Edit tour

Windows Analysis Report
xom6WSISuh.exe

Overview

General Information

Sample name:	xom6WSISuh.exe renamed because original name is a hash value
Original sample name:	96fa199b9544b7d2015c33027e5cdfaca3a36a5de09d6805d7dfb04dfc6f91b2.exe
Analysis ID:	1587874
MD5:	2856d0548e14630f06b915b7ff1d8b55
SHA1:	d52dc37084a8fdae9e90758212b899da10c5c48b
SHA256:	96fa199b9544b7d2015c33027e5cdfaca3a36a5de09d6805d7dfb04dfc6f91b2
Tags:	exeRedLineStealeruser-adrian__luca
Infos:

Detection

MassLogger RAT, PureLog Stealer

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Drops script at startup location

Yara detected AntiVM3

Yara detected MassLogger RAT

Yara detected PureLog Stealer

Yara detected Telegram RAT

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Drops VBS files to the startup folder

Found API chain indicative of sandbox detection

Machine Learning detection for dropped file

Machine Learning detection for sample

Maps a DLL or memory area into another process

Sigma detected: WScript or CScript Dropper

Switches to a custom stack to bypass stack traces

Tries to detect the country of the analysis system (by using the IP)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Writes to foreign memory regions

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Creates a start menu entry (Start Menu\Programs\Startup)

Detected potential crypto function

Drops PE files

Found WSH timer for Javascript or VBS script (likely evasive script)

Found evasive API chain (may stop execution after checking a module file name)

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

OS version to string mapping found (often used in BOTs)

Potential key logger detected (key state polling based)

Queries the volume information (name, serial number etc) of a device

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Stores files to the Windows start menu directory

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

xom6WSISuh.exe (PID: 2656 cmdline: "C:\Users\user\Desktop\xom6WSISuh.exe" MD5: 2856D0548E14630F06B915B7FF1D8B55)

gehlenite.exe (PID: 3744 cmdline: "C:\Users\user\Desktop\xom6WSISuh.exe" MD5: 2856D0548E14630F06B915B7FF1D8B55)

RegSvcs.exe (PID: 5076 cmdline: "C:\Users\user\Desktop\xom6WSISuh.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

wscript.exe (PID: 3844 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\gehlenite.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)

gehlenite.exe (PID: 404 cmdline: "C:\Users\user\AppData\Local\oxman\gehlenite.exe" MD5: 2856D0548E14630F06B915B7FF1D8B55)

RegSvcs.exe (PID: 3332 cmdline: "C:\Users\user\AppData\Local\oxman\gehlenite.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

cleanup

Malware Configuration

Threatname: MassLogger

{"EXfil Mode": "SMTP", "From": "sendxpreview@ypcog.shop", "Password": "k4T*5ia*ES", "Server": "ypcog.shop", "To": "preview@ypcog.shop", "Port": 587}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000002.00000002.2986492274.0000000003090000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
00000002.00000002.2986492274.0000000003090000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000002.2986492274.0000000003090000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000002.00000002.2986492274.0000000003090000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000002.00000002.2986492274.0000000003090000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1d84c:$a1: get_encryptedPassword 0x1d820:$a2: get_encryptedUsername 0x1d8e4:$a3: get_timePasswordChanged 0x1d7fc:$a4: get_passwordField 0x1d862:$a5: set_encryptedPassword 0x1d62f:$a7: get_logins 0x1cb9d:$a8: GetOutlookPasswords 0x1c0b1:$a9: StartKeylogger 0x1ab0b:$a10: KeyLoggerEventArgs 0x1aada:$a11: KeyLoggerEventArgsEventHandler 0x1d703:$a13: _encryptedPassword
00000002.00000002.2986492274.0000000003090000.00000004.08000000.00040000.00000000.sdmp	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x21f3b:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x21439:$a3: \Google\Chrome\User Data\Default\Login Data 0x21747:$a4: \Orbitum\User Data\Default\Login Data 0x2253f:$a5: \Kometa\User Data\Default\Login Data
00000002.00000002.2986125435.0000000002BF0000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
00000002.00000002.2986125435.0000000002BF0000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000002.2986125435.0000000002BF0000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000002.00000002.2986125435.0000000002BF0000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000002.00000002.2986125435.0000000002BF0000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x5e4da:$a1: get_encryptedPassword 0x5e4ae:$a2: get_encryptedUsername 0x5e572:$a3: get_timePasswordChanged 0x5e48a:$a4: get_passwordField 0x5e4f0:$a5: set_encryptedPassword 0x5e2bd:$a7: get_logins 0x5d82b:$a8: GetOutlookPasswords 0x5cd3f:$a9: StartKeylogger 0x5b799:$a10: KeyLoggerEventArgs 0x5b768:$a11: KeyLoggerEventArgsEventHandler 0x5e391:$a13: _encryptedPassword
00000002.00000002.2986816837.00000000032A0000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000002.2989627602.0000000005570000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
00000002.00000002.2989627602.0000000005570000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000002.2989627602.0000000005570000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000002.00000002.2989627602.0000000005570000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000002.00000002.2989627602.0000000005570000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1c964:$a1: get_encryptedPassword 0x1c938:$a2: get_encryptedUsername 0x1c9fc:$a3: get_timePasswordChanged 0x1c914:$a4: get_passwordField 0x1c97a:$a5: set_encryptedPassword 0x1c747:$a7: get_logins 0x1bcb5:$a8: GetOutlookPasswords 0x1b1c9:$a9: StartKeylogger 0x19c23:$a10: KeyLoggerEventArgs 0x19bf2:$a11: KeyLoggerEventArgsEventHandler 0x1c81b:$a13: _encryptedPassword
00000002.00000002.2989627602.0000000005570000.00000004.08000000.00040000.00000000.sdmp	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x21053:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x20551:$a3: \Google\Chrome\User Data\Default\Login Data 0x2085f:$a4: \Orbitum\User Data\Default\Login Data 0x21657:$a5: \Kometa\User Data\Default\Login Data
00000005.00000002.1940996077.00000000035C0000.00000004.00001000.00020000.00000000.sdmp	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 4C 88 44 24 2B 88 44 24 2F B0 CE 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
00000008.00000002.2988556410.0000000004411000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
00000008.00000002.2988556410.0000000004411000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000008.00000002.2988556410.0000000004411000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000008.00000002.2988556410.0000000004411000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000008.00000002.2988556410.0000000004411000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x21dbc:$a1: get_encryptedPassword 0x4a0f4:$a1: get_encryptedPassword 0x21d90:$a2: get_encryptedUsername 0x4a0c8:$a2: get_encryptedUsername 0x21e54:$a3: get_timePasswordChanged 0x4a18c:$a3: get_timePasswordChanged 0x21d6c:$a4: get_passwordField 0x4a0a4:$a4: get_passwordField 0x21dd2:$a5: set_encryptedPassword 0x4a10a:$a5: set_encryptedPassword 0x21b9f:$a7: get_logins 0x49ed7:$a7: get_logins 0x2110d:$a8: GetOutlookPasswords 0x49445:$a8: GetOutlookPasswords 0x20621:$a9: StartKeylogger 0x48959:$a9: StartKeylogger 0x1f07b:$a10: KeyLoggerEventArgs 0x473b3:$a10: KeyLoggerEventArgs 0x1f04a:$a11: KeyLoggerEventArgsEventHandler 0x47382:$a11: KeyLoggerEventArgsEventHandler 0x21c73:$a13: _encryptedPassword
00000001.00000002.1775907851.0000000000AF0000.00000004.00001000.00020000.00000000.sdmp	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 4C 88 44 24 2B 88 44 24 2F B0 CE 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
00000008.00000002.2986752366.00000000035A0000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RegSvcs.exe PID: 5076	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
Process Memory Space: RegSvcs.exe PID: 5076	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RegSvcs.exe PID: 5076	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: RegSvcs.exe PID: 5076	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: RegSvcs.exe PID: 5076	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x10d9d:$a1: get_encryptedPassword 0x2a5dd:$a1: get_encryptedPassword 0x42010:$a1: get_encryptedPassword 0x10d71:$a2: get_encryptedUsername 0x2a5b1:$a2: get_encryptedUsername 0x41fe4:$a2: get_encryptedUsername 0x10e35:$a3: get_timePasswordChanged 0x2a675:$a3: get_timePasswordChanged 0x420a8:$a3: get_timePasswordChanged 0x10d4d:$a4: get_passwordField 0x2a58d:$a4: get_passwordField 0x41fc0:$a4: get_passwordField 0x10db3:$a5: set_encryptedPassword 0x2a5f3:$a5: set_encryptedPassword 0x42026:$a5: set_encryptedPassword 0x10b89:$a7: get_logins 0x2a3c9:$a7: get_logins 0x41dfc:$a7: get_logins 0x10161:$a8: GetOutlookPasswords 0x299a1:$a8: GetOutlookPasswords 0x413b6:$a8: GetOutlookPasswords
Process Memory Space: RegSvcs.exe PID: 3332	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
Process Memory Space: RegSvcs.exe PID: 3332	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RegSvcs.exe PID: 3332	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: RegSvcs.exe PID: 3332	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: RegSvcs.exe PID: 3332	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x24478:$a1: get_encryptedPassword 0x2444c:$a2: get_encryptedUsername 0x24510:$a3: get_timePasswordChanged 0x24428:$a4: get_passwordField 0x2448e:$a5: set_encryptedPassword 0x24264:$a7: get_logins 0x2383c:$a8: GetOutlookPasswords 0x22e0c:$a9: StartKeylogger 0x21985:$a10: KeyLoggerEventArgs 0x21954:$a11: KeyLoggerEventArgsEventHandler 0x2432f:$a13: _encryptedPassword
Click to see the 31 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
2.2.RegSvcs.exe.3090ee8.4.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
2.2.RegSvcs.exe.3090ee8.4.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.RegSvcs.exe.3090ee8.4.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
2.2.RegSvcs.exe.3090ee8.4.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
2.2.RegSvcs.exe.3090ee8.4.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1ab64:$a1: get_encryptedPassword 0x1ab38:$a2: get_encryptedUsername 0x1abfc:$a3: get_timePasswordChanged 0x1ab14:$a4: get_passwordField 0x1ab7a:$a5: set_encryptedPassword 0x1a947:$a7: get_logins 0x19eb5:$a8: GetOutlookPasswords 0x193c9:$a9: StartKeylogger 0x17e23:$a10: KeyLoggerEventArgs 0x17df2:$a11: KeyLoggerEventArgsEventHandler 0x1aa1b:$a13: _encryptedPassword
2.2.RegSvcs.exe.3090ee8.4.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1f253:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1e751:$a3: \Google\Chrome\User Data\Default\Login Data 0x1ea5f:$a4: \Orbitum\User Data\Default\Login Data 0x1f857:$a5: \Kometa\User Data\Default\Login Data
2.2.RegSvcs.exe.2c31b76.2.raw.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
2.2.RegSvcs.exe.2c31b76.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.RegSvcs.exe.2c31b76.2.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
2.2.RegSvcs.exe.2c31b76.2.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
2.2.RegSvcs.exe.2c31b76.2.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1c964:$a1: get_encryptedPassword 0x1c938:$a2: get_encryptedUsername 0x1c9fc:$a3: get_timePasswordChanged 0x1c914:$a4: get_passwordField 0x1c97a:$a5: set_encryptedPassword 0x1c747:$a7: get_logins 0x1bcb5:$a8: GetOutlookPasswords 0x1b1c9:$a9: StartKeylogger 0x19c23:$a10: KeyLoggerEventArgs 0x19bf2:$a11: KeyLoggerEventArgsEventHandler 0x1c81b:$a13: _encryptedPassword
2.2.RegSvcs.exe.2c31b76.2.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x21053:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x20551:$a3: \Google\Chrome\User Data\Default\Login Data 0x2085f:$a4: \Orbitum\User Data\Default\Login Data 0x21657:$a5: \Kometa\User Data\Default\Login Data
5.2.gehlenite.exe.35c0000.1.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 4C 88 44 24 2B 88 44 24 2F B0 CE 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
2.2.RegSvcs.exe.2c31b76.2.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
2.2.RegSvcs.exe.2c31b76.2.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.RegSvcs.exe.2c31b76.2.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
2.2.RegSvcs.exe.2c31b76.2.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
2.2.RegSvcs.exe.2c31b76.2.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1ab64:$a1: get_encryptedPassword 0x1ab38:$a2: get_encryptedUsername 0x1abfc:$a3: get_timePasswordChanged 0x1ab14:$a4: get_passwordField 0x1ab7a:$a5: set_encryptedPassword 0x1a947:$a7: get_logins 0x19eb5:$a8: GetOutlookPasswords 0x193c9:$a9: StartKeylogger 0x17e23:$a10: KeyLoggerEventArgs 0x17df2:$a11: KeyLoggerEventArgsEventHandler 0x1aa1b:$a13: _encryptedPassword
2.2.RegSvcs.exe.2c31b76.2.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1f253:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1e751:$a3: \Google\Chrome\User Data\Default\Login Data 0x1ea5f:$a4: \Orbitum\User Data\Default\Login Data 0x1f857:$a5: \Kometa\User Data\Default\Login Data
2.2.RegSvcs.exe.3090000.3.raw.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
2.2.RegSvcs.exe.3090000.3.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.RegSvcs.exe.3090000.3.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
2.2.RegSvcs.exe.3090000.3.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
2.2.RegSvcs.exe.3090000.3.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1d84c:$a1: get_encryptedPassword 0x1d820:$a2: get_encryptedUsername 0x1d8e4:$a3: get_timePasswordChanged 0x1d7fc:$a4: get_passwordField 0x1d862:$a5: set_encryptedPassword 0x1d62f:$a7: get_logins 0x1cb9d:$a8: GetOutlookPasswords 0x1c0b1:$a9: StartKeylogger 0x1ab0b:$a10: KeyLoggerEventArgs 0x1aada:$a11: KeyLoggerEventArgsEventHandler 0x1d703:$a13: _encryptedPassword
2.2.RegSvcs.exe.3090000.3.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x21f3b:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x21439:$a3: \Google\Chrome\User Data\Default\Login Data 0x21747:$a4: \Orbitum\User Data\Default\Login Data 0x2253f:$a5: \Kometa\User Data\Default\Login Data
8.2.RegSvcs.exe.4415570.3.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
8.2.RegSvcs.exe.4415570.3.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
8.2.RegSvcs.exe.4415570.3.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
8.2.RegSvcs.exe.4415570.3.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
8.2.RegSvcs.exe.4415570.3.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1ba4c:$a1: get_encryptedPassword 0x1ba20:$a2: get_encryptedUsername 0x1bae4:$a3: get_timePasswordChanged 0x1b9fc:$a4: get_passwordField 0x1ba62:$a5: set_encryptedPassword 0x1b82f:$a7: get_logins 0x1ad9d:$a8: GetOutlookPasswords 0x1a2b1:$a9: StartKeylogger 0x18d0b:$a10: KeyLoggerEventArgs 0x18cda:$a11: KeyLoggerEventArgsEventHandler 0x1b903:$a13: _encryptedPassword
8.2.RegSvcs.exe.4415570.3.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x2013b:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1f639:$a3: \Google\Chrome\User Data\Default\Login Data 0x1f947:$a4: \Orbitum\User Data\Default\Login Data 0x2073f:$a5: \Kometa\User Data\Default\Login Data
2.2.RegSvcs.exe.3090000.3.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
2.2.RegSvcs.exe.3090000.3.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.RegSvcs.exe.3090000.3.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
2.2.RegSvcs.exe.3090000.3.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
2.2.RegSvcs.exe.3090000.3.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1ba4c:$a1: get_encryptedPassword 0x1ba20:$a2: get_encryptedUsername 0x1bae4:$a3: get_timePasswordChanged 0x1b9fc:$a4: get_passwordField 0x1ba62:$a5: set_encryptedPassword 0x1b82f:$a7: get_logins 0x1ad9d:$a8: GetOutlookPasswords 0x1a2b1:$a9: StartKeylogger 0x18d0b:$a10: KeyLoggerEventArgs 0x18cda:$a11: KeyLoggerEventArgsEventHandler 0x1b903:$a13: _encryptedPassword
2.2.RegSvcs.exe.3090000.3.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x2013b:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1f639:$a3: \Google\Chrome\User Data\Default\Login Data 0x1f947:$a4: \Orbitum\User Data\Default\Login Data 0x2073f:$a5: \Kometa\User Data\Default\Login Data
2.2.RegSvcs.exe.3090ee8.4.raw.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
2.2.RegSvcs.exe.3090ee8.4.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.RegSvcs.exe.3090ee8.4.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
2.2.RegSvcs.exe.3090ee8.4.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
2.2.RegSvcs.exe.3090ee8.4.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1c964:$a1: get_encryptedPassword 0x1c938:$a2: get_encryptedUsername 0x1c9fc:$a3: get_timePasswordChanged 0x1c914:$a4: get_passwordField 0x1c97a:$a5: set_encryptedPassword 0x1c747:$a7: get_logins 0x1bcb5:$a8: GetOutlookPasswords 0x1b1c9:$a9: StartKeylogger 0x19c23:$a10: KeyLoggerEventArgs 0x19bf2:$a11: KeyLoggerEventArgsEventHandler 0x1c81b:$a13: _encryptedPassword
2.2.RegSvcs.exe.3090ee8.4.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x21053:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x20551:$a3: \Google\Chrome\User Data\Default\Login Data 0x2085f:$a4: \Orbitum\User Data\Default\Login Data 0x21657:$a5: \Kometa\User Data\Default\Login Data
2.2.RegSvcs.exe.5570000.7.raw.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
2.2.RegSvcs.exe.5570000.7.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.RegSvcs.exe.5570000.7.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
2.2.RegSvcs.exe.5570000.7.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
2.2.RegSvcs.exe.5570000.7.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1c964:$a1: get_encryptedPassword 0x1c938:$a2: get_encryptedUsername 0x1c9fc:$a3: get_timePasswordChanged 0x1c914:$a4: get_passwordField 0x1c97a:$a5: set_encryptedPassword 0x1c747:$a7: get_logins 0x1bcb5:$a8: GetOutlookPasswords 0x1b1c9:$a9: StartKeylogger 0x19c23:$a10: KeyLoggerEventArgs 0x19bf2:$a11: KeyLoggerEventArgsEventHandler 0x1c81b:$a13: _encryptedPassword
2.2.RegSvcs.exe.5570000.7.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x21053:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x20551:$a3: \Google\Chrome\User Data\Default\Login Data 0x2085f:$a4: \Orbitum\User Data\Default\Login Data 0x21657:$a5: \Kometa\User Data\Default\Login Data
8.2.RegSvcs.exe.4415570.3.raw.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
8.2.RegSvcs.exe.4415570.3.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
8.2.RegSvcs.exe.4415570.3.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
8.2.RegSvcs.exe.4415570.3.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
8.2.RegSvcs.exe.4415570.3.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1d84c:$a1: get_encryptedPassword 0x45b84:$a1: get_encryptedPassword 0x1d820:$a2: get_encryptedUsername 0x45b58:$a2: get_encryptedUsername 0x1d8e4:$a3: get_timePasswordChanged 0x45c1c:$a3: get_timePasswordChanged 0x1d7fc:$a4: get_passwordField 0x45b34:$a4: get_passwordField 0x1d862:$a5: set_encryptedPassword 0x45b9a:$a5: set_encryptedPassword 0x1d62f:$a7: get_logins 0x45967:$a7: get_logins 0x1cb9d:$a8: GetOutlookPasswords 0x44ed5:$a8: GetOutlookPasswords 0x1c0b1:$a9: StartKeylogger 0x443e9:$a9: StartKeylogger 0x1ab0b:$a10: KeyLoggerEventArgs 0x42e43:$a10: KeyLoggerEventArgs 0x1aada:$a11: KeyLoggerEventArgsEventHandler 0x42e12:$a11: KeyLoggerEventArgsEventHandler 0x1d703:$a13: _encryptedPassword
8.2.RegSvcs.exe.4415570.3.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x21f3b:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x4a273:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x21439:$a3: \Google\Chrome\User Data\Default\Login Data 0x49771:$a3: \Google\Chrome\User Data\Default\Login Data 0x21747:$a4: \Orbitum\User Data\Default\Login Data 0x49a7f:$a4: \Orbitum\User Data\Default\Login Data 0x2253f:$a5: \Kometa\User Data\Default\Login Data 0x4a877:$a5: \Kometa\User Data\Default\Login Data
8.2.RegSvcs.exe.4416458.1.raw.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
8.2.RegSvcs.exe.4416458.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
8.2.RegSvcs.exe.4416458.1.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
8.2.RegSvcs.exe.4416458.1.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
8.2.RegSvcs.exe.4416458.1.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1c964:$a1: get_encryptedPassword 0x44c9c:$a1: get_encryptedPassword 0x1c938:$a2: get_encryptedUsername 0x44c70:$a2: get_encryptedUsername 0x1c9fc:$a3: get_timePasswordChanged 0x44d34:$a3: get_timePasswordChanged 0x1c914:$a4: get_passwordField 0x44c4c:$a4: get_passwordField 0x1c97a:$a5: set_encryptedPassword 0x44cb2:$a5: set_encryptedPassword 0x1c747:$a7: get_logins 0x44a7f:$a7: get_logins 0x1bcb5:$a8: GetOutlookPasswords 0x43fed:$a8: GetOutlookPasswords 0x1b1c9:$a9: StartKeylogger 0x43501:$a9: StartKeylogger 0x19c23:$a10: KeyLoggerEventArgs 0x41f5b:$a10: KeyLoggerEventArgs 0x19bf2:$a11: KeyLoggerEventArgsEventHandler 0x41f2a:$a11: KeyLoggerEventArgsEventHandler 0x1c81b:$a13: _encryptedPassword
8.2.RegSvcs.exe.4416458.1.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x21053:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x4938b:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x20551:$a3: \Google\Chrome\User Data\Default\Login Data 0x48889:$a3: \Google\Chrome\User Data\Default\Login Data 0x2085f:$a4: \Orbitum\User Data\Default\Login Data 0x48b97:$a4: \Orbitum\User Data\Default\Login Data 0x21657:$a5: \Kometa\User Data\Default\Login Data 0x4998f:$a5: \Kometa\User Data\Default\Login Data
8.2.RegSvcs.exe.443e790.2.raw.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
8.2.RegSvcs.exe.443e790.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
8.2.RegSvcs.exe.443e790.2.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
8.2.RegSvcs.exe.443e790.2.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
8.2.RegSvcs.exe.443e790.2.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1c964:$a1: get_encryptedPassword 0x1c938:$a2: get_encryptedUsername 0x1c9fc:$a3: get_timePasswordChanged 0x1c914:$a4: get_passwordField 0x1c97a:$a5: set_encryptedPassword 0x1c747:$a7: get_logins 0x1bcb5:$a8: GetOutlookPasswords 0x1b1c9:$a9: StartKeylogger 0x19c23:$a10: KeyLoggerEventArgs 0x19bf2:$a11: KeyLoggerEventArgsEventHandler 0x1c81b:$a13: _encryptedPassword
8.2.RegSvcs.exe.443e790.2.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x21053:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x20551:$a3: \Google\Chrome\User Data\Default\Login Data 0x2085f:$a4: \Orbitum\User Data\Default\Login Data 0x21657:$a5: \Kometa\User Data\Default\Login Data
1.2.gehlenite.exe.af0000.1.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 4C 88 44 24 2B 88 44 24 2F B0 CE 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
8.2.RegSvcs.exe.443e790.2.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
8.2.RegSvcs.exe.443e790.2.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
8.2.RegSvcs.exe.443e790.2.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
8.2.RegSvcs.exe.443e790.2.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
8.2.RegSvcs.exe.443e790.2.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1ab64:$a1: get_encryptedPassword 0x1ab38:$a2: get_encryptedUsername 0x1abfc:$a3: get_timePasswordChanged 0x1ab14:$a4: get_passwordField 0x1ab7a:$a5: set_encryptedPassword 0x1a947:$a7: get_logins 0x19eb5:$a8: GetOutlookPasswords 0x193c9:$a9: StartKeylogger 0x17e23:$a10: KeyLoggerEventArgs 0x17df2:$a11: KeyLoggerEventArgsEventHandler 0x1aa1b:$a13: _encryptedPassword
8.2.RegSvcs.exe.443e790.2.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1f253:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1e751:$a3: \Google\Chrome\User Data\Default\Login Data 0x1ea5f:$a4: \Orbitum\User Data\Default\Login Data 0x1f857:$a5: \Kometa\User Data\Default\Login Data
8.2.RegSvcs.exe.4416458.1.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
8.2.RegSvcs.exe.4416458.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
8.2.RegSvcs.exe.4416458.1.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
8.2.RegSvcs.exe.4416458.1.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
8.2.RegSvcs.exe.4416458.1.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1ab64:$a1: get_encryptedPassword 0x1ab38:$a2: get_encryptedUsername 0x1abfc:$a3: get_timePasswordChanged 0x1ab14:$a4: get_passwordField 0x1ab7a:$a5: set_encryptedPassword 0x1a947:$a7: get_logins 0x19eb5:$a8: GetOutlookPasswords 0x193c9:$a9: StartKeylogger 0x17e23:$a10: KeyLoggerEventArgs 0x17df2:$a11: KeyLoggerEventArgsEventHandler 0x1aa1b:$a13: _encryptedPassword
8.2.RegSvcs.exe.4416458.1.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1f253:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1e751:$a3: \Google\Chrome\User Data\Default\Login Data 0x1ea5f:$a4: \Orbitum\User Data\Default\Login Data 0x1f857:$a5: \Kometa\User Data\Default\Login Data
2.2.RegSvcs.exe.2c30c8e.1.raw.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
2.2.RegSvcs.exe.2c30c8e.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.RegSvcs.exe.2c30c8e.1.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
2.2.RegSvcs.exe.2c30c8e.1.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
2.2.RegSvcs.exe.2c30c8e.1.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1d84c:$a1: get_encryptedPassword 0x1d820:$a2: get_encryptedUsername 0x1d8e4:$a3: get_timePasswordChanged 0x1d7fc:$a4: get_passwordField 0x1d862:$a5: set_encryptedPassword 0x1d62f:$a7: get_logins 0x1cb9d:$a8: GetOutlookPasswords 0x1c0b1:$a9: StartKeylogger 0x1ab0b:$a10: KeyLoggerEventArgs 0x1aada:$a11: KeyLoggerEventArgsEventHandler 0x1d703:$a13: _encryptedPassword
2.2.RegSvcs.exe.2c30c8e.1.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x21f3b:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x21439:$a3: \Google\Chrome\User Data\Default\Login Data 0x21747:$a4: \Orbitum\User Data\Default\Login Data 0x2253f:$a5: \Kometa\User Data\Default\Login Data
2.2.RegSvcs.exe.5570000.7.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
2.2.RegSvcs.exe.5570000.7.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.RegSvcs.exe.5570000.7.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
2.2.RegSvcs.exe.5570000.7.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
2.2.RegSvcs.exe.5570000.7.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1ab64:$a1: get_encryptedPassword 0x1ab38:$a2: get_encryptedUsername 0x1abfc:$a3: get_timePasswordChanged 0x1ab14:$a4: get_passwordField 0x1ab7a:$a5: set_encryptedPassword 0x1a947:$a7: get_logins 0x19eb5:$a8: GetOutlookPasswords 0x193c9:$a9: StartKeylogger 0x17e23:$a10: KeyLoggerEventArgs 0x17df2:$a11: KeyLoggerEventArgsEventHandler 0x1aa1b:$a13: _encryptedPassword
2.2.RegSvcs.exe.5570000.7.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1f253:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1e751:$a3: \Google\Chrome\User Data\Default\Login Data 0x1ea5f:$a4: \Orbitum\User Data\Default\Login Data 0x1f857:$a5: \Kometa\User Data\Default\Login Data
2.2.RegSvcs.exe.2c30c8e.1.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
2.2.RegSvcs.exe.2c30c8e.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.RegSvcs.exe.2c30c8e.1.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
2.2.RegSvcs.exe.2c30c8e.1.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
2.2.RegSvcs.exe.2c30c8e.1.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1ba4c:$a1: get_encryptedPassword 0x1ba20:$a2: get_encryptedUsername 0x1bae4:$a3: get_timePasswordChanged 0x1b9fc:$a4: get_passwordField 0x1ba62:$a5: set_encryptedPassword 0x1b82f:$a7: get_logins 0x1ad9d:$a8: GetOutlookPasswords 0x1a2b1:$a9: StartKeylogger 0x18d0b:$a10: KeyLoggerEventArgs 0x18cda:$a11: KeyLoggerEventArgsEventHandler 0x1b903:$a13: _encryptedPassword
2.2.RegSvcs.exe.2c30c8e.1.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x2013b:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1f639:$a3: \Google\Chrome\User Data\Default\Login Data 0x1f947:$a4: \Orbitum\User Data\Default\Login Data 0x2073f:$a5: \Kometa\User Data\Default\Login Data
Click to see the 93 entries

