_uOCavrYu1y.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: eeecf08e8e864dd266c6e19cdf901adecffb0a49696294ba3cae73bfa96f252b
Instruction ID: b08e2d72e89de9bff2f85998838df278c40cab29b210232ac2542a2622be9e82
Opcode Fuzzy Hash: eeecf08e8e864dd266c6e19cdf901adecffb0a49696294ba3cae73bfa96f252b
Instruction Fuzzy Hash: A9218435A00504AFDB14EF69DD85AAABBE9EF48310F14C479F80997351CE34AD00CB90

Function 00A912F3 Relevance: 7.6, APIs: 5, Instructions: 67COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00A9134D
SelectObject.GDI32(?,00000000), ref: 00A9135C
BeginPath.GDI32(?), ref: 00A91373
SelectObject.GDI32(?,00000000), ref: 00A9139C

Memory Dump Source

Source File: 00000000.00000002.2177197772.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true

Associated: 00000000.00000002.2177164617.0000000000A90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177927609.0000000000B98000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178101088.0000000000B99000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_uOCavrYu1y.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 076ed53e2ac1dc9275fe5adb7394ad6fb15086e509db7abade169486b854a4d7
Instruction ID: 23136647e3167b65652e1eaba3abd2493cc08e0c1b7a955ca81f2c003848b1ec
Opcode Fuzzy Hash: 076ed53e2ac1dc9275fe5adb7394ad6fb15086e509db7abade169486b854a4d7
Instruction Fuzzy Hash: D1215130910705EBDF208F15DD487AA7BF8EB10323F548266F8119B1B0DB719991DF50

Function 00AEBC9E Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBCMT ref: 00AEBCB3
_memcmp.LIBCMT ref: 00AEBCD1
_memcmp.LIBCMT ref: 00AEBCE4
_memcmp.LIBCMT ref: 00AEBCFC
_memcmp.LIBCMT ref: 00AEBD14

Memory Dump Source

Source File: 00000000.00000002.2177197772.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true

Associated: 00000000.00000002.2177164617.0000000000A90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177927609.0000000000B98000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178101088.0000000000B99000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_uOCavrYu1y.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: f1f432d672270b2ca9c842fea361a826c71e31ff22e921d7fdb11ed2a5893722
Instruction ID: cd393ad7fe5be9166bc5b9a7967e7722188cf8ca34101a6a8a5c27f6d410fc15
Opcode Fuzzy Hash: f1f432d672270b2ca9c842fea361a826c71e31ff22e921d7fdb11ed2a5893722
Instruction Fuzzy Hash: AE01F1B22141597BD2046B13AE96FFBB7ACDEA4388B144420FD0896243FB20EE11C6B0

Function 00AF4A93 Relevance: 7.6, APIs: 5, Instructions: 56synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00AF4ABA
__beginthreadex.LIBCMT ref: 00AF4AD8
MessageBoxW.USER32(?,?,?,?), ref: 00AF4AED
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 00AF4B03
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00AF4B0A

Memory Dump Source

Source File: 00000000.00000002.2177197772.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true

Associated: 00000000.00000002.2177164617.0000000000A90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177927609.0000000000B98000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178101088.0000000000B99000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_uOCavrYu1y.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait__beginthreadex
String ID:
API String ID: 3824534824-0
Opcode ID: 399f7dfa11bbe8eca36093d6c6729dddb5c1f43f7b963493e3acabc327c76e98
Instruction ID: e4383023ee32a3b8509d68aa9f82561e9257a5eefe420b1aba835f05cb7c9623
Opcode Fuzzy Hash: 399f7dfa11bbe8eca36093d6c6729dddb5c1f43f7b963493e3acabc327c76e98
Instruction Fuzzy Hash: B111C876905619BBD7119FE8AC04BEB7FACEB49322F144269FA14D3251DA71C90487A0

Function 00AE8202 Relevance: 7.5, APIs: 5, Instructions: 49memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00AE821E
GetLastError.KERNEL32(?,00AE7CE2,?,?,?), ref: 00AE8228
GetProcessHeap.KERNEL32(00000008,?,?,00AE7CE2,?,?,?), ref: 00AE8237
RtlAllocateHeap.NTDLL(00000000,?,00AE7CE2), ref: 00AE823E
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00AE8255

Memory Dump Source

Source File: 00000000.00000002.2177197772.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true

Associated: 00000000.00000002.2177164617.0000000000A90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177927609.0000000000B98000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178101088.0000000000B99000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_uOCavrYu1y.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocateErrorLastProcess
String ID:
API String ID: 883493501-0
Opcode ID: 03845a0c8b65c03586507aa25ada1627a383c1eb92bd2666f80d318f6d75da25
Instruction ID: 53b7f6663ecb08fc82d45e35afbe7c9093a2031ffee637ed7074219f060c9f0d
Opcode Fuzzy Hash: 03845a0c8b65c03586507aa25ada1627a383c1eb92bd2666f80d318f6d75da25
Instruction Fuzzy Hash: 53016971600245BFDB204FA6EC48DBB7BACEF8A794B904569FA1DC3220DE318C10DA60

Function 00AE710A Relevance: 7.5, APIs: 5, Instructions: 48stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.COMBASE ref: 00AE7127
ProgIDFromCLSID.COMBASE(?,00000000), ref: 00AE7142
lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00AE7044,80070057,?,?), ref: 00AE7150
CoTaskMemFree.COMBASE(00000000), ref: 00AE7160
CLSIDFromString.COMBASE(?,?), ref: 00AE716C

Memory Dump Source

Source File: 00000000.00000002.2177197772.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true

Associated: 00000000.00000002.2177164617.0000000000A90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177927609.0000000000B98000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178101088.0000000000B99000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_uOCavrYu1y.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: 5b53312967a3410d45c7b4d81b35e1e5d7f662cbc946562666ea094b9f60003f
Instruction ID: cf799efa782683f0f67feb3fcd78cb2d0008ddb83d6b77f51075feb4a1502811
Opcode Fuzzy Hash: 5b53312967a3410d45c7b4d81b35e1e5d7f662cbc946562666ea094b9f60003f
Instruction Fuzzy Hash: 70017C76601305ABDB118F69DC44BAE7BADEB44791F144264FD08D3220EB31DE41DBA0

Function 00AF5244 Relevance: 7.5, APIs: 5, Instructions: 48sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00AF5260
QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00AF526E
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 00AF5276
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00AF5280
Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00AF52BC

Memory Dump Source

Source File: 00000000.00000002.2177197772.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true

Associated: 00000000.00000002.2177164617.0000000000A90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177927609.0000000000B98000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178101088.0000000000B99000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_uOCavrYu1y.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: e09325dce4fa51a28f91e0d4988f6d1196571e8072234458df7422c5af77d9e8
Instruction ID: 1b8bef664e544a25096407d458ec895103cade6fcee836e6aa70f68d20de96bf
Opcode Fuzzy Hash: e09325dce4fa51a28f91e0d4988f6d1196571e8072234458df7422c5af77d9e8
Instruction Fuzzy Hash: 48010531D01A1EEBCF00AFE5E849AFDBB78BB09711F814256EA45B3241CF305560C7A1

Function 00AE810A Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00AE8121
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00AE812B
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00AE813A
RtlAllocateHeap.NTDLL(00000000,?,TokenIntegrityLevel), ref: 00AE8141
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00AE8157

Memory Dump Source

Source File: 00000000.00000002.2177197772.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true

Associated: 00000000.00000002.2177164617.0000000000A90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177927609.0000000000B98000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178101088.0000000000B99000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_uOCavrYu1y.jbxd

Similarity

API ID: HeapInformationToken$AllocateErrorLastProcess
String ID:
API String ID: 47921759-0
Opcode ID: 698bdd514dc4f13363acae3c14a46ea391e9f35dc26b18e5b605a27fdca51a39
Instruction ID: 8b8bf1a01bc7caa1e063803f4e95b516b7a850dcdd24fed5fa86c45d14a474b1
Opcode Fuzzy Hash: 698bdd514dc4f13363acae3c14a46ea391e9f35dc26b18e5b605a27fdca51a39
Instruction Fuzzy Hash: 7DF04F75240305BFEB110FA5EC88EB73BACEF49754F404125FA49D7150CE659941EA60

Function 00AEC1E3 Relevance: 7.5, APIs: 5, Instructions: 41windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 00AEC1F7
GetWindowTextW.USER32(00000000,?,00000100), ref: 00AEC20E
MessageBeep.USER32(00000000), ref: 00AEC226
KillTimer.USER32(?,0000040A), ref: 00AEC242
EndDialog.USER32(?,00000001), ref: 00AEC25C

Memory Dump Source

Source File: 00000000.00000002.2177197772.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true

Associated: 00000000.00000002.2177164617.0000000000A90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177927609.0000000000B98000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178101088.0000000000B99000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_uOCavrYu1y.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: 83050c7adb29cc7e51b4a0a11d026e0fc552add77ef80e1c0a33fd8fbd97fad5
Instruction ID: 7ac572f654827fc964c84f41dbdc5be4f6c384206421eda9bf32b1747251f40b
Opcode Fuzzy Hash: 83050c7adb29cc7e51b4a0a11d026e0fc552add77ef80e1c0a33fd8fbd97fad5
Instruction Fuzzy Hash: 2601D630504705ABEB246B65ED4EFE677B8FF00B16F404269F642A24E0DBF06945CB90

Function 00A913B0 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 00A913BF
StrokeAndFillPath.GDI32(?,?,00ACB888,00000000,?), ref: 00A913DB
SelectObject.GDI32(?,00000000), ref: 00A913EE
DeleteObject.GDI32 ref: 00A91401
StrokePath.GDI32(?), ref: 00A9141C

Memory Dump Source

Source File: 00000000.00000002.2177197772.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true

Associated: 00000000.00000002.2177164617.0000000000A90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177927609.0000000000B98000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178101088.0000000000B99000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_uOCavrYu1y.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: 760c70f1f196c0bcfe192fde0ab54b20a57ba0237cd42510dc939ba5a96fd673
Instruction ID: 7b8624dcb9942aa97dc042b287269488bae47b39bef2366fca451b61c5604e4f
Opcode Fuzzy Hash: 760c70f1f196c0bcfe192fde0ab54b20a57ba0237cd42510dc939ba5a96fd673
Instruction Fuzzy Hash: FCF0EC30104B0AEBDF215F26EC5C7A83FE5A765327F48C265E42A8A1F1CB314996DF50

Function 00AE8992 Relevance: 7.5, APIs: 5, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 00AE899D
CloseHandle.KERNEL32(?), ref: 00AE89B2
CloseHandle.KERNEL32(?), ref: 00AE89BA
GetProcessHeap.KERNEL32(00000000,?), ref: 00AE89C3
HeapFree.KERNEL32(00000000), ref: 00AE89CA

Memory Dump Source

Source File: 00000000.00000002.2177197772.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true

Associated: 00000000.00000002.2177164617.0000000000A90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177927609.0000000000B98000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178101088.0000000000B99000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_uOCavrYu1y.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessSingleWait
String ID:
API String ID: 3751786701-0
Opcode ID: b7fb441ba8b2c2891e090e55067e943f7b41a17cdd8ebe65c3f3e4dc24bbb258
Instruction ID: b17b603ecd1876bf736ab74d1681ecbb6c4520a0b62048aad878abe317f56831
Opcode Fuzzy Hash: b7fb441ba8b2c2891e090e55067e943f7b41a17cdd8ebe65c3f3e4dc24bbb258
Instruction Fuzzy Hash: 22E0C236104402FBDA011FE1EC0C9AABB69FB8A322B908230F229920B0CF329430DB50