Sigma Signatures

System Summary

Sigma detected: WScript or CScript Dropper

Source: Process started

Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\gehlenite.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\gehlenite.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\gehlenite.vbs" , ProcessId: 3844, ProcessName: wscript.exe

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Source: Process started

Author: Michael Haag: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\gehlenite.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\gehlenite.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\gehlenite.vbs" , ProcessId: 3844, ProcessName: wscript.exe

Data Obfuscation

Sigma detected: Drops script at startup location

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\AppData\Local\oxman\gehlenite.exe, ProcessId: 3744, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\gehlenite.vbs

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-10T18:55:20.572778+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	49730	132.226.8.169	80	TCP
2025-01-10T18:55:29.589691+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	49738	132.226.8.169	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 8.2.RegSvcs.exe.4416458.1.raw.unpack

Malware Configuration Extractor: MassLogger {"EXfil Mode": "SMTP", "From": "sendxpreview@ypcog.shop", "Password": "k4T*5ia*ES", "Server": "ypcog.shop", "To": "preview@ypcog.shop", "Port": 587}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\oxman\gehlenite.exe	ReversingLabs: Detection: 68%
Source: C:\Users\user\AppData\Local\oxman\gehlenite.exe	Virustotal: Detection: 74%			Perma Link

Multi AV Scanner detection for submitted file

Source: xom6WSISuh.exe	Virustotal: Detection: 74%			Perma Link
Source: xom6WSISuh.exe	ReversingLabs: Detection: 68%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\oxman\gehlenite.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: xom6WSISuh.exe

Joe Sandbox ML: detected

Location Tracking

Tries to detect the country of the analysis system (by using the IP)

Source: unknown

DNS query: name: reallyfreegeoip.org

Source: xom6WSISuh.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 104.21.112.1:443 -> 192.168.2.4:49732 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 104.21.112.1:443 -> 192.168.2.4:49739 version: TLS 1.0

Source:	Binary string: _.pdb source: RegSvcs.exe, 00000002.00000002.2986125435.0000000002BF0000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2986492274.0000000003090000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.2986285277.0000000002F89000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.2988556410.0000000004411000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: gehlenite.exe, 00000001.00000003.1772660264.0000000003620000.00000004.00001000.00020000.00000000.sdmp, gehlenite.exe, 00000001.00000003.1773073049.0000000003480000.00000004.00001000.00020000.00000000.sdmp, gehlenite.exe, 00000005.00000003.1931884711.0000000003C30000.00000004.00001000.00020000.00000000.sdmp, gehlenite.exe, 00000005.00000003.1933902415.0000000003A90000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: gehlenite.exe, 00000001.00000003.1772660264.0000000003620000.00000004.00001000.00020000.00000000.sdmp, gehlenite.exe, 00000001.00000003.1773073049.0000000003480000.00000004.00001000.00020000.00000000.sdmp, gehlenite.exe, 00000005.00000003.1931884711.0000000003C30000.00000004.00001000.00020000.00000000.sdmp, gehlenite.exe, 00000005.00000003.1933902415.0000000003A90000.00000004.00001000.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\xom6WSISuh.exe	Code function: 0_2_0012DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	0_2_0012DBBE
Source: C:\Users\user\Desktop\xom6WSISuh.exe	Code function: 0_2_001368EE FindFirstFileW,FindClose,	0_2_001368EE
Source: C:\Users\user\Desktop\xom6WSISuh.exe	Code function: 0_2_0013698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	0_2_0013698F
Source: C:\Users\user\Desktop\xom6WSISuh.exe	Code function: 0_2_0012D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_0012D076
Source: C:\Users\user\Desktop\xom6WSISuh.exe	Code function: 0_2_0012D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_0012D3A9
Source: C:\Users\user\Desktop\xom6WSISuh.exe	Code function: 0_2_00139642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00139642
Source: C:\Users\user\Desktop\xom6WSISuh.exe	Code function: 0_2_0013979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0013979D
Source: C:\Users\user\Desktop\xom6WSISuh.exe	Code function: 0_2_00139B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	0_2_00139B2B
Source: C:\Users\user\Desktop\xom6WSISuh.exe	Code function: 0_2_00135C97 FindFirstFileW,FindNextFileW,FindClose,	0_2_00135C97
Source: C:\Users\user\AppData\Local\oxman\gehlenite.exe	Code function: 1_2_005DDBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	1_2_005DDBBE
Source: C:\Users\user\AppData\Local\oxman\gehlenite.exe	Code function: 1_2_005E68EE FindFirstFileW,FindClose,	1_2_005E68EE
Source: C:\Users\user\AppData\Local\oxman\gehlenite.exe	Code function: 1_2_005E698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	1_2_005E698F
Source: C:\Users\user\AppData\Local\oxman\gehlenite.exe	Code function: 1_2_005DD076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	1_2_005DD076
Source: C:\Users\user\AppData\Local\oxman\gehlenite.exe	Code function: 1_2_005DD3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	1_2_005DD3A9
Source: C:\Users\user\AppData\Local\oxman\gehlenite.exe	Code function: 1_2_005E9642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	1_2_005E9642
Source: C:\Users\user\AppData\Local\oxman\gehlenite.exe	Code function: 1_2_005E979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	1_2_005E979D
Source: C:\Users\user\AppData\Local\oxman\gehlenite.exe	Code function: 1_2_005E9B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	1_2_005E9B2B
Source: C:\Users\user\AppData\Local\oxman\gehlenite.exe	Code function: 1_2_005E5C97 FindFirstFileW,FindNextFileW,FindClose,	1_2_005E5C97
Source: C:\Users\user\AppData\Local\oxman\gehlenite.exe	Code function: 5_2_005DDBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	5_2_005DDBBE
Source: C:\Users\user\AppData\Local\oxman\gehlenite.exe	Code function: 5_2_005E68EE FindFirstFileW,FindClose,	5_2_005E68EE
Source: C:\Users\user\AppData\Local\oxman\gehlenite.exe	Code function: 5_2_005E698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	5_2_005E698F
Source: C:\Users\user\AppData\Local\oxman\gehlenite.exe	Code function: 5_2_005DD076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	5_2_005DD076
Source: C:\Users\user\AppData\Local\oxman\gehlenite.exe	Code function: 5_2_005DD3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	5_2_005DD3A9
Source: C:\Users\user\AppData\Local\oxman\gehlenite.exe	Code function: 5_2_005E9642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	5_2_005E9642
Source: C:\Users\user\AppData\Local\oxman\gehlenite.exe	Code function: 5_2_005E979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	5_2_005E979D
Source: C:\Users\user\AppData\Local\oxman\gehlenite.exe	Code function: 5_2_005E9B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	5_2_005E9B2B
Source: C:\Users\user\AppData\Local\oxman\gehlenite.exe	Code function: 5_2_005E5C97 FindFirstFileW,FindNextFileW,FindClose,	5_2_005E5C97

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h

2_2_02AAE2E0

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 132.226.8.169 132.226.8.169
Source: Joe Sandbox View	IP Address: 104.21.112.1 104.21.112.1

Source: Joe Sandbox View

JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: reallyfreegeoip.org

Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49738 -> 132.226.8.169:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49730 -> 132.226.8.169:80

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org

Source: unknown	HTTPS traffic detected: 104.21.112.1:443 -> 192.168.2.4:49732 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 104.21.112.1:443 -> 192.168.2.4:49739 version: TLS 1.0

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\xom6WSISuh.exe

Code function: 0_2_0013CE44 InternetReadFile,SetEvent,GetLastError,SetEvent,

0_2_0013CE44

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org

Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org

Source: RegSvcs.exe, 00000002.00000002.2986816837.00000000031FC000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.2986752366.00000000034FC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.com
Source: RegSvcs.exe, 00000002.00000002.2986816837.00000000031FC000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2986816837.00000000031F0000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.2986752366.00000000034FC000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.2986752366.00000000034F0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: RegSvcs.exe, 00000002.00000002.2986816837.0000000003179000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.2986752366.0000000003479000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: RegSvcs.exe, 00000002.00000002.2986125435.0000000002BF0000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2986492274.0000000003090000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2989627602.0000000005570000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.2988556410.0000000004411000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/q
Source: RegSvcs.exe, 00000002.00000002.2986816837.0000000003218000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.2986752366.0000000003518000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://reallyfreegeoip.org
Source: RegSvcs.exe, 00000002.00000002.2986816837.00000000031B8000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.2986752366.0000000003479000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: RegSvcs.exe, 00000002.00000002.2986125435.0000000002BF0000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2986492274.0000000003090000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2989627602.0000000005570000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.2988556410.0000000004411000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot-/sendDocument?chat_id=
Source: RegSvcs.exe, 00000002.00000002.2986816837.00000000031FC000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.2986752366.00000000034FC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: RegSvcs.exe, 00000002.00000002.2986816837.00000000031FC000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2986125435.0000000002BF0000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2986492274.0000000003090000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2989627602.0000000005570000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.2986752366.00000000034FC000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.2988556410.0000000004411000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: RegSvcs.exe, 00000002.00000002.2986816837.00000000031FC000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.2986752366.00000000034FC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189l

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443

Source: C:\Users\user\Desktop\xom6WSISuh.exe

Code function: 0_2_0013EAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_0013EAFF

Source: C:\Users\user\Desktop\xom6WSISuh.exe	Code function: 0_2_0013ED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,	0_2_0013ED6A
Source: C:\Users\user\AppData\Local\oxman\gehlenite.exe	Code function: 1_2_005EED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,	1_2_005EED6A
Source: C:\Users\user\AppData\Local\oxman\gehlenite.exe	Code function: 5_2_005EED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,	5_2_005EED6A

Source: C:\Users\user\Desktop\xom6WSISuh.exe

0_2_0013EAFF

Source: C:\Users\user\Desktop\xom6WSISuh.exe

Code function: 0_2_0012AA57 GetKeyboardState,SetKeyboardState,PostMessageW,SendInput,

0_2_0012AA57

Source: C:\Users\user\Desktop\xom6WSISuh.exe	Code function: 0_2_00159576 NtdllDialogWndProc_W,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SetCapture,ClientToScreen,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,	0_2_00159576
Source: C:\Users\user\AppData\Local\oxman\gehlenite.exe	Code function: 1_2_00609576 NtdllDialogWndProc_W,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SetCapture,ClientToScreen,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,	1_2_00609576
Source: C:\Users\user\AppData\Local\oxman\gehlenite.exe	Code function: 5_2_00609576 NtdllDialogWndProc_W,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SetCapture,ClientToScreen,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,	5_2_00609576

System Summary

Malicious sample detected (through community Yara rule)

Source: 2.2.RegSvcs.exe.3090ee8.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 2.2.RegSvcs.exe.3090ee8.4.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 2.2.RegSvcs.exe.2c31b76.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 2.2.RegSvcs.exe.2c31b76.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 5.2.gehlenite.exe.35c0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 2.2.RegSvcs.exe.2c31b76.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 2.2.RegSvcs.exe.2c31b76.2.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 2.2.RegSvcs.exe.3090000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 2.2.RegSvcs.exe.3090000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 8.2.RegSvcs.exe.4415570.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 8.2.RegSvcs.exe.4415570.3.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 2.2.RegSvcs.exe.3090000.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 2.2.RegSvcs.exe.3090000.3.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 2.2.RegSvcs.exe.3090ee8.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 2.2.RegSvcs.exe.3090ee8.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 2.2.RegSvcs.exe.5570000.7.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 2.2.RegSvcs.exe.5570000.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 8.2.RegSvcs.exe.4415570.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 8.2.RegSvcs.exe.4415570.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 8.2.RegSvcs.exe.4416458.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 8.2.RegSvcs.exe.4416458.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 8.2.RegSvcs.exe.443e790.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 8.2.RegSvcs.exe.443e790.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 1.2.gehlenite.exe.af0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 8.2.RegSvcs.exe.443e790.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 8.2.RegSvcs.exe.443e790.2.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 8.2.RegSvcs.exe.4416458.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 8.2.RegSvcs.exe.4416458.1.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 2.2.RegSvcs.exe.2c30c8e.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 2.2.RegSvcs.exe.2c30c8e.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 2.2.RegSvcs.exe.5570000.7.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 2.2.RegSvcs.exe.5570000.7.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 2.2.RegSvcs.exe.2c30c8e.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 2.2.RegSvcs.exe.2c30c8e.1.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 00000002.00000002.2986492274.0000000003090000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000002.00000002.2986492274.0000000003090000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 00000002.00000002.2986125435.0000000002BF0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000002.00000002.2989627602.0000000005570000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000002.00000002.2989627602.0000000005570000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 00000005.00000002.1940996077.00000000035C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 00000008.00000002.2988556410.0000000004411000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000001.00000002.1775907851.0000000000AF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: Process Memory Space: RegSvcs.exe PID: 5076, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: RegSvcs.exe PID: 3332, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown

Binary is likely a compiled AutoIt script file

Source: xom6WSISuh.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: xom6WSISuh.exe, 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_0b317ab8-9
Source: xom6WSISuh.exe, 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_20f78945-9
Source: gehlenite.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: gehlenite.exe, 00000001.00000002.1775302014.0000000000632000.00000040.00000001.01000000.00000004.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_b778c1b3-a
Source: gehlenite.exe, 00000001.00000002.1775302014.0000000000632000.00000040.00000001.01000000.00000004.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_21d7a9b6-c
Source: gehlenite.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: gehlenite.exe, 00000005.00000002.1939131763.0000000000632000.00000040.00000001.01000000.00000004.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_261dc83d-e
Source: gehlenite.exe, 00000005.00000002.1939131763.0000000000632000.00000040.00000001.01000000.00000004.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_dc5189ab-a

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Source: C:\Windows\System32\wscript.exe

COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}

Jump to behavior

Source: C:\Users\user\Desktop\xom6WSISuh.exe	Code function: 0_2_000C3170 NtdllDefWindowProc_W,KillTimer,SetTimer,RegisterClipboardFormatW,CreatePopupMenu,PostQuitMessage,SetFocus,MoveWindow,	0_2_000C3170
Source: C:\Users\user\Desktop\xom6WSISuh.exe	Code function: 0_2_0015A2D7 NtdllDialogWndProc_W,	0_2_0015A2D7
Source: C:\Users\user\Desktop\xom6WSISuh.exe	Code function: 0_2_001587B2 NtdllDialogWndProc_W,CallWindowProcW,	0_2_001587B2
Source: C:\Users\user\Desktop\xom6WSISuh.exe	Code function: 0_2_00158AAA NtdllDialogWndProc_W,	0_2_00158AAA
Source: C:\Users\user\Desktop\xom6WSISuh.exe	Code function: 0_2_000D8BA4 NtdllDialogWndProc_W,	0_2_000D8BA4
Source: C:\Users\user\Desktop\xom6WSISuh.exe	Code function: 0_2_00158FC9 GetCursorPos,TrackPopupMenuEx,GetCursorPos,NtdllDialogWndProc_W,	0_2_00158FC9
Source: C:\Users\user\Desktop\xom6WSISuh.exe	Code function: 0_2_000D9052 NtdllDialogWndProc_W,	0_2_000D9052
Source: C:\Users\user\Desktop\xom6WSISuh.exe	Code function: 0_2_000D90A7 NtdllDialogWndProc_W,	0_2_000D90A7
Source: C:\Users\user\Desktop\xom6WSISuh.exe	Code function: 0_2_001590A1 SendMessageW,NtdllDialogWndProc_W,	0_2_001590A1
Source: C:\Users\user\Desktop\xom6WSISuh.exe	Code function: 0_2_0015911E DragQueryPoint,SendMessageW,DragQueryFileW,DragQueryFileW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,DragFinish,NtdllDialogWndProc_W,	0_2_0015911E
Source: C:\Users\user\Desktop\xom6WSISuh.exe	Code function: 0_2_00159380 NtdllDialogWndProc_W,	0_2_00159380
Source: C:\Users\user\Desktop\xom6WSISuh.exe	Code function: 0_2_001593CB NtdllDialogWndProc_W,	0_2_001593CB
Source: C:\Users\user\Desktop\xom6WSISuh.exe	Code function: 0_2_00159400 ClientToScreen,NtdllDialogWndProc_W,	0_2_00159400
Source: C:\Users\user\Desktop\xom6WSISuh.exe	Code function: 0_2_0015953A GetWindowLongW,NtdllDialogWndProc_W,	0_2_0015953A
Source: C:\Users\user\Desktop\xom6WSISuh.exe	Code function: 0_2_00159576 NtdllDialogWndProc_W,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SetCapture,ClientToScreen,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,	0_2_00159576
Source: C:\Users\user\Desktop\xom6WSISuh.exe	Code function: 0_2_000D97C0 GetParent,NtdllDialogWndProc_W,	0_2_000D97C0
Source: C:\Users\user\Desktop\xom6WSISuh.exe	Code function: 0_2_000D997D NtdllDialogWndProc_W,GetSysColor,SetBkColor,745EC8D0,NtdllDialogWndProc_W,	0_2_000D997D
Source: C:\Users\user\Desktop\xom6WSISuh.exe	Code function: 0_2_00159E74 NtdllDialogWndProc_W,	0_2_00159E74
Source: C:\Users\user\Desktop\xom6WSISuh.exe	Code function: 0_2_00159EF3 GetClientRect,GetCursorPos,ScreenToClient,NtdllDialogWndProc_W,	0_2_00159EF3
Source: C:\Users\user\Desktop\xom6WSISuh.exe	Code function: 0_2_00159F86 GetSystemMetrics,GetSystemMetrics,MoveWindow,SendMessageW,SendMessageW,ShowWindow,InvalidateRect,NtdllDialogWndProc_W,	0_2_00159F86
Source: C:\Users\user\AppData\Local\oxman\gehlenite.exe	Code function: 1_2_00573170 NtdllDefWindowProc_W,KillTimer,SetTimer,RegisterClipboardFormatW,CreatePopupMenu,PostQuitMessage,SetFocus,MoveWindow,	1_2_00573170
Source: C:\Users\user\AppData\Local\oxman\gehlenite.exe	Code function: 1_2_0060A2D7 NtdllDialogWndProc_W,	1_2_0060A2D7
Source: C:\Users\user\AppData\Local\oxman\gehlenite.exe	Code function: 1_2_006087B2 NtdllDialogWndProc_W,CallWindowProcW,	1_2_006087B2
Source: C:\Users\user\AppData\Local\oxman\gehlenite.exe	Code function: 1_2_00608AAA NtdllDialogWndProc_W,	1_2_00608AAA
Source: C:\Users\user\AppData\Local\oxman\gehlenite.exe	Code function: 1_2_00588BA4 NtdllDialogWndProc_W,	1_2_00588BA4
Source: C:\Users\user\AppData\Local\oxman\gehlenite.exe	Code function: 1_2_00608FC9 GetCursorPos,TrackPopupMenuEx,GetCursorPos,NtdllDialogWndProc_W,	1_2_00608FC9
Source: C:\Users\user\AppData\Local\oxman\gehlenite.exe	Code function: 1_2_00589052 NtdllDialogWndProc_W,	1_2_00589052
Source: C:\Users\user\AppData\Local\oxman\gehlenite.exe	Code function: 1_2_006090A1 SendMessageW,NtdllDialogWndProc_W,	1_2_006090A1
Source: C:\Users\user\AppData\Local\oxman\gehlenite.exe	Code function: 1_2_005890A7 NtdllDialogWndProc_W,	1_2_005890A7
Source: C:\Users\user\AppData\Local\oxman\gehlenite.exe	Code function: 1_2_0060911E DragQueryPoint,SendMessageW,DragQueryFileW,DragQueryFileW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,DragFinish,NtdllDialogWndProc_W,	1_2_0060911E
Source: C:\Users\user\AppData\Local\oxman\gehlenite.exe	Code function: 1_2_006093CB NtdllDialogWndProc_W,	1_2_006093CB
Source: C:\Users\user\AppData\Local\oxman\gehlenite.exe	Code function: 1_2_00609380 NtdllDialogWndProc_W,	1_2_00609380
Source: C:\Users\user\AppData\Local\oxman\gehlenite.exe	Code function: 1_2_00609400 ClientToScreen,NtdllDialogWndProc_W,	1_2_00609400
Source: C:\Users\user\AppData\Local\oxman\gehlenite.exe	Code function: 1_2_00609576 NtdllDialogWndProc_W,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SetCapture,ClientToScreen,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,	1_2_00609576
Source: C:\Users\user\AppData\Local\oxman\gehlenite.exe	Code function: 1_2_0060953A GetWindowLongW,NtdllDialogWndProc_W,	1_2_0060953A
Source: C:\Users\user\AppData\Local\oxman\gehlenite.exe	Code function: 1_2_005897C0 GetParent,NtdllDialogWndProc_W,	1_2_005897C0
Source: C:\Users\user\AppData\Local\oxman\gehlenite.exe	Code function: 1_2_0058997D NtdllDialogWndProc_W,GetSysColor,SetBkColor,745EC8D0,NtdllDialogWndProc_W,	1_2_0058997D
Source: C:\Users\user\AppData\Local\oxman\gehlenite.exe	Code function: 1_2_00609E74 NtdllDialogWndProc_W,	1_2_00609E74
Source: C:\Users\user\AppData\Local\oxman\gehlenite.exe	Code function: 1_2_00609EF3 GetClientRect,GetCursorPos,ScreenToClient,NtdllDialogWndProc_W,	1_2_00609EF3
Source: C:\Users\user\AppData\Local\oxman\gehlenite.exe	Code function: 1_2_00609F86 GetSystemMetrics,GetSystemMetrics,MoveWindow,SendMessageW,SendMessageW,ShowWindow,InvalidateRect,NtdllDialogWndProc_W,	1_2_00609F86
Source: C:\Users\user\AppData\Local\oxman\gehlenite.exe	Code function: 5_2_00573170 NtdllDefWindowProc_W,KillTimer,SetTimer,RegisterClipboardFormatW,CreatePopupMenu,PostQuitMessage,SetFocus,MoveWindow,	5_2_00573170
Source: C:\Users\user\AppData\Local\oxman\gehlenite.exe	Code function: 5_2_0060A2D7 NtdllDialogWndProc_W,	5_2_0060A2D7
Source: C:\Users\user\AppData\Local\oxman\gehlenite.exe	Code function: 5_2_006087B2 NtdllDialogWndProc_W,CallWindowProcW,	5_2_006087B2
Source: C:\Users\user\AppData\Local\oxman\gehlenite.exe	Code function: 5_2_00608AAA NtdllDialogWndProc_W,	5_2_00608AAA
Source: C:\Users\user\AppData\Local\oxman\gehlenite.exe	Code function: 5_2_00588BA4 NtdllDialogWndProc_W,	5_2_00588BA4
Source: C:\Users\user\AppData\Local\oxman\gehlenite.exe	Code function: 5_2_00608FC9 GetCursorPos,TrackPopupMenuEx,GetCursorPos,NtdllDialogWndProc_W,	5_2_00608FC9
Source: C:\Users\user\AppData\Local\oxman\gehlenite.exe	Code function: 5_2_00589052 NtdllDialogWndProc_W,	5_2_00589052
Source: C:\Users\user\AppData\Local\oxman\gehlenite.exe	Code function: 5_2_006090A1 SendMessageW,NtdllDialogWndProc_W,	5_2_006090A1
Source: C:\Users\user\AppData\Local\oxman\gehlenite.exe	Code function: 5_2_005890A7 NtdllDialogWndProc_W,	5_2_005890A7
Source: C:\Users\user\AppData\Local\oxman\gehlenite.exe	Code function: 5_2_0060911E DragQueryPoint,SendMessageW,DragQueryFileW,DragQueryFileW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,DragFinish,NtdllDialogWndProc_W,	5_2_0060911E
Source: C:\Users\user\AppData\Local\oxman\gehlenite.exe	Code function: 5_2_006093CB NtdllDialogWndProc_W,	5_2_006093CB
Source: C:\Users\user\AppData\Local\oxman\gehlenite.exe	Code function: 5_2_00609380 NtdllDialogWndProc_W,	5_2_00609380
Source: C:\Users\user\AppData\Local\oxman\gehlenite.exe	Code function: 5_2_00609400 ClientToScreen,NtdllDialogWndProc_W,	5_2_00609400
Source: C:\Users\user\AppData\Local\oxman\gehlenite.exe	Code function: 5_2_00609576 NtdllDialogWndProc_W,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SetCapture,ClientToScreen,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,	5_2_00609576
Source: C:\Users\user\AppData\Local\oxman\gehlenite.exe	Code function: 5_2_0060953A GetWindowLongW,NtdllDialogWndProc_W,	5_2_0060953A
Source: C:\Users\user\AppData\Local\oxman\gehlenite.exe	Code function: 5_2_005897C0 GetParent,NtdllDialogWndProc_W,	5_2_005897C0
Source: C:\Users\user\AppData\Local\oxman\gehlenite.exe	Code function: 5_2_0058997D NtdllDialogWndProc_W,GetSysColor,SetBkColor,745EC8D0,NtdllDialogWndProc_W,	5_2_0058997D
Source: C:\Users\user\AppData\Local\oxman\gehlenite.exe	Code function: 5_2_00609E74 NtdllDialogWndProc_W,	5_2_00609E74
Source: C:\Users\user\AppData\Local\oxman\gehlenite.exe	Code function: 5_2_00609EF3 GetClientRect,GetCursorPos,ScreenToClient,NtdllDialogWndProc_W,	5_2_00609EF3
Source: C:\Users\user\AppData\Local\oxman\gehlenite.exe	Code function: 5_2_00609F86 GetSystemMetrics,GetSystemMetrics,MoveWindow,SendMessageW,SendMessageW,ShowWindow,InvalidateRect,NtdllDialogWndProc_W,	5_2_00609F86

Source: C:\Users\user\Desktop\xom6WSISuh.exe

Code function: 0_2_0012D5EB: CreateFileW,DeviceIoControl,CloseHandle,

0_2_0012D5EB

Source: C:\Users\user\Desktop\xom6WSISuh.exe

Code function: 0_2_00121201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,74B45590,CreateProcessAsUserW,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,

0_2_00121201

Source: C:\Users\user\Desktop\xom6WSISuh.exe	Code function: 0_2_0012E8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,	0_2_0012E8F6
Source: C:\Users\user\AppData\Local\oxman\gehlenite.exe	Code function: 1_2_005DE8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,	1_2_005DE8F6
Source: C:\Users\user\AppData\Local\oxman\gehlenite.exe	Code function: 5_2_005DE8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,	5_2_005DE8F6

Source: C:\Users\user\Desktop\xom6WSISuh.exe	Code function: 0_2_00132046	0_2_00132046
Source: C:\Users\user\Desktop\xom6WSISuh.exe	Code function: 0_2_000C8060	0_2_000C8060
Source: C:\Users\user\Desktop\xom6WSISuh.exe	Code function: 0_2_00128298	0_2_00128298
Source: C:\Users\user\Desktop\xom6WSISuh.exe	Code function: 0_2_000FE4FF	0_2_000FE4FF
Source: C:\Users\user\Desktop\xom6WSISuh.exe	Code function: 0_2_000F676B	0_2_000F676B
Source: C:\Users\user\Desktop\xom6WSISuh.exe	Code function: 0_2_00154873	0_2_00154873
Source: C:\Users\user\Desktop\xom6WSISuh.exe	Code function: 0_2_000ECAA0	0_2_000ECAA0
Source: C:\Users\user\Desktop\xom6WSISuh.exe	Code function: 0_2_000CCAF0	0_2_000CCAF0
Source: C:\Users\user\Desktop\xom6WSISuh.exe	Code function: 0_2_000DCC39	0_2_000DCC39
Source: C:\Users\user\Desktop\xom6WSISuh.exe	Code function: 0_2_000F6DD9	0_2_000F6DD9
Source: C:\Users\user\Desktop\xom6WSISuh.exe	Code function: 0_2_000DB119	0_2_000DB119
Source: C:\Users\user\Desktop\xom6WSISuh.exe	Code function: 0_2_000C91C0	0_2_000C91C0
Source: C:\Users\user\Desktop\xom6WSISuh.exe	Code function: 0_2_000E1394	0_2_000E1394
Source: C:\Users\user\Desktop\xom6WSISuh.exe	Code function: 0_2_000E1706	0_2_000E1706
Source: C:\Users\user\Desktop\xom6WSISuh.exe	Code function: 0_2_000E781B	0_2_000E781B
Source: C:\Users\user\Desktop\xom6WSISuh.exe	Code function: 0_2_000C7920	0_2_000C7920
Source: C:\Users\user\Desktop\xom6WSISuh.exe	Code function: 0_2_000D997D	0_2_000D997D
Source: C:\Users\user\Desktop\xom6WSISuh.exe	Code function: 0_2_000E19B0	0_2_000E19B0
Source: C:\Users\user\Desktop\xom6WSISuh.exe	Code function: 0_2_000E7A4A	0_2_000E7A4A
Source: C:\Users\user\Desktop\xom6WSISuh.exe	Code function: 0_2_000E1C77	0_2_000E1C77
Source: C:\Users\user\Desktop\xom6WSISuh.exe	Code function: 0_2_000E7CA7	0_2_000E7CA7
Source: C:\Users\user\Desktop\xom6WSISuh.exe	Code function: 0_2_0014BE44	0_2_0014BE44
Source: C:\Users\user\Desktop\xom6WSISuh.exe	Code function: 0_2_000F9EEE	0_2_000F9EEE
Source: C:\Users\user\Desktop\xom6WSISuh.exe	Code function: 0_2_000E1F32	0_2_000E1F32
Source: C:\Users\user\Desktop\xom6WSISuh.exe	Code function: 0_2_00BE89A8	0_2_00BE89A8
Source: C:\Users\user\AppData\Local\oxman\gehlenite.exe	Code function: 1_2_0057BF40	1_2_0057BF40
Source: C:\Users\user\AppData\Local\oxman\gehlenite.exe	Code function: 1_2_005E2046	1_2_005E2046
Source: C:\Users\user\AppData\Local\oxman\gehlenite.exe	Code function: 1_2_00578060	1_2_00578060
Source: C:\Users\user\AppData\Local\oxman\gehlenite.exe	Code function: 1_2_005D8298	1_2_005D8298
Source: C:\Users\user\AppData\Local\oxman\gehlenite.exe	Code function: 1_2_005AE4FF	1_2_005AE4FF
Source: C:\Users\user\AppData\Local\oxman\gehlenite.exe	Code function: 1_2_005A676B	1_2_005A676B
Source: C:\Users\user\AppData\Local\oxman\gehlenite.exe	Code function: 1_2_00604873	1_2_00604873
Source: C:\Users\user\AppData\Local\oxman\gehlenite.exe	Code function: 1_2_0057CAF0	1_2_0057CAF0
Source: C:\Users\user\AppData\Local\oxman\gehlenite.exe	Code function: 1_2_0059CAA0	1_2_0059CAA0
Source: C:\Users\user\AppData\Local\oxman\gehlenite.exe	Code function: 1_2_0058CC39	1_2_0058CC39
Source: C:\Users\user\AppData\Local\oxman\gehlenite.exe	Code function: 1_2_005A6DD9	1_2_005A6DD9
Source: C:\Users\user\AppData\Local\oxman\gehlenite.exe	Code function: 1_2_0058B119	1_2_0058B119
Source: C:\Users\user\AppData\Local\oxman\gehlenite.exe	Code function: 1_2_005791C0	1_2_005791C0
Source: C:\Users\user\AppData\Local\oxman\gehlenite.exe	Code function: 1_2_00591394	1_2_00591394
Source: C:\Users\user\AppData\Local\oxman\gehlenite.exe	Code function: 1_2_00591706	1_2_00591706
Source: C:\Users\user\AppData\Local\oxman\gehlenite.exe	Code function: 1_2_0059781B	1_2_0059781B
Source: C:\Users\user\AppData\Local\oxman\gehlenite.exe	Code function: 1_2_0058997D	1_2_0058997D
Source: C:\Users\user\AppData\Local\oxman\gehlenite.exe	Code function: 1_2_00577920	1_2_00577920
Source: C:\Users\user\AppData\Local\oxman\gehlenite.exe	Code function: 1_2_005919B0	1_2_005919B0
Source: C:\Users\user\AppData\Local\oxman\gehlenite.exe	Code function: 1_2_00597A4A	1_2_00597A4A
Source: C:\Users\user\AppData\Local\oxman\gehlenite.exe	Code function: 1_2_00591C77	1_2_00591C77
Source: C:\Users\user\AppData\Local\oxman\gehlenite.exe	Code function: 1_2_00597CA7	1_2_00597CA7
Source: C:\Users\user\AppData\Local\oxman\gehlenite.exe	Code function: 1_2_005FBE44	1_2_005FBE44
Source: C:\Users\user\AppData\Local\oxman\gehlenite.exe	Code function: 1_2_005A9EEE	1_2_005A9EEE
Source: C:\Users\user\AppData\Local\oxman\gehlenite.exe	Code function: 1_2_00591F32	1_2_00591F32
Source: C:\Users\user\AppData\Local\oxman\gehlenite.exe	Code function: 1_2_00DD3F10	1_2_00DD3F10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_00408C60	2_2_00408C60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0040DC11	2_2_0040DC11
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_00407C3F	2_2_00407C3F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_00418CCC	2_2_00418CCC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_00406CA0	2_2_00406CA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_004028B0	2_2_004028B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0041A4BE	2_2_0041A4BE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_00408C60	2_2_00408C60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_00418244	2_2_00418244
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_00402F20	2_2_00402F20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_004193C4	2_2_004193C4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_00418788	2_2_00418788
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_00402F89	2_2_00402F89
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_00402B90	2_2_00402B90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_004073A0	2_2_004073A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_02AA1438	2_2_02AA1438
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_02AA1448	2_2_02AA1448
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_02AA11A8	2_2_02AA11A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_02AA119C	2_2_02AA119C
Source: C:\Users\user\AppData\Local\oxman\gehlenite.exe	Code function: 5_2_0057BF40	5_2_0057BF40
Source: C:\Users\user\AppData\Local\oxman\gehlenite.exe	Code function: 5_2_005E2046	5_2_005E2046
Source: C:\Users\user\AppData\Local\oxman\gehlenite.exe	Code function: 5_2_00578060	5_2_00578060
Source: C:\Users\user\AppData\Local\oxman\gehlenite.exe	Code function: 5_2_005D8298	5_2_005D8298
Source: C:\Users\user\AppData\Local\oxman\gehlenite.exe	Code function: 5_2_005AE4FF	5_2_005AE4FF
Source: C:\Users\user\AppData\Local\oxman\gehlenite.exe	Code function: 5_2_005A676B	5_2_005A676B
Source: C:\Users\user\AppData\Local\oxman\gehlenite.exe	Code function: 5_2_00604873	5_2_00604873
Source: C:\Users\user\AppData\Local\oxman\gehlenite.exe	Code function: 5_2_0057CAF0	5_2_0057CAF0
Source: C:\Users\user\AppData\Local\oxman\gehlenite.exe	Code function: 5_2_0059CAA0	5_2_0059CAA0
Source: C:\Users\user\AppData\Local\oxman\gehlenite.exe	Code function: 5_2_0058CC39	5_2_0058CC39
Source: C:\Users\user\AppData\Local\oxman\gehlenite.exe	Code function: 5_2_005A6DD9	5_2_005A6DD9
Source: C:\Users\user\AppData\Local\oxman\gehlenite.exe	Code function: 5_2_0058B119	5_2_0058B119
Source: C:\Users\user\AppData\Local\oxman\gehlenite.exe	Code function: 5_2_005791C0	5_2_005791C0
Source: C:\Users\user\AppData\Local\oxman\gehlenite.exe	Code function: 5_2_00591394	5_2_00591394
Source: C:\Users\user\AppData\Local\oxman\gehlenite.exe	Code function: 5_2_00591706	5_2_00591706
Source: C:\Users\user\AppData\Local\oxman\gehlenite.exe	Code function: 5_2_0059781B	5_2_0059781B
Source: C:\Users\user\AppData\Local\oxman\gehlenite.exe	Code function: 5_2_0058997D	5_2_0058997D
Source: C:\Users\user\AppData\Local\oxman\gehlenite.exe	Code function: 5_2_00577920	5_2_00577920
Source: C:\Users\user\AppData\Local\oxman\gehlenite.exe	Code function: 5_2_005919B0	5_2_005919B0
Source: C:\Users\user\AppData\Local\oxman\gehlenite.exe	Code function: 5_2_00597A4A	5_2_00597A4A
Source: C:\Users\user\AppData\Local\oxman\gehlenite.exe	Code function: 5_2_00591C77	5_2_00591C77
Source: C:\Users\user\AppData\Local\oxman\gehlenite.exe	Code function: 5_2_00597CA7	5_2_00597CA7
Source: C:\Users\user\AppData\Local\oxman\gehlenite.exe	Code function: 5_2_005FBE44	5_2_005FBE44
Source: C:\Users\user\AppData\Local\oxman\gehlenite.exe	Code function: 5_2_005A9EEE	5_2_005A9EEE
Source: C:\Users\user\AppData\Local\oxman\gehlenite.exe	Code function: 5_2_00591F32	5_2_00591F32
Source: C:\Users\user\AppData\Local\oxman\gehlenite.exe	Code function: 5_2_01273E70	5_2_01273E70

Source: C:\Users\user\AppData\Local\oxman\gehlenite.exe	Code function: String function: 005B1F50 appears 52 times
Source: C:\Users\user\AppData\Local\oxman\gehlenite.exe	Code function: String function: 00579CB3 appears 60 times
Source: C:\Users\user\AppData\Local\oxman\gehlenite.exe	Code function: String function: 005DDF27 appears 32 times
Source: C:\Users\user\AppData\Local\oxman\gehlenite.exe	Code function: String function: 0058F9F2 appears 62 times
Source: C:\Users\user\AppData\Local\oxman\gehlenite.exe	Code function: String function: 0057988F appears 34 times
Source: C:\Users\user\AppData\Local\oxman\gehlenite.exe	Code function: String function: 0057600E appears 34 times
Source: C:\Users\user\AppData\Local\oxman\gehlenite.exe	Code function: String function: 00594A28 appears 40 times
Source: C:\Users\user\AppData\Local\oxman\gehlenite.exe	Code function: String function: 00598E0B appears 36 times
Source: C:\Users\user\AppData\Local\oxman\gehlenite.exe	Code function: String function: 005A2FA6 appears 48 times
Source: C:\Users\user\AppData\Local\oxman\gehlenite.exe	Code function: String function: 0057CFA0 appears 44 times
Source: C:\Users\user\AppData\Local\oxman\gehlenite.exe	Code function: String function: 00594963 appears 54 times
Source: C:\Users\user\AppData\Local\oxman\gehlenite.exe	Code function: String function: 00590A30 appears 92 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: String function: 0040E1D8 appears 43 times
Source: C:\Users\user\Desktop\xom6WSISuh.exe	Code function: String function: 000E0A30 appears 46 times
Source: C:\Users\user\Desktop\xom6WSISuh.exe	Code function: String function: 000DF9F2 appears 31 times

Source: xom6WSISuh.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: 2.2.RegSvcs.exe.3090ee8.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 2.2.RegSvcs.exe.3090ee8.4.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.RegSvcs.exe.2c31b76.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 2.2.RegSvcs.exe.2c31b76.2.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 5.2.gehlenite.exe.35c0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 2.2.RegSvcs.exe.2c31b76.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 2.2.RegSvcs.exe.2c31b76.2.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.RegSvcs.exe.3090000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 2.2.RegSvcs.exe.3090000.3.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 8.2.RegSvcs.exe.4415570.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 8.2.RegSvcs.exe.4415570.3.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.RegSvcs.exe.3090000.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 2.2.RegSvcs.exe.3090000.3.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.RegSvcs.exe.3090ee8.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 2.2.RegSvcs.exe.3090ee8.4.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.RegSvcs.exe.5570000.7.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 2.2.RegSvcs.exe.5570000.7.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 8.2.RegSvcs.exe.4415570.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 8.2.RegSvcs.exe.4415570.3.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 8.2.RegSvcs.exe.4416458.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 8.2.RegSvcs.exe.4416458.1.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 8.2.RegSvcs.exe.443e790.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 8.2.RegSvcs.exe.443e790.2.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1.2.gehlenite.exe.af0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 8.2.RegSvcs.exe.443e790.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 8.2.RegSvcs.exe.443e790.2.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 8.2.RegSvcs.exe.4416458.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 8.2.RegSvcs.exe.4416458.1.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.RegSvcs.exe.2c30c8e.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 2.2.RegSvcs.exe.2c30c8e.1.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.RegSvcs.exe.5570000.7.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 2.2.RegSvcs.exe.5570000.7.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.RegSvcs.exe.2c30c8e.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 2.2.RegSvcs.exe.2c30c8e.1.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000002.00000002.2986492274.0000000003090000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000002.00000002.2986492274.0000000003090000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000002.00000002.2986125435.0000000002BF0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000002.00000002.2989627602.0000000005570000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000002.00000002.2989627602.0000000005570000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000005.00000002.1940996077.00000000035C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 00000008.00000002.2988556410.0000000004411000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000001.00000002.1775907851.0000000000AF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: Process Memory Space: RegSvcs.exe PID: 5076, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: RegSvcs.exe PID: 3332, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23

Source: classification engine

Classification label: mal100.troj.spyw.expl.evad.winEXE@10/6@2/2

Source: C:\Users\user\Desktop\xom6WSISuh.exe

Code function: 0_2_001337B5 GetLastError,FormatMessageW,

0_2_001337B5

Source: C:\Users\user\Desktop\xom6WSISuh.exe	Code function: 0_2_001210BF AdjustTokenPrivileges,CloseHandle,	0_2_001210BF
Source: C:\Users\user\Desktop\xom6WSISuh.exe	Code function: 0_2_001216C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,	0_2_001216C3
Source: C:\Users\user\AppData\Local\oxman\gehlenite.exe	Code function: 1_2_005D10BF AdjustTokenPrivileges,CloseHandle,	1_2_005D10BF
Source: C:\Users\user\AppData\Local\oxman\gehlenite.exe	Code function: 1_2_005D16C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,	1_2_005D16C3
Source: C:\Users\user\AppData\Local\oxman\gehlenite.exe	Code function: 5_2_005D10BF AdjustTokenPrivileges,CloseHandle,	5_2_005D10BF
Source: C:\Users\user\AppData\Local\oxman\gehlenite.exe	Code function: 5_2_005D16C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,	5_2_005D16C3

Source: C:\Users\user\Desktop\xom6WSISuh.exe

Code function: 0_2_001351CD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_001351CD

Source: C:\Users\user\Desktop\xom6WSISuh.exe

Code function: 0_2_0014A67C CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_0014A67C

Source: C:\Users\user\Desktop\xom6WSISuh.exe

Code function: 0_2_0013648E _wcslen,CoInitialize,CoCreateInstance,CoUninitialize,

0_2_0013648E

Source: C:\Users\user\Desktop\xom6WSISuh.exe

Code function: 0_2_000C42A2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_000C42A2

Source: C:\Users\user\Desktop\xom6WSISuh.exe

File created: C:\Users\user\AppData\Local\oxman

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Mutant created: NULL

Source: C:\Users\user\Desktop\xom6WSISuh.exe

File created: C:\Users\user\AppData\Local\Temp\aut1E99.tmp

Jump to behavior

Source: unknown

Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\gehlenite.vbs"

Source: C:\Windows\System32\wscript.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\xom6WSISuh.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: RegSvcs.exe, 00000002.00000002.2986816837.000000000325B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2986816837.000000000326B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2986816837.0000000003279000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.2986752366.000000000355B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.2986752366.0000000003579000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.2986752366.000000000356B000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: xom6WSISuh.exe	Virustotal: Detection: 74%
Source: xom6WSISuh.exe	ReversingLabs: Detection: 68%

Source: C:\Users\user\Desktop\xom6WSISuh.exe

File read: C:\Users\user\Desktop\xom6WSISuh.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\xom6WSISuh.exe "C:\Users\user\Desktop\xom6WSISuh.exe"
Source: C:\Users\user\Desktop\xom6WSISuh.exe	Process created: C:\Users\user\AppData\Local\oxman\gehlenite.exe "C:\Users\user\Desktop\xom6WSISuh.exe"
Source: C:\Users\user\AppData\Local\oxman\gehlenite.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\xom6WSISuh.exe"
Source: unknown	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\gehlenite.vbs"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\oxman\gehlenite.exe "C:\Users\user\AppData\Local\oxman\gehlenite.exe"
Source: C:\Users\user\AppData\Local\oxman\gehlenite.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\AppData\Local\oxman\gehlenite.exe"
Source: C:\Users\user\Desktop\xom6WSISuh.exe	Process created: C:\Users\user\AppData\Local\oxman\gehlenite.exe "C:\Users\user\Desktop\xom6WSISuh.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\oxman\gehlenite.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\xom6WSISuh.exe"	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\oxman\gehlenite.exe "C:\Users\user\AppData\Local\oxman\gehlenite.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\oxman\gehlenite.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\AppData\Local\oxman\gehlenite.exe"	Jump to behavior

Source: C:\Users\user\Desktop\xom6WSISuh.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\xom6WSISuh.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\xom6WSISuh.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\xom6WSISuh.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\xom6WSISuh.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\xom6WSISuh.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\xom6WSISuh.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\xom6WSISuh.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\xom6WSISuh.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\xom6WSISuh.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\xom6WSISuh.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\xom6WSISuh.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\xom6WSISuh.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\xom6WSISuh.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\xom6WSISuh.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\oxman\gehlenite.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\oxman\gehlenite.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\oxman\gehlenite.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\oxman\gehlenite.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\oxman\gehlenite.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\oxman\gehlenite.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\oxman\gehlenite.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\oxman\gehlenite.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\oxman\gehlenite.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\oxman\gehlenite.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\oxman\gehlenite.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrobj.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\oxman\gehlenite.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\oxman\gehlenite.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\oxman\gehlenite.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\oxman\gehlenite.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\oxman\gehlenite.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\oxman\gehlenite.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\oxman\gehlenite.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\oxman\gehlenite.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\oxman\gehlenite.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\oxman\gehlenite.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\oxman\gehlenite.exe	Section loaded: wldp.dll	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source:	Binary string: _.pdb source: RegSvcs.exe, 00000002.00000002.2986125435.0000000002BF0000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2986492274.0000000003090000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.2986285277.0000000002F89000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.2988556410.0000000004411000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: gehlenite.exe, 00000001.00000003.1772660264.0000000003620000.00000004.00001000.00020000.00000000.sdmp, gehlenite.exe, 00000001.00000003.1773073049.0000000003480000.00000004.00001000.00020000.00000000.sdmp, gehlenite.exe, 00000005.00000003.1931884711.0000000003C30000.00000004.00001000.00020000.00000000.sdmp, gehlenite.exe, 00000005.00000003.1933902415.0000000003A90000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: gehlenite.exe, 00000001.00000003.1772660264.0000000003620000.00000004.00001000.00020000.00000000.sdmp, gehlenite.exe, 00000001.00000003.1773073049.0000000003480000.00000004.00001000.00020000.00000000.sdmp, gehlenite.exe, 00000005.00000003.1931884711.0000000003C30000.00000004.00001000.00020000.00000000.sdmp, gehlenite.exe, 00000005.00000003.1933902415.0000000003A90000.00000004.00001000.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\xom6WSISuh.exe

Code function: 0_2_000C42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_000C42DE

Source: C:\Users\user\Desktop\xom6WSISuh.exe	Code function: 0_2_000E0A76 push ecx; ret	0_2_000E0A89
Source: C:\Users\user\AppData\Local\oxman\gehlenite.exe	Code function: 1_2_00590A76 push ecx; ret	1_2_00590A89
Source: C:\Users\user\AppData\Local\oxman\gehlenite.exe	Code function: 1_2_00DD02D2 push edi; ret	1_2_00DD0311
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0041C40C push cs; iretd	2_2_0041C4E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0041C50E push cs; iretd	2_2_0041C4E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0040E21D push ecx; ret	2_2_0040E230
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0041C6BE push ebx; ret	2_2_0041C6BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0040BB97 push dword ptr [ecx-75h]; iretd	2_2_0040BBA3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_02AA4692 push ebx; iretd	2_2_02AA469C
Source: C:\Users\user\AppData\Local\oxman\gehlenite.exe	Code function: 5_2_00590A76 push ecx; ret	5_2_00590A89

Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1

Source: C:\Users\user\Desktop\xom6WSISuh.exe

File created: C:\Users\user\AppData\Local\oxman\gehlenite.exe

Jump to dropped file

Boot Survival

Drops VBS files to the startup folder

Source: C:\Users\user\AppData\Local\oxman\gehlenite.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\gehlenite.vbs

Jump to dropped file

Source: C:\Users\user\AppData\Local\oxman\gehlenite.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\gehlenite.vbs

Jump to behavior

Source: C:\Users\user\AppData\Local\oxman\gehlenite.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\gehlenite.vbs

Jump to behavior

Source: C:\Users\user\Desktop\xom6WSISuh.exe	Code function: 0_2_000DF98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,	0_2_000DF98E
Source: C:\Users\user\Desktop\xom6WSISuh.exe	Code function: 0_2_00151C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,	0_2_00151C41
Source: C:\Users\user\AppData\Local\oxman\gehlenite.exe	Code function: 1_2_0058F98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,	1_2_0058F98E
Source: C:\Users\user\AppData\Local\oxman\gehlenite.exe	Code function: 1_2_00601C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,	1_2_00601C41
Source: C:\Users\user\AppData\Local\oxman\gehlenite.exe	Code function: 5_2_0058F98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,	5_2_0058F98E
Source: C:\Users\user\AppData\Local\oxman\gehlenite.exe	Code function: 5_2_00601C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,	5_2_00601C41

Source: C:\Users\user\Desktop\xom6WSISuh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xom6WSISuh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\oxman\gehlenite.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\oxman\gehlenite.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\oxman\gehlenite.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\oxman\gehlenite.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 5076, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 3332, type: MEMORYSTR

Found API chain indicative of sandbox detection

Source: C:\Users\user\Desktop\xom6WSISuh.exe	Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep			graph_0-98294
Source: C:\Users\user\AppData\Local\oxman\gehlenite.exe	Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\AppData\Local\oxman\gehlenite.exe	API/Special instruction interceptor: Address: DD3B34
Source: C:\Users\user\AppData\Local\oxman\gehlenite.exe	API/Special instruction interceptor: Address: 1273A94

Source: C:\Windows\System32\wscript.exe

Window found: window name: WSH-Timer

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep

Source: C:\Users\user\Desktop\xom6WSISuh.exe	API coverage: 3.9 %
Source: C:\Users\user\AppData\Local\oxman\gehlenite.exe	API coverage: 4.2 %
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	API coverage: 5.5 %
Source: C:\Users\user\AppData\Local\oxman\gehlenite.exe	API coverage: 4.0 %

Source: C:\Users\user\Desktop\xom6WSISuh.exe	Code function: 0_2_0012DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	0_2_0012DBBE
Source: C:\Users\user\Desktop\xom6WSISuh.exe	Code function: 0_2_001368EE FindFirstFileW,FindClose,	0_2_001368EE
Source: C:\Users\user\Desktop\xom6WSISuh.exe	Code function: 0_2_0013698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	0_2_0013698F
Source: C:\Users\user\Desktop\xom6WSISuh.exe	Code function: 0_2_0012D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_0012D076
Source: C:\Users\user\Desktop\xom6WSISuh.exe	Code function: 0_2_0012D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_0012D3A9
Source: C:\Users\user\Desktop\xom6WSISuh.exe	Code function: 0_2_00139642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00139642
Source: C:\Users\user\Desktop\xom6WSISuh.exe	Code function: 0_2_0013979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0013979D
Source: C:\Users\user\Desktop\xom6WSISuh.exe	Code function: 0_2_00139B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	0_2_00139B2B
Source: C:\Users\user\Desktop\xom6WSISuh.exe	Code function: 0_2_00135C97 FindFirstFileW,FindNextFileW,FindClose,	0_2_00135C97
Source: C:\Users\user\AppData\Local\oxman\gehlenite.exe	Code function: 1_2_005DDBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	1_2_005DDBBE
Source: C:\Users\user\AppData\Local\oxman\gehlenite.exe	Code function: 1_2_005E68EE FindFirstFileW,FindClose,	1_2_005E68EE
Source: C:\Users\user\AppData\Local\oxman\gehlenite.exe	Code function: 1_2_005E698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	1_2_005E698F
Source: C:\Users\user\AppData\Local\oxman\gehlenite.exe	Code function: 1_2_005DD076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	1_2_005DD076
Source: C:\Users\user\AppData\Local\oxman\gehlenite.exe	Code function: 1_2_005DD3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	1_2_005DD3A9
Source: C:\Users\user\AppData\Local\oxman\gehlenite.exe	Code function: 1_2_005E9642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	1_2_005E9642
Source: C:\Users\user\AppData\Local\oxman\gehlenite.exe	Code function: 1_2_005E979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	1_2_005E979D
Source: C:\Users\user\AppData\Local\oxman\gehlenite.exe	Code function: 1_2_005E9B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	1_2_005E9B2B
Source: C:\Users\user\AppData\Local\oxman\gehlenite.exe	Code function: 1_2_005E5C97 FindFirstFileW,FindNextFileW,FindClose,	1_2_005E5C97
Source: C:\Users\user\AppData\Local\oxman\gehlenite.exe	Code function: 5_2_005DDBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	5_2_005DDBBE
Source: C:\Users\user\AppData\Local\oxman\gehlenite.exe	Code function: 5_2_005E68EE FindFirstFileW,FindClose,	5_2_005E68EE
Source: C:\Users\user\AppData\Local\oxman\gehlenite.exe	Code function: 5_2_005E698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	5_2_005E698F
Source: C:\Users\user\AppData\Local\oxman\gehlenite.exe	Code function: 5_2_005DD076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	5_2_005DD076
Source: C:\Users\user\AppData\Local\oxman\gehlenite.exe	Code function: 5_2_005DD3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	5_2_005DD3A9
Source: C:\Users\user\AppData\Local\oxman\gehlenite.exe	Code function: 5_2_005E9642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	5_2_005E9642
Source: C:\Users\user\AppData\Local\oxman\gehlenite.exe	Code function: 5_2_005E979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	5_2_005E979D
Source: C:\Users\user\AppData\Local\oxman\gehlenite.exe	Code function: 5_2_005E9B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	5_2_005E9B2B
Source: C:\Users\user\AppData\Local\oxman\gehlenite.exe	Code function: 5_2_005E5C97 FindFirstFileW,FindNextFileW,FindClose,	5_2_005E5C97

Source: C:\Users\user\Desktop\xom6WSISuh.exe

Code function: 0_2_000C42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_000C42DE

Source: wscript.exe, 00000004.00000002.1893794028.000002B8253C4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: wscript.exe, 00000004.00000002.1893794028.000002B8253C4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}iT
Source: RegSvcs.exe, 00000008.00000002.2985783718.000000000149E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllk
Source: RegSvcs.exe, 00000002.00000002.2985008089.0000000000F3F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll@

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

API call chain: ExitProcess graph end node

Source: C:\Users\user\Desktop\xom6WSISuh.exe

Code function: 0_2_0013EAA2 BlockInput,

0_2_0013EAA2

Source: C:\Users\user\Desktop\xom6WSISuh.exe

Code function: 0_2_000F2622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_000F2622

Source: C:\Users\user\Desktop\xom6WSISuh.exe

Code function: 0_2_000C42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_000C42DE