Function 00AFC397 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 279comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00AFC432
CoCreateInstance.COMBASE(00B22D6C,00000000,00000001,00B22BDC,?), ref: 00AFC44A

Part of subcall function 00A97DE1: _memmove.LIBCMT ref: 00A97E22

CoUninitialize.COMBASE ref: 00AFC6B7

Strings

.lnk, xrefs: 00AFC3C6, 00AFC3EE, 00AFC3F8

Memory Dump Source

Source File: 00000000.00000002.2177197772.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true

Associated: 00000000.00000002.2177164617.0000000000A90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177927609.0000000000B98000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178101088.0000000000B99000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_uOCavrYu1y.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_memmove
String ID: .lnk
API String ID: 2683427295-24824748
Opcode ID: 56b95e4e8d4d62767181c736faaef5766b24723b2a657b1cc8dfebbebe731d76
Instruction ID: 9d45402d7a50dede0e15177b4e087419a948c097b332714f2a645b83722af742
Opcode Fuzzy Hash: 56b95e4e8d4d62767181c736faaef5766b24723b2a657b1cc8dfebbebe731d76
Instruction Fuzzy Hash: 96A13C71208205AFD700EF64C991EAFB7E8FF95354F00491CF1559B1A2EB71EA49CB62

Function 00AA2CFB Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 265COMMON

Download Yara Rule

APIs

Part of subcall function 00AB0DB6: std::exception::exception.LIBCMT ref: 00AB0DEC
Part of subcall function 00AB0DB6: __CxxThrowException@8.LIBCMT ref: 00AB0E01

Part of subcall function 00A97DE1: _memmove.LIBCMT ref: 00A97E22

Part of subcall function 00A97A51: _memmove.LIBCMT ref: 00A97AAB

__swprintf.LIBCMT ref: 00AA2ECD

Strings

\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 00AA2D66

Memory Dump Source

Source File: 00000000.00000002.2177197772.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true

Associated: 00000000.00000002.2177164617.0000000000A90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177927609.0000000000B98000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178101088.0000000000B99000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_uOCavrYu1y.jbxd

Similarity

API ID: _memmove$Exception@8Throw__swprintfstd::exception::exception
String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
API String ID: 1943609520-557222456
Opcode ID: 711762afc7e50af50f2f4cb39542937aa8e3f892466e679f8ccc2a235e2b110b
Instruction ID: 50209cd818b0fc518fb97944c61c1d227e4a5548ffcb842f64ee11a38e1e653d
Opcode Fuzzy Hash: 711762afc7e50af50f2f4cb39542937aa8e3f892466e679f8ccc2a235e2b110b
Instruction Fuzzy Hash: C1913C716182019FDB14EF28C985D6FB7F8EF96710F04491EF4569B2A2EB20ED44CB62

Function 00AFB93B Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 261comCOMMON

Download Yara Rule

APIs

Part of subcall function 00A94750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00A94743,?,?,00A937AE,?), ref: 00A94770

CoInitialize.OLE32(00000000), ref: 00AFB9BB
CoCreateInstance.COMBASE(00B22D6C,00000000,00000001,00B22BDC,?), ref: 00AFB9D4
CoUninitialize.COMBASE ref: 00AFB9F1

Part of subcall function 00A99837: __itow.LIBCMT ref: 00A99862
Part of subcall function 00A99837: __swprintf.LIBCMT ref: 00A998AC

Strings

.lnk, xrefs: 00AFB99D, 00AFB9AB

Memory Dump Source

Source File: 00000000.00000002.2177197772.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true

Associated: 00000000.00000002.2177164617.0000000000A90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177927609.0000000000B98000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178101088.0000000000B99000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_uOCavrYu1y.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize__itow__swprintf
String ID: .lnk
API String ID: 2126378814-24824748
Opcode ID: 8b1ac98d0ef10701d3ca8e7f8c6a8f7836e80f849847e5445642f4f6fef22ec6
Instruction ID: 7a3795fd7c50e6b3499b32dc20b530315586e477cdfa659bd3d9cc596c592d29
Opcode Fuzzy Hash: 8b1ac98d0ef10701d3ca8e7f8c6a8f7836e80f849847e5445642f4f6fef22ec6
Instruction Fuzzy Hash: FAA13475604205AFCB00EF58C984D6AB7F9FF89314F048998F9999B2A1CB31ED45CB91

Function 00AB501D Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 180COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 00AB50AD

Part of subcall function 00AC00F0: __87except.LIBCMT ref: 00AC012B

Strings

pow, xrefs: 00AB5085, 00AB50A2

Memory Dump Source

Source File: 00000000.00000002.2177197772.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true

Associated: 00000000.00000002.2177164617.0000000000A90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177927609.0000000000B98000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178101088.0000000000B99000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_uOCavrYu1y.jbxd

Similarity

API ID: ErrorHandling__87except__start
String ID: pow
API String ID: 2905807303-2276729525
Opcode ID: 119f75202244379b11b9f22114a3d962b8596940d4c6e7c350c30c9484f98e73
Instruction ID: 6260d1fee5129f4c78ec48119a8b90e93776c95d256d5a08dd68dbd96f53e56e
Opcode Fuzzy Hash: 119f75202244379b11b9f22114a3d962b8596940d4c6e7c350c30c9484f98e73
Instruction Fuzzy Hash: CD515B71D0C601CADB217738D905FFE6BE8EB40700F248E5DE4E5862AADE348DC49A86

Function 00AA6192 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 141COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00AA6248
_memmove.LIBCMT ref: 00AA62E4
_memset.LIBCMT ref: 00AA6308

Strings

ERCP, xrefs: 00AA61B3

Memory Dump Source

Source File: 00000000.00000002.2177197772.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true

Associated: 00000000.00000002.2177164617.0000000000A90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177927609.0000000000B98000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178101088.0000000000B99000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_uOCavrYu1y.jbxd

Similarity

API ID: _memset$_memmove
String ID: ERCP
API String ID: 2532777613-1384759551
Opcode ID: a25640e537cd5487dd94b7dc0fc2b82bbe14d59679fb1c295a41c5ae14e3f4fd
Instruction ID: ce09083cd00d61daa6f5895451b288c1a0d85f3ab707331e6851d2b4e524285f
Opcode Fuzzy Hash: a25640e537cd5487dd94b7dc0fc2b82bbe14d59679fb1c295a41c5ae14e3f4fd
Instruction Fuzzy Hash: 0A518C71900305DBDB24CF65C981BEBBBF8EF49314F24456EE84ACB281E770AA858F50

Function 00AE97F5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 122windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00AF14BC: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00AE9296,?,?,00000034,00000800,?,00000034), ref: 00AF14E6

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00AE983F

Part of subcall function 00AF1487: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00AE92C5,?,?,00000800,?,00001073,00000000,?,?), ref: 00AF14B1

Part of subcall function 00AF13DE: GetWindowThreadProcessId.USER32(?,?), ref: 00AF1409
Part of subcall function 00AF13DE: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00AE925A,00000034,?,?,00001004,00000000,00000000), ref: 00AF1419
Part of subcall function 00AF13DE: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00AE925A,00000034,?,?,00001004,00000000,00000000), ref: 00AF142F

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00AE98AC
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00AE98F9

Strings

@, xrefs: 00AE9911

Memory Dump Source

Source File: 00000000.00000002.2177197772.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true

Associated: 00000000.00000002.2177164617.0000000000A90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177927609.0000000000B98000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178101088.0000000000B99000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_uOCavrYu1y.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: 254c8eb07d97b86224525f1c52991b358666663f1af65c1caf374472634506a3
Instruction ID: 8d4d68b6f29cabcfd0e4ade21f8a0ccfb082e2d28d728ab80aaa7ae04a471804
Opcode Fuzzy Hash: 254c8eb07d97b86224525f1c52991b358666663f1af65c1caf374472634506a3
Instruction Fuzzy Hash: 75415D7690021CBFDB10DFA4CD81AEEBBB8EF49300F104199FA55B7191DA716E85CBA1

Function 00B17946 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 110COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,00B1F910,00000000,?,?,?,?), ref: 00B179DF
GetWindowLongW.USER32 ref: 00B179FC
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00B17A0C

Strings

SysTreeView32, xrefs: 00B179B1

Memory Dump Source

Source File: 00000000.00000002.2177197772.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true

Associated: 00000000.00000002.2177164617.0000000000A90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177927609.0000000000B98000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178101088.0000000000B99000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_uOCavrYu1y.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: 058884a175750ba4f9e974c1c45e654df8727d6c4d1bef3be26964b5aff43006
Instruction ID: b6e22899e6a356894f1cb5a9094b075c6ec31b5c9ceca19c663b481416d2153d
Opcode Fuzzy Hash: 058884a175750ba4f9e974c1c45e654df8727d6c4d1bef3be26964b5aff43006
Instruction Fuzzy Hash: F331CB31244206ABDF118E38CC45BEA77E9EF09364F648725F8B5A32E0DB30ED918B50

Function 00B173D9 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00B17461
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00B17475
SendMessageW.USER32(?,00001002,00000000,?), ref: 00B17499

Strings

SysMonthCal32, xrefs: 00B1742C

Memory Dump Source

Source File: 00000000.00000002.2177197772.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true

Associated: 00000000.00000002.2177164617.0000000000A90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177927609.0000000000B98000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178101088.0000000000B99000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_uOCavrYu1y.jbxd

Similarity

API ID: MessageSend$Window
String ID: SysMonthCal32
API String ID: 2326795674-1439706946
Opcode ID: de6550f7661c1e6a8cec3582a2d600bcd38030c74caf21a95a3fade0d8534180
Instruction ID: 13fb3fd7bb188ff74bb0a1326de22b27e650bceef7a9350910d48c610ab90b5f
Opcode Fuzzy Hash: de6550f7661c1e6a8cec3582a2d600bcd38030c74caf21a95a3fade0d8534180
Instruction Fuzzy Hash: 7D21D332540219ABDF11CFA4CC42FEA3BB9EF48724F110154FE156B1D0DA75AC91DBA0

Function 00B17B93 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 88windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 00B17C4A
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 00B17C58
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00B17C5F

Strings

msctls_updown32, xrefs: 00B17BC4

Memory Dump Source

Source File: 00000000.00000002.2177197772.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true

Associated: 00000000.00000002.2177164617.0000000000A90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177927609.0000000000B98000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178101088.0000000000B99000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_uOCavrYu1y.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: 9cf5870309251dd27690bbae26532eff8bf72a382ce96d60f9da0dc788fd41c1
Instruction ID: 682d180fe70f39e5ae1533ccc137905a2a849854431414ae2b7efba25998d341
Opcode Fuzzy Hash: 9cf5870309251dd27690bbae26532eff8bf72a382ce96d60f9da0dc788fd41c1
Instruction Fuzzy Hash: CD217CB5204209AFDB10DF24DCD1DA737ECEB5A394B544099FA019B3A1CB31EC41CBA0

Function 00B16CB0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00B16D3B
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00B16D4B
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00B16D70

Strings

Listbox, xrefs: 00B16D08

Memory Dump Source

Source File: 00000000.00000002.2177197772.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true

Associated: 00000000.00000002.2177164617.0000000000A90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177927609.0000000000B98000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178101088.0000000000B99000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_uOCavrYu1y.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: 511358342a41094ac88b23837740cebee8130513f6ee9c57fef92e4dd2f343b8
Instruction ID: f1193e1c8fbc52ad49277173801b697d206b6c48128db22e7ae1e7d359a40b02
Opcode Fuzzy Hash: 511358342a41094ac88b23837740cebee8130513f6ee9c57fef92e4dd2f343b8
Instruction Fuzzy Hash: FE218032600118BFDF118F54DC45FFB3BBAEB89764F918168F9459B1A0CA719C9197A0