Source: C:\Users\user\Desktop\xom6WSISuh.exe	Code function: 0_2_000E4CE8 mov eax, dword ptr fs:[00000030h]	0_2_000E4CE8
Source: C:\Users\user\Desktop\xom6WSISuh.exe	Code function: 0_2_00BE8898 mov eax, dword ptr fs:[00000030h]	0_2_00BE8898
Source: C:\Users\user\Desktop\xom6WSISuh.exe	Code function: 0_2_00BE8838 mov eax, dword ptr fs:[00000030h]	0_2_00BE8838
Source: C:\Users\user\Desktop\xom6WSISuh.exe	Code function: 0_2_00BE71F8 mov eax, dword ptr fs:[00000030h]	0_2_00BE71F8
Source: C:\Users\user\AppData\Local\oxman\gehlenite.exe	Code function: 1_2_00594CE8 mov eax, dword ptr fs:[00000030h]	1_2_00594CE8
Source: C:\Users\user\AppData\Local\oxman\gehlenite.exe	Code function: 1_2_00DD2760 mov eax, dword ptr fs:[00000030h]	1_2_00DD2760
Source: C:\Users\user\AppData\Local\oxman\gehlenite.exe	Code function: 1_2_00DD3DA0 mov eax, dword ptr fs:[00000030h]	1_2_00DD3DA0
Source: C:\Users\user\AppData\Local\oxman\gehlenite.exe	Code function: 1_2_00DD3E00 mov eax, dword ptr fs:[00000030h]	1_2_00DD3E00
Source: C:\Users\user\AppData\Local\oxman\gehlenite.exe	Code function: 5_2_00594CE8 mov eax, dword ptr fs:[00000030h]	5_2_00594CE8
Source: C:\Users\user\AppData\Local\oxman\gehlenite.exe	Code function: 5_2_012726C0 mov eax, dword ptr fs:[00000030h]	5_2_012726C0
Source: C:\Users\user\AppData\Local\oxman\gehlenite.exe	Code function: 5_2_01273D00 mov eax, dword ptr fs:[00000030h]	5_2_01273D00
Source: C:\Users\user\AppData\Local\oxman\gehlenite.exe	Code function: 5_2_01273D60 mov eax, dword ptr fs:[00000030h]	5_2_01273D60

Source: C:\Users\user\Desktop\xom6WSISuh.exe

Code function: 0_2_00120B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,RtlAllocateHeap,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,

0_2_00120B62

Source: C:\Users\user\Desktop\xom6WSISuh.exe	Code function: 0_2_000F2622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_000F2622
Source: C:\Users\user\Desktop\xom6WSISuh.exe	Code function: 0_2_000E083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_000E083F
Source: C:\Users\user\Desktop\xom6WSISuh.exe	Code function: 0_2_000E09D5 SetUnhandledExceptionFilter,	0_2_000E09D5
Source: C:\Users\user\Desktop\xom6WSISuh.exe	Code function: 0_2_000E0C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_000E0C21
Source: C:\Users\user\AppData\Local\oxman\gehlenite.exe	Code function: 1_2_005A2622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	1_2_005A2622
Source: C:\Users\user\AppData\Local\oxman\gehlenite.exe	Code function: 1_2_0059083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	1_2_0059083F
Source: C:\Users\user\AppData\Local\oxman\gehlenite.exe	Code function: 1_2_005909D5 SetUnhandledExceptionFilter,	1_2_005909D5
Source: C:\Users\user\AppData\Local\oxman\gehlenite.exe	Code function: 1_2_00590C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	1_2_00590C21
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	2_2_0040CE09
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0040E61C _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	2_2_0040E61C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_00416F6A __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_00416F6A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_004123F1 SetUnhandledExceptionFilter,	2_2_004123F1
Source: C:\Users\user\AppData\Local\oxman\gehlenite.exe	Code function: 5_2_005A2622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	5_2_005A2622
Source: C:\Users\user\AppData\Local\oxman\gehlenite.exe	Code function: 5_2_0059083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	5_2_0059083F
Source: C:\Users\user\AppData\Local\oxman\gehlenite.exe	Code function: 5_2_005909D5 SetUnhandledExceptionFilter,	5_2_005909D5
Source: C:\Users\user\AppData\Local\oxman\gehlenite.exe	Code function: 5_2_00590C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	5_2_00590C21

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Maps a DLL or memory area into another process

Source: C:\Users\user\AppData\Local\oxman\gehlenite.exe	Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and write			Jump to behavior
Source: C:\Users\user\AppData\Local\oxman\gehlenite.exe	Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and write			Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\AppData\Local\oxman\gehlenite.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: D48008			Jump to behavior
Source: C:\Users\user\AppData\Local\oxman\gehlenite.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: F47008			Jump to behavior

Source: C:\Users\user\Desktop\xom6WSISuh.exe

0_2_00121201

Source: C:\Users\user\Desktop\xom6WSISuh.exe

Code function: 0_2_00102BA5 SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00102BA5

Source: C:\Users\user\Desktop\xom6WSISuh.exe

Code function: 0_2_0012B226 SendInput,keybd_event,

0_2_0012B226

Source: C:\Users\user\Desktop\xom6WSISuh.exe

Code function: 0_2_001422DA GetForegroundWindow,GetDesktopWindow,GetWindowRect,mouse_event,GetCursorPos,mouse_event,

0_2_001422DA

Source: C:\Users\user\AppData\Local\oxman\gehlenite.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\xom6WSISuh.exe"	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\oxman\gehlenite.exe "C:\Users\user\AppData\Local\oxman\gehlenite.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\oxman\gehlenite.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\AppData\Local\oxman\gehlenite.exe"	Jump to behavior

Source: C:\Users\user\Desktop\xom6WSISuh.exe

0_2_00120B62

Source: C:\Users\user\Desktop\xom6WSISuh.exe

Code function: 0_2_00121663 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_00121663

Source: xom6WSISuh.exe, 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmp, gehlenite.exe, 00000001.00000002.1775302014.0000000000632000.00000040.00000001.01000000.00000004.sdmp, gehlenite.exe, 00000005.00000002.1939131763.0000000000632000.00000040.00000001.01000000.00000004.sdmp	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: gehlenite.exe	Binary or memory string: Shell_TrayWnd

Source: C:\Users\user\Desktop\xom6WSISuh.exe

Code function: 0_2_000E0698 cpuid

0_2_000E0698

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: GetLocaleInfoA,

2_2_00417A20

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\xom6WSISuh.exe

Code function: 0_2_00138195 GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,

0_2_00138195

Source: C:\Users\user\Desktop\xom6WSISuh.exe

Code function: 0_2_0011D27A GetUserNameW,

0_2_0011D27A

Source: C:\Users\user\Desktop\xom6WSISuh.exe

Code function: 0_2_000FBB6F _free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

0_2_000FBB6F

Source: C:\Users\user\Desktop\xom6WSISuh.exe

Code function: 0_2_000C42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_000C42DE

Source: C:\Users\user\Desktop\xom6WSISuh.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected MassLogger RAT

Source: Yara match	File source: 2.2.RegSvcs.exe.3090ee8.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2c31b76.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2c31b76.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.3090000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.RegSvcs.exe.4415570.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.3090000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.3090ee8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.5570000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.RegSvcs.exe.4415570.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.RegSvcs.exe.4416458.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.RegSvcs.exe.443e790.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.RegSvcs.exe.443e790.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.RegSvcs.exe.4416458.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2c30c8e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.5570000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2c30c8e.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.2986492274.0000000003090000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2986125435.0000000002BF0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2989627602.0000000005570000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2988556410.0000000004411000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 5076, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 3332, type: MEMORYSTR

Yara detected PureLog Stealer

Source: Yara match	File source: 2.2.RegSvcs.exe.3090ee8.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2c31b76.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2c31b76.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.3090000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.RegSvcs.exe.4415570.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.3090000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.3090ee8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.5570000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.RegSvcs.exe.4415570.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.RegSvcs.exe.4416458.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.RegSvcs.exe.443e790.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.RegSvcs.exe.443e790.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.RegSvcs.exe.4416458.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2c30c8e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.5570000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2c30c8e.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.2986492274.0000000003090000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2986125435.0000000002BF0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2989627602.0000000005570000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2988556410.0000000004411000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match	File source: 2.2.RegSvcs.exe.3090ee8.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2c31b76.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2c31b76.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.3090000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.RegSvcs.exe.4415570.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.3090000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.3090ee8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.5570000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.RegSvcs.exe.4415570.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.RegSvcs.exe.4416458.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.RegSvcs.exe.443e790.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.RegSvcs.exe.443e790.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.RegSvcs.exe.4416458.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2c30c8e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.5570000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2c30c8e.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.2986492274.0000000003090000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2986125435.0000000002BF0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2989627602.0000000005570000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2988556410.0000000004411000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 5076, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 3332, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data			Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676			Jump to behavior

Source: gehlenite.exe	Binary or memory string: WIN_81
Source: gehlenite.exe	Binary or memory string: WIN_XP
Source: gehlenite.exe, 00000005.00000002.1939131763.0000000000632000.00000040.00000001.01000000.00000004.sdmp	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]\|%%\|%[-+ 0#]?([0-9]\|\)?(\.[0-9]\|\.\)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: gehlenite.exe	Binary or memory string: WIN_XPe
Source: gehlenite.exe	Binary or memory string: WIN_VISTA
Source: gehlenite.exe	Binary or memory string: WIN_7
Source: gehlenite.exe	Binary or memory string: WIN_8

Source: Yara match	File source: 2.2.RegSvcs.exe.3090ee8.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2c31b76.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2c31b76.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.3090000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.RegSvcs.exe.4415570.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.3090000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.3090ee8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.5570000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.RegSvcs.exe.4415570.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.RegSvcs.exe.4416458.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.RegSvcs.exe.443e790.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.RegSvcs.exe.443e790.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.RegSvcs.exe.4416458.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2c30c8e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.5570000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2c30c8e.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.2986492274.0000000003090000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2986125435.0000000002BF0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2986816837.00000000032A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2989627602.0000000005570000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2988556410.0000000004411000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2986752366.00000000035A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 5076, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 3332, type: MEMORYSTR

Remote Access Functionality

Yara detected MassLogger RAT

Source: Yara match	File source: 2.2.RegSvcs.exe.3090ee8.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2c31b76.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2c31b76.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.3090000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.RegSvcs.exe.4415570.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.3090000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.3090ee8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.5570000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.RegSvcs.exe.4415570.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.RegSvcs.exe.4416458.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.RegSvcs.exe.443e790.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.RegSvcs.exe.443e790.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.RegSvcs.exe.4416458.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2c30c8e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.5570000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2c30c8e.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.2986492274.0000000003090000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2986125435.0000000002BF0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2989627602.0000000005570000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2988556410.0000000004411000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 5076, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 3332, type: MEMORYSTR

Yara detected PureLog Stealer

Source: Yara match	File source: 2.2.RegSvcs.exe.3090ee8.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2c31b76.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2c31b76.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.3090000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.RegSvcs.exe.4415570.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.3090000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.3090ee8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.5570000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.RegSvcs.exe.4415570.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.RegSvcs.exe.4416458.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.RegSvcs.exe.443e790.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.RegSvcs.exe.443e790.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.RegSvcs.exe.4416458.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2c30c8e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.5570000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2c30c8e.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.2986492274.0000000003090000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2986125435.0000000002BF0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2989627602.0000000005570000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2988556410.0000000004411000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match	File source: 2.2.RegSvcs.exe.3090ee8.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2c31b76.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2c31b76.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.3090000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.RegSvcs.exe.4415570.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.3090000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.3090ee8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.5570000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.RegSvcs.exe.4415570.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.RegSvcs.exe.4416458.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.RegSvcs.exe.443e790.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.RegSvcs.exe.443e790.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.RegSvcs.exe.4416458.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2c30c8e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.5570000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2c30c8e.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.2986492274.0000000003090000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2986125435.0000000002BF0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2989627602.0000000005570000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2988556410.0000000004411000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 5076, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 3332, type: MEMORYSTR

Source: C:\Users\user\Desktop\xom6WSISuh.exe	Code function: 0_2_00141204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,	0_2_00141204
Source: C:\Users\user\Desktop\xom6WSISuh.exe	Code function: 0_2_00141806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,	0_2_00141806
Source: C:\Users\user\AppData\Local\oxman\gehlenite.exe	Code function: 1_2_005F1204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,	1_2_005F1204
Source: C:\Users\user\AppData\Local\oxman\gehlenite.exe	Code function: 1_2_005F1806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,	1_2_005F1806
Source: C:\Users\user\AppData\Local\oxman\gehlenite.exe	Code function: 5_2_005F1204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,	5_2_005F1204
Source: C:\Users\user\AppData\Local\oxman\gehlenite.exe	Code function: 5_2_005F1806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,	5_2_005F1806

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	111 Scripting	2 Valid Accounts	2 Native API	111 Scripting	1 Exploitation for Privilege Escalation	11 Disable or Modify Tools	1 OS Credential Dumping	2 System Time Discovery	Remote Services	1 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	21 Input Capture	1 Account Discovery	Remote Desktop Protocol	1 Data from Local System	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	2 Valid Accounts	2 Valid Accounts	31 Obfuscated Files or Information	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	1 Email Collection	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	2 Registry Run Keys / Startup Folder	21 Access Token Manipulation	1 Software Packing	NTDS	137 System Information Discovery	Distributed Component Object Model	21 Input Capture	13 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	212 Process Injection	1 DLL Side-Loading	LSA Secrets	321 Security Software Discovery	SSH	3 Clipboard Data	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	2 Registry Run Keys / Startup Folder	1 Masquerading	Cached Domain Credentials	1 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	2 Valid Accounts	DCSync	2 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Virtualization/Sandbox Evasion	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	21 Access Token Manipulation	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	212 Process Injection	Network Sniffing	1 System Network Configuration Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
xom6WSISuh.exe	75%	Virustotal		Browse
xom6WSISuh.exe	68%	ReversingLabs	Win32.Trojan.AutoitInject
xom6WSISuh.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\oxman\gehlenite.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\oxman\gehlenite.exe	68%	ReversingLabs	Win32.Trojan.AutoitInject
C:\Users\user\AppData\Local\oxman\gehlenite.exe	75%	Virustotal		Browse

Name	IP	Active	Malicious	Reputation
reallyfreegeoip.org	104.21.112.1	true	false	high
checkip.dyndns.com	132.226.8.169	true	false	high
checkip.dyndns.org	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://checkip.dyndns.org/	false		high
https://reallyfreegeoip.org/xml/8.46.123.189	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
https://reallyfreegeoip.org	RegSvcs.exe, 00000002.00000002.2986816837.00000000031FC000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.2986752366.00000000034FC000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.org	RegSvcs.exe, 00000002.00000002.2986816837.00000000031FC000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2986816837.00000000031F0000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.2986752366.00000000034FC000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.2986752366.00000000034F0000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.com	RegSvcs.exe, 00000002.00000002.2986816837.00000000031FC000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.2986752366.00000000034FC000.00000004.00000800.00020000.00000000.sdmp	false	high
https://reallyfreegeoip.org/xml/8.46.123.189l	RegSvcs.exe, 00000002.00000002.2986816837.00000000031FC000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.2986752366.00000000034FC000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	RegSvcs.exe, 00000002.00000002.2986816837.00000000031B8000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.2986752366.0000000003479000.00000004.00000800.00020000.00000000.sdmp	false	high
https://api.telegram.org/bot-/sendDocument?chat_id=	RegSvcs.exe, 00000002.00000002.2986125435.0000000002BF0000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2986492274.0000000003090000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2989627602.0000000005570000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.2988556410.0000000004411000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.org/q	RegSvcs.exe, 00000002.00000002.2986125435.0000000002BF0000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2986492274.0000000003090000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2989627602.0000000005570000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.2988556410.0000000004411000.00000004.00000800.00020000.00000000.sdmp	false	high
http://reallyfreegeoip.org	RegSvcs.exe, 00000002.00000002.2986816837.0000000003218000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.2986752366.0000000003518000.00000004.00000800.00020000.00000000.sdmp	false	high
https://reallyfreegeoip.org/xml/	RegSvcs.exe, 00000002.00000002.2986816837.00000000031FC000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2986125435.0000000002BF0000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2986492274.0000000003090000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2989627602.0000000005570000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.2986752366.00000000034FC000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.2988556410.0000000004411000.00000004.00000800.00020000.00000000.sdmp	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
132.226.8.169	checkip.dyndns.com	United States		16989	UTMEMUS	false
104.21.112.1	reallyfreegeoip.org	United States		13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1587874
Start date and time:	2025-01-10 18:54:08 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 12s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	10
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	xom6WSISuh.exe renamed because original name is a hash value
Original Sample Name:	96fa199b9544b7d2015c33027e5cdfaca3a36a5de09d6805d7dfb04dfc6f91b2.exe
Detection:	MAL
Classification:	mal100.troj.spyw.expl.evad.winEXE@10/6@2/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 98% Number of executed functions: 49 Number of non-executed functions: 307
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 20.12.23.50, 13.107.246.45
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
17:55:11	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\gehlenite.vbs

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
132.226.8.169	3WgNXsWvMO.exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	r5yYt97sfB.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	b5JCISnBV1.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	jqxrkk.ps1	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	Order_List.scr.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse	checkip.dyndns.org/
	fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	pbCN4g6sN5.exe	Get hash	malicious	DarkTortilla, Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	HVSU7GbA5N.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	checkip.dyndns.org/
104.21.112.1	QUOTATION#070125-ELITE MARINE .exe	Get hash	malicious	FormBook	Browse	www.buyspeechst.shop/w98i/
	wxl1r0lntg.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	838596cm.nyafka.top/lineLongpolllinuxFlowercentraluploads.php
	SH8ZyOWNi2.exe	Get hash	malicious	CMSBrute	Browse	beammp.com/phpmyadmin/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
reallyfreegeoip.org	AHSlIDftf1.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.64.1
	eLo1khn7DQ.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.64.1
	MzqLQjCwrw.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.96.1
	3WgNXsWvMO.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.80.1
	SBkuP3ACSA.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.16.1
	v3tK92KcJV.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.16.1
	r5yYt97sfB.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	104.21.80.1
	RmIYOfX0yO.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	104.21.80.1
	zAK7HHniGW.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.112.1
	MtxN2qEWpW.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.112.1
checkip.dyndns.com	AHSlIDftf1.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.6.168
	eLo1khn7DQ.exe	Get hash	malicious	MassLogger RAT	Browse	132.226.247.73
	MzqLQjCwrw.exe	Get hash	malicious	MassLogger RAT	Browse	158.101.44.242
	3WgNXsWvMO.exe	Get hash	malicious	MassLogger RAT	Browse	132.226.8.169
	SBkuP3ACSA.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.6.168
	v3tK92KcJV.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.247.73
	r5yYt97sfB.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	132.226.8.169
	RmIYOfX0yO.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	158.101.44.242
	zAK7HHniGW.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.130.0
	MtxN2qEWpW.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.247.73

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
UTMEMUS	eLo1khn7DQ.exe	Get hash	malicious	MassLogger RAT	Browse	132.226.247.73
	3WgNXsWvMO.exe	Get hash	malicious	MassLogger RAT	Browse	132.226.8.169
	v3tK92KcJV.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.247.73
	r5yYt97sfB.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	132.226.8.169
	MtxN2qEWpW.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.247.73
	8nkdC8daWi.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	b5JCISnBV1.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.8.169
	New Order-090125.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	132.226.247.73
	B7N48hmO78.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
CLOUDFLARENETUS	3HnH4uJtE7.exe	Get hash	malicious	FormBook	Browse	104.21.48.233
	https://www.mentimeter.com/app/presentation/alp52o7zih4ubnvbqe9pvb585a1z3bd7/edit?source=share-modal	Get hash	malicious	Unknown	Browse	104.17.25.14
	AHSlIDftf1.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.64.1
	eLo1khn7DQ.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.64.1
	Encrypted_Archive_2025_LHC1W64SMW.html	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	MzqLQjCwrw.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.96.1
	3WgNXsWvMO.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.80.1
	SBkuP3ACSA.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.16.1
	KcSzB2IpP5.exe	Get hash	malicious	FormBook	Browse	188.114.96.3
	secured File__esperion.com.html	Get hash	malicious	Phisher	Browse	104.17.25.14

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
54328bd36c14bd82ddaa0c04b25ed9ad	AHSlIDftf1.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.112.1
	eLo1khn7DQ.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.112.1
	MzqLQjCwrw.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.112.1
	3WgNXsWvMO.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.112.1
	SBkuP3ACSA.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.112.1
	v3tK92KcJV.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.112.1
	r5yYt97sfB.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	104.21.112.1
	RmIYOfX0yO.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	104.21.112.1
	zAK7HHniGW.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.112.1
	MtxN2qEWpW.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.112.1

Process:	C:\Users\user\Desktop\xom6WSISuh.exe
File Type:	data
Category:	dropped
Size (bytes):	205250
Entropy (8bit):	7.978000823733601
Encrypted:	false
SSDEEP:	6144:im40Vggq7h9aqXRfzl5FuqDNPSKATf+91afkqnh0J5j1O1:vVggq7hEqhfnDpSKAK1afkqne5G
MD5:	231518925D130A2E9BC279ECCB1395A7
SHA1:	AC704129495BA8AD5AF32CDF85A189DC58DD5C60
SHA-256:	66B4056F3220DF609DD3E173CC600F2B2E4A76E3403307DB4CA147A46FD6C8F1
SHA-512:	C812618EAE940438AC5B68098887BEAE5EFF998C49B12E1E8086F11BCAF33F24086B4168D45E4A6B43E79CC3110C39188524C327525AF951DB7E5827B982DBAB
Malicious:	false
Reputation:	low
Preview:	EA06..4..@83z..oJ.S+.].2.3.R&ti..Q....I...D..&t..\...~....T.cj....m.Q!..-.M!.Y.....9...5...U0......Q..M.78../'..'..L....T..O...}...i...(ZI...I..d..4...Y.:..~k.E(Z.D..?..)=...1...Z.m..H.F.[.}.c[..:i0.G...j6 ..R.N._..)...7..^.D.S.s\|.g.M......k........[.?/.zT..T.L.`.L..?5...zu#.}.L....bq7.L)....GN.H...H.&..1.Y..Y..o&.S@T>.&..H......Y.Mf........d...Ld4....+...u.......)......8.....aR..$..........."."Fe..........i..G.T'.....Z....$..J$4Y.:Q1.M.....t.Q.A..8..?..+...qa.z.n{Z.m....W..Qx.:..H..(V.EX.]._..S....?.,'.....h.?E.o..L.V.B..H..v.=.........O>.`..1./......n3z..{..\|.t...o3.m.U.....mn.?u...L1..e.m....Y.#k.U.sY./....l\|..k.N..'T.~.O...f.....E.E..nE.a...4.....r.4z......>.........".b.L.q.Bo...s.h..'......"..._"v...k.E...o..F.K.DK...a.....&.w<.u&Ti..^..~.O....Q&\|JU....M..]u.!..M.....3.l...VoJ...~...Z.t..x....}B.c.P.{.....$..h..3......m...&..l./n..9.(.:o8.r.<8.&....t...u.....J......6.?...._..w...~.=.$.!.....%.....(w.E....(.JU2.....<.dg.k.K'..M.

C:\Users\user\AppData\Local\Temp\aut2530.tmp

Download File

Process:	C:\Users\user\AppData\Local\oxman\gehlenite.exe
File Type:	data
Category:	dropped
Size (bytes):	205250
Entropy (8bit):	7.978000823733601
Encrypted:	false
SSDEEP:	6144:im40Vggq7h9aqXRfzl5FuqDNPSKATf+91afkqnh0J5j1O1:vVggq7hEqhfnDpSKAK1afkqne5G
MD5:	231518925D130A2E9BC279ECCB1395A7
SHA1:	AC704129495BA8AD5AF32CDF85A189DC58DD5C60
SHA-256:	66B4056F3220DF609DD3E173CC600F2B2E4A76E3403307DB4CA147A46FD6C8F1
SHA-512:	C812618EAE940438AC5B68098887BEAE5EFF998C49B12E1E8086F11BCAF33F24086B4168D45E4A6B43E79CC3110C39188524C327525AF951DB7E5827B982DBAB
Malicious:	false
Reputation:	low
Preview:	EA06..4..@83z..oJ.S+.].2.3.R&ti..Q....I...D..&t..\...~....T.cj....m.Q!..-.M!.Y.....9...5...U0......Q..M.78../'..'..L....T..O...}...i...(ZI...I..d..4...Y.:..~k.E(Z.D..?..)=...1...Z.m..H.F.[.}.c[..:i0.G...j6 ..R.N._..)...7..^.D.S.s\|.g.M......k........[.?/.zT..T.L.`.L..?5...zu#.}.L....bq7.L)....GN.H...H.&..1.Y..Y..o&.S@T>.&..H......Y.Mf........d...Ld4....+...u.......)......8.....aR..$..........."."Fe..........i..G.T'.....Z....$..J$4Y.:Q1.M.....t.Q.A..8..?..+...qa.z.n{Z.m....W..Qx.:..H..(V.EX.]._..S....?.,'.....h.?E.o..L.V.B..H..v.=.........O>.`..1./......n3z..{..\|.t...o3.m.U.....mn.?u...L1..e.m....Y.#k.U.sY./....l\|..k.N..'T.~.O...f.....E.E..nE.a...4.....r.4z......>.........".b.L.q.Bo...s.h..'......"..._"v...k.E...o..F.K.DK...a.....&.w<.u&Ti..^..~.O....Q&\|JU....M..]u.!..M.....3.l...VoJ...~...Z.t..x....}B.c.P.{.....$..h..3......m...&..l./n..9.(.:o8.r.<8.&....t...u.....J......6.?...._..w...~.=.$.!.....%.....(w.E....(.JU2.....<.dg.k.K'..M.

C:\Users\user\AppData\Local\Temp\aut6391.tmp

Download File

Process:	C:\Users\user\AppData\Local\oxman\gehlenite.exe
File Type:	data
Category:	dropped
Size (bytes):	205250
Entropy (8bit):	7.978000823733601
Encrypted:	false
SSDEEP:	6144:im40Vggq7h9aqXRfzl5FuqDNPSKATf+91afkqnh0J5j1O1:vVggq7hEqhfnDpSKAK1afkqne5G
MD5:	231518925D130A2E9BC279ECCB1395A7
SHA1:	AC704129495BA8AD5AF32CDF85A189DC58DD5C60
SHA-256:	66B4056F3220DF609DD3E173CC600F2B2E4A76E3403307DB4CA147A46FD6C8F1
SHA-512:	C812618EAE940438AC5B68098887BEAE5EFF998C49B12E1E8086F11BCAF33F24086B4168D45E4A6B43E79CC3110C39188524C327525AF951DB7E5827B982DBAB
Malicious:	false
Reputation:	low
Preview:	EA06..4..@83z..oJ.S+.].2.3.R&ti..Q....I...D..&t..\...~....T.cj....m.Q!..-.M!.Y.....9...5...U0......Q..M.78../'..'..L....T..O...}...i...(ZI...I..d..4...Y.:..~k.E(Z.D..?..)=...1...Z.m..H.F.[.}.c[..:i0.G...j6 ..R.N._..)...7..^.D.S.s\|.g.M......k........[.?/.zT..T.L.`.L..?5...zu#.}.L....bq7.L)....GN.H...H.&..1.Y..Y..o&.S@T>.&..H......Y.Mf........d...Ld4....+...u.......)......8.....aR..$..........."."Fe..........i..G.T'.....Z....$..J$4Y.:Q1.M.....t.Q.A..8..?..+...qa.z.n{Z.m....W..Qx.:..H..(V.EX.]._..S....?.,'.....h.?E.o..L.V.B..H..v.=.........O>.`..1./......n3z..{..\|.t...o3.m.U.....mn.?u...L1..e.m....Y.#k.U.sY./....l\|..k.N..'T.~.O...f.....E.E..nE.a...4.....r.4z......>.........".b.L.q.Bo...s.h..'......"..._"v...k.E...o..F.K.DK...a.....&.w<.u&Ti..^..~.O....Q&\|JU....M..]u.!..M.....3.l...VoJ...~...Z.t..x....}B.c.P.{.....$..h..3......m...&..l./n..9.(.:o8.r.<8.&....t...u.....J......6.?...._..w...~.=.$.!.....%.....(w.E....(.JU2.....<.dg.k.K'..M.

C:\Users\user\AppData\Local\Temp\chiffons

Download File

Process:	C:\Users\user\Desktop\xom6WSISuh.exe
File Type:	data
Category:	dropped
Size (bytes):	209920
Entropy (8bit):	7.817802369789991
Encrypted:	false
SSDEEP:	6144:VIiy+yNm5JL1hDOCmN6C67RKm7vFPwwJIIKk2lf:jy+yQD1hAN6C67t7vFP7BD2F
MD5:	BB11EAF00DE1167EE551A0663341546D
SHA1:	CDACEC3B3423A62BE863C48E36CCA4D967BB44A5
SHA-256:	BB3CF210B92DBFEF354FD2F421FE916F79FDCCD8B6B48B38B55608A67810A8EA
SHA-512:	106A86E089750C3B6E773EB576E61DF8BDB5EE9B6DEE1245DC2BC549E5B13EA883CDC216A9AD537414028BC8D1C831D7530EEAD924AC8A83B946FBCAA742D3BD
Malicious:	false
Reputation:	low
Preview:	~..7[87J4LXE..D3.H3F63ZQwX87J0LXED3D3NH3F63ZQ7X87J0LXED3D3NH.F63TN.V8.C.m.D..eg&!@fFA56E9U.)Q"60.&Vn:F(.Z4qs.k.'_(=kI>N.NH3F63Z9'...;.2t4.MhB.6.eIMe .&3..Ng).:.5.0.B.H.y?IDI.4.o1;.B.M\|kH8.B./e1[_fA.&ED3D3NH3F63ZQ7X8..XED3.vNH.G23..7.87J0LXED.D.OC2O63.P7X.6J0LXEk.D3NX3F6.[Q7Xx7J LXEF3D6NH3F63ZT7X87J0LX.G3D7NH.}43XQ7.87Z0LHED3D#NH#F63ZQ7H87J0LXED3D3.]1Ff3ZQ78:7&"MXED3D3NH3F63ZQ7X87J0LXED3..OH/F63ZQ7X87J0LXED3D3NH3F63ZQ7.55JpLXED3D3NH3F6.[Q.Y87J0LXED3D3NH3F63ZQ7X87J0Lv1!K03NH+.73ZA7X8.K0L\ED3D3NH3F63ZQ7x87.><$0RD3.%3F6.[Q7687J.MXED3D3NH3F63Z.7Xx..Q89ED3..NH3f43ZG7X8=H0LXED3D3NH3F6sZQ.vJD8SLXE(!E3N(1F6'[Q7x:7J0LXED3D3NH3.63.Q7X87J0LXED3D3NH3F63ZQ7X87J0LXED3D3NH3F63ZQ7X87J0LXED3D3NH3F63ZQ7X87J0LXED3D3NH3F63ZQ7X87J0LXED3D3NH3F63ZQ7X87J0LXED3D3NH3F63ZQ7X87J0LXED3D3NH3F63ZQ7X87J0LXED3D3NH3F63ZQ7X87J0LXED3D3NH3F63ZQ7X87J0LXED3D3NH3F63ZQ7X87J0LXED3D3NH3F63ZQ7X87J0LXED3D3NH3F63ZQ7X87J0LXED3D3NH3F63ZQ7X87J0LXED3D3NH3F63ZQ7X87J0LXED3D3NH3F63ZQ7X87J0LXED3D3NH3F63ZQ7X87J0LXED3D3NH3F63ZQ7X87J0LXED

C:\Users\user\AppData\Local\oxman\gehlenite.exe

Download File

Process:	C:\Users\user\Desktop\xom6WSISuh.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Category:	dropped
Size (bytes):	676352
Entropy (8bit):	7.941152855925268
Encrypted:	false
SSDEEP:	12288:esHzOUNUSB/o5LsI1uwajJ5yvv1l2HBx8gR17mmvVNJ1irgLzmgxH:BiUmSB/o5d1ubcvss6YUJ1ikzm4H
MD5:	2856D0548E14630F06B915B7FF1D8B55
SHA1:	D52DC37084A8FDAE9E90758212B899DA10C5C48B
SHA-256:	96FA199B9544B7D2015C33027E5CDFACA3A36A5DE09D6805D7DFB04DFC6F91B2
SHA-512:	D2E6A171712D266413747095B51FD44FDE23562D04E908670EA9F04E541D985CC8079E1EE7BF60AD64DB6371341BA646C6A4A45BE1CE9AB964E1E94C54280F97
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 68% Antivirus: Virustotal, Detection: 75%, Browse
Reputation:	low
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$...................j:......j:..C...j:......@.*...........................n......~............{.......{......{.......z....{......Rich...................PE..L...Q^bg.........."...............................@..........................p............@...@.......@......................^..$........~...................b......................................................................................UPX0....................................UPX1................................@....rsrc...............................@..............................................................................................................................................................................................................................................................................................................................................3.91.UPX!....

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\gehlenite.vbs

Download File

Process:	C:\Users\user\AppData\Local\oxman\gehlenite.exe
File Type:	data
Category:	dropped
Size (bytes):	270
Entropy (8bit):	3.389636515611468
Encrypted:	false
SSDEEP:	6:DMM8lfm3OOQdUfcloRKUEZ+lX1Klhg9BnriIM8lfQVn:DsO+vNloRKQ1OgjmA2n
MD5:	2CBE3004B98AB7D049DA99DA07A33575
SHA1:	33D752DF805B680F68DB8100912CB7F6A24EC751
SHA-256:	4248FF6D5CE0FC12D815D69AEEBC730101853B3F10EA7CCC9A2055171146B35B
SHA-512:	FD38F3885524199F85D5BC66D7FA4347F66D6E60FC29B9684D7BD5B817BDA61EF8E6E85423C025EB444BB0D3820517654E5AAE32B5BD0C5367CC5069CC203624
Malicious:	true
Preview:	S.e.t. .W.s.h.S.h.e.l.l. .=. .C.r.e.a.t.e.O.b.j.e.c.t.(.".W.S.c.r.i.p.t...S.h.e.l.l.".)...W.s.h.S.h.e.l.l...R.u.n. .".C.:.\.U.s.e.r.s.\.j.o.n.e.s.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.o.x.m.a.n.\.g.e.h.l.e.n.i.t.e...e.x.e.".,. .1...S.e.t. .W.s.h.S.h.e.l.l. .=. .N.o.t.h.i.n.g...

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Entropy (8bit):	7.941152855925268
TrID:	Win32 Executable (generic) a (10002005/4) 99.39% UPX compressed Win32 Executable (30571/9) 0.30% Win32 EXE Yoda's Crypter (26571/9) 0.26% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02%
File name:	xom6WSISuh.exe
File size:	676'352 bytes
MD5:	2856d0548e14630f06b915b7ff1d8b55
SHA1:	d52dc37084a8fdae9e90758212b899da10c5c48b
SHA256:	96fa199b9544b7d2015c33027e5cdfaca3a36a5de09d6805d7dfb04dfc6f91b2
SHA512:	d2e6a171712d266413747095b51fd44fde23562d04e908670ea9f04e541d985cc8079e1ee7bf60ad64db6371341ba646c6a4a45be1ce9ab964e1e94c54280f97
SSDEEP:	12288:esHzOUNUSB/o5LsI1uwajJ5yvv1l2HBx8gR17mmvVNJ1irgLzmgxH:BiUmSB/o5d1ubcvss6YUJ1ikzm4H
TLSH:	36E42326A0C0DC59D11273B8803A8EE554617631DE853B758790FBAFB9353C6CA47F2B
File Content Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......................j:......j:..C...j:......@.*...............................n.......~.............{.......{.......{.........z....

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x52d6f0
Entrypoint Section:	UPX1
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x67625E51 [Wed Dec 18 05:32:01 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	21371b611d91188d602926b15db6bd48

Entrypoint Preview

Instruction
pushad
mov esi, 004D1000h
lea edi, dword ptr [esi-000D0000h]
push edi
jmp 00007F3E60FEB1EDh
nop
mov al, byte ptr [esi]
inc esi
mov byte ptr [edi], al
inc edi
add ebx, ebx
jne 00007F3E60FEB1E9h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
jc 00007F3E60FEB1CFh
mov eax, 00000001h
add ebx, ebx
jne 00007F3E60FEB1E9h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
adc eax, eax
add ebx, ebx
jnc 00007F3E60FEB1EDh
jne 00007F3E60FEB20Ah
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
jc 00007F3E60FEB201h
dec eax
add ebx, ebx
jne 00007F3E60FEB1E9h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
adc eax, eax
jmp 00007F3E60FEB1B6h
add ebx, ebx
jne 00007F3E60FEB1E9h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
adc ecx, ecx
jmp 00007F3E60FEB234h
xor ecx, ecx
sub eax, 03h
jc 00007F3E60FEB1F3h
shl eax, 08h
mov al, byte ptr [esi]
inc esi
xor eax, FFFFFFFFh
je 00007F3E60FEB257h
sar eax, 1
mov ebp, eax
jmp 00007F3E60FEB1EDh
add ebx, ebx
jne 00007F3E60FEB1E9h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
jc 00007F3E60FEB1AEh
inc ecx
add ebx, ebx
jne 00007F3E60FEB1E9h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
jc 00007F3E60FEB1A0h
add ebx, ebx
jne 00007F3E60FEB1E9h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
adc ecx, ecx
add ebx, ebx
jnc 00007F3E60FEB1D1h
jne 00007F3E60FEB1EBh
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
jnc 00007F3E60FEB1C6h
add ecx, 02h
cmp ebp, FFFFFB00h
adc ecx, 02h
lea edx, dword ptr [edi+ebp]
cmp ebp, FFFFFFFCh
jbe 00007F3E60FEB1F0h
mov al, byte ptr [edx]

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x175eb0	0x424	.rsrc
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x12e000	0x47eb0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x1762d4	0x14	.rsrc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x12d8d4	0x18	UPX1
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x12d8f4	0xa0	UPX1
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
UPX0	0x1000	0xd0000	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
UPX1	0xd1000	0x5d000	0x5ca00	71db6506da5abfc44d5f04ddbf45da2d	False	0.9885000210863698	data	7.937154572908039	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x12e000	0x49000	0x48400	2c9d001f7e3a60462a9e411ee6f6f032	False	0.9294982698961938	data	7.899536828685614	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x12e5ac	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0x12e6d8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0x12e804	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0x12e930	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0x12ec1c	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0x12ed48	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0x12fbf4	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0x1304a0	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0x130a0c	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0x132fb8	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0x134064	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_MENU	0xda4a0	0x50	data	English	Great Britain	1.1375
RT_STRING	0xda4f0	0x594	MPEG-4 LOAS	English	Great Britain	1.007703081232493
RT_STRING	0xdaa84	0x68a	data	English	Great Britain	0.9414575866188769
RT_STRING	0xdb110	0x490	data	English	Great Britain	0.958904109589041
RT_STRING	0xdb5a0	0x5fc	data	English	Great Britain	0.9301566579634465
RT_STRING	0xdbb9c	0x65c	data	English	Great Britain	0.9606879606879607
RT_STRING	0xdc1f8	0x466	data	English	Great Britain	0.9671403197158082
RT_STRING	0xdc660	0x158	OpenPGP Secret Key	English	Great Britain	1.0319767441860466
RT_RCDATA	0x1344d0	0x41447	data			1.0003403968803186
RT_GROUP_ICON	0x17591c	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0x175998	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0x1759b0	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0x1759c8	0x14	data	English	Great Britain	1.25
RT_VERSION	0x1759e0	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0x175ac0	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
KERNEL32.DLL	LoadLibraryA, GetProcAddress, VirtualProtect, VirtualAlloc, VirtualFree, ExitProcess
ADVAPI32.dll	GetAce
COMCTL32.dll	ImageList_Remove
COMDLG32.dll	GetSaveFileNameW
GDI32.dll	LineTo
IPHLPAPI.DLL	IcmpSendEcho
MPR.dll	WNetGetConnectionW
ole32.dll	CoGetObject
OLEAUT32.dll	OleLoadPicture
PSAPI.DLL	GetProcessMemoryInfo
SHELL32.dll	DragFinish
USER32.dll	GetDC
USERENV.dll	LoadUserProfileW
UxTheme.dll	IsThemeActive
VERSION.dll	VerQueryValueW
WININET.dll	FtpOpenFileW
WINMM.dll	timeGetTime
WSOCK32.dll	connect

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-10T18:55:20.572778+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.4	49730	132.226.8.169	80	TCP
2025-01-10T18:55:29.589691+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.4	49738	132.226.8.169	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 10, 2025 18:55:10.038738966 CET	49730	80	192.168.2.4	132.226.8.169
Jan 10, 2025 18:55:10.043638945 CET	80	49730	132.226.8.169	192.168.2.4
Jan 10, 2025 18:55:10.043711901 CET	49730	80	192.168.2.4	132.226.8.169
Jan 10, 2025 18:55:10.043976068 CET	49730	80	192.168.2.4	132.226.8.169
Jan 10, 2025 18:55:10.048788071 CET	80	49730	132.226.8.169	192.168.2.4
Jan 10, 2025 18:55:19.039814949 CET	80	49730	132.226.8.169	192.168.2.4
Jan 10, 2025 18:55:19.048337936 CET	49730	80	192.168.2.4	132.226.8.169
Jan 10, 2025 18:55:19.053236008 CET	80	49730	132.226.8.169	192.168.2.4
Jan 10, 2025 18:55:20.530529022 CET	80	49730	132.226.8.169	192.168.2.4
Jan 10, 2025 18:55:20.541591883 CET	49732	443	192.168.2.4	104.21.112.1
Jan 10, 2025 18:55:20.541656971 CET	443	49732	104.21.112.1	192.168.2.4
Jan 10, 2025 18:55:20.541719913 CET	49732	443	192.168.2.4	104.21.112.1
Jan 10, 2025 18:55:20.572777987 CET	49730	80	192.168.2.4	132.226.8.169
Jan 10, 2025 18:55:20.594727993 CET	49732	443	192.168.2.4	104.21.112.1
Jan 10, 2025 18:55:20.594769001 CET	443	49732	104.21.112.1	192.168.2.4
Jan 10, 2025 18:55:21.134202957 CET	443	49732	104.21.112.1	192.168.2.4
Jan 10, 2025 18:55:21.134288073 CET	49732	443	192.168.2.4	104.21.112.1
Jan 10, 2025 18:55:21.141422033 CET	49732	443	192.168.2.4	104.21.112.1
Jan 10, 2025 18:55:21.141463995 CET	443	49732	104.21.112.1	192.168.2.4
Jan 10, 2025 18:55:21.141773939 CET	443	49732	104.21.112.1	192.168.2.4
Jan 10, 2025 18:55:21.182128906 CET	49732	443	192.168.2.4	104.21.112.1
Jan 10, 2025 18:55:21.231900930 CET	49732	443	192.168.2.4	104.21.112.1
Jan 10, 2025 18:55:21.275338888 CET	443	49732	104.21.112.1	192.168.2.4
Jan 10, 2025 18:55:21.358587980 CET	443	49732	104.21.112.1	192.168.2.4
Jan 10, 2025 18:55:21.358649015 CET	443	49732	104.21.112.1	192.168.2.4
Jan 10, 2025 18:55:21.358709097 CET	49732	443	192.168.2.4	104.21.112.1
Jan 10, 2025 18:55:21.465560913 CET	49732	443	192.168.2.4	104.21.112.1
Jan 10, 2025 18:55:26.342973948 CET	49738	80	192.168.2.4	132.226.8.169
Jan 10, 2025 18:55:26.348361969 CET	80	49738	132.226.8.169	192.168.2.4
Jan 10, 2025 18:55:26.348439932 CET	49738	80	192.168.2.4	132.226.8.169
Jan 10, 2025 18:55:26.348694086 CET	49738	80	192.168.2.4	132.226.8.169
Jan 10, 2025 18:55:26.353497982 CET	80	49738	132.226.8.169	192.168.2.4
Jan 10, 2025 18:55:29.247775078 CET	80	49738	132.226.8.169	192.168.2.4
Jan 10, 2025 18:55:29.252223969 CET	49738	80	192.168.2.4	132.226.8.169
Jan 10, 2025 18:55:29.257157087 CET	80	49738	132.226.8.169	192.168.2.4
Jan 10, 2025 18:55:29.539735079 CET	80	49738	132.226.8.169	192.168.2.4
Jan 10, 2025 18:55:29.544140100 CET	49739	443	192.168.2.4	104.21.112.1
Jan 10, 2025 18:55:29.544176102 CET	443	49739	104.21.112.1	192.168.2.4
Jan 10, 2025 18:55:29.544286013 CET	49739	443	192.168.2.4	104.21.112.1
Jan 10, 2025 18:55:29.552287102 CET	49739	443	192.168.2.4	104.21.112.1
Jan 10, 2025 18:55:29.552303076 CET	443	49739	104.21.112.1	192.168.2.4
Jan 10, 2025 18:55:29.589690924 CET	49738	80	192.168.2.4	132.226.8.169
Jan 10, 2025 18:55:30.061687946 CET	443	49739	104.21.112.1	192.168.2.4
Jan 10, 2025 18:55:30.061784983 CET	49739	443	192.168.2.4	104.21.112.1
Jan 10, 2025 18:55:30.063719988 CET	49739	443	192.168.2.4	104.21.112.1
Jan 10, 2025 18:55:30.063733101 CET	443	49739	104.21.112.1	192.168.2.4
Jan 10, 2025 18:55:30.064002037 CET	443	49739	104.21.112.1	192.168.2.4
Jan 10, 2025 18:55:30.104403973 CET	49739	443	192.168.2.4	104.21.112.1
Jan 10, 2025 18:55:30.111697912 CET	49739	443	192.168.2.4	104.21.112.1
Jan 10, 2025 18:55:30.155332088 CET	443	49739	104.21.112.1	192.168.2.4
Jan 10, 2025 18:55:30.228270054 CET	443	49739	104.21.112.1	192.168.2.4
Jan 10, 2025 18:55:30.228329897 CET	443	49739	104.21.112.1	192.168.2.4
Jan 10, 2025 18:55:30.228383064 CET	49739	443	192.168.2.4	104.21.112.1
Jan 10, 2025 18:55:30.231281996 CET	49739	443	192.168.2.4	104.21.112.1
Jan 10, 2025 18:56:25.525448084 CET	80	49730	132.226.8.169	192.168.2.4
Jan 10, 2025 18:56:25.525509119 CET	49730	80	192.168.2.4	132.226.8.169
Jan 10, 2025 18:56:34.538484097 CET	80	49738	132.226.8.169	192.168.2.4
Jan 10, 2025 18:56:34.538557053 CET	49738	80	192.168.2.4	132.226.8.169
Jan 10, 2025 18:57:00.542088032 CET	49730	80	192.168.2.4	132.226.8.169
Jan 10, 2025 18:57:00.547082901 CET	80	49730	132.226.8.169	192.168.2.4
Jan 10, 2025 18:57:09.542987108 CET	49738	80	192.168.2.4	132.226.8.169
Jan 10, 2025 18:57:09.547789097 CET	80	49738	132.226.8.169	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 10, 2025 18:55:10.021800995 CET	60078	53	192.168.2.4	1.1.1.1
Jan 10, 2025 18:55:10.029261112 CET	53	60078	1.1.1.1	192.168.2.4
Jan 10, 2025 18:55:20.532107115 CET	52349	53	192.168.2.4	1.1.1.1
Jan 10, 2025 18:55:20.540767908 CET	53	52349	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 10, 2025 18:55:10.021800995 CET	192.168.2.4	1.1.1.1	0xfcec	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)	false
Jan 10, 2025 18:55:20.532107115 CET	192.168.2.4	1.1.1.1	0xf2a0	Standard query (0)	reallyfreegeoip.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 10, 2025 18:55:10.029261112 CET	1.1.1.1	192.168.2.4	0xfcec	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)	false
Jan 10, 2025 18:55:10.029261112 CET	1.1.1.1	192.168.2.4	0xfcec	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)	false
Jan 10, 2025 18:55:10.029261112 CET	1.1.1.1	192.168.2.4	0xfcec	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)	false
Jan 10, 2025 18:55:10.029261112 CET	1.1.1.1	192.168.2.4	0xfcec	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)	false
Jan 10, 2025 18:55:10.029261112 CET	1.1.1.1	192.168.2.4	0xfcec	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)	false
Jan 10, 2025 18:55:10.029261112 CET	1.1.1.1	192.168.2.4	0xfcec	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)	false
Jan 10, 2025 18:55:20.540767908 CET	1.1.1.1	192.168.2.4	0xf2a0	No error (0)	reallyfreegeoip.org		104.21.112.1	A (IP address)	IN (0x0001)	false
Jan 10, 2025 18:55:20.540767908 CET	1.1.1.1	192.168.2.4	0xf2a0	No error (0)	reallyfreegeoip.org		104.21.80.1	A (IP address)	IN (0x0001)	false
Jan 10, 2025 18:55:20.540767908 CET	1.1.1.1	192.168.2.4	0xf2a0	No error (0)	reallyfreegeoip.org		104.21.64.1	A (IP address)	IN (0x0001)	false
Jan 10, 2025 18:55:20.540767908 CET	1.1.1.1	192.168.2.4	0xf2a0	No error (0)	reallyfreegeoip.org		104.21.16.1	A (IP address)	IN (0x0001)	false
Jan 10, 2025 18:55:20.540767908 CET	1.1.1.1	192.168.2.4	0xf2a0	No error (0)	reallyfreegeoip.org		104.21.32.1	A (IP address)	IN (0x0001)	false
Jan 10, 2025 18:55:20.540767908 CET	1.1.1.1	192.168.2.4	0xf2a0	No error (0)	reallyfreegeoip.org		104.21.48.1	A (IP address)	IN (0x0001)	false
Jan 10, 2025 18:55:20.540767908 CET	1.1.1.1	192.168.2.4	0xf2a0	No error (0)	reallyfreegeoip.org		104.21.96.1	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

reallyfreegeoip.org

checkip.dyndns.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49730	132.226.8.169	80	5076	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 18:55:10.043976068 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 10, 2025 18:55:19.039814949 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 17:55:18 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 10, 2025 18:55:19.048337936 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 10, 2025 18:55:20.530529022 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 17:55:20 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49738	132.226.8.169	80	3332	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 18:55:26.348694086 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 10, 2025 18:55:29.247775078 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 17:55:29 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 10, 2025 18:55:29.252223969 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 10, 2025 18:55:29.539735079 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 17:55:29 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49732	104.21.112.1	443	5076	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 17:55:21 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-10 17:55:21 UTC	853	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 17:55:21 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1846510 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=1%2BRxuojfnDqAiFL1Jg%2FCbMuk9XebQ03cqr7Op4fx590OXQfk3cd3teIINIAAMBjLucoRMKVUBFBvWdIyf8XmBurPlbcYbJ1IoVfJodpYscefLZzKSwtmpnfZn6XZ6oPGENAsXhrw"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ffe899a0a9a424b-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1834&min_rtt=1805&rtt_var=736&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1429970&cwnd=248&unsent_bytes=0&cid=f3761747a124ba91&ts=237&x=0"
2025-01-10 17:55:21 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49739	104.21.112.1	443	3332	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 17:55:30 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-10 17:55:30 UTC	853	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 17:55:30 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1846519 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Tm4k8r%2F4Val8NBnNirDe2EsTqTeHs5FfqKCWimHXHX0aEoby%2BOugQUjx7Rh11rx5wb80RiIJmXUfudoL0FjzyNTKrYa80ED0ijrBGfedmHB3nxQujaby0JswIRTnSYYObGl6QFLg"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ffe89d18b0c727b-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2051&min_rtt=2042&rtt_var=772&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1429970&cwnd=234&unsent_bytes=0&cid=76dd314a791de529&ts=174&x=0"
2025-01-10 17:55:30 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Target ID:	0
Start time:	12:55:02
Start date:	10/01/2025
Path:	C:\Users\user\Desktop\xom6WSISuh.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\xom6WSISuh.exe"
Imagebase:	0xc0000
File size:	676'352 bytes
MD5 hash:	2856D0548E14630F06B915B7FF1D8B55
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	12:55:06
Start date:	10/01/2025
Path:	C:\Users\user\AppData\Local\oxman\gehlenite.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\xom6WSISuh.exe"
Imagebase:	0x570000
File size:	676'352 bytes
MD5 hash:	2856D0548E14630F06B915B7FF1D8B55
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 00000001.00000002.1775907851.0000000000AF0000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 68%, ReversingLabs Detection: 75%, Virustotal, Browse
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	12:55:08
Start date:	10/01/2025
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\xom6WSISuh.exe"
Imagebase:	0xac0000
File size:	45'984 bytes
MD5 hash:	9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000002.00000002.2986492274.0000000003090000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.2986492274.0000000003090000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000002.00000002.2986492274.0000000003090000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000002.00000002.2986492274.0000000003090000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000002.00000002.2986492274.0000000003090000.00000004.08000000.00040000.00000000.sdmp, Author: unknown Rule: MAL_Envrial_Jan18_1, Description: Detects Encrial credential stealer malware, Source: 00000002.00000002.2986492274.0000000003090000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000002.00000002.2986125435.0000000002BF0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.2986125435.0000000002BF0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000002.00000002.2986125435.0000000002BF0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000002.00000002.2986125435.0000000002BF0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000002.00000002.2986125435.0000000002BF0000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.2986816837.00000000032A0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000002.00000002.2989627602.0000000005570000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.2989627602.0000000005570000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000002.00000002.2989627602.0000000005570000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000002.00000002.2989627602.0000000005570000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000002.00000002.2989627602.0000000005570000.00000004.08000000.00040000.00000000.sdmp, Author: unknown Rule: MAL_Envrial_Jan18_1, Description: Detects Encrial credential stealer malware, Source: 00000002.00000002.2989627602.0000000005570000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	4
Start time:	12:55:19
Start date:	10/01/2025
Path:	C:\Windows\System32\wscript.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\gehlenite.vbs"
Imagebase:	0x7ff60c9a0000
File size:	170'496 bytes
MD5 hash:	A47CBE969EA935BDD3AB568BB126BC80
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	12:55:20
Start date:	10/01/2025
Path:	C:\Users\user\AppData\Local\oxman\gehlenite.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\oxman\gehlenite.exe"
Imagebase:	0x570000
File size:	676'352 bytes
MD5 hash:	2856D0548E14630F06B915B7FF1D8B55
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 00000005.00000002.1940996077.00000000035C0000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	12:55:24
Start date:	10/01/2025
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\oxman\gehlenite.exe"
Imagebase:	0xdd0000
File size:	45'984 bytes
MD5 hash:	9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000008.00000002.2988556410.0000000004411000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000008.00000002.2988556410.0000000004411000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000008.00000002.2988556410.0000000004411000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000008.00000002.2988556410.0000000004411000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000008.00000002.2988556410.0000000004411000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000008.00000002.2986752366.00000000035A0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	2.9%
Dynamic/Decrypted Code Coverage:	0.9%
Signature Coverage:	4.8%
Total number of Nodes:	1953
Total number of Limit Nodes:	72

Executed Functions

Function 000C42DE Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 000C430D

Part of subcall function 000C6B57: _wcslen.LIBCMT ref: 000C6B6A

GetCurrentProcess.KERNEL32(?,0015CB64,00000000,?,?), ref: 000C4422
IsWow64Process.KERNEL32(00000000,?,?), ref: 000C4429
LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 000C4454
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 000C4466
GetNativeSystemInfo.KERNELBASE(?,?,?), ref: 000C4474
FreeLibrary.KERNEL32(00000000,?,?), ref: 000C447B
GetSystemInfo.KERNEL32(?,?,?), ref: 000C44A0

Strings

GetNativeSystemInfo, xrefs: 000C4460
|O, xrefs: 001036F8
kernel32.dll, xrefs: 000C444F

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
String ID: GetNativeSystemInfo$kernel32.dll$|O
API String ID: 3290436268-3101561225
Opcode ID: 89a9e3794f05b0c33ef255546a4d712eede50411ed1e04d8f0ca75e8dc84c6f8
Instruction ID: db7587102a40a58df5881e0f1bc71648e5fcf250f3e98e4bbb80a9438556a350
Opcode Fuzzy Hash: 89a9e3794f05b0c33ef255546a4d712eede50411ed1e04d8f0ca75e8dc84c6f8
Instruction Fuzzy Hash: 3FA18376D0A3C2FFC716CB6A78416AD7FB87B26320B18449ED49197E62D36047C8CB61