Function 00B1770E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 66windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00B17772
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00B17787
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00B17794

Strings

msctls_trackbar32, xrefs: 00B17749

Memory Dump Source

Source File: 00000000.00000002.2177197772.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true

Associated: 00000000.00000002.2177164617.0000000000A90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177927609.0000000000B98000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178101088.0000000000B99000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_uOCavrYu1y.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: cddfa15ed0ebb528d2db5541e164cc50e97d6f337247be485baba5c8adeb1f8b
Instruction ID: 9f5e9d88233775e4e994439466feeb40f8a0a7bc672eaf4f6325ad749fe91cce
Opcode Fuzzy Hash: cddfa15ed0ebb528d2db5541e164cc50e97d6f337247be485baba5c8adeb1f8b
Instruction Fuzzy Hash: 6D11E772244209BAEF209F65CC45FE777B9EF88B64F114518FA41970D0DA71EC51DB10

Function 00A94B37 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00A94AD0), ref: 00A94B45
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00A94B57

Strings

kernel32.dll, xrefs: 00A94B40
GetNativeSystemInfo, xrefs: 00A94B51

Memory Dump Source

Source File: 00000000.00000002.2177197772.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true

Associated: 00000000.00000002.2177164617.0000000000A90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177927609.0000000000B98000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178101088.0000000000B99000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_uOCavrYu1y.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetNativeSystemInfo$kernel32.dll
API String ID: 2574300362-192647395
Opcode ID: 71ccf883f14d64934d37d0f33d25f430f15f2c1bc47112c4669202b5a19fce19
Instruction ID: 8ddaccfebbb5e5448efc777e5fd2cbb5b343a9b53eade53fca58fa40409dad2f
Opcode Fuzzy Hash: 71ccf883f14d64934d37d0f33d25f430f15f2c1bc47112c4669202b5a19fce19
Instruction Fuzzy Hash: 99D0C230A00713DFDB209F31E818B9272E4AF04350B50C8399485D2160DA70D4C0C614

Function 00A94C36 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00A94B83,?), ref: 00A94C44
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00A94C56

Strings

kernel32.dll, xrefs: 00A94C3F
Wow64RevertWow64FsRedirection, xrefs: 00A94C50

Memory Dump Source

Source File: 00000000.00000002.2177197772.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true

Associated: 00000000.00000002.2177164617.0000000000A90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177927609.0000000000B98000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178101088.0000000000B99000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_uOCavrYu1y.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 2574300362-1355242751
Opcode ID: adff2a90255d74427e4759372dfe94f280c21d810c12b9ab6aae26cb226e0b90
Instruction ID: 78f8526157d9f70ddc69d409dca4fd95d32c12409c60a9a18be474cad75977cd
Opcode Fuzzy Hash: adff2a90255d74427e4759372dfe94f280c21d810c12b9ab6aae26cb226e0b90
Instruction Fuzzy Hash: 6FD0C730604B23DFCB208F31D808BAA72E4AF09342B50C83A9496E6270EA70D880CA10

Function 00A94C03 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00A94BD0,?,00A94DEF,?,00B552F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00A94C11
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00A94C23

Strings

Wow64DisableWow64FsRedirection, xrefs: 00A94C1D
kernel32.dll, xrefs: 00A94C0C

Memory Dump Source

Source File: 00000000.00000002.2177197772.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true

Associated: 00000000.00000002.2177164617.0000000000A90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177927609.0000000000B98000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178101088.0000000000B99000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_uOCavrYu1y.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 2574300362-3689287502
Opcode ID: 9886569b1129d223ba320566e8fe630568e3906903b64ef958b6db4b55a1763b
Instruction ID: 8576c59422164fcae6cb5500154d7ab36727da41bde5bb71629c42be7550fd7e
Opcode Fuzzy Hash: 9886569b1129d223ba320566e8fe630568e3906903b64ef958b6db4b55a1763b
Instruction Fuzzy Hash: 70D0C230600B13DFCB205F70D808757B6D5EF08342B40CC399485D2160EAB0C480CA10

Function 00B10DE7 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(advapi32.dll,?,00B11039), ref: 00B10DF5
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00B10E07

Strings

advapi32.dll, xrefs: 00B10DF0
RegDeleteKeyExW, xrefs: 00B10E01

Memory Dump Source

Source File: 00000000.00000002.2177197772.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true

Associated: 00000000.00000002.2177164617.0000000000A90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177927609.0000000000B98000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178101088.0000000000B99000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_uOCavrYu1y.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2574300362-4033151799
Opcode ID: 5f098b305af107b22ba2952ad0e79873f15937ba83cc5870e0c17b483781b279
Instruction ID: 9b87f2c1d19b2a2a93b25dc3fdf54a956430c24f623c10b042ac7c0ac32c10da
Opcode Fuzzy Hash: 5f098b305af107b22ba2952ad0e79873f15937ba83cc5870e0c17b483781b279
Instruction Fuzzy Hash: BBD0EC71910713DFD7205B75C80869776D5AF14351F51CC6EA485D2160DAB0D4E0C650

Function 00B090E0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,00000001,00B08CF4,?,00B1F910), ref: 00B090EE
GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 00B09100

Strings

kernel32.dll, xrefs: 00B090E9
GetModuleHandleExW, xrefs: 00B090FA

Memory Dump Source

Source File: 00000000.00000002.2177197772.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true

Associated: 00000000.00000002.2177164617.0000000000A90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177927609.0000000000B98000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178101088.0000000000B99000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_uOCavrYu1y.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetModuleHandleExW$kernel32.dll
API String ID: 2574300362-199464113
Opcode ID: 852303b1949313a46c309bce3e6f4f0823e2497e0d19663651324cf505548d1d
Instruction ID: 038ecd4fc8a41fbfbe5a3e48e510f8ef3fc1e78d369a721a066e0d1e36352bb6
Opcode Fuzzy Hash: 852303b1949313a46c309bce3e6f4f0823e2497e0d19663651324cf505548d1d
Instruction Fuzzy Hash: 9ED01734614713EFEB209F31D8196967AE5EF05351B52CCBA9486E65A1EAB4C880CA90

Function 00AD1714 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00AD1718
__swprintf.LIBCMT ref: 00AD1749

Strings

WIN_XPe, xrefs: 00AD1788
%.3d, xrefs: 00AD1723

Memory Dump Source

Source File: 00000000.00000002.2177197772.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true

Associated: 00000000.00000002.2177164617.0000000000A90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177927609.0000000000B98000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178101088.0000000000B99000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_uOCavrYu1y.jbxd

Similarity

API ID: LocalTime__swprintf
String ID: %.3d$WIN_XPe
API String ID: 2070861257-2409531811
Opcode ID: 59df64ae07d4e3b2924a25a3d7aacc60908abd307ea57977071115026511f487
Instruction ID: 6b50bad641ce38a8cbf43bcaf78b0099b25c6b203cea1c5a0a902d625d2e05dd
Opcode Fuzzy Hash: 59df64ae07d4e3b2924a25a3d7aacc60908abd307ea57977071115026511f487
Instruction Fuzzy Hash: 03D05E72908109FBCB04DBD09C89CFA77FCAB09311F500563F503E2261E6359B94EE21

Function 00AE717D Relevance: 6.3, APIs: 4, Instructions: 333COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2177197772.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true

Associated: 00000000.00000002.2177164617.0000000000A90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177927609.0000000000B98000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178101088.0000000000B99000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_uOCavrYu1y.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0b568ef1d5be885422c3e8a8891366886e5163a8ff9ff89a23bb28ae538345e
Instruction ID: b5b6d2af8ba514c8394e8b7b21b397cce0290cd09153e2d144886c181242ebb1
Opcode Fuzzy Hash: e0b568ef1d5be885422c3e8a8891366886e5163a8ff9ff89a23bb28ae538345e
Instruction Fuzzy Hash: 2EC18D74A04256EFDB14CFA9C884EAEBBB5FF48704B148598F805EB251D730ED81DB90

Function 00B0E02A Relevance: 6.3, APIs: 4, Instructions: 307memoryCOMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 00B0E0BE
CharLowerBuffW.USER32(?,?), ref: 00B0E101

Part of subcall function 00B0D7A5: CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 00B0D7C5

VirtualAlloc.KERNEL32(00000000,00000077,00003000,00000040), ref: 00B0E301
_memmove.LIBCMT ref: 00B0E314

Memory Dump Source

Source File: 00000000.00000002.2177197772.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true

Associated: 00000000.00000002.2177164617.0000000000A90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177927609.0000000000B98000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178101088.0000000000B99000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_uOCavrYu1y.jbxd

Similarity

API ID: BuffCharLower$AllocVirtual_memmove
String ID:
API String ID: 3659485706-0
Opcode ID: a645b9e693ce8339a5f75443c771d507d3c5f3d347d016da10078a3ea85670f3
Instruction ID: 771929a02d08779e18c2d0fdfffe05782f51be9d568eb99c1ae589736f2fbe58
Opcode Fuzzy Hash: a645b9e693ce8339a5f75443c771d507d3c5f3d347d016da10078a3ea85670f3
Instruction Fuzzy Hash: 57C14A71608301DFC714DF28C481A6ABBE4FF89714F1489ADF8999B391D731E945CB91

Function 00B08093 Relevance: 6.3, APIs: 4, Instructions: 267COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00B080C3
CoUninitialize.COMBASE ref: 00B080CE

Part of subcall function 00AED56C: CoCreateInstance.COMBASE(?,00000000,00000005,?,?), ref: 00AED5D4

VariantInit.OLEAUT32(?), ref: 00B080D9
VariantClear.OLEAUT32(?), ref: 00B083AA

Memory Dump Source

Source File: 00000000.00000002.2177197772.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true

Associated: 00000000.00000002.2177164617.0000000000A90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177927609.0000000000B98000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178101088.0000000000B99000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_uOCavrYu1y.jbxd

Similarity

API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
String ID:
API String ID: 780911581-0
Opcode ID: a4e2ebdbb577a11b34435decef0df4303f2b0840c9ecc459c182736b0368ac30
Instruction ID: 620a5ce20f3d1c42a3949a07afd664a03edc68a674daa3ad6dbf0722bc906fa6
Opcode Fuzzy Hash: a4e2ebdbb577a11b34435decef0df4303f2b0840c9ecc459c182736b0368ac30
Instruction Fuzzy Hash: 46A13775604701AFCB10DF58C581A2ABBE8FF89754F14849CF9959B3A2DB30ED05CB86

Function 00AE7530 Relevance: 6.2, APIs: 4, Instructions: 231COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.COMBASE(?,00000000), ref: 00AE76EA
CoTaskMemFree.COMBASE(00000000), ref: 00AE7702
CLSIDFromProgID.COMBASE(?,?), ref: 00AE7727
_memcmp.LIBCMT ref: 00AE7748

Memory Dump Source

Source File: 00000000.00000002.2177197772.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true

Associated: 00000000.00000002.2177164617.0000000000A90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177927609.0000000000B98000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178101088.0000000000B99000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_uOCavrYu1y.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: aeb5077a8edf12f769318492f96d1bf17968da18366b693205e4eed7d9dd4545
Instruction ID: 6959d02f858129e02eff4481ce98cb7149eebf5bb945d0000c68d659c9e1fdce
Opcode Fuzzy Hash: aeb5077a8edf12f769318492f96d1bf17968da18366b693205e4eed7d9dd4545
Instruction Fuzzy Hash: A781EC75A10109EFCF04DFA9C984EEEB7B9FF89315F204598E505AB250DB71AE06CB60