Function 000C3170 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 145
timewindowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtdllDefWindowProc_W.NTDLL(?,?,?,?,?,?,?,?,?,000C316A,?,?), ref: 000C31D8
KillTimer.USER32(?,00000001,?,?,?,?,?,000C316A,?,?), ref: 000C3204
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 000C3227
RegisterClipboardFormatW.USER32(TaskbarCreated), ref: 000C3232
CreatePopupMenu.USER32 ref: 000C3246
PostQuitMessage.USER32(00000000), ref: 000C3267

Strings

TaskbarCreated, xrefs: 000C322D

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID: Timer$ClipboardCreateFormatKillMenuMessageNtdllPopupPostProc_QuitRegisterWindow
String ID: TaskbarCreated
API String ID: 157504867-2362178303
Opcode ID: cb46c58e6f1c2bbcd426eaec965165d7bafa7c7d0d5f2b07c52a5e548869d478
Instruction ID: cd355492a345d4dfcc7de5553b5c1b6df36b864a425c3d3cd418806d0746e26f
Opcode Fuzzy Hash: cb46c58e6f1c2bbcd426eaec965165d7bafa7c7d0d5f2b07c52a5e548869d478
Instruction Fuzzy Hash: CF41F835264305BEDF251B789D0EFBD3A65E709354F08811EF90196992CB718EC09BA1

Function 000C42A2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 000C42B2
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,000C50AA,?,?,00000000,00000000), ref: 000C42C9
LoadResource.KERNEL32(?,00000000,?,?,000C50AA,?,?,00000000,00000000,?,?,?,?,?,?,000C4F20), ref: 001035BE
SizeofResource.KERNEL32(?,00000000,?,?,000C50AA,?,?,00000000,00000000,?,?,?,?,?,?,000C4F20), ref: 001035D3
LockResource.KERNEL32(000C50AA,?,?,000C50AA,?,?,00000000,00000000,?,?,?,?,?,?,000C4F20,?), ref: 001035E6

Strings

SCRIPT, xrefs: 000C42BF

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: d76a7e9d54f7317ce1fcaadf43784a9dcaf41a1448cac42d0c233214586b4fe7
Instruction ID: 82bd68b8611ed767056485405dd692ce703ab16ce168d5a52986b413788a9dbf
Opcode Fuzzy Hash: d76a7e9d54f7317ce1fcaadf43784a9dcaf41a1448cac42d0c233214586b4fe7
Instruction Fuzzy Hash: 6F117C70600700FFD7218F65DC49F2B7BB9EBC5B52F20416DB8169A6A0DB71D840DA60

Function 00102BA5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetCurrentDirectoryW.KERNEL32(?), ref: 000C2B6B

Part of subcall function 000C3A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00191418,?,000C2E7F,?,?,?,00000000), ref: 000C3A78

Part of subcall function 000C9CB3: _wcslen.LIBCMT ref: 000C9CBD

GetForegroundWindow.USER32(runas,?,?,?,?,?,00182224), ref: 00102C10
ShellExecuteW.SHELL32(00000000,?,?,00182224), ref: 00102C17

Strings

runas, xrefs: 00102C0B

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID: CurrentDirectoryExecuteFileForegroundModuleNameShellWindow_wcslen
String ID: runas
API String ID: 448630720-4000483414
Opcode ID: 1e82341ac37c2fd391e96e21a2517795ed3432556806245a90241ee79d4a68ba
Instruction ID: 679c2b2f75c00d100f84de83dfcfcf83a512bd1902dfed9549f553438934faa0
Opcode Fuzzy Hash: 1e82341ac37c2fd391e96e21a2517795ed3432556806245a90241ee79d4a68ba
Instruction Fuzzy Hash: 7311E631208342AACB14FF60D896FFEBBA5AF95300F44542DF082174A3CF318A8AC752

Function 0012DBBE Relevance: 6.0, APIs: 4, Instructions: 29filestringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,00105222), ref: 0012DBCE
GetFileAttributesW.KERNELBASE(?), ref: 0012DBDD
FindFirstFileW.KERNELBASE(?,?), ref: 0012DBEE
FindClose.KERNEL32(00000000), ref: 0012DBFA

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID: FileFind$AttributesCloseFirstlstrlen
String ID:
API String ID: 2695905019-0
Opcode ID: def91458aadf37262f6dc29bf64214f0161d874ae701f306d898c94f327c03a1
Instruction ID: c370d8df1162d1e897619221db79ca135d4e1cc66fae14f974dc8b436ed284cc
Opcode Fuzzy Hash: def91458aadf37262f6dc29bf64214f0161d874ae701f306d898c94f327c03a1
Instruction Fuzzy Hash: B1F0A030810B209B82246F78FC0D8AA376D9F02336B10470AF836D24E0EBB059B4C6D6

Function 000CD730 Relevance: 21.6, APIs: 14, Instructions: 631windowsleeptimeCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 000CD807
timeGetTime.WINMM ref: 000CDA07
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 000CDB28
TranslateMessage.USER32(?), ref: 000CDB7B
DispatchMessageW.USER32(?), ref: 000CDB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 000CDB9F
Sleep.KERNEL32(0000000A), ref: 000CDBB1

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID: Message$Peek$DispatchInputSleepStateTimeTranslatetime
String ID:
API String ID: 2189390790-0
Opcode ID: 2914577df9b47b9adf8b3a46f1f212a007013762631a3689439627b3f8d1da12
Instruction ID: 55cee646107b16d88bcb72dce43a50625d4022677e09d370cec81926d059cb38
Opcode Fuzzy Hash: 2914577df9b47b9adf8b3a46f1f212a007013762631a3689439627b3f8d1da12
Instruction Fuzzy Hash: 2642AE30608342EFD728DF24C885FAEB7E1BF86304F14456EE5568B692D770A894DB92

Function 0010065B Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0010039A: CreateFileW.KERNELBASE(00000000,00000000,?,00100704,?,?,00000000,?,00100704,00000000,0000000C), ref: 001003B7

GetLastError.KERNEL32 ref: 0010076F
__dosmaperr.LIBCMT ref: 00100776
GetFileType.KERNELBASE(00000000), ref: 00100782
GetLastError.KERNEL32 ref: 0010078C
__dosmaperr.LIBCMT ref: 00100795
CloseHandle.KERNEL32(00000000), ref: 001007B5
CloseHandle.KERNEL32(?), ref: 001008FF
GetLastError.KERNEL32 ref: 00100931
__dosmaperr.LIBCMT ref: 00100938

Strings

H, xrefs: 001008BD

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: 25838155a07724deea7506e28cf2246fd269850ebacd07b7104b1603ccda9686
Instruction ID: 1323a7bc6bad1d214352c7f7926564c9b0b1155769eef22b43f1cade7152fca9
Opcode Fuzzy Hash: 25838155a07724deea7506e28cf2246fd269850ebacd07b7104b1603ccda9686
Instruction Fuzzy Hash: 86A12732A002488FDF1AAF68DC51BAD7BA0EB0A320F14415EF855AF3D2D7759D52CB91

Function 000C344D Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 000C3A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00191418,?,000C2E7F,?,?,?,00000000), ref: 000C3A78

Part of subcall function 000C3357: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 000C3379

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 000C356A
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 0010318D
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 001031CE
RegCloseKey.ADVAPI32(?), ref: 00103210
_wcslen.LIBCMT ref: 00103277
_wcslen.LIBCMT ref: 00103286

Strings

Include, xrefs: 00103184, 001031C5
\Include\, xrefs: 000C3527
Software\AutoIt v3\AutoIt, xrefs: 000C3560
\, xrefs: 0010328C

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 98802146-2727554177
Opcode ID: 025a892ac07e1468f3970f221cb4fa57d2ca64367894726609522501b5b17cef
Instruction ID: af32e742863418d70d3f016eeb32dd102594d11a6e200a039f543b555654bf6b
Opcode Fuzzy Hash: 025a892ac07e1468f3970f221cb4fa57d2ca64367894726609522501b5b17cef
Instruction Fuzzy Hash: 5471A171505301AEC314DF25DC82DAFBBE8FF89340F40452EF495971A1EB709A88CBA1

Function 000C2B83 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 000C2B8E
LoadCursorW.USER32(00000000,00007F00), ref: 000C2B9D
LoadIconW.USER32(00000063), ref: 000C2BB3
LoadIconW.USER32(000000A4), ref: 000C2BC5
LoadIconW.USER32(000000A2), ref: 000C2BD7
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 000C2BEF
RegisterClassExW.USER32(?), ref: 000C2C40

Part of subcall function 000C2CD4: GetSysColorBrush.USER32(0000000F), ref: 000C2D07
Part of subcall function 000C2CD4: RegisterClassExW.USER32(00000030), ref: 000C2D31
Part of subcall function 000C2CD4: RegisterClipboardFormatW.USER32(TaskbarCreated), ref: 000C2D42
Part of subcall function 000C2CD4: LoadIconW.USER32(000000A9), ref: 000C2D85

Strings

0, xrefs: 000C2C0F
AutoIt v3, xrefs: 000C2C2F
#, xrefs: 000C2C16

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID: Load$Icon$Register$BrushClassColor$ClipboardCursorFormatImage
String ID: #$0$AutoIt v3
API String ID: 2880975755-4155596026
Opcode ID: f4e985a3e25f49e24d66b73e1dff63fd20246cfa61c166f0e8fd7e89ed860d6c
Instruction ID: fe26e3582c81eb33e1c8bf37f8c71140ac77193b9c675fbedcdc58c8f1bc6d6e
Opcode Fuzzy Hash: f4e985a3e25f49e24d66b73e1dff63fd20246cfa61c166f0e8fd7e89ed860d6c
Instruction Fuzzy Hash: 24210770E10319BFDB109FA5EC95AAD7FB4FB48B60F04412BE504A6AA0D7B516C0CF90

Function 000C2CD4 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 53
registrywindowclipboardCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 000C2D07
RegisterClassExW.USER32(00000030), ref: 000C2D31
RegisterClipboardFormatW.USER32(TaskbarCreated), ref: 000C2D42
LoadIconW.USER32(000000A9), ref: 000C2D85

Strings

+, xrefs: 000C2CF0
0, xrefs: 000C2CE9
TaskbarCreated, xrefs: 000C2D37
AutoIt v3 GUI, xrefs: 000C2D23

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID: Register$BrushClassClipboardColorFormatIconLoad
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 975902462-1005189915
Opcode ID: 67de3d04cbce7eaac04c98d75b28353ac3b286e51f674e27bc55d62b0453c15d
Instruction ID: be21fe7e0f91b3c0d721edfd9c1b17c86909716ac55c3459bb1d50b7e0575016
Opcode Fuzzy Hash: 67de3d04cbce7eaac04c98d75b28353ac3b286e51f674e27bc55d62b0453c15d
Instruction Fuzzy Hash: C621F2B5901309EFDB00DFA4EC89BDDBBB4FB08706F00811AF911AAAA0D7B10584CF90

Function 000F8D45 Relevance: 13.8, APIs: 9, Instructions: 300
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ec8ee899dee97235725bf44d8dcb8f850b44b6e7ac0465fc1b90593e07ca45a
Instruction ID: f4620254c9cda82750f10020c4ea78bdfd56a5575b2e9d3cc398cde1e1b3ec0a
Opcode Fuzzy Hash: 0ec8ee899dee97235725bf44d8dcb8f850b44b6e7ac0465fc1b90593e07ca45a
Instruction Fuzzy Hash: 84C1F175A0434DAFCB61DFA9D841BFDBBF0AF09310F044099EA14A7792CB359941EB60

Function 00BE5CA8 Relevance: 10.7, APIs: 7, Instructions: 151
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00BE5CED

Memory Dump Source

Source File: 00000000.00000002.1755722286.0000000000BE5000.00000040.00000020.00020000.00000000.sdmp, Offset: 00BE5000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be5000_xom6WSISuh.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: eb584f4a57c68eb24893e8662cdde2a6850f072ba7aa360e4ef334368506de38
Instruction ID: 9d312d158b93e546053bbb21d467e92678646e463675eb29c1b3dd6aa949438d
Opcode Fuzzy Hash: eb584f4a57c68eb24893e8662cdde2a6850f072ba7aa360e4ef334368506de38
Instruction Fuzzy Hash: 91510575A50248FBEB30DFA4CC99FEE77B8AF48704F108554F61AEA1C0DB749A449B60

Function 000C2C63 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 000C2C91
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 000C2CB2
ShowWindow.USER32(00000000,?,?,?,?,?,?,000C1CAD,?), ref: 000C2CC6
ShowWindow.USER32(00000000,?,?,?,?,?,?,000C1CAD,?), ref: 000C2CCF

Strings

AutoIt v3, xrefs: 000C2C89, 000C2C8E, 000C2C8F
edit, xrefs: 000C2CAC

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: c2a1766012652c63616c3f8a17f2384799addf727d85c704eb20f6d8e0103e20
Instruction ID: 555858e77866bac33c99a308619502770e0a3a0de833dc73a82619dd23d1d54b
Opcode Fuzzy Hash: c2a1766012652c63616c3f8a17f2384799addf727d85c704eb20f6d8e0103e20
Instruction Fuzzy Hash: C7F0DA75540391BEEB311B27AC08E773EBDE7CAF61B00005AFD14A69A0C67119D4DAB1

Function 00132947 Relevance: 7.8, APIs: 5, Instructions: 313
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00132C05
DeleteFileW.KERNEL32(?), ref: 00132C87
CopyFileW.KERNEL32(?,?,00000000,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00132C9D
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00132CAE
DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00132CC0

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID: File$Delete$Copy
String ID:
API String ID: 3226157194-0
Opcode ID: adcbd78d34fbf0e8ea75d71a1391f56fbed1cadabd67263ffd9d05c6caca5e64
Instruction ID: 5db6f64145b6b56708e248a67074fe9f27521201156035cde84fd611e3f5d900
Opcode Fuzzy Hash: adcbd78d34fbf0e8ea75d71a1391f56fbed1cadabd67263ffd9d05c6caca5e64
Instruction Fuzzy Hash: 38B12E71900219AFDF25EBA4CC85EDEB77DEF49350F1040A6F509E6156EB30AA448F61

Function 001ED6F0 Relevance: 7.7, APIs: 5, Instructions: 206
librarymemoryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32(?), ref: 001ED82A
GetProcAddress.KERNEL32(?,001E6FF9), ref: 001ED848
ExitProcess.KERNEL32(?,001E6FF9), ref: 001ED859
VirtualProtect.KERNELBASE(000C0000,00001000,00000004,?,00000000), ref: 001ED8A7
VirtualProtect.KERNELBASE(000C0000,00001000), ref: 001ED8BC

Memory Dump Source

Source File: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID: ProtectVirtual$AddressExitLibraryLoadProcProcess
String ID:
API String ID: 1996367037-0
Opcode ID: 6bec9d84b91a0698e667e8acdc2c68004ce57d8dcd60e4fe82b50a6ab010d0f8
Instruction ID: 3e4e6a909ffd767403bc18687672b1cc9f90187708e353cc92edb73033634b5b
Opcode Fuzzy Hash: 6bec9d84b91a0698e667e8acdc2c68004ce57d8dcd60e4fe82b50a6ab010d0f8
Instruction Fuzzy Hash: 31514672E44AD24BD7248FB9ECC067CB7A1EB413287280738D9E5CB3C5E7A45C0583A0

Function 00BE7738 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 153
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00BE7628: Sleep.KERNELBASE(000001F4), ref: 00BE7639

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 00BE7864

Strings

3ZQ7X87J0LXED3D3NH3F6, xrefs: 00BE78E4, 00BE78E7

Memory Dump Source

Source File: 00000000.00000002.1755722286.0000000000BE5000.00000040.00000020.00020000.00000000.sdmp, Offset: 00BE5000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be5000_xom6WSISuh.jbxd

Similarity

API ID: CreateFileSleep
String ID: 3ZQ7X87J0LXED3D3NH3F6
API String ID: 2694422964-1374027123
Opcode ID: cd23815cbdc0e9b7590287a65be7c2a1eb7ed846ba61b65b1b70e5ab78ace1b6
Instruction ID: 35932aa288e0ed3e2d7ee7a8d4582b1301a6fb5fdf4f8b3c0b34670afe0cadd3
Opcode Fuzzy Hash: cd23815cbdc0e9b7590287a65be7c2a1eb7ed846ba61b65b1b70e5ab78ace1b6
Instruction Fuzzy Hash: 2B519530D08288EBEF11D7B4C859BEEBBB9AF15304F104199E2447B2C1DBB90B45CBA5

Function 000C3B1C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,000C3B0F,SwapMouseButtons,00000004,?), ref: 000C3B40
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,000C3B0F,SwapMouseButtons,00000004,?), ref: 000C3B61
RegCloseKey.KERNELBASE(00000000,?,?,?,80000001,80000001,?,000C3B0F,SwapMouseButtons,00000004,?), ref: 000C3B83

Strings

Control Panel\Mouse, xrefs: 000C3B3E

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: 97fb02fb39f1050f6d84a9fb68eb34c8ed1313218f22f1c37adb634a02781225
Instruction ID: f4b6254dbcab8f999431eebd78de3660539647761d391235f085f1c03dc3d8bd
Opcode Fuzzy Hash: 97fb02fb39f1050f6d84a9fb68eb34c8ed1313218f22f1c37adb634a02781225
Instruction Fuzzy Hash: 66112AB5520208FFDB608FA5DC44EEFB7BCEF44755B108459BA05D7150D3319E409BA0

Function 000CDFD0 Relevance: 6.7, APIs: 2, Strings: 1, Instructions: 1414COMMON

Download Yara Rule

Strings

Variable must be of type 'Object'., xrefs: 001132B7

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID:
String ID: Variable must be of type 'Object'.
API String ID: 0-109567571
Opcode ID: 11f0ef5e6096cb6a1383a3fe1a4852530172258d8570414d05091d81de6cc74b
Instruction ID: 3c885b7e4b923f43e77c9e48ea490a606b9a477d18cb04c283dcec7ff286de78
Opcode Fuzzy Hash: 11f0ef5e6096cb6a1383a3fe1a4852530172258d8570414d05091d81de6cc74b
Instruction Fuzzy Hash: 2AC26971A00255DFCB24CF58C884FADB7F1BF09310F24816AE916AB396D775AE81CB91

Function 000C3923 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 94windowCOMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 001033A2

Part of subcall function 000C6B57: _wcslen.LIBCMT ref: 000C6B6A

Shell_NotifyIconW.SHELL32(00000001,?), ref: 000C3A04

Strings

Line: , xrefs: 001033EB

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID: IconLoadNotifyShell_String_wcslen
String ID: Line:
API String ID: 2289894680-1585850449
Opcode ID: b66f4566afc956697d00e24f380eabe068dcc77477ff27b21214949ceb788cc2
Instruction ID: d24c7d4d8b9e56d99962dacae7caeb79f1e62206e2ea377e4b29f5604a9d7308
Opcode Fuzzy Hash: b66f4566afc956697d00e24f380eabe068dcc77477ff27b21214949ceb788cc2
Instruction Fuzzy Hash: 8431C171518305AED725EB20DC46FEFB7E8AB40720F00892EF59993592DB709B89C7C2

Function 000DFDDB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 000E0668

Part of subcall function 000E32A4: RaiseException.KERNEL32(?,?,?,000E068A,?,00191444,?,?,?,?,?,?,000E068A,000C1129,00188738,000C1129), ref: 000E3304

__CxxThrowException@8.LIBVCRUNTIME ref: 000E0685

Strings

Unknown exception, xrefs: 000E0692

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID: Exception@8Throw$ExceptionRaise
String ID: Unknown exception
API String ID: 3476068407-410509341
Opcode ID: 7ebbaa5cc9a1f1de4de363476c0e1e696995e2c1dbd0974cf9af060bb7d8e95e
Instruction ID: 42c8da9bfb702ed683406a43a58495406c7d7ef068cf3c2404e29fc82b78b6bc
Opcode Fuzzy Hash: 7ebbaa5cc9a1f1de4de363476c0e1e696995e2c1dbd0974cf9af060bb7d8e95e
Instruction Fuzzy Hash: D2F0C83490038DBBCB10B666D846DDE7BBD5F40310BA04535B924F65D2EFB1DB55CA90

Function 00BE6388 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 41processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 00BE63CD
ExitProcess.KERNEL32(00000000), ref: 00BE63EC

Strings

D, xrefs: 00BE6399

Memory Dump Source

Source File: 00000000.00000002.1755722286.0000000000BE5000.00000040.00000020.00020000.00000000.sdmp, Offset: 00BE5000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be5000_xom6WSISuh.jbxd

Similarity

API ID: Process$CreateExit
String ID: D
API String ID: 126409537-2746444292
Opcode ID: 9ec10d9bb68332e7bcdb3756cd9d8bc900757a5150bae08cbb91c2426b35d2e1
Instruction ID: c1199709379b2cbbe9cb9d7b06fcf7513ae25f1fcfedbce49d13322f3ffa2ed2
Opcode Fuzzy Hash: 9ec10d9bb68332e7bcdb3756cd9d8bc900757a5150bae08cbb91c2426b35d2e1
Instruction Fuzzy Hash: 3CF0EC7554424CABDB60EFE5CC89FEE77B8BF04701F508549FA1A9A180EB7896088B61

Function 00133017 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 18COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?,00000001), ref: 0013302F
GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 00133044

Strings

aut, xrefs: 00133038

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: bb0a4b263bd1f94c1ab6597c5797734549a94ebdea0d5f6888f685b8c736f158
Instruction ID: cc353d65736244ba903f87a252715e13502367cb71728f32843b77112e07f335
Opcode Fuzzy Hash: bb0a4b263bd1f94c1ab6597c5797734549a94ebdea0d5f6888f685b8c736f158
Instruction Fuzzy Hash: 13D05E72500328ABDA20ABA4AC4EFCB7A7CDB04751F0002A1B655E6491EAB09A84CBD0

Function 00147F59 Relevance: 4.9, APIs: 3, Instructions: 430COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000000,00000067,000000FF,?,?,?), ref: 001482F5
TerminateProcess.KERNEL32(00000000), ref: 001482FC
FreeLibrary.KERNEL32(?,?,?,?), ref: 001484DD

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID: Process$CurrentFreeLibraryTerminate
String ID:
API String ID: 146820519-0
Opcode ID: 51e40b6541dcb768dd776a9bf4538d7f80e6e8dc312fc8718ddfc0aa924a8fbe
Instruction ID: ebc0b70f34ef5e7419b53a67b2c22787e29e8895df67acefb2fdac245e244274
Opcode Fuzzy Hash: 51e40b6541dcb768dd776a9bf4538d7f80e6e8dc312fc8718ddfc0aa924a8fbe
Instruction Fuzzy Hash: D6126B71A083019FC714DF28C484B6EBBE5BF85314F04895DE8998B2A2DB71E946CF92

Function 000F5AA9 Relevance: 4.7, APIs: 3, Instructions: 186COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1bb733a135a85681b1f4eee7f4d0102fc3c68305f81493af8b5bd6ae4bc6fc3
Instruction ID: e7303e2be5812d538c9fd25fbc6f676cb02d9ce3b210ed85360494678844f545
Opcode Fuzzy Hash: a1bb733a135a85681b1f4eee7f4d0102fc3c68305f81493af8b5bd6ae4bc6fc3
Instruction Fuzzy Hash: 4451B171D00A0E9FCB219FA5CC45EFEBBB8AF05312F14005AF705A7692D7359A41ABA1

Function 000C10F3 Relevance: 4.7, APIs: 3, Instructions: 153comCOMMON

Download Yara Rule

APIs

Part of subcall function 000C1BC3: MapVirtualKeyW.USER32(0000005B,00000000), ref: 000C1BF4
Part of subcall function 000C1BC3: MapVirtualKeyW.USER32(00000010,00000000), ref: 000C1BFC
Part of subcall function 000C1BC3: MapVirtualKeyW.USER32(000000A0,00000000), ref: 000C1C07
Part of subcall function 000C1BC3: MapVirtualKeyW.USER32(000000A1,00000000), ref: 000C1C12
Part of subcall function 000C1BC3: MapVirtualKeyW.USER32(00000011,00000000), ref: 000C1C1A
Part of subcall function 000C1BC3: MapVirtualKeyW.USER32(00000012,00000000), ref: 000C1C22

Part of subcall function 000C1B4A: RegisterClipboardFormatW.USER32(00000004), ref: 000C1BA2

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 000C136A
OleInitialize.OLE32 ref: 000C1388
CloseHandle.KERNEL32(00000000,00000000), ref: 001024AB

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID: Virtual$Handle$ClipboardCloseFormatInitializeRegister
String ID:
API String ID: 3094916012-0
Opcode ID: ca3429ecc30586c3609b3b5c4fdc200247b00b86563a80706cd6bead2df5524f
Instruction ID: 51b19cdaaf0505a943bdb5370a3129b00d8625052b37545a85874a1a374d7769
Opcode Fuzzy Hash: ca3429ecc30586c3609b3b5c4fdc200247b00b86563a80706cd6bead2df5524f
Instruction Fuzzy Hash: B271CFB4901303AFE785DF79AA45A993AE1FB8A344357822FD41AD7B62EB3044C5CF41

Function 0012C161 Relevance: 4.6, APIs: 3, Instructions: 74timewindowCOMMON

Download Yara Rule

APIs

Part of subcall function 000C3923: Shell_NotifyIconW.SHELL32(00000001,?), ref: 000C3A04

Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 0012C259
KillTimer.USER32(?,00000001,?,?), ref: 0012C261
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 0012C270

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID: IconNotifyShell_Timer$Kill
String ID:
API String ID: 3500052701-0
Opcode ID: 374989e53cc62e994d269715cb67722fbc4585087790e7ec14ecffe75e30f115
Instruction ID: 5cf572107fb08a5f805b10cee61c0099c0c8c9fc1a1d09e2f70ac94921ee6cfc
Opcode Fuzzy Hash: 374989e53cc62e994d269715cb67722fbc4585087790e7ec14ecffe75e30f115
Instruction Fuzzy Hash: FB31C570904354EFEB26DF64A855BEBBBECAF16304F00049ED2DA97241C7745A84CB91

Function 000F86AE Relevance: 4.6, APIs: 3, Instructions: 61COMMONLIBRARYCODE

Download Yara Rule

APIs

CloseHandle.KERNELBASE(00000000,00000000,?,?,000F85CC,?,00188CC8,0000000C), ref: 000F8704
GetLastError.KERNEL32(?,000F85CC,?,00188CC8,0000000C), ref: 000F870E
__dosmaperr.LIBCMT ref: 000F8739

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID: CloseErrorHandleLast__dosmaperr
String ID:
API String ID: 2583163307-0
Opcode ID: a28971cf563fc162dbc94362d74cb1ba01aff939504861363a9b69eadb4b444d
Instruction ID: d7169c14a8ec4a80ba0a944bd0e38212085f0bfae8e6ab91dc2ad744c60cd834
Opcode Fuzzy Hash: a28971cf563fc162dbc94362d74cb1ba01aff939504861363a9b69eadb4b444d
Instruction Fuzzy Hash: 2E014C336047285AC2A062346C497FE37C54B82779F254119EB04DB9D3DE60CD81A390

Function 000CDB38 Relevance: 4.5, APIs: 3, Instructions: 29windowsleepCOMMON

Download Yara Rule

APIs

TranslateMessage.USER32(?), ref: 000CDB7B
DispatchMessageW.USER32(?), ref: 000CDB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 000CDB9F
Sleep.KERNEL32(0000000A), ref: 000CDBB1
TranslateAcceleratorW.USER32(?,?,?), ref: 00111CC9

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchPeekSleep
String ID:
API String ID: 3288985973-0
Opcode ID: 65cc1173bde993173c4c3bedad73afbd2bc4109abb64ba1bb540f94fbc09ae33
Instruction ID: 506f5838a1ee4ef7f8c55fc901c628f66792f0d6e46a70e4bec5a621fc9da3e3
Opcode Fuzzy Hash: 65cc1173bde993173c4c3bedad73afbd2bc4109abb64ba1bb540f94fbc09ae33
Instruction Fuzzy Hash: 33F05430644381EBE734CB60CC45FDE73ACEB44311F504529E60A874C0DB3094C89B65

Function 00132FD8 Relevance: 4.5, APIs: 3, Instructions: 27filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,00000000,?,?,00132CD4,?,?,?,00000004,00000001), ref: 00132FF2
SetFileTime.KERNELBASE(00000000,?,00000000,?,?,00132CD4,?,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00133006
CloseHandle.KERNEL32(00000000,?,00132CD4,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 0013300D

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID: File$CloseCreateHandleTime
String ID:
API String ID: 3397143404-0
Opcode ID: 6f1f7fb82512651a8f7bb13fa1cb66c8e638c945cc0bc77cd58ef007664559ea
Instruction ID: 22f2532761d5082a4e47461fc2e89cf96102b85c9336c17559968974007228c9
Opcode Fuzzy Hash: 6f1f7fb82512651a8f7bb13fa1cb66c8e638c945cc0bc77cd58ef007664559ea
Instruction Fuzzy Hash: 2EE08636680714BBD2302B65BC4DF8B3A1CD786B72F104210F7297D0D046A0154142E8

Function 000D1310 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 531COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 000D17F6

Strings

CALL, xrefs: 000D17C6

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID: Init_thread_footer
String ID: CALL
API String ID: 1385522511-4196123274
Opcode ID: 3fff2416deaa0d6f9dedea57fed63546307c76c527e1516f8036e271b73765d9
Instruction ID: 308528c44cec28ed306c58f38d0e974840aa8552e43bc58a9241bddc3e1cd597
Opcode Fuzzy Hash: 3fff2416deaa0d6f9dedea57fed63546307c76c527e1516f8036e271b73765d9
Instruction Fuzzy Hash: F1228E70608301EFC714DF14D484AAABBF1BF85314F14856EF49A8B362DB76E985CB62

Function 00136EF1 Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 297COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00136F6B

Part of subcall function 000C4ECB: LoadLibraryExW.KERNEL32(?,00000000,00000002,?,00191418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 000C4EFD

Strings

>>>AUTOIT SCRIPT<<<, xrefs: 00136F5A, 00136F63

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID: LibraryLoad_wcslen
String ID: >>>AUTOIT SCRIPT<<<
API String ID: 3312870042-2806939583
Opcode ID: 413ef574ca308b8f000d5713d74a921b8514000d628c856e103fbd50b44edf0e
Instruction ID: 613b19757730c0cf06fa559c240970f6c235cc8b0ff95b3f00c9fc8017bf250e
Opcode Fuzzy Hash: 413ef574ca308b8f000d5713d74a921b8514000d628c856e103fbd50b44edf0e
Instruction Fuzzy Hash: 91B1B4712086019FCB24EF20C491EAEB7E5BF95314F44891DF496972A2EF30ED49CB92

Function 00132557 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 50COMMON

Download Yara Rule

APIs

__fread_nolock.LIBCMT ref: 00132587

Strings

EA06, xrefs: 001325B9

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID: __fread_nolock
String ID: EA06
API String ID: 2638373210-3962188686
Opcode ID: 739f87796ca766814d8ae3127831beb3bdeb02efc2ff30bfd5764b86e11dbe8b
Instruction ID: 03da882357d9e3199a320617618f157acfe8f27bf4d0ac9c59558d6a81c95175
Opcode Fuzzy Hash: 739f87796ca766814d8ae3127831beb3bdeb02efc2ff30bfd5764b86e11dbe8b
Instruction Fuzzy Hash: 3401B5729042587EDF18D7A9C856EEEBBF89B05301F00455AE152E2182E5B4E7088B60

Function 000C3837 Relevance: 3.1, APIs: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000000,?), ref: 000C3908

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: 28e8464e715d84ff62ca00f22613d4b59483b02c22f4d3ea83da3c7ac2be768e
Instruction ID: e996329e0dbd43ae21edc3b36fa6cb3e57f568df8d932491f2e056a3fa39fd41
Opcode Fuzzy Hash: 28e8464e715d84ff62ca00f22613d4b59483b02c22f4d3ea83da3c7ac2be768e
Instruction Fuzzy Hash: 8A319170504301DFD760DF24D885B9BBBF8FB49718F00092EF59987680E7B1AA88CB92

Function 00BE63F8 Relevance: 1.7, APIs: 1, Instructions: 159COMMON

Download Yara Rule

APIs

Part of subcall function 00BE5C68: GetFileAttributesW.KERNELBASE(?), ref: 00BE5C73

CreateDirectoryW.KERNELBASE(?,00000000), ref: 00BE6530

Memory Dump Source

Source File: 00000000.00000002.1755722286.0000000000BE5000.00000040.00000020.00020000.00000000.sdmp, Offset: 00BE5000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be5000_xom6WSISuh.jbxd

Similarity

API ID: AttributesCreateDirectoryFile
String ID:
API String ID: 3401506121-0
Opcode ID: 1730ffd7e136448da3323d274787253f549e61aa911ff25593395ed30d78e640
Instruction ID: 41038801f741c1db19eb8342974aa530053f0b28ec5c33013bf321f1d87772d3
Opcode Fuzzy Hash: 1730ffd7e136448da3323d274787253f549e61aa911ff25593395ed30d78e640
Instruction Fuzzy Hash: B751B531A1024D97DF14EFB0C945BEF7379EF68700F0045A8A909E7280EB799B48CBA5

Function 000DFC70 Relevance: 1.6, APIs: 1, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE ref: 000DFD1F

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction ID: 4f479efec71328087c646c863aee5cfc37b03c68b479304e734d2a7594571fe9
Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction Fuzzy Hash: 6431F574A0020ADBC768CF59D580969F7A2FF49304B24D6A6E80ACB755D731EDD1CBE0

Function 000C4ECB Relevance: 1.6, APIs: 1, Instructions: 65libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 000C4E90: LoadLibraryA.KERNEL32(kernel32.dll,?,?,000C4EDD,?,00191418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 000C4E9C
Part of subcall function 000C4E90: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 000C4EAE
Part of subcall function 000C4E90: FreeLibrary.KERNEL32(00000000,?,?,000C4EDD,?,00191418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 000C4EC0

LoadLibraryExW.KERNEL32(?,00000000,00000002,?,00191418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 000C4EFD

Part of subcall function 000C4E59: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00103CDE,?,00191418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 000C4E62
Part of subcall function 000C4E59: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 000C4E74
Part of subcall function 000C4E59: FreeLibrary.KERNEL32(00000000,?,?,00103CDE,?,00191418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 000C4E87

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID: Library$Load$AddressFreeProc
String ID:
API String ID: 2632591731-0
Opcode ID: ec7771f3d82d571afe96b9d2030049f3a9d035a227491e6e00d28b7063aa63bb
Instruction ID: 82070dd278fd2c6fec7ff5b1fd63f1653bbd557ffe39849652b8979407b5d51b
Opcode Fuzzy Hash: ec7771f3d82d571afe96b9d2030049f3a9d035a227491e6e00d28b7063aa63bb
Instruction Fuzzy Hash: D511E332610305AADB24FF60DC22FED77A5AF50711F20842EF552AA1D2EFB1AA459790

Function 000F8402 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

__wsopen_s.LIBCMT ref: 000F8440

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: 544b0cd8e59c201a4d4f0d914284f9386aa8299b636b69c2cd36c4c31226f002
Instruction ID: c98f3178f9e28ae50027352d5168cd0601d15c8055f37839926cfd85a56b326c
Opcode Fuzzy Hash: 544b0cd8e59c201a4d4f0d914284f9386aa8299b636b69c2cd36c4c31226f002
Instruction Fuzzy Hash: 5211487590410AAFCB05DF58E9419EE7BF8FF48304F148059F908AB312DB30EA11DBA4

Function 000EE602 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction ID: f581a561ca329b3a9bce4854d4037c4476bd8fa2bf7fe93f7032546f97956e43
Opcode Fuzzy Hash: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction Fuzzy Hash: 81F0F432511A9C9ECA313A6BDC05BEA33989F523B4F100716FA20B35D3DB70D80196A5

Function 000F3820 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,00191444), ref: 000F3852

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: dcbf13906800e252306d2841bf747753c0ac3232d4fe320570f822de82ff811f
Instruction ID: 83955f0597e0c6aab9be7531c696f51e6a4da2896ce8deffb275a942b3965516
Opcode Fuzzy Hash: dcbf13906800e252306d2841bf747753c0ac3232d4fe320570f822de82ff811f
Instruction Fuzzy Hash: 5CE0E53110036DAAD6712A779D01BFA36C8AB42BF0F090021BE04A6E81DF19DE03A1E0

Function 000C4F39 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,00191418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 000C4F6D

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: fcff1a59b8c429fda39caf9a41e32ef10f982e4afe1487452235ca5f4389f515
Instruction ID: 9fe2efde7b695aad62b140791c359ee0754f92812b66b0fa0f9f41747cccc1f0
Opcode Fuzzy Hash: fcff1a59b8c429fda39caf9a41e32ef10f982e4afe1487452235ca5f4389f515
Instruction Fuzzy Hash: 5EF03971105752CFDB349F64D4A0E6ABBE4BF14329320897EE1EA82621CB319885DF50

Function 000C2DA5 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 000C2DC4

Part of subcall function 000C6B57: _wcslen.LIBCMT ref: 000C6B6A

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID: LongNamePath_wcslen
String ID:
API String ID: 541455249-0
Opcode ID: 84bf0497927011b3c2d2ab31c8d1c23799f2231a241cacf36fcd3355976e0aac
Instruction ID: 8eeb0c6cbfad30ec64d43f42d9a94b49a7cbd55a8abe81d4788ed978a1c7198f
Opcode Fuzzy Hash: 84bf0497927011b3c2d2ab31c8d1c23799f2231a241cacf36fcd3355976e0aac
Instruction Fuzzy Hash: 37E0C272A002246BCB20E7989C06FEA77EDDFC8790F0400B5FD09E7248DAA4ADC48690

Function 00132693 Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

__fread_nolock.LIBCMT ref: 001326B5

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID: __fread_nolock
String ID:
API String ID: 2638373210-0
Opcode ID: 62c4ae1466583100269b95fce18df2779376e23d7999e61a0ae1b5108404e028
Instruction ID: 48e17dec2b32bcca8174410b28f9e0e497ca377802f614f5a08ff54266a67b39
Opcode Fuzzy Hash: 62c4ae1466583100269b95fce18df2779376e23d7999e61a0ae1b5108404e028
Instruction Fuzzy Hash: 12E048F06097005FDF396A28A9517F677D49F49300F10045EF59F93252E6726845865D

Function 000C2B3D Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 000C3837: Shell_NotifyIconW.SHELL32(00000000,?), ref: 000C3908

Part of subcall function 000CD730: GetInputState.USER32 ref: 000CD807

SetCurrentDirectoryW.KERNEL32(?), ref: 000C2B6B

Part of subcall function 000C30F2: Shell_NotifyIconW.SHELL32(00000002,?), ref: 000C314E

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID: IconNotifyShell_$CurrentDirectoryInputState
String ID:
API String ID: 3667716007-0
Opcode ID: b9288d1cf56e3adf427b2555f6f1a10e82506f6d37c3cca91622fffb789a7043
Instruction ID: be1fc837e0f7f3d01c25b24c65a8b706fe8941f4676c93dc0b1eb71c3887bf43
Opcode Fuzzy Hash: b9288d1cf56e3adf427b2555f6f1a10e82506f6d37c3cca91622fffb789a7043
Instruction Fuzzy Hash: 26E0862230434516CA04BB74A856FFDB7599BD5351F40553EF142471A3DF2489CA4251

Function 00BE5C68 Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?), ref: 00BE5C73

Memory Dump Source

Source File: 00000000.00000002.1755722286.0000000000BE5000.00000040.00000020.00020000.00000000.sdmp, Offset: 00BE5000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be5000_xom6WSISuh.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 195c23eedc4a89e51baf60bc3cc3d10d01908f8b29aed20e491e172ce03d4d2a
Instruction ID: f5d61460a7f3a2ca1e5d6001504ce252a46ff57574f3e9a18ef2d291ec199664
Opcode Fuzzy Hash: 195c23eedc4a89e51baf60bc3cc3d10d01908f8b29aed20e491e172ce03d4d2a
Instruction Fuzzy Hash: BBE08C30915B88EBCB20CAA98D54AA973E8EB04324F204A94A806C7380E6309E00E750

Function 0010039A Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateFileW.KERNELBASE(00000000,00000000,?,00100704,?,?,00000000,?,00100704,00000000,0000000C), ref: 001003B7

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: b361be10b0e00002bae87d68e464da797d7746894510e8ec70cf6ac496f1c008
Instruction ID: 2e89f02ddee3c7705cc33bc6bc8e645745fc4774387fc3c987b322dc5e6a8ec4
Opcode Fuzzy Hash: b361be10b0e00002bae87d68e464da797d7746894510e8ec70cf6ac496f1c008
Instruction Fuzzy Hash: 8CD06C3204020DFFDF029F84DD46EDA3BAAFB48714F014000BE185A020C732E861AB90

Function 00BE5C38 Relevance: 1.5, APIs: 1, Instructions: 15COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?), ref: 00BE5C43

Memory Dump Source

Source File: 00000000.00000002.1755722286.0000000000BE5000.00000040.00000020.00020000.00000000.sdmp, Offset: 00BE5000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be5000_xom6WSISuh.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 63700976fb5b8646ca9f82f7877e0f33cef2a649cb81b4b88ad66ba6039b9afc
Instruction ID: a33d2b8e6124ad674301200caefe332ef9ef9d978fd3f3cd4fb44818ac959acb
Opcode Fuzzy Hash: 63700976fb5b8646ca9f82f7877e0f33cef2a649cb81b4b88ad66ba6039b9afc
Instruction Fuzzy Hash: 24D05E3090564CABCB20CEE5990499973A8D705324F208794E91983280D63199009750

Function 000C1CAD Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00002001,00000000,00000002), ref: 000C1CBC

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID: InfoParametersSystem
String ID:
API String ID: 3098949447-0
Opcode ID: b09a23bbbe24cd81e790c24804f3d509a3bf5a94f209aa1b9b9955293ddc6caa
Instruction ID: 6786e4fb22ba81df57cf4a6fd9f2fd0cfbc65183e2e0fd3c039f356b7d2295b6
Opcode Fuzzy Hash: b09a23bbbe24cd81e790c24804f3d509a3bf5a94f209aa1b9b9955293ddc6caa
Instruction Fuzzy Hash: 6EC0483A380306AEF2148B90AC4AF507764A348B11F448002F619A99E392B228A0EA90

Function 00BE7624 Relevance: 1.3, APIs: 1, Instructions: 21sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000001F4), ref: 00BE7639

Memory Dump Source

Source File: 00000000.00000002.1755722286.0000000000BE5000.00000040.00000020.00020000.00000000.sdmp, Offset: 00BE5000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be5000_xom6WSISuh.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
Instruction ID: fd08f9c987d3e39efb5159a3fcb227e67de217caef8bc4ee973a1a3eea417bb8
Opcode Fuzzy Hash: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
Instruction Fuzzy Hash: 27E0BF7498414DEFDB00DFA8D5496DD7BB4EF04301F1005A1FD05D7680DB309E549A66

Function 00BE7628 Relevance: 1.3, APIs: 1, Instructions: 18sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000001F4), ref: 00BE7639

Memory Dump Source

Source File: 00000000.00000002.1755722286.0000000000BE5000.00000040.00000020.00020000.00000000.sdmp, Offset: 00BE5000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be5000_xom6WSISuh.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction ID: 4feb442dff55fb81b91e4ab8be293d5c28922691da0379c46ee6c550f05f094c
Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction Fuzzy Hash: C5E0E67498414DDFDB00DFB8D54969D7FF4EF04301F1005A1FD01D2280DB309D509A62

Non-executed Functions

Function 00159576 Relevance: 67.1, APIs: 36, Strings: 2, Instructions: 625windowkeyboardnativeCOMMON

Download Yara Rule

APIs

Part of subcall function 000D9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 000D9BB2

NtdllDialogWndProc_W.NTDLL(?,0000004E,?,?,?,?,?,?), ref: 0015961A
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0015965B
GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 0015969F
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 001596C9
SendMessageW.USER32 ref: 001596F2
GetKeyState.USER32(00000011), ref: 0015978B
GetKeyState.USER32(00000009), ref: 00159798
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 001597AE
GetKeyState.USER32(00000010), ref: 001597B8
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 001597E9
SendMessageW.USER32 ref: 00159810
SendMessageW.USER32(?,00001030,?,00157E95), ref: 00159918
SetCapture.USER32(?), ref: 0015994A
ClientToScreen.USER32(?,?), ref: 001599AF
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 001599D6
ReleaseCapture.USER32 ref: 001599E1
GetCursorPos.USER32(?), ref: 00159A19
ScreenToClient.USER32(?,?), ref: 00159A26
SendMessageW.USER32(?,00001012,00000000,?), ref: 00159A80
SendMessageW.USER32 ref: 00159AAE
SendMessageW.USER32(?,00001111,00000000,?), ref: 00159AEB
SendMessageW.USER32 ref: 00159B1A
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00159B3B
SendMessageW.USER32(?,0000110B,00000009,?), ref: 00159B4A
GetCursorPos.USER32(?), ref: 00159B68
ScreenToClient.USER32(?,?), ref: 00159B75
GetParent.USER32(?), ref: 00159B93
SendMessageW.USER32(?,00001012,00000000,?), ref: 00159BFA
SendMessageW.USER32 ref: 00159C2B
ClientToScreen.USER32(?,?), ref: 00159C84
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00159CB4
SendMessageW.USER32(?,00001111,00000000,?), ref: 00159CDE
SendMessageW.USER32 ref: 00159D01
ClientToScreen.USER32(?,?), ref: 00159D4E
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 00159D82

Part of subcall function 000D9944: GetWindowLongW.USER32(?,000000EB), ref: 000D9952

GetWindowLongW.USER32(?,000000F0), ref: 00159E05

Strings

@GUI_DRAGID, xrefs: 0015997D
F, xrefs: 00159D07

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID: MessageSend$ClientScreen$LongWindow$State$CaptureCursorMenuPopupTrack$DialogInvalidateNtdllParentProc_RectRelease
String ID: @GUI_DRAGID$F
API String ID: 1312020300-4164748364
Opcode ID: e952c505bd22625409e87cce81605b05ec9437295c724cb29dfc4483b7980025
Instruction ID: 5d1c605c6e40d2b424feef0e14b729146206454f46baa6e0fa3d669961f9f85b
Opcode Fuzzy Hash: e952c505bd22625409e87cce81605b05ec9437295c724cb29dfc4483b7980025
Instruction Fuzzy Hash: 8A429C74204301EFDB25CF24CD44AAABBE5FF48315F10061EF9698B6A1D731A998DF92

Function 00154873 Relevance: 60.1, APIs: 33, Strings: 1, Instructions: 566windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000408,00000000,00000000), ref: 001548F3
SendMessageW.USER32(00000000,00000188,00000000,00000000), ref: 00154908
SendMessageW.USER32(00000000,0000018A,00000000,00000000), ref: 00154927
SendMessageW.USER32(?,00000148,00000000,00000000), ref: 0015494B
SendMessageW.USER32(00000000,00000147,00000000,00000000), ref: 0015495C
SendMessageW.USER32(00000000,00000149,00000000,00000000), ref: 0015497B
SendMessageW.USER32(00000000,0000130B,00000000,00000000), ref: 001549AE
SendMessageW.USER32(00000000,0000133C,00000000,?), ref: 001549D4
SendMessageW.USER32(00000000,0000110A,00000009,00000000), ref: 00154A0F
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00154A56
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00154A7E
IsMenu.USER32(?), ref: 00154A97
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00154AF2
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00154B20
GetWindowLongW.USER32(?,000000F0), ref: 00154B94
SendMessageW.USER32(?,0000113E,00000000,00000008), ref: 00154BE3
SendMessageW.USER32(00000000,00001001,00000000,?), ref: 00154C82
wsprintfW.USER32 ref: 00154CAE
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00154CC9
GetWindowTextW.USER32(?,00000000,00000001), ref: 00154CF1
SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00154D13
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00154D33
GetWindowTextW.USER32(?,00000000,00000001), ref: 00154D5A

Strings

%d/%02d/%02d, xrefs: 00154CA8

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID: MessageSend$MenuWindow$InfoItemText$Longwsprintf
String ID: %d/%02d/%02d
API String ID: 4054740463-328681919
Opcode ID: ff6588624eb12c6df381b666f24a097cef73267c397f953d75b03be9586bd911
Instruction ID: f6dbd103fef0e1047808425eb319563f75f11c78759474e50ea748510d39a147
Opcode Fuzzy Hash: ff6588624eb12c6df381b666f24a097cef73267c397f953d75b03be9586bd911
Instruction Fuzzy Hash: F712CF71600314EFEB258F68CC49FEE7BB8EB45719F10411AF926DE2A1DB749A84CB50

Function 000DF98E Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 130keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,00000000,00000000), ref: 000DF998
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0011F474
IsIconic.USER32(00000000), ref: 0011F47D
ShowWindow.USER32(00000000,00000009), ref: 0011F48A
SetForegroundWindow.USER32(00000000), ref: 0011F494
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0011F4AA
GetCurrentThreadId.KERNEL32 ref: 0011F4B1
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0011F4BD
AttachThreadInput.USER32(?,00000000,00000001), ref: 0011F4CE
AttachThreadInput.USER32(?,00000000,00000001), ref: 0011F4D6
AttachThreadInput.USER32(00000000,000000FF,00000001), ref: 0011F4DE
SetForegroundWindow.USER32(00000000), ref: 0011F4E1
MapVirtualKeyW.USER32(00000012,00000000), ref: 0011F4F6
keybd_event.USER32(00000012,00000000), ref: 0011F501
MapVirtualKeyW.USER32(00000012,00000000), ref: 0011F50B
keybd_event.USER32(00000012,00000000), ref: 0011F510
MapVirtualKeyW.USER32(00000012,00000000), ref: 0011F519
keybd_event.USER32(00000012,00000000), ref: 0011F51E
MapVirtualKeyW.USER32(00000012,00000000), ref: 0011F528
keybd_event.USER32(00000012,00000000), ref: 0011F52D
SetForegroundWindow.USER32(00000000), ref: 0011F530
AttachThreadInput.USER32(?,000000FF,00000000), ref: 0011F557

Strings

Shell_TrayWnd, xrefs: 0011F46F

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: fa67de7864ebb8172223bfe342b5ca3bb656711e73e407d3f3b4fb43e5ade5c5
Instruction ID: b6074ddf2ee5d394851224cb2c93f1173152f61514ba9bf3f6673b8149705daf
Opcode Fuzzy Hash: fa67de7864ebb8172223bfe342b5ca3bb656711e73e407d3f3b4fb43e5ade5c5
Instruction Fuzzy Hash: 6D318D71B40318BEEB246FB55C4AFBF7E6DEB44B51F100069FA00EA1D1D7B05981AAA0

Function 00121201 Relevance: 35.2, APIs: 16, Strings: 4, Instructions: 241COMMON

Download Yara Rule

APIs

Part of subcall function 001216C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0012170D
Part of subcall function 001216C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0012173A
Part of subcall function 001216C3: GetLastError.KERNEL32 ref: 0012174A

LogonUserW.ADVAPI32(?,?,?,00000000,00000000,?), ref: 00121286
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 001212A8
CloseHandle.KERNEL32(?), ref: 001212B9
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 001212D1
GetProcessWindowStation.USER32 ref: 001212EA
SetProcessWindowStation.USER32(00000000), ref: 001212F4
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00121310

Part of subcall function 001210BF: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,001211FC), ref: 001210D4
Part of subcall function 001210BF: CloseHandle.KERNEL32(?,?,001211FC), ref: 001210E9

Strings

winsta0\default, xrefs: 00121392
winsta0, xrefs: 001212CC
, xrefs: 0012125A
default, xrefs: 0012130B

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLogonLookupPrivilegeUserValue
String ID: $default$winsta0$winsta0\default
API String ID: 22674027-1685893292
Opcode ID: e5b6dd5d5b58a16a34ba666ac145a2402c4af59c618c2efa02f2da4cfe31545c
Instruction ID: a5ec81c4a355613b55f8165e9c946ab9614473473f32ef94565e00f48ed500f4
Opcode Fuzzy Hash: e5b6dd5d5b58a16a34ba666ac145a2402c4af59c618c2efa02f2da4cfe31545c
Instruction Fuzzy Hash: C481AD71900359BFDF20EFA4EC49BEE7BB9EF14700F144129F915A62A0D7708AA4CB60

Function 00120B62 Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 001210F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00121114
Part of subcall function 001210F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00120B9B,?,?,?), ref: 00121120
Part of subcall function 001210F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00120B9B,?,?,?), ref: 0012112F
Part of subcall function 001210F9: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 00121136
Part of subcall function 001210F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0012114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00120BCC
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00120C00
GetLengthSid.ADVAPI32(?), ref: 00120C17
GetAce.ADVAPI32(?,00000000,?), ref: 00120C51
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00120C6D
GetLengthSid.ADVAPI32(?), ref: 00120C84
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00120C8C
RtlAllocateHeap.NTDLL(00000000), ref: 00120C93
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00120CB4
CopySid.ADVAPI32(00000000), ref: 00120CBB
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00120CEA
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00120D0C
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00120D1E
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00120D45
HeapFree.KERNEL32(00000000), ref: 00120D4C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00120D55
HeapFree.KERNEL32(00000000), ref: 00120D5C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00120D65
HeapFree.KERNEL32(00000000), ref: 00120D6C
GetProcessHeap.KERNEL32(00000000,?), ref: 00120D78
HeapFree.KERNEL32(00000000), ref: 00120D7F

Part of subcall function 00121193: GetProcessHeap.KERNEL32(00000008,00120BB1,?,00000000,?,00120BB1,?), ref: 001211A1
Part of subcall function 00121193: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 001211A8
Part of subcall function 00121193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00120BB1,?), ref: 001211B7

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocateDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4042927181-0
Opcode ID: e32eff31de3325c9b337da8195d85bfafbac9e399e12f8f8e9c326a62cce97ee
Instruction ID: 4c170a9acf8b738c55cc20a3bd803a9d51d08bcdd59c538f5d8ee7bb87b00b32
Opcode Fuzzy Hash: e32eff31de3325c9b337da8195d85bfafbac9e399e12f8f8e9c326a62cce97ee
Instruction Fuzzy Hash: ED716A7590131AEFDF11DFE4EC44BAEBBB8EF08311F044215F914AA292D771AA55CBA0

Function 0013EAFF Relevance: 30.2, APIs: 20, Instructions: 191clipboardfileCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(0015CC08), ref: 0013EB29
IsClipboardFormatAvailable.USER32(0000000D), ref: 0013EB37
GetClipboardData.USER32(0000000D), ref: 0013EB43
CloseClipboard.USER32 ref: 0013EB4F
GlobalLock.KERNEL32(00000000), ref: 0013EB87
CloseClipboard.USER32 ref: 0013EB91
GlobalUnlock.KERNEL32(00000000), ref: 0013EBBC
IsClipboardFormatAvailable.USER32(00000001), ref: 0013EBC9
GetClipboardData.USER32(00000001), ref: 0013EBD1
GlobalLock.KERNEL32(00000000), ref: 0013EBE2
GlobalUnlock.KERNEL32(00000000), ref: 0013EC22
IsClipboardFormatAvailable.USER32(0000000F), ref: 0013EC38
GetClipboardData.USER32(0000000F), ref: 0013EC44
GlobalLock.KERNEL32(00000000), ref: 0013EC55
DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 0013EC77
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 0013EC94
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 0013ECD2
GlobalUnlock.KERNEL32(00000000), ref: 0013ECF3
CountClipboardFormats.USER32 ref: 0013ED14
CloseClipboard.USER32 ref: 0013ED59

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID: Clipboard$Global$AvailableCloseDataDragFileFormatLockQueryUnlock$CountFormatsOpen
String ID:
API String ID: 420908878-0
Opcode ID: 8c3ba023c0f42371a27b057261cfa6f3578e18d811f6351b3f5e4e7e8f933977
Instruction ID: 64c18a18df515a6f6d969ca9bba311ca4801362ac9f3bb187aacb7dff6a02174
Opcode Fuzzy Hash: 8c3ba023c0f42371a27b057261cfa6f3578e18d811f6351b3f5e4e7e8f933977
Instruction Fuzzy Hash: EB61AB34204301AFD310EF64D899F6AB7E4EF84714F14455DF4569B2E2CB71EA85CBA2