Function 00AE687D Relevance: 6.2, APIs: 4, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00AE688E
SysAllocString.OLEAUT32(00000000), ref: 00AE6937
VariantCopy.OLEAUT32 ref: 00AE6966
VariantClear.OLEAUT32(?), ref: 00AE698D

Memory Dump Source

Source File: 00000000.00000002.2177197772.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true

Associated: 00000000.00000002.2177164617.0000000000A90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177927609.0000000000B98000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178101088.0000000000B99000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_uOCavrYu1y.jbxd

Similarity

API ID: Variant$AllocClearCopyInitString
String ID:
API String ID: 2808897238-0
Opcode ID: 1e1eb8372ab1745106599e6c3519f25eecdefda24132ebe500323ed0d1d8949f
Instruction ID: b5b1e929bdf92f0eeab04c3d5947742b1e02679730bd4f84e51ee770e2f6c354
Opcode Fuzzy Hash: 1e1eb8372ab1745106599e6c3519f25eecdefda24132ebe500323ed0d1d8949f
Instruction Fuzzy Hash: 8351C774B003819EDF24AF66D891A7AB7F5AF65390F20DC2FE586D7292EA74D8408701

Function 00B197F4 Relevance: 6.1, APIs: 4, Instructions: 140COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(00C8ECE0,?), ref: 00B19863
ScreenToClient.USER32(00000002,00000002), ref: 00B19896
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,00000002,?,?), ref: 00B19903

Memory Dump Source

Source File: 00000000.00000002.2177197772.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true

Associated: 00000000.00000002.2177164617.0000000000A90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177927609.0000000000B98000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178101088.0000000000B99000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_uOCavrYu1y.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: e163df23211f19581a1b518fd5bf27c8abb24580c6cbde31dd949cc31ff1249e
Instruction ID: 2946a09021442096b3d4a84913ea3383d0a4b118d8fd1a8933d39d165a73a348
Opcode Fuzzy Hash: e163df23211f19581a1b518fd5bf27c8abb24580c6cbde31dd949cc31ff1249e
Instruction Fuzzy Hash: 65512D34A00249AFDF24CF54C890AEE7BF5FF463A1F548199F8559B2A0D730AD81CB90

Function 00AE9A80 Relevance: 6.1, APIs: 4, Instructions: 129windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000110A,00000004,00000000), ref: 00AE9AD2
__itow.LIBCMT ref: 00AE9B03

Part of subcall function 00AE9D53: SendMessageW.USER32(?,0000113E,00000000,00000000), ref: 00AE9DBE

SendMessageW.USER32(?,0000110A,00000001,?), ref: 00AE9B6C
__itow.LIBCMT ref: 00AE9BC3

Memory Dump Source

Source File: 00000000.00000002.2177197772.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true

Associated: 00000000.00000002.2177164617.0000000000A90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177927609.0000000000B98000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178101088.0000000000B99000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_uOCavrYu1y.jbxd

Similarity

API ID: MessageSend$__itow
String ID:
API String ID: 3379773720-0
Opcode ID: 9689c61a147546a41bdcccd68d4f2ac8f83a30bfefcc5c37fd17fdded5182fbe
Instruction ID: c871402ebf043cf08474676e17c515d6c00e291fdbe7b1f571e4aa07e20afde7
Opcode Fuzzy Hash: 9689c61a147546a41bdcccd68d4f2ac8f83a30bfefcc5c37fd17fdded5182fbe
Instruction Fuzzy Hash: 13416A70A00348ABDF25EF65D946BEE7BF9EF48750F000069F905A7291DB709A44CBA1

Function 00AFB7F4 Relevance: 6.1, APIs: 4, Instructions: 111fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00AFB89E
GetLastError.KERNEL32(?,00000000), ref: 00AFB8C4
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 00AFB8E9
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 00AFB915

Memory Dump Source

Source File: 00000000.00000002.2177197772.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true

Associated: 00000000.00000002.2177164617.0000000000A90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177927609.0000000000B98000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178101088.0000000000B99000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_uOCavrYu1y.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: bfb9e7f2f357b9942feb0136da9188c2d695406d759973fc23339057bcc46102
Instruction ID: cf1822961e382bef3d4fa732a2cd832032fbbce8640f6360b8673670fd3a8a83
Opcode Fuzzy Hash: bfb9e7f2f357b9942feb0136da9188c2d695406d759973fc23339057bcc46102
Instruction Fuzzy Hash: 0F411739600515EFCB10EF58C585A6ABBE9AF49310B09C098FD4A9B362DB30ED01CB91

Function 00B18851 Relevance: 6.1, APIs: 4, Instructions: 109COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00B188DE

Memory Dump Source

Source File: 00000000.00000002.2177197772.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true

Associated: 00000000.00000002.2177164617.0000000000A90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177927609.0000000000B98000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178101088.0000000000B99000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_uOCavrYu1y.jbxd

Similarity

API ID: InvalidateRect
String ID:
API String ID: 634782764-0
Opcode ID: 82afdee3115113eaafeae6e582f4486c49c1d07901c3e1fd08d0e6ae8c9d0a7d
Instruction ID: fa8ef80c0863513d8fea1a89de4e1f53d3322d2f5374d67f8c4d45530828bf52
Opcode Fuzzy Hash: 82afdee3115113eaafeae6e582f4486c49c1d07901c3e1fd08d0e6ae8c9d0a7d
Instruction Fuzzy Hash: D631B434600109AFEF209A58DC85BF877E5FB06390FE44192FA55E71A1CE70E9C0D752

Function 00B1AB37 Relevance: 6.1, APIs: 4, Instructions: 106windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 00B1AB60
GetWindowRect.USER32(?,?), ref: 00B1ABD6
PtInRect.USER32(?,?,00B1C014), ref: 00B1ABE6
MessageBeep.USER32(00000000), ref: 00B1AC57

Memory Dump Source

Source File: 00000000.00000002.2177197772.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true

Associated: 00000000.00000002.2177164617.0000000000A90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177927609.0000000000B98000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178101088.0000000000B99000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_uOCavrYu1y.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: 84f7bcfd489e20f4ee8a93043df6e8a6612eb5553587724575d11dc95b9807d0
Instruction ID: dac1cbb99b966d2b4faef5065c55df79d2ff74d54b043bcc8353098c3883f3c0
Opcode Fuzzy Hash: 84f7bcfd489e20f4ee8a93043df6e8a6612eb5553587724575d11dc95b9807d0
Instruction Fuzzy Hash: 9E417C30601219DFCB21DF58D894BA97BF6FB49311F9480E9E8149B260DB30B881CB92

Function 00AF0AD6 Relevance: 6.1, APIs: 4, Instructions: 105keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000000,?,00000001), ref: 00AF0B27
SetKeyboardState.USER32(00000080,?,00000001), ref: 00AF0B43
PostMessageW.USER32(00000000,00000102,00000001,00000001), ref: 00AF0BA9
SendInput.USER32(00000001,00000000,0000001C,00000000,?,00000001), ref: 00AF0BFB

Memory Dump Source

Source File: 00000000.00000002.2177197772.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true

Associated: 00000000.00000002.2177164617.0000000000A90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177927609.0000000000B98000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178101088.0000000000B99000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_uOCavrYu1y.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 3aa8435fa05a16668529013800f623edc573b206af3531abdd007f6f20bc6390
Instruction ID: 26e9f4ed2b687238bf1c3c704f860ca873d5c511c6b7139112cd49288f0b44f1
Opcode Fuzzy Hash: 3aa8435fa05a16668529013800f623edc573b206af3531abdd007f6f20bc6390
Instruction Fuzzy Hash: FE313870D4021CAEFF308BA58C05FFABBBAEB45318F58826AF691921D3C7758941D751

Function 00AF0C11 Relevance: 6.1, APIs: 4, Instructions: 101keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,7694C0D0,?,00008000), ref: 00AF0C66
SetKeyboardState.USER32(00000080,?,00008000), ref: 00AF0C82
PostMessageW.USER32(00000000,00000101,00000000), ref: 00AF0CE1
SendInput.USER32(00000001,?,0000001C,7694C0D0,?,00008000), ref: 00AF0D33

Memory Dump Source

Source File: 00000000.00000002.2177197772.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true

Associated: 00000000.00000002.2177164617.0000000000A90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177927609.0000000000B98000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178101088.0000000000B99000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_uOCavrYu1y.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 919de025a7bd4c62cf4c5f1a743667581346e92736dac97bcf2fa0c1b681f583
Instruction ID: d939c5da5bd22310710930417039cd19123443eeec31faadd35fb724edce20a4
Opcode Fuzzy Hash: 919de025a7bd4c62cf4c5f1a743667581346e92736dac97bcf2fa0c1b681f583
Instruction Fuzzy Hash: 0231243094021CAEFF308BE58C14FFEBBB6AB45320F54832AFA95521D2C3359956C7A1

Function 00AC61C5 Relevance: 6.1, APIs: 4, Instructions: 97COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00AC61FB
__isleadbyte_l.LIBCMT ref: 00AC6229
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 00AC6257
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 00AC628D

Memory Dump Source

Source File: 00000000.00000002.2177197772.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true

Associated: 00000000.00000002.2177164617.0000000000A90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177927609.0000000000B98000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178101088.0000000000B99000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_uOCavrYu1y.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: ddbf2e4b19a84106a174347a1f0106bdfdd0dbffd87164b4a57a5fd43bbeaa67
Instruction ID: 3eece106e8d2392c3d282469582bc5e95818ede5bd5af87e26fe4c6876d7c640
Opcode Fuzzy Hash: ddbf2e4b19a84106a174347a1f0106bdfdd0dbffd87164b4a57a5fd43bbeaa67
Instruction Fuzzy Hash: 8A318C31A04246AFDF21CF65CC48FEA7BB9BF41310F16412DE864971A2EB31E950DB90

Function 00B14EEE Relevance: 6.1, APIs: 4, Instructions: 95COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 00B14F02

Part of subcall function 00AF3641: GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00AF365B
Part of subcall function 00AF3641: GetCurrentThreadId.KERNEL32 ref: 00AF3662
Part of subcall function 00AF3641: AttachThreadInput.USER32(00000000,?,00AF5005), ref: 00AF3669

GetCaretPos.USER32(?), ref: 00B14F13
ClientToScreen.USER32(00000000,?), ref: 00B14F4E
GetForegroundWindow.USER32 ref: 00B14F54

Memory Dump Source

Source File: 00000000.00000002.2177197772.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true

Associated: 00000000.00000002.2177164617.0000000000A90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177927609.0000000000B98000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178101088.0000000000B99000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_uOCavrYu1y.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: a0af5b97362af0bd5125f43c9da8d853aea24219afb9a647babbbe51a9137cfd
Instruction ID: 325fbe2a40cce6cecbe8272b9af336d56682468f0c63f6025250b4c54fc95078
Opcode Fuzzy Hash: a0af5b97362af0bd5125f43c9da8d853aea24219afb9a647babbbe51a9137cfd
Instruction Fuzzy Hash: 69313E72E00108AFDB00EFA9C9859EFB7FDEF99300F10446AE415E7241EA759E45CBA0

Function 00AE8656 Relevance: 6.1, APIs: 4, Instructions: 79memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00AE810A: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00AE8121
Part of subcall function 00AE810A: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00AE812B
Part of subcall function 00AE810A: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00AE813A
Part of subcall function 00AE810A: RtlAllocateHeap.NTDLL(00000000,?,TokenIntegrityLevel), ref: 00AE8141
Part of subcall function 00AE810A: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00AE8157

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 00AE86A3
_memcmp.LIBCMT ref: 00AE86C6
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00AE86FC
HeapFree.KERNEL32(00000000), ref: 00AE8703