Function 0015911E Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 181windowfilenativeCOMMON

Download Yara Rule

APIs

Part of subcall function 000D9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 000D9BB2

DragQueryPoint.SHELL32(?,?), ref: 00159147

Part of subcall function 00157674: ClientToScreen.USER32(?,?), ref: 0015769A
Part of subcall function 00157674: GetWindowRect.USER32(?,?), ref: 00157710
Part of subcall function 00157674: PtInRect.USER32(?,?,00158B89), ref: 00157720

SendMessageW.USER32(?,000000B0,?,?), ref: 001591B0
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 001591BB
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 001591DE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 00159225
SendMessageW.USER32(?,000000B0,?,?), ref: 0015923E
SendMessageW.USER32(?,000000B1,?,?), ref: 00159255
SendMessageW.USER32(?,000000B1,?,?), ref: 00159277
DragFinish.SHELL32(?), ref: 0015927E
NtdllDialogWndProc_W.NTDLL(?,00000233,?,00000000,?,?,?), ref: 00159371

Strings

@GUI_DRAGFILE, xrefs: 00159320
@GUI_DRAGID, xrefs: 001592E9
@GUI_DROPID, xrefs: 0015929E

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientDialogFinishLongNtdllPointProc_Screen
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
API String ID: 4085959399-3440237614
Opcode ID: 078cf8b7e48262ff321ece034b428be1f9f86e958bb145b396c38ba37c21c808
Instruction ID: 8f56bcae9c06a40d9ba44279aef907fe2b3af17fbbcf772b7234567bf0220311
Opcode Fuzzy Hash: 078cf8b7e48262ff321ece034b428be1f9f86e958bb145b396c38ba37c21c808
Instruction Fuzzy Hash: 7D616B71108301EFD701EF64DC85EAFBBE8EF89750F00092EF5A5961A1DB709A49CB92

Function 0013698F Relevance: 21.4, APIs: 7, Strings: 5, Instructions: 363timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 001369BE
FindClose.KERNEL32(00000000), ref: 00136A12
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00136A4E
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00136A75

Part of subcall function 000C9CB3: _wcslen.LIBCMT ref: 000C9CBD

FileTimeToSystemTime.KERNEL32(?,?), ref: 00136AB2
FileTimeToSystemTime.KERNEL32(?,?), ref: 00136ADF

Strings

%4d%02d%02d%02d%02d%02d%03d, xrefs: 00136B32
%4d, xrefs: 00136BB1
%03d, xrefs: 00136DA2
%02d, xrefs: 00136C00, 00136C0A, 00136C5A, 00136CAA, 00136CFA, 00136D4A
%4d%02d%02d%02d%02d%02d, xrefs: 00136B6A

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID: Time$File$FindLocalSystem$CloseFirst_wcslen
String ID: %02d$%03d$%4d$%4d%02d%02d%02d%02d%02d$%4d%02d%02d%02d%02d%02d%03d
API String ID: 3830820486-3289030164
Opcode ID: e3639dc052709c74d54c9613c25ece9f9bc040e327591c5eb2902c8287f873e1
Instruction ID: ae95291748b613a023416962041e84ca580752b6d6bfca8e34f67b561b9f8e14
Opcode Fuzzy Hash: e3639dc052709c74d54c9613c25ece9f9bc040e327591c5eb2902c8287f873e1
Instruction Fuzzy Hash: 43D14171508340AFC714EBA4C886EAFB7ECAF88704F44491DF589D7192EB74DA49CB62

Function 00139642 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 118fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 00139663
GetFileAttributesW.KERNEL32(?), ref: 001396A1
SetFileAttributesW.KERNEL32(?,?), ref: 001396BB
FindNextFileW.KERNEL32(00000000,?), ref: 001396D3
FindClose.KERNEL32(00000000), ref: 001396DE
FindFirstFileW.KERNEL32(*.*,?), ref: 001396FA
SetCurrentDirectoryW.KERNEL32(?), ref: 0013974A
SetCurrentDirectoryW.KERNEL32(00186B7C), ref: 00139768
FindNextFileW.KERNEL32(00000000,00000010), ref: 00139772
FindClose.KERNEL32(00000000), ref: 0013977F
FindClose.KERNEL32(00000000), ref: 0013978F

Strings

*.*, xrefs: 001396F5

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1409584000-438819550
Opcode ID: 22cac37931d8a3bd398360795bb55ed5066e73643b7fbc3c96c03bd8f0185c52
Instruction ID: ca328e2ce59952a3fe0ba1af424e2579a1362189401a65fd945e64ebeb9ef132
Opcode Fuzzy Hash: 22cac37931d8a3bd398360795bb55ed5066e73643b7fbc3c96c03bd8f0185c52
Instruction Fuzzy Hash: 1631F13264131AAFDF14AFB4DC49ADE77ACAF09322F144055F915E60E0EBB4DE848E90

Function 0013979D Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 111fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 001397BE
FindNextFileW.KERNEL32(00000000,?), ref: 00139819
FindClose.KERNEL32(00000000), ref: 00139824
FindFirstFileW.KERNEL32(*.*,?), ref: 00139840
SetCurrentDirectoryW.KERNEL32(?), ref: 00139890
SetCurrentDirectoryW.KERNEL32(00186B7C), ref: 001398AE
FindNextFileW.KERNEL32(00000000,00000010), ref: 001398B8
FindClose.KERNEL32(00000000), ref: 001398C5
FindClose.KERNEL32(00000000), ref: 001398D5

Part of subcall function 0012DAE5: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 0012DB00

Strings

*.*, xrefs: 0013983B

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 2640511053-438819550
Opcode ID: 5eb7a3c5a5a6d2922a9190e7b573a9ce56da2599c7278b2dcfbfce378315a26a
Instruction ID: c4c14ed6f4700d1a6af0bbb87d468a715dab0e2e164c30e89f66f9bf9a11c78f
Opcode Fuzzy Hash: 5eb7a3c5a5a6d2922a9190e7b573a9ce56da2599c7278b2dcfbfce378315a26a
Instruction Fuzzy Hash: 2D31D23250035EAEDF10EFB4EC48ADE77ACAF46325F1441A5E950A60A1DBB4DE84CF60

Function 0014BE44 Relevance: 17.0, APIs: 11, Instructions: 456registryCOMMON

Download Yara Rule

APIs

Part of subcall function 0014C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0014B6AE,?,?), ref: 0014C9B5
Part of subcall function 0014C998: _wcslen.LIBCMT ref: 0014C9F1
Part of subcall function 0014C998: _wcslen.LIBCMT ref: 0014CA68
Part of subcall function 0014C998: _wcslen.LIBCMT ref: 0014CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0014BF3E
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?), ref: 0014BFA9
RegCloseKey.ADVAPI32(00000000), ref: 0014BFCD
RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 0014C02C
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 0014C0E7
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 0014C154
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 0014C1E9
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,00000000,?,?,?,00000000), ref: 0014C23A
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 0014C2E3
RegCloseKey.ADVAPI32(?,?,00000000), ref: 0014C382
RegCloseKey.ADVAPI32(00000000), ref: 0014C38F

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID: QueryValue$Close_wcslen$BuffCharConnectOpenRegistryUpper
String ID:
API String ID: 3102970594-0
Opcode ID: 94abd5fe760f0fa32bccb4a530cc491d00ccd5ab25549c727cb8f576fe7bb7f1
Instruction ID: cd0f45c9572e17e7d7f7db2bce3539f81c6be2cbd2c99906dd394873f8886232
Opcode Fuzzy Hash: 94abd5fe760f0fa32bccb4a530cc491d00ccd5ab25549c727cb8f576fe7bb7f1
Instruction Fuzzy Hash: 2B023C716042009FD754DF28C895E2ABBE5EF89318F18C49DF84ACB2A2DB31ED45CB91

Function 00138195 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 186timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00138257
SystemTimeToFileTime.KERNEL32(?,?), ref: 00138267
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00138273
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00138310
SetCurrentDirectoryW.KERNEL32(?), ref: 00138324
SetCurrentDirectoryW.KERNEL32(?), ref: 00138356
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 0013838C
SetCurrentDirectoryW.KERNEL32(?), ref: 00138395

Strings

*.*, xrefs: 0013839B

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local$System
String ID: *.*
API String ID: 1464919966-438819550
Opcode ID: 0227471207b35da640898383196047b24832fd22777622af880b10d4c5b4da6c
Instruction ID: 85d21375b86c2f073419f34e2cc51610a4901858191ae54d321f1c4cf9de86ca
Opcode Fuzzy Hash: 0227471207b35da640898383196047b24832fd22777622af880b10d4c5b4da6c
Instruction Fuzzy Hash: 226169725043459FCB10EF60C841EAEB3E8FF89314F04892EF98997252DB35E949CB92

Function 0012D076 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 172fileCOMMON

Download Yara Rule

APIs

Part of subcall function 000C3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,000C3A97,?,?,000C2E7F,?,?,?,00000000), ref: 000C3AC2

Part of subcall function 0012E199: GetFileAttributesW.KERNEL32(?,0012CF95), ref: 0012E19A

FindFirstFileW.KERNEL32(?,?), ref: 0012D122
DeleteFileW.KERNEL32(?,?,?,?,?,00000000,?,?,?), ref: 0012D1DD
MoveFileW.KERNEL32(?,?), ref: 0012D1F0
DeleteFileW.KERNEL32(?,?,?,?), ref: 0012D20D
FindNextFileW.KERNEL32(00000000,00000010), ref: 0012D237

Part of subcall function 0012D29C: CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,0012D21C,?,?), ref: 0012D2B2

FindClose.KERNEL32(00000000,?,?,?), ref: 0012D253
FindClose.KERNEL32(00000000), ref: 0012D264

Strings

\*.*, xrefs: 0012D0CD, 0012D0D6, 0012D0EB

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID: File$Find$CloseDelete$AttributesCopyFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 1946585618-1173974218
Opcode ID: 51e93801966d11672305dd84d5ecabb6494d94889eeca28a5070c7e8707d438b
Instruction ID: 6f7c3366f8023294738cedc79e3bf108b9ddda3f654fbfb08451f2ee71fd5cbf
Opcode Fuzzy Hash: 51e93801966d11672305dd84d5ecabb6494d94889eeca28a5070c7e8707d438b
Instruction Fuzzy Hash: 6E615C3190125D9FCF05EBA0EA92EEDB7B5AF15300F608169E40277192EB30AF19CB61

Function 0013ED6A Relevance: 13.6, APIs: 9, Instructions: 102clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 0013ED91
EmptyClipboard.USER32 ref: 0013ED97
GlobalAlloc.KERNEL32(00000002,?), ref: 0013EDAC
CloseClipboard.USER32 ref: 0013EEA3

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: 5ce4e1e0c0381c005689909ee4497b58d7df05a4acc250afbf85b31538a0779a
Instruction ID: 45ddf7d4db2b3db4d5dd696e289fb0e351c12449a1f439e0f4ed8fc0e9369192
Opcode Fuzzy Hash: 5ce4e1e0c0381c005689909ee4497b58d7df05a4acc250afbf85b31538a0779a
Instruction Fuzzy Hash: 5A416A35604711EFE710DF15D888F5ABBE5EF44329F1480A9E4198FAA2C735ED82CB90

Function 0012E8F6 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 57shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 001216C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0012170D
Part of subcall function 001216C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0012173A
Part of subcall function 001216C3: GetLastError.KERNEL32 ref: 0012174A

ExitWindowsEx.USER32(?,00000000), ref: 0012E932

Strings

SeShutdownPrivilege, xrefs: 0012E902
@, xrefs: 0012E925
, xrefs: 0012E95C
, xrefs: 0012E920

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $ $@$SeShutdownPrivilege
API String ID: 2234035333-3163812486
Opcode ID: 83d9d6c01d07755ec08e1bc4ca280104463bb34e2baf8417bb0ac3c54b601a94
Instruction ID: a89eb6d170ddfca038460e8f77f5ec637d4abc1daa477d6aa957b370952dc7ff
Opcode Fuzzy Hash: 83d9d6c01d07755ec08e1bc4ca280104463bb34e2baf8417bb0ac3c54b601a94
Instruction Fuzzy Hash: 9801D672A10331AFEF5466B8BC8ABBF729CA724759F150423F902E61D1E7A05CE4C6D4

Function 00141204 Relevance: 12.1, APIs: 8, Instructions: 113networkCOMMON

Download Yara Rule

APIs

socket.WS2_32(00000002,00000001,00000006), ref: 00141276
WSAGetLastError.WS2_32 ref: 00141283
bind.WS2_32(00000000,?,00000010), ref: 001412BA
WSAGetLastError.WS2_32 ref: 001412C5
closesocket.WS2_32(00000000), ref: 001412F4
listen.WS2_32(00000000,00000005), ref: 00141303
WSAGetLastError.WS2_32 ref: 0014130D
closesocket.WS2_32(00000000), ref: 0014133C

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID: ErrorLast$closesocket$bindlistensocket
String ID:
API String ID: 540024437-0
Opcode ID: f9679bd45e53834dda22d521b08eb8560b06dccd83a2d7f98d718ebed6c76f1f
Instruction ID: 328f79ed3a120bed43919b1aed8ea51e3b189a4dcc9f1ed55a3d42eb6d1d934c
Opcode Fuzzy Hash: f9679bd45e53834dda22d521b08eb8560b06dccd83a2d7f98d718ebed6c76f1f
Instruction Fuzzy Hash: 9D414E31600200AFD714DF64C485F69BBE6BF46318F288198E8569F2A6C771EDC2CBE1

Function 00128298 Relevance: 11.1, APIs: 1, Strings: 6, Instructions: 568stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 001282AA

Strings

AddRef, xrefs: 00128581
|, xrefs: 001282DA
InterfaceDispatch, xrefs: 00128461
(, xrefs: 001282F0
Release, xrefs: 001285C9
QueryInterface, xrefs: 001284F4

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID: lstrlen
String ID: ($AddRef$InterfaceDispatch$QueryInterface$Release$|
API String ID: 1659193697-2318614619
Opcode ID: 33d203fba6ed5718d4a4644130a92062c1e739db583ce0dc3777b78ff891ef3c
Instruction ID: de142dacf061b0bcea1a70d23d5400b6179f202124812df7364798c8645f5f2e
Opcode Fuzzy Hash: 33d203fba6ed5718d4a4644130a92062c1e739db583ce0dc3777b78ff891ef3c
Instruction Fuzzy Hash: 78323474A007159FCB28CF19D481AAAB7F0FF48710B15C46EE49ADB3A1EB70E991CB50

Function 0012D3A9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91fileCOMMON

Download Yara Rule

APIs

Part of subcall function 000C3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,000C3A97,?,?,000C2E7F,?,?,?,00000000), ref: 000C3AC2

Part of subcall function 0012E199: GetFileAttributesW.KERNEL32(?,0012CF95), ref: 0012E19A

FindFirstFileW.KERNEL32(?,?), ref: 0012D420
DeleteFileW.KERNEL32(?,?,?,?), ref: 0012D470
FindNextFileW.KERNEL32(00000000,00000010), ref: 0012D481
FindClose.KERNEL32(00000000), ref: 0012D498
FindClose.KERNEL32(00000000), ref: 0012D4A1

Strings

\*.*, xrefs: 0012D3F2

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
String ID: \*.*
API String ID: 2649000838-1173974218
Opcode ID: eab70205fa86c4af982cd8ac11435cdae5922b17e51e0314b32b093cf02392b1
Instruction ID: ca41c5c4da0b3f02345ba387cd78b02c9f1eee507c027a6e337c0c728e175678
Opcode Fuzzy Hash: eab70205fa86c4af982cd8ac11435cdae5922b17e51e0314b32b093cf02392b1
Instruction Fuzzy Hash: 41316F310083959FC204EF64E855DEF77A8AF96314F444A1DF4D153192EB30AA19CB63

Function 000FE4FF Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1381COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 000FE645

Strings

1#SNAN, xrefs: 000FF844
1#QNAN, xrefs: 000FF84B
1#IND, xrefs: 000FF83D
1#INF, xrefs: 000FF852

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: 34d9f2d45f9533c6b358f12e7917ce322b9070a1e395aa0335b0c3b43628a890
Instruction ID: facc1f046acf5843595898a69fe43feaab5f4c898d87d0ecd95efaec6ec0be1b
Opcode Fuzzy Hash: 34d9f2d45f9533c6b358f12e7917ce322b9070a1e395aa0335b0c3b43628a890
Instruction Fuzzy Hash: A4C25872E086298FDB64CE28DD407FAB7B5EB44304F1441EADA0DE7651E778AE819F40

Function 0013648E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 367comCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 001364DC
CoInitialize.OLE32(00000000), ref: 00136639
CoCreateInstance.COMBASE(0015FCF8,00000000,00000001,0015FB68,?), ref: 00136650
CoUninitialize.COMBASE ref: 001368D4

Strings

.lnk, xrefs: 001364BA, 00136524, 001365E0

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_wcslen
String ID: .lnk
API String ID: 886957087-24824748
Opcode ID: d6b0996d9206fc375cdee839d500a71eb8b814238760d8010bbc8952bb88a228
Instruction ID: ce5be1620e316509957a47a630d095e63d83f84d983e290b7717e0c6659eb2b3
Opcode Fuzzy Hash: d6b0996d9206fc375cdee839d500a71eb8b814238760d8010bbc8952bb88a228
Instruction Fuzzy Hash: 2BD12A71508301AFD314EF24C881EABB7E8EF99704F50896DF5558B292DB71E906CB92

Function 001422DA Relevance: 9.1, APIs: 6, Instructions: 103COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,00000000), ref: 001422E8

Part of subcall function 0013E4EC: GetWindowRect.USER32(?,?), ref: 0013E504

GetDesktopWindow.USER32 ref: 00142312
GetWindowRect.USER32(00000000), ref: 00142319
mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 00142355
GetCursorPos.USER32(?), ref: 00142381
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 001423DF

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForeground
String ID:
API String ID: 2387181109-0
Opcode ID: 8bcbea19aaf3aa5cd6231f3c552353996514b9c512a5bc241ea563266d5c2cf2
Instruction ID: 34249d109f7c249f7585bf60807f20b4b3efabb2c542f6a6f981bb03cbf00d97
Opcode Fuzzy Hash: 8bcbea19aaf3aa5cd6231f3c552353996514b9c512a5bc241ea563266d5c2cf2
Instruction Fuzzy Hash: B131DE72504315AFCB20DF54D849B9BBBE9FF88314F400A19F9859B191DB74EA88CBD2

Function 00139B2B Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 119filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 000C9CB3: _wcslen.LIBCMT ref: 000C9CBD

FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 00139B78
FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 00139C8B

Part of subcall function 00133874: GetInputState.USER32 ref: 001338CB
Part of subcall function 00133874: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00133966

Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 00139BA8
FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 00139C75

Strings

*.*, xrefs: 00139B5D

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID: Find$File$CloseFirstInputMessageNextPeekSleepState_wcslen
String ID: *.*
API String ID: 1972594611-438819550
Opcode ID: 31f5ca7a8258982ab6b8af381bd1cf3a964912dd2c84318730d2fe3734d4770f
Instruction ID: 84e00c77be1a4f644101be8d447ee1ff954f64f310b71f49594754ac97c27627
Opcode Fuzzy Hash: 31f5ca7a8258982ab6b8af381bd1cf3a964912dd2c84318730d2fe3734d4770f
Instruction Fuzzy Hash: 1F41407190420A9FDF15DFA4C989EEEBBB8EF05311F244159E815A7191EB709E84CFA0

Function 000D997D Relevance: 7.9, APIs: 5, Instructions: 375nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 000D9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 000D9BB2

NtdllDialogWndProc_W.NTDLL(?,?,?,?,?), ref: 000D9A4E
GetSysColor.USER32(0000000F), ref: 000D9B23
SetBkColor.GDI32(?,00000000), ref: 000D9B36

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID: Color$DialogLongNtdllProc_Window
String ID:
API String ID: 1958858920-0
Opcode ID: 48c011ad5ecc2b97f36ea975d01babe8c9866c361953640fca2d578ea7dfac06
Instruction ID: c3ab8990297ea0961d8dc42fe186d89394f93761fe7e66a009944c2a2610ac99
Opcode Fuzzy Hash: 48c011ad5ecc2b97f36ea975d01babe8c9866c361953640fca2d578ea7dfac06
Instruction Fuzzy Hash: E9A1F771208604FEE739AA2C8C59DBF36ADDB42350F15021BF512DABD1DB259D81D2B3

Function 00141806 Relevance: 7.7, APIs: 5, Instructions: 153networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0014304E: inet_addr.WS2_32(?), ref: 0014307A
Part of subcall function 0014304E: _wcslen.LIBCMT ref: 0014309B

socket.WS2_32(00000002,00000002,00000011), ref: 0014185D
WSAGetLastError.WS2_32 ref: 00141884
bind.WS2_32(00000000,?,00000010), ref: 001418DB
WSAGetLastError.WS2_32 ref: 001418E6
closesocket.WS2_32(00000000), ref: 00141915

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID: ErrorLast$_wcslenbindclosesocketinet_addrsocket
String ID:
API String ID: 1601658205-0
Opcode ID: 491d9c86a2d6e8d2d4530bac21b3b5c31f1591f8a5136992f6971d62ce9714a9
Instruction ID: d743a702904d5f1eac80f92ddf855cca5d642b8fb4d5128690956551c9e690f7
Opcode Fuzzy Hash: 491d9c86a2d6e8d2d4530bac21b3b5c31f1591f8a5136992f6971d62ce9714a9
Instruction Fuzzy Hash: DB518275A00210AFEB10AF24C886F6E77E5AF44718F58845CF91A5F3D3D771AD828BA1

Function 00151C41 Relevance: 7.6, APIs: 5, Instructions: 83windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 00151CC0
IsWindowEnabled.USER32 ref: 00151CCE
GetForegroundWindow.USER32(?,?,00000001,?), ref: 00151CDB
IsIconic.USER32 ref: 00151CE9
IsZoomed.USER32 ref: 00151CF7

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: 13a66b7beb6374fab52516edf751ddb28216864d788645bef08e4b7307368efe
Instruction ID: 7eaf7446c71c640527b3a4b6254985b7820eff138de8e003c54c855acc3a8c2c
Opcode Fuzzy Hash: 13a66b7beb6374fab52516edf751ddb28216864d788645bef08e4b7307368efe
Instruction Fuzzy Hash: 59219131740211EFD7228F1AC884F6A7BA5AF95326B59806CEC5A8F351D772EC46CB90

Function 000C8060 Relevance: 7.4, Strings: 5, Instructions: 1151COMMON

Download Yara Rule

Strings

VUUU, xrefs: 000C83E8
VUUU, xrefs: 000C843C
VUUU, xrefs: 000C83FA
ERCP, xrefs: 000C813C
VUUU, xrefs: 00105DF0

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID:
String ID: ERCP$VUUU$VUUU$VUUU$VUUU
API String ID: 0-1546025612
Opcode ID: 0ac5fca57935855bef588b8e1e422e2c109edec0d239854d71dd5114d4a01200
Instruction ID: bcb9f5da3d53189d31ad1bfc75a8ed28ccc248fb836e8312290ebb979463bdca
Opcode Fuzzy Hash: 0ac5fca57935855bef588b8e1e422e2c109edec0d239854d71dd5114d4a01200
Instruction Fuzzy Hash: E6A28470E0061ACBDF34CF58C944BAEB7B2BF54310F2481AAE855A7285EBB49D91CF54

Function 0014A67C Relevance: 6.2, APIs: 4, Instructions: 175processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0014A6AC
Process32FirstW.KERNEL32(00000000,?), ref: 0014A6BA

Part of subcall function 000C9CB3: _wcslen.LIBCMT ref: 000C9CBD

Process32NextW.KERNEL32(00000000,?), ref: 0014A79C
CloseHandle.KERNEL32(00000000), ref: 0014A7AB

Part of subcall function 000DCE60: CompareStringW.KERNEL32(00000409,00000001,?,00000000,00000000,?,?,00000000,?,00103303,?), ref: 000DCE8A

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32_wcslen
String ID:
API String ID: 1991900642-0
Opcode ID: b8e05f29fb15c69b446e410cf257442d784840ad87bdf86fb7c3afec91dda3d3
Instruction ID: e16b1ae372f47376193db9afcd8ea7ffa8e1e89b6d6fe7ad8de9fb20bd11fbfc
Opcode Fuzzy Hash: b8e05f29fb15c69b446e410cf257442d784840ad87bdf86fb7c3afec91dda3d3
Instruction Fuzzy Hash: 895108715083019FD710DF24C886EAEBBE8FF89754F40491DF59A972A2EB31D905CBA2

Function 0012AA57 Relevance: 6.1, APIs: 4, Instructions: 107keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000001,00000040,00000000), ref: 0012AAAC
SetKeyboardState.USER32(00000080), ref: 0012AAC8
PostMessageW.USER32(?,00000102,00000001,00000001), ref: 0012AB36
SendInput.USER32(00000001,?,0000001C,00000001,00000040,00000000), ref: 0012AB88

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 0db559f4b03878ec7e1a2c6d28bd689e3a5a77039898dc7a9b1ca5d4e7bf34da
Instruction ID: 54da06744b220e1ca42f67a3b4830adb48a13c7bbdabfeab80d90d2aa51dc230
Opcode Fuzzy Hash: 0db559f4b03878ec7e1a2c6d28bd689e3a5a77039898dc7a9b1ca5d4e7bf34da
Instruction Fuzzy Hash: C6314B30A40328AFFF35CB68EC05BFE7BA6AF54310F84421AF581961D0D37599A5C7A2

Function 000FBB6F Relevance: 6.1, APIs: 4, Instructions: 90timeCOMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 000FBB7F

Part of subcall function 000F29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,000FD7D1,00000000,00000000,00000000,00000000,?,000FD7F8,00000000,00000007,00000000,?,000FDBF5,00000000), ref: 000F29DE
Part of subcall function 000F29C8: GetLastError.KERNEL32(00000000,?,000FD7D1,00000000,00000000,00000000,00000000,?,000FD7F8,00000000,00000007,00000000,?,000FDBF5,00000000,00000000), ref: 000F29F0

GetTimeZoneInformation.KERNEL32 ref: 000FBB91
WideCharToMultiByte.KERNEL32(00000000,?,0019121C,000000FF,?,0000003F,?,?), ref: 000FBC09
WideCharToMultiByte.KERNEL32(00000000,?,00191270,000000FF,?,0000003F,?,?,?,0019121C,000000FF,?,0000003F,?,?), ref: 000FBC36

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorFreeHeapInformationLastTimeZone_free
String ID:
API String ID: 806657224-0
Opcode ID: 90aa526f38ae39ac14c3b668bccdb05885322536b6ca227edbc99cd758e670d4
Instruction ID: b52ce7266dbe96fa00a77154ddad002a8e3adff342dc029dea6753d5e5afef01
Opcode Fuzzy Hash: 90aa526f38ae39ac14c3b668bccdb05885322536b6ca227edbc99cd758e670d4
Instruction Fuzzy Hash: 5131A27090420AEFCB11EF69DC8047EBBF8BF45750724429AE150DBAA1D7709A80EF90

Function 00158FC9 Relevance: 6.1, APIs: 4, Instructions: 78nativewindowCOMMON

Download Yara Rule

APIs

Part of subcall function 000D9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 000D9BB2

GetCursorPos.USER32(?), ref: 00159001
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00117711,?,?,?,?,?), ref: 00159016
GetCursorPos.USER32(?), ref: 0015905E
NtdllDialogWndProc_W.NTDLL(?,0000007B,?,?,?,?,?,?,?,?,?,?,00117711,?,?,?), ref: 00159094

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID: Cursor$DialogLongMenuNtdllPopupProc_TrackWindow
String ID:
API String ID: 1423138444-0
Opcode ID: 154f570a801746f7022aeb44770450b0f631019da8c63c48abe7b944f6167111
Instruction ID: cf22a47d30bdf5b855917b3c525a431db38ae4eff93a76b6030cb80bf5059dec
Opcode Fuzzy Hash: 154f570a801746f7022aeb44770450b0f631019da8c63c48abe7b944f6167111
Instruction Fuzzy Hash: 86219F35600118FFCB258F94CC58EEB7BB9EB