Memory Dump Source

Source File: 00000000.00000002.2177197772.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true

Associated: 00000000.00000002.2177164617.0000000000A90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177927609.0000000000B98000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178101088.0000000000B99000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_uOCavrYu1y.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocateErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 2182266621-0
Opcode ID: 5310f8818cce580f609c79600177f74cc73c9296b217dabbc413f19a519985e8
Instruction ID: 0b21dbafb02ee9c6245c3559075fd5ffd10299698d92d150f71e37659bc49485
Opcode Fuzzy Hash: 5310f8818cce580f609c79600177f74cc73c9296b217dabbc413f19a519985e8
Instruction Fuzzy Hash: 1921AF71E40149EFDB10DFA6CA49BEEB7B8FF44308F158459E848AB241DB34AE05CB90

Function 00AB098C Relevance: 6.1, APIs: 4, Instructions: 79COMMON

Download Yara Rule

APIs

__setmode.LIBCMT ref: 00AB09AE

Part of subcall function 00A95A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00AF7896,?,?,00000000), ref: 00A95A2C
Part of subcall function 00A95A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00AF7896,?,?,00000000,?,?), ref: 00A95A50

_fprintf.LIBCMT ref: 00AB09E5
OutputDebugStringW.KERNEL32(?), ref: 00AE5DBB

Part of subcall function 00AB4AAA: _flsall.LIBCMT ref: 00AB4AC3

__setmode.LIBCMT ref: 00AB0A1A

Memory Dump Source

Source File: 00000000.00000002.2177197772.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true

Associated: 00000000.00000002.2177164617.0000000000A90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177927609.0000000000B98000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178101088.0000000000B99000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_uOCavrYu1y.jbxd

Similarity

API ID: ByteCharMultiWide__setmode$DebugOutputString_flsall_fprintf
String ID:
API String ID: 521402451-0
Opcode ID: 8003973a7c7288d8321e0dcaea3cc2934ae0962ae9ef865d1b223236dbde3899
Instruction ID: a3179d8a137669d3576cbe079f42dbd5eae10258cb62f767a6ed6a8762f5d26c
Opcode Fuzzy Hash: 8003973a7c7288d8321e0dcaea3cc2934ae0962ae9ef865d1b223236dbde3899
Instruction Fuzzy Hash: 91112431A046087FDB04B3B8AC879FE77AC9F59360F200159F10557183EE20584297A4

Function 00B01767 Relevance: 6.1, APIs: 4, Instructions: 78networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00B017A3

Part of subcall function 00B0182D: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00B0184C
Part of subcall function 00B0182D: InternetCloseHandle.WININET(00000000), ref: 00B018E9

Memory Dump Source

Source File: 00000000.00000002.2177197772.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true

Associated: 00000000.00000002.2177164617.0000000000A90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177927609.0000000000B98000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178101088.0000000000B99000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_uOCavrYu1y.jbxd

Similarity

API ID: Internet$CloseConnectHandleOpen
String ID:
API String ID: 1463438336-0
Opcode ID: 9e366e347852d54422ccaca7bb9bd25efae0184a919604dd349ae4d30b5e33b2
Instruction ID: dc89115e4c1301db48674634f4146c08007afa769771fa27f4e46cb897f4df11
Opcode Fuzzy Hash: 9e366e347852d54422ccaca7bb9bd25efae0184a919604dd349ae4d30b5e33b2
Instruction Fuzzy Hash: 7B21CF71200701BFEB1A9F648C40FBABFE9FF48B10F10846AFA05966D0DB71991097A0

Function 00AF3A2A Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,00B1FAC0), ref: 00AF3A64
GetLastError.KERNEL32 ref: 00AF3A73
CreateDirectoryW.KERNEL32(?,00000000), ref: 00AF3A82
CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,00B1FAC0), ref: 00AF3ADF

Memory Dump Source

Source File: 00000000.00000002.2177197772.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true

Associated: 00000000.00000002.2177164617.0000000000A90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177927609.0000000000B98000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178101088.0000000000B99000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_uOCavrYu1y.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast
String ID:
API String ID: 2267087916-0
Opcode ID: e761f6a92d61de7ac43c598fef87fc731600d5450df3beef15a19c247678b61c
Instruction ID: 3dc77dad5c7bc0b69d28ada176230fa7300719c2dd53033a87b7aa77353a5ccf
Opcode Fuzzy Hash: e761f6a92d61de7ac43c598fef87fc731600d5450df3beef15a19c247678b61c
Instruction Fuzzy Hash: 7D21D3755082068F8B00EF79C9818BEB7F4AE153A4F104A2DF499C72A1DB32DE45CB92

Function 00AEDCBE Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 68stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00AEF0BC: lstrlenW.KERNEL32(?,00000002,?,?,000000EF,?,00AEDCD3,?,?,?,00AEEAC6,00000000,000000EF,00000119,?,?), ref: 00AEF0CB
Part of subcall function 00AEF0BC: lstrcpyW.KERNEL32(00000000,?,?,00AEDCD3,?,?,?,00AEEAC6,00000000,000000EF,00000119,?,?,00000000), ref: 00AEF0F1
Part of subcall function 00AEF0BC: lstrcmpiW.KERNEL32(00000000,?,00AEDCD3,?,?,?,00AEEAC6,00000000,000000EF,00000119,?,?), ref: 00AEF122

lstrlenW.KERNEL32(?,00000002,?,?,?,?,00AEEAC6,00000000,000000EF,00000119,?,?,00000000), ref: 00AEDCEC
lstrcpyW.KERNEL32(00000000,?,?,00AEEAC6,00000000,000000EF,00000119,?,?,00000000), ref: 00AEDD12
lstrcmpiW.KERNEL32(00000002,cdecl,?,00AEEAC6,00000000,000000EF,00000119,?,?,00000000), ref: 00AEDD46

Strings

cdecl, xrefs: 00AEDD3D

Memory Dump Source

Source File: 00000000.00000002.2177197772.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true

Associated: 00000000.00000002.2177164617.0000000000A90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177927609.0000000000B98000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178101088.0000000000B99000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_uOCavrYu1y.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: eb190aa23973a3968c370b319d2815300dffdbe6bc07971e1a20d6261047cca4
Instruction ID: 01f7c64ae9d22e36d987e6c12d9060b2f42810c15bbe8d3dccfe7ff628c0a88b
Opcode Fuzzy Hash: eb190aa23973a3968c370b319d2815300dffdbe6bc07971e1a20d6261047cca4
Instruction Fuzzy Hash: 7D11DD3A200345EFCB25AF35DC85DBA77B8FF45350B40802AF806CB2A0EB719850C7A1

Function 00AC50E2 Relevance: 6.1, APIs: 4, Instructions: 67COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00AC5101

Part of subcall function 00AB571C: __FF_MSGBANNER.LIBCMT ref: 00AB5733
Part of subcall function 00AB571C: __NMSG_WRITE.LIBCMT ref: 00AB573A
Part of subcall function 00AB571C: RtlAllocateHeap.NTDLL(00C70000,00000000,00000001), ref: 00AB575F

Memory Dump Source

Source File: 00000000.00000002.2177197772.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true

Associated: 00000000.00000002.2177164617.0000000000A90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177927609.0000000000B98000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178101088.0000000000B99000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_uOCavrYu1y.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: c636d25241ca73177860f3afbd4fb30079d727d315ad0ca18b9221df8464b931
Instruction ID: cf50df9c1ac66d7fb42afa465b4af771603c33b9fa5dc2877cf024f0f974dd28
Opcode Fuzzy Hash: c636d25241ca73177860f3afbd4fb30079d727d315ad0ca18b9221df8464b931
Instruction Fuzzy Hash: E911A772D00A15AECF213F74AD49FAE3BDC9B043A1B15462DF9059A152DE349980D790

Function 00A944A0 Relevance: 6.1, APIs: 4, Instructions: 66timewindowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00A944CF

Part of subcall function 00A9407C: _memset.LIBCMT ref: 00A940FC
Part of subcall function 00A9407C: _wcscpy.LIBCMT ref: 00A94150
Part of subcall function 00A9407C: Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00A94160

KillTimer.USER32(?,00000001,?,?), ref: 00A94524
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00A94533
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00ACD4B9

Memory Dump Source

Source File: 00000000.00000002.2177197772.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true

Associated: 00000000.00000002.2177164617.0000000000A90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177927609.0000000000B98000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178101088.0000000000B99000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_uOCavrYu1y.jbxd

Similarity

API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
String ID:
API String ID: 1378193009-0
Opcode ID: 4841529e3a88104986850cf00c94e40c9d8510da7f1d18a2cb6df7352d2d2469
Instruction ID: 3563d43e659822ca431b5e1fe7c2833a26da2be9fcf71f6fb7a4495808250c2d
Opcode Fuzzy Hash: 4841529e3a88104986850cf00c94e40c9d8510da7f1d18a2cb6df7352d2d2469
Instruction Fuzzy Hash: AC21C270904784AFEB328B648955FE6BBECAB05315F04009EE79E5B282C7746E85CB51

Function 00AE85B1 Relevance: 6.1, APIs: 4, Instructions: 65processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 00AE85E2
OpenProcessToken.ADVAPI32(00000000), ref: 00AE85E9
CloseHandle.KERNEL32(00000004), ref: 00AE8603
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00AE8632

Memory Dump Source

Source File: 00000000.00000002.2177197772.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true

Associated: 00000000.00000002.2177164617.0000000000A90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177927609.0000000000B98000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178101088.0000000000B99000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_uOCavrYu1y.jbxd

Similarity

API ID: Process$CloseCreateCurrentHandleLogonOpenTokenWith
String ID:
API String ID: 2621361867-0
Opcode ID: a23f17377a4f600576c38160dcb74b4f883c0d4d5623dba17275d3cfa4cfdd73
Instruction ID: e37a0be3e0574e0b19962984f3301fb82921cd7766818559978ec9b7b2b91d32
Opcode Fuzzy Hash: a23f17377a4f600576c38160dcb74b4f883c0d4d5623dba17275d3cfa4cfdd73
Instruction Fuzzy Hash: F9115C7250024AAFDF01CFA5DD49BEE7BA9EF48304F048064FE08A21A0CB758E60DB60

Function 00B06369 Relevance: 6.1, APIs: 4, Instructions: 61networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00A95A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00AF7896,?,?,00000000), ref: 00A95A2C
Part of subcall function 00A95A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00AF7896,?,?,00000000,?,?), ref: 00A95A50

gethostbyname.WS2_32(?), ref: 00B06399
WSAGetLastError.WS2_32(00000000), ref: 00B063A4
_memmove.LIBCMT ref: 00B063D1
inet_ntoa.WS2_32(?), ref: 00B063DC

Memory Dump Source

Source File: 00000000.00000002.2177197772.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true

Associated: 00000000.00000002.2177164617.0000000000A90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177927609.0000000000B98000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178101088.0000000000B99000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_uOCavrYu1y.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast_memmovegethostbynameinet_ntoa
String ID:
API String ID: 1504782959-0
Opcode ID: 8541fe7c47de1e8bf44b34b0e1b82b029a8487dbb82217f3b63a4af81724ed72
Instruction ID: 65f48830dbf54822a863a273872d68dd8ec353de41c2e1385ff6961199e2e404
Opcode Fuzzy Hash: 8541fe7c47de1e8bf44b34b0e1b82b029a8487dbb82217f3b63a4af81724ed72
Instruction Fuzzy Hash: B0110D31A00109AFCF05FBA8DA86DEEBBF8AF04350B544065F505A71A1DF31AE14DB61

Function 00AE8B41 Relevance: 6.1, APIs: 4, Instructions: 59windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 00AE8B61
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00AE8B73
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00AE8B89
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00AE8BA4

Memory Dump Source

Source File: 00000000.00000002.2177197772.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true

Associated: 00000000.00000002.2177164617.0000000000A90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177927609.0000000000B98000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178101088.0000000000B99000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_uOCavrYu1y.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: fb0692129c0846b0bcec63c2a3a8d78ba6348058632791bc8e0f452b807dc26d
Instruction ID: 0477b243778a33f8a5c3915acd127657d9b8401b3b70c96196bcd54d1be30d89
Opcode Fuzzy Hash: fb0692129c0846b0bcec63c2a3a8d78ba6348058632791bc8e0f452b807dc26d
Instruction Fuzzy Hash: 5B112A79901218FFEB11DFA5CD85FADBBB8FB48710F2040A5EA04B7290DA716E11DB94

Function 00AF1142 Relevance: 6.1, APIs: 4, Instructions: 51sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,00AEFCED,?,00AF0D40,?,00008000), ref: 00AF115F
Sleep.KERNEL32(00000000,?,?,?,?,?,?,00AEFCED,?,00AF0D40,?,00008000), ref: 00AF1184
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,00AEFCED,?,00AF0D40,?,00008000), ref: 00AF118E
Sleep.KERNEL32(?,?,?,?,?,?,?,00AEFCED,?,00AF0D40,?,00008000), ref: 00AF11C1

Memory Dump Source

Source File: 00000000.00000002.2177197772.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true

Associated: 00000000.00000002.2177164617.0000000000A90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177927609.0000000000B98000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178101088.0000000000B99000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_uOCavrYu1y.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: c66f4d30caa773e5ae0db05116fa18b048948066bca4b3d4883f9467e21f7c4a
Instruction ID: 13e0df4df8cf0d73a4b6520248b3715f94f9a1a4529bff6c01607a98fe75ce6f
Opcode Fuzzy Hash: c66f4d30caa773e5ae0db05116fa18b048948066bca4b3d4883f9467e21f7c4a
Instruction Fuzzy Hash: E7111831D0092DE7CF009FE5D948AFEBBB8FB09751F408259EB81B2240CB7095A1CB99

Function 00AED831 Relevance: 6.0, APIs: 4, Instructions: 50registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000,00000000), ref: 00AED84D
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 00AED864
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 00AED879
RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 00AED897

Memory Dump Source

Source File: 00000000.00000002.2177197772.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true

Associated: 00000000.00000002.2177164617.0000000000A90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177927609.0000000000B98000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178101088.0000000000B99000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_uOCavrYu1y.jbxd

Similarity

API ID: Type$Register$FileLoadModuleNameUser
String ID:
API String ID: 1352324309-0
Opcode ID: 60a71f96c9a6aada858512fbfa99cb5b5b870e8bcea5271d7bddee4a32394be6
Instruction ID: ea528fb369a4cd2777a76bef199d8e8730dc6de457c1f37d3a76af3d122ba8b8
Opcode Fuzzy Hash: 60a71f96c9a6aada858512fbfa99cb5b5b870e8bcea5271d7bddee4a32394be6
Instruction Fuzzy Hash: D1116DB5605355EBE320CF52EC08FA3BBBCEF00B00F508569AA16D7150DBB1E949DBA1

Function 00AC6FB7 Relevance: 6.0, APIs: 4, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 00AC6FDB

Part of subcall function 00AC76C2: __fltout2.LIBCMT ref: 00AC76EB

__cftog_l.LIBCMT ref: 00AC7001
__cftoe_l.LIBCMT ref: 00AC7033

Memory Dump Source

Source File: 00000000.00000002.2177197772.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true

Associated: 00000000.00000002.2177164617.0000000000A90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177927609.0000000000B98000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178101088.0000000000B99000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_uOCavrYu1y.jbxd

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction ID: 0463d10dc1837805eb1c3526ed3e53e1d1ea8e28f363379b4648469457f5f06d
Opcode Fuzzy Hash: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction Fuzzy Hash: D8014C7244814EBBCF165F89CC01DEE3F62BB18390F5A8419FE1858031D636CAB1AF81

Function 00B1B2C5 Relevance: 6.0, APIs: 4, Instructions: 47COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00B1B2E4
ScreenToClient.USER32(?,?), ref: 00B1B2FC
ScreenToClient.USER32(?,?), ref: 00B1B320
InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00B1B33B

Memory Dump Source

Source File: 00000000.00000002.2177197772.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true

Associated: 00000000.00000002.2177164617.0000000000A90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177927609.0000000000B98000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178101088.0000000000B99000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_uOCavrYu1y.jbxd

Similarity

API ID: ClientRectScreen$InvalidateWindow
String ID:
API String ID: 357397906-0
Opcode ID: d490ed7dc72afb90ee2d1b6c2ac04de84f9af0c7f6a69a4829514479abccf64c
Instruction ID: d2bcfde7b5ade3b4fb63b07bf17515596ae10e1dd099221e2d00924bef6f1f6e
Opcode Fuzzy Hash: d490ed7dc72afb90ee2d1b6c2ac04de84f9af0c7f6a69a4829514479abccf64c
Instruction Fuzzy Hash: 05114679D0020AEFDB41CF99D4449EEBBF5FB08310F508166E914E3220D735AA65CF50

Function 00B1B635 Relevance: 6.0, APIs: 4, Instructions: 40processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00B1B644
_memset.LIBCMT ref: 00B1B653
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00B56F20,00B56F64), ref: 00B1B682
CloseHandle.KERNEL32 ref: 00B1B694

Memory Dump Source

Source File: 00000000.00000002.2177197772.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true

Associated: 00000000.00000002.2177164617.0000000000A90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177927609.0000000000B98000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178101088.0000000000B99000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_uOCavrYu1y.jbxd

Similarity

API ID: _memset$CloseCreateHandleProcess
String ID:
API String ID: 3277943733-0
Opcode ID: 1e4845330d9bb44aa3b3f749181516b0836fce7979021e10b95350fbab6514b5
Instruction ID: 35f50353c38b30283c172deaf38058baf085a63b960edf99c389fff37240cb15
Opcode Fuzzy Hash: 1e4845330d9bb44aa3b3f749181516b0836fce7979021e10b95350fbab6514b5
Instruction Fuzzy Hash: D7F0FEB2940304BAF6102765BC46FBB7B9CEB19796F8044A1BA09E71A2DB755C10C7A8

Function 00AF6BDA Relevance: 6.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

RtlEnterCriticalSection.NTDLL(?), ref: 00AF6BE6

Part of subcall function 00AF76C4: _memset.LIBCMT ref: 00AF76F9

_memmove.LIBCMT ref: 00AF6C09
_memset.LIBCMT ref: 00AF6C16
RtlLeaveCriticalSection.NTDLL(?), ref: 00AF6C26

Memory Dump Source

Source File: 00000000.00000002.2177197772.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true

Associated: 00000000.00000002.2177164617.0000000000A90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177927609.0000000000B98000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178101088.0000000000B99000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_uOCavrYu1y.jbxd

Similarity

API ID: CriticalSection_memset$EnterLeave_memmove
String ID:
API String ID: 48991266-0
Opcode ID: f3a74f5ad923b5baa457310e7aaf864a0c6f9c9039af3b55bc600a88d29517a4
Instruction ID: e07404e6979b5158d45f76f1f0ae65a987c1ea0650bf9ebeffdb94173992e8fe
Opcode Fuzzy Hash: f3a74f5ad923b5baa457310e7aaf864a0c6f9c9039af3b55bc600a88d29517a4
Instruction Fuzzy Hash: DFF05E7A200104ABCF016F95DC85E9ABB2AEF45321F04C061FE089F227DB31E811CBB4

Function 00A92218 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 00A92231
SetTextColor.GDI32(?,000000FF), ref: 00A9223B
SetBkMode.GDI32(?,00000001), ref: 00A92250
GetStockObject.GDI32(00000005), ref: 00A92258
GetWindowDC.USER32(?,00000000), ref: 00ACBE83
GetPixel.GDI32(00000000,00000000,00000000), ref: 00ACBE90
GetPixel.GDI32(00000000,?,00000000), ref: 00ACBEA9
GetPixel.GDI32(00000000,00000000,?), ref: 00ACBEC2
GetPixel.GDI32(00000000,?,?), ref: 00ACBEE2
ReleaseDC.USER32(?,00000000), ref: 00ACBEED

Memory Dump Source

Source File: 00000000.00000002.2177197772.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true

Associated: 00000000.00000002.2177164617.0000000000A90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177927609.0000000000B98000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178101088.0000000000B99000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_uOCavrYu1y.jbxd

Similarity

API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
String ID:
API String ID: 1946975507-0
Opcode ID: c1ed2cd83890662a5dc5410633f1c67f43eb17946809bd89a90292a865e7a17d
Instruction ID: 8c1abe15d6ebdaac5b6527f8fc6032599a78d6c4b647868123f8e43fe6e4b772
Opcode Fuzzy Hash: c1ed2cd83890662a5dc5410633f1c67f43eb17946809bd89a90292a865e7a17d
Instruction Fuzzy Hash: B1E03932144245FADF215FA4FC0DBE83B11EB15332F50C36AFA69580E1CB728990DB22

Function 00AE8712 Relevance: 6.0, APIs: 4, Instructions: 23threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 00AE871B
OpenThreadToken.ADVAPI32(00000000,?,?,?,00AE82E6), ref: 00AE8722
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,00AE82E6), ref: 00AE872F
OpenProcessToken.ADVAPI32(00000000,?,?,?,00AE82E6), ref: 00AE8736

Memory Dump Source

Source File: 00000000.00000002.2177197772.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true

Associated: 00000000.00000002.2177164617.0000000000A90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177927609.0000000000B98000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178101088.0000000000B99000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_uOCavrYu1y.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: a9cce69305e8e0df904debbf2bf7a98429bf29650bfac5737316291063181f92
Instruction ID: 7364046651aed0ca6ea2e8160956ad5c0f7ff32e224435a30ca0d9012f4488b1
Opcode Fuzzy Hash: a9cce69305e8e0df904debbf2bf7a98429bf29650bfac5737316291063181f92
Instruction Fuzzy Hash: 3FE086366112129FD7205FB16D0CBEA3BACEF55B91F55C828B649CB050DE388541C750

Function 00AEB2F3 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 241comCOMMON

Download Yara Rule

APIs

OleSetContainedObject.OLE32(?,00000001), ref: 00AEB4BE

Strings

Container, xrefs: 00AEB43B
AutoIt3GUI, xrefs: 00AEB436

Memory Dump Source

Source File: 00000000.00000002.2177197772.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true

Associated: 00000000.00000002.2177164617.0000000000A90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177927609.0000000000B98000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178101088.0000000000B99000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_uOCavrYu1y.jbxd

Similarity

API ID: ContainedObject
String ID: AutoIt3GUI$Container
API String ID: 3565006973-3941886329
Opcode ID: aa92aeb1f8cae2f063837e73a649ebd22759173a0e74c9b33aecc6eaec7aa294
Instruction ID: 15730aa520a6e450c0b4a004b69d38ef95d7b57985e219a2ccb1fca63cfcf79e
Opcode Fuzzy Hash: aa92aeb1f8cae2f063837e73a649ebd22759173a0e74c9b33aecc6eaec7aa294
Instruction Fuzzy Hash: 75915B70610601AFDB14DF69C889B6BB7F5FF48710F10856DE94ACB6A1DB71E841CB60

Function 00AFAFAC Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 201shareCOMMON

Download Yara Rule

APIs

Part of subcall function 00AAFC86: _wcscpy.LIBCMT ref: 00AAFCA9

Part of subcall function 00A99837: __itow.LIBCMT ref: 00A99862
Part of subcall function 00A99837: __swprintf.LIBCMT ref: 00A998AC

__wcsnicmp.LIBCMT ref: 00AFB02D
WNetUseConnectionW.MPR(00000000,?,?,00000000,?,?,00000100,?), ref: 00AFB0F6

Strings

LPT, xrefs: 00AFB027

Memory Dump Source

Source File: 00000000.00000002.2177197772.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true

Associated: 00000000.00000002.2177164617.0000000000A90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177927609.0000000000B98000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178101088.0000000000B99000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_uOCavrYu1y.jbxd

Similarity

API ID: Connection__itow__swprintf__wcsnicmp_wcscpy
String ID: LPT
API String ID: 3222508074-1350329615
Opcode ID: 9f4f64ec96221840c7d98979dc8a28d407c7c0ac37915a6ca8e2c54f5b899b9f
Instruction ID: 619ed4b3a817c5562619a80665ae4137e67bc4a1e41c681ccb6c9f8b5bf45516
Opcode Fuzzy Hash: 9f4f64ec96221840c7d98979dc8a28d407c7c0ac37915a6ca8e2c54f5b899b9f
Instruction Fuzzy Hash: 1D618575A10219EFCB14DF98C951EBEB7F9EF09310F104169FA16AB291DB70AE40CB64

Function 00AA2957 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 00AA2968
GlobalMemoryStatusEx.KERNEL32(?), ref: 00AA2981

Strings

@, xrefs: 00AA2975

Memory Dump Source

Source File: 00000000.00000002.2177197772.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true

Associated: 00000000.00000002.2177164617.0000000000A90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177927609.0000000000B98000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178101088.0000000000B99000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_uOCavrYu1y.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: 0a5edb5feab1a457c21fbe33f0a9edc48decb863f5dc042be02cfaa93303e571
Instruction ID: 0e3d5854cb3fb5b73d90f450f69999ac65357b3f4902cab739cb3873ae730d6c
Opcode Fuzzy Hash: 0a5edb5feab1a457c21fbe33f0a9edc48decb863f5dc042be02cfaa93303e571
Instruction Fuzzy Hash: 24514A72518744ABD720EF14D885BAFB7E8FF85344F41885DF2D8410A1EF309929CB56

Function 00AF9734 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 00A94F0B: __fread_nolock.LIBCMT ref: 00A94F29

_wcscmp.LIBCMT ref: 00AF9824
_wcscmp.LIBCMT ref: 00AF9837

Strings

FILE, xrefs: 00AF9770

Memory Dump Source

Source File: 00000000.00000002.2177197772.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true

Associated: 00000000.00000002.2177164617.0000000000A90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177927609.0000000000B98000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178101088.0000000000B99000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_uOCavrYu1y.jbxd

Similarity

API ID: _wcscmp$__fread_nolock
String ID: FILE
API String ID: 4029003684-3121273764
Opcode ID: dc628ff87fd899c73f25cf32ab41055f6dcb4235daf089bf16d83cf564856df6
Instruction ID: 6367773ca56bcde33ec766cbb4024a0d43d358c5b2d9a6d0a662f7ecdd008734
Opcode Fuzzy Hash: dc628ff87fd899c73f25cf32ab41055f6dcb4235daf089bf16d83cf564856df6
Instruction Fuzzy Hash: E2419671A4021EBADF219BE4CC45FEFBBFDDF89710F000469FA04A7191DA719A058BA5

Function 00B0258E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 97networkCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00B0259E
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 00B025D4

Strings

|, xrefs: 00B025A5

Memory Dump Source

Source File: 00000000.00000002.2177197772.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true

Associated: 00000000.00000002.2177164617.0000000000A90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177927609.0000000000B98000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178101088.0000000000B99000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_uOCavrYu1y.jbxd

Similarity

API ID: CrackInternet_memset
String ID: |
API String ID: 1413715105-2343686810
Opcode ID: 34b35b853331de822aaec7bb5226964367a8184dd90932f2b3a3d4def23cee76
Instruction ID: e8e87895fff1ace3e633fd844844b17785d1f7559a4ebf849dcf5703ad09223e
Opcode Fuzzy Hash: 34b35b853331de822aaec7bb5226964367a8184dd90932f2b3a3d4def23cee76
Instruction Fuzzy Hash: C1311871910119EBCF01EFA4CD89EEEBFB9FF08310F10006AF919A6162EB315956DB60

Function 00B17A71 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 97windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001132,00000000,?), ref: 00B17B61
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00B17B76

Strings

', xrefs: 00B17ACA

Memory Dump Source

Source File: 00000000.00000002.2177197772.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true

Associated: 00000000.00000002.2177164617.0000000000A90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177927609.0000000000B98000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178101088.0000000000B99000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_uOCavrYu1y.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: d9e4e1c850d5cc486763446e0fdf0e7befb0166b03bacb544d55fa26ebece2e1
Instruction ID: f258f0bc1ccf3f34dcd9d7f3acfb0633e8791a90d1e9a312ec00b255f8f0b6b0
Opcode Fuzzy Hash: d9e4e1c850d5cc486763446e0fdf0e7befb0166b03bacb544d55fa26ebece2e1
Instruction Fuzzy Hash: BF41E874A452099FDB14CF64D991BDABBF5FF08300F5041AAE905AB351DB70AA91CF90

Function 00B16A63 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 00B16B17
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 00B16B53

Strings

static, xrefs: 00B16AB3

Memory Dump Source

Source File: 00000000.00000002.2177197772.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true

Associated: 00000000.00000002.2177164617.0000000000A90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177927609.0000000000B98000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178101088.0000000000B99000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_uOCavrYu1y.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: 1b25b620b95ca8407c222e28b4d61e6d92fc3f26ccf5b0ec3ef76f7d79a583ee
Instruction ID: 9742e88288ef0568cdb405d730176bf913acc009722bb4a2ba9bb7211bc04818
Opcode Fuzzy Hash: 1b25b620b95ca8407c222e28b4d61e6d92fc3f26ccf5b0ec3ef76f7d79a583ee
Instruction Fuzzy Hash: EC317C71210604AEDB109F68DC81BFB77E9FF48760F50861DF9A9D7190DA31AC91CB60

Function 00AF28A2 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 88windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00AF2911
GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00AF294C

Strings

0, xrefs: 00AF290A

Memory Dump Source

Source File: 00000000.00000002.2177197772.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true

Associated: 00000000.00000002.2177164617.0000000000A90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177927609.0000000000B98000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178101088.0000000000B99000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_uOCavrYu1y.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: dd1b3cbcbe4efde78f22d1abdeca02cb1d821aaf833f9ec2965a06098b147a42
Instruction ID: 7c320f2bcad6ffb0d920717ace8bc7174f5a01b6314f69b899236cc5d4055952
Opcode Fuzzy Hash: dd1b3cbcbe4efde78f22d1abdeca02cb1d821aaf833f9ec2965a06098b147a42
Instruction Fuzzy Hash: 19318F316003099BEB24DFD8C985BFEBBB9EF45390F140069FA85A71A1D7B09944CB51

Function 00B039E9 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 84COMMON

Download Yara Rule

APIs

__snwprintf.LIBCMT ref: 00B03A66

Part of subcall function 00A97DE1: _memmove.LIBCMT ref: 00A97E22

Strings

AUTOITCALLVARIABLE%d, xrefs: 00B03A58
, $, xrefs: 00B03AA6

Memory Dump Source

Source File: 00000000.00000002.2177197772.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true

Associated: 00000000.00000002.2177164617.0000000000A90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177927609.0000000000B98000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178101088.0000000000B99000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_uOCavrYu1y.jbxd

Similarity

API ID: __snwprintf_memmove
String ID: , $$AUTOITCALLVARIABLE%d
API String ID: 3506404897-2584243854
Opcode ID: caa0ec2e999bfbe420f270ef009e3d570bc9c973776dc5e9b78bddc15c022626
Instruction ID: 5cb33d97bb766580625d784edc2c43e9d6216a173dafb39a53feff5048e7dd5c
Opcode Fuzzy Hash: caa0ec2e999bfbe420f270ef009e3d570bc9c973776dc5e9b78bddc15c022626
Instruction Fuzzy Hash: 29217E31B00219ABCF14EF64CD86AAE7BF9EF49700F500499F455AB192DB34EA45CBA1

Function 00B166D4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00B16761
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00B1676C

Strings

Combobox, xrefs: 00B1672E

Memory Dump Source

Source File: 00000000.00000002.2177197772.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true

Associated: 00000000.00000002.2177164617.0000000000A90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177927609.0000000000B98000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178101088.0000000000B99000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_uOCavrYu1y.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: b5220cd87ccb26bf289f08fdab6694427e5515fb8a792383f067de884aadbd68
Instruction ID: 5af3205ff9f6884b54486a10f26a19abab8147216f50baf52facd736bb2a7569
Opcode Fuzzy Hash: b5220cd87ccb26bf289f08fdab6694427e5515fb8a792383f067de884aadbd68
Instruction Fuzzy Hash: 26118275300209AFEF21DF54DC81EFB37AAEB583A8F604169F914972D0D6719C9187A0

Function 00B16C07 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 00A91D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00A91D73
Part of subcall function 00A91D35: GetStockObject.GDI32(00000011), ref: 00A91D87
Part of subcall function 00A91D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00A91D91

GetWindowRect.USER32(00000000,?), ref: 00B16C71
GetSysColor.USER32(00000012), ref: 00B16C8B

Strings

static, xrefs: 00B16C4E

Memory Dump Source

Source File: 00000000.00000002.2177197772.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true

Associated: 00000000.00000002.2177164617.0000000000A90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177927609.0000000000B98000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178101088.0000000000B99000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_uOCavrYu1y.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: 175da17d4ddbf20c5cef1a35cd0e2276472f6720ce1119aae4cfc4c7e837e187
Instruction ID: b8ee6eba5a1e2af9ea6dcf0e20b2a535c6d17da365b2927af60e54a67a6b9b2c
Opcode Fuzzy Hash: 175da17d4ddbf20c5cef1a35cd0e2276472f6720ce1119aae4cfc4c7e837e187
Instruction Fuzzy Hash: 9621177261020AAFDF04DFA8CC45AFA7BE9FB08315F404669F995D3250EA35E891DB60

Function 00B16920 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 00B169A2
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 00B169B1

Strings

edit, xrefs: 00B16986

Memory Dump Source

Source File: 00000000.00000002.2177197772.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true

Associated: 00000000.00000002.2177164617.0000000000A90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177927609.0000000000B98000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178101088.0000000000B99000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_uOCavrYu1y.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: f10207f59d6815bcf03c344cc7d90cab29666b8cd90e2c7f67c1be3632917270
Instruction ID: 9bf3193e49242762fc70ae0ffe64871c1276cb114a726ce49b14264f8ab12301
Opcode Fuzzy Hash: f10207f59d6815bcf03c344cc7d90cab29666b8cd90e2c7f67c1be3632917270
Instruction Fuzzy Hash: 5B116D71100205ABEF108F749C44AFB37AAEB193B4F904764F9A5971E0CA31DC919760

Function 00AF29AF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 63windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00AF2A22
GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 00AF2A41

Strings

0, xrefs: 00AF2A18

Memory Dump Source

Source File: 00000000.00000002.2177197772.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true

Associated: 00000000.00000002.2177164617.0000000000A90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177927609.0000000000B98000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178101088.0000000000B99000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_uOCavrYu1y.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: 3326025a484ac573631cfb9eec34a02ba18bb1b06c08a4dddcd56f513d162426
Instruction ID: 7e1cf1517ef3dc0826fc5eea8d912efa044fdb7464a0bec75de1e9b522115d7b
Opcode Fuzzy Hash: 3326025a484ac573631cfb9eec34a02ba18bb1b06c08a4dddcd56f513d162426
Instruction Fuzzy Hash: 4511D07291121CABDB30FBD8D845BFA77B8AB45380F044061FA55E7290D770AD0AC791

Function 00B021D6 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 62networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00B0222C
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00B02255

Strings

<local>, xrefs: 00B0221D

Memory Dump Source

Source File: 00000000.00000002.2177197772.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true

Associated: 00000000.00000002.2177164617.0000000000A90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177927609.0000000000B98000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178101088.0000000000B99000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_uOCavrYu1y.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: f3dcad315b0950e420edcce3e75d2b05437fe65c1a8f6f4680bfa233be9b4828
Instruction ID: 1a9b0c615cab3a0ab7421d59035d7f71686a4c8b0b11c2df5695309d7d308d89
Opcode Fuzzy Hash: f3dcad315b0950e420edcce3e75d2b05437fe65c1a8f6f4680bfa233be9b4828
Instruction Fuzzy Hash: 4211EC70501226BADB298F918CC8EFBFFE8FF16751F1082AAF90496080D2705D98D6F0

Function 00AE8E05 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00A97DE1: _memmove.LIBCMT ref: 00A97E22

Part of subcall function 00AEAA99: GetClassNameW.USER32(?,?,000000FF), ref: 00AEAABC

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00AE8E73

Strings

ComboBox, xrefs: 00AE8E12
ListBox, xrefs: 00AE8E3D

Memory Dump Source

Source File: 00000000.00000002.2177197772.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true

Associated: 00000000.00000002.2177164617.0000000000A90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177927609.0000000000B98000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178101088.0000000000B99000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_uOCavrYu1y.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: 05dd31f23282428fdb72c02613cd12c5332b7919fe9b3096a79f8c275504c32e
Instruction ID: 9cf193c14f04dcdea76aa2294a551996dc89caf223703ff6918a46f4231d5cfc
Opcode Fuzzy Hash: 05dd31f23282428fdb72c02613cd12c5332b7919fe9b3096a79f8c275504c32e
Instruction Fuzzy Hash: FE012471B41219ABDF15EBB1CD429FE73A8EF05320B540A19F835672E1DF359808D7A0

Function 00AE8CFD Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00A97DE1: _memmove.LIBCMT ref: 00A97E22

Part of subcall function 00AEAA99: GetClassNameW.USER32(?,?,000000FF), ref: 00AEAABC

SendMessageW.USER32(?,00000180,00000000,?), ref: 00AE8D6B

Strings

ComboBox, xrefs: 00AE8D0A
ListBox, xrefs: 00AE8D35

Memory Dump Source

Source File: 00000000.00000002.2177197772.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true

Associated: 00000000.00000002.2177164617.0000000000A90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177927609.0000000000B98000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178101088.0000000000B99000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_uOCavrYu1y.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: 968e1e426f9e6722f70d675f02a7cdd11dfc79eeb5a0c4416ab242f401c481c3
Instruction ID: e5dc374bd5611b333b89d6d1263416f589218857ef7319ae7d78155db7f26b32
Opcode Fuzzy Hash: 968e1e426f9e6722f70d675f02a7cdd11dfc79eeb5a0c4416ab242f401c481c3
Instruction Fuzzy Hash: 7B018F71B41209ABDF25EBE2CE96AFE77E89F15340F500029B806672E1DE255E08D6B1

Function 00AE8D82 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00A97DE1: _memmove.LIBCMT ref: 00A97E22

Part of subcall function 00AEAA99: GetClassNameW.USER32(?,?,000000FF), ref: 00AEAABC

SendMessageW.USER32(?,00000182,?,00000000), ref: 00AE8DEE

Strings

ComboBox, xrefs: 00AE8D8F
ListBox, xrefs: 00AE8DBA

Memory Dump Source

Source File: 00000000.00000002.2177197772.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true

Associated: 00000000.00000002.2177164617.0000000000A90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177927609.0000000000B98000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178101088.0000000000B99000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_uOCavrYu1y.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: 737954d15a2373a050dcd1b38f1b154240d299bd32b209b301362559fb552bea
Instruction ID: c0b1b0c65c607ab90229555303bc1496bdb7b03a2c1ca88c44db202be3505fe8
Opcode Fuzzy Hash: 737954d15a2373a050dcd1b38f1b154240d299bd32b209b301362559fb552bea
Instruction Fuzzy Hash: 3501A271B41209B7DF21EBA5CE86BFE77E89F15340F504025B805A3292DE255E08E6B1

Function 00AF4F28 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 29COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 00AF4F46
_wcscmp.LIBCMT ref: 00AF4F58

Strings

#32770, xrefs: 00AF4F52

Memory Dump Source

Source File: 00000000.00000002.2177197772.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true

Associated: 00000000.00000002.2177164617.0000000000A90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177927609.0000000000B98000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178101088.0000000000B99000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_uOCavrYu1y.jbxd

Similarity

API ID: ClassName_wcscmp
String ID: #32770
API String ID: 2292705959-463685578
Opcode ID: bd6263e6e2b1902b1ef220086f0916b33dc0554b54ff97e38d6b726261af1339
Instruction ID: 6cd21ff56ee50ab80a1343c063a6113a9380cf3a21c27e9fd4a974df82109ad4
Opcode Fuzzy Hash: bd6263e6e2b1902b1ef220086f0916b33dc0554b54ff97e38d6b726261af1339
Instruction Fuzzy Hash: 1EE09232A0022D2AE7209B99AC49BA7F7ECEB55B61F40016AFD04D3051EA609A45C7E0

Function 00ACB2C1 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00ACB314: _memset.LIBCMT ref: 00ACB321

Part of subcall function 00AB0940: InitializeCriticalSectionAndSpinCount.KERNEL32(00B54158,00000000,00B54144,00ACB2F0,?,?,?,00A9100A), ref: 00AB0945

IsDebuggerPresent.KERNEL32(?,?,?,00A9100A), ref: 00ACB2F4
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,00A9100A), ref: 00ACB303

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00ACB2FE

Memory Dump Source

Source File: 00000000.00000002.2177197772.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true

Associated: 00000000.00000002.2177164617.0000000000A90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177927609.0000000000B98000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178101088.0000000000B99000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_uOCavrYu1y.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString_memset
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 3158253471-631824599
Opcode ID: c66acb14940112be3a08db0513e3a2f4b1ba0a43155db1f36a43a39734782c36
Instruction ID: 5fb815f80cf1bc3f9f2bb5d06747bbab7611b1b6dc321c23285ee31a5ebdcd65
Opcode Fuzzy Hash: c66acb14940112be3a08db0513e3a2f4b1ba0a43155db1f36a43a39734782c36
Instruction Fuzzy Hash: 8AE092702107518FD730DF28E505B867BE8AF04304F01896CE456CB751EBB5E404CBB1

Function 00AD1935 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 21COMMON

Download Yara Rule

APIs

GetSystemDirectoryW.KERNEL32(?), ref: 00AD1775

Part of subcall function 00B0BFF0: LoadLibraryA.KERNEL32(kernel32.dll,?,00AD195E,?), ref: 00B0BFFE
Part of subcall function 00B0BFF0: GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 00B0C010

FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000104), ref: 00AD196D

Strings

WIN_XPe, xrefs: 00AD1788

Memory Dump Source

Source File: 00000000.00000002.2177197772.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true

Associated: 00000000.00000002.2177164617.0000000000A90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177927609.0000000000B98000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178101088.0000000000B99000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_uOCavrYu1y.jbxd

Similarity

API ID: Library$AddressDirectoryFreeLoadProcSystem
String ID: WIN_XPe
API String ID: 582185067-3257408948
Opcode ID: 3c58869a697f7cb35286e8a0728f9ec31e66cc339e50d574dde3a5c5dd7177ae
Instruction ID: a081631ce9bbde4e7c651609ffefb26cca4b50393bc2815bda94784bcaeedc70
Opcode Fuzzy Hash: 3c58869a697f7cb35286e8a0728f9ec31e66cc339e50d574dde3a5c5dd7177ae
Instruction Fuzzy Hash: E1F0ED7080410AEFDB15DB91C984BECBBF8BB08301F540096E102B32A1DB714F85DF60

Function 00B15998 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00B159AE
PostMessageW.USER32(00000000), ref: 00B159B5

Part of subcall function 00AF5244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00AF52BC

Strings

Shell_TrayWnd, xrefs: 00B159A7

Memory Dump Source

Source File: 00000000.00000002.2177197772.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true

Associated: 00000000.00000002.2177164617.0000000000A90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177927609.0000000000B98000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178101088.0000000000B99000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_uOCavrYu1y.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 13a16492e86349669b7167b6521e2749e38edca0811b353a161008d61c0441b6
Instruction ID: 4f01825fc932313a403365bee0c86e33d75f2cbd248f230c42d3bcd7ab61d0c9
Opcode Fuzzy Hash: 13a16492e86349669b7167b6521e2749e38edca0811b353a161008d61c0441b6
Instruction Fuzzy Hash: 0DD0C9317807127AE664AB709C0BFE66655BB14B50F404835B349AB1E5CDE0A800C654

Function 00B15964 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00B1596E
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00B15981

Part of subcall function 00AF5244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00AF52BC

Strings

Shell_TrayWnd, xrefs: 00B15967

Memory Dump Source

Source File: 00000000.00000002.2177197772.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true

Associated: 00000000.00000002.2177164617.0000000000A90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177197772.0000000000B92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177927609.0000000000B98000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178101088.0000000000B99000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_uOCavrYu1y.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 780b3e6d39cb30073f4c892c7ef37887a421457a92a4697554d7064797cc2ae2
Instruction ID: 9b3cb976df99b34c2cc758912b54609cc1546c1254a7794e4b1053cee4f08741
Opcode Fuzzy Hash: 780b3e6d39cb30073f4c892c7ef37887a421457a92a4697554d7064797cc2ae2
Instruction Fuzzy Hash: D7D0C931784712BAE664AB709C1BFF66A55BB10B50F004835B349AB1E5CDE09800C654

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report uOCavrYu1y.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Agenttesla

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\aut10F5.tmp

C:\Users\user\AppData\Local\Temp\aut1154.tmp

C:\Users\user\AppData\Local\Temp\dews

C:\Users\user\AppData\Local\Temp\savager

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Windows Analysis Report
uOCavrYu1y.exe

Function 00A93B3A Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 153
windowCOMMON

Function 00A93633 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 151
timewindowregistryCOMMON

Function 00A949A0 Relevance: 10.7, APIs: 7, Instructions: 223
COMMON

Function 00A94E89 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 62
COMMON

Function 00B989C0 Relevance: 7.7, APIs: 5, Instructions: 206
librarymemoryloaderCOMMON

Function 00AF9155 Relevance: 19.8, APIs: 13, Instructions: 322
fileCOMMON

Function 00A9708B Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Function 00A93A46 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 71
windowregistryCOMMON

Function 00A93766 Relevance: 14.3, APIs: 1, Strings: 7, Instructions: 267
COMMON

Function 00A93015 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 71
registrywindowclipboardCOMMON

Function 00A93041 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 54
registrywindowclipboardCOMMON

Function 036825D0 Relevance: 10.7, APIs: 7, Instructions: 239
fileCOMMON

Function 00A939D5 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Function 036823B0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 140
fileCOMMON

Function 00A9407C Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 88
windowCOMMON

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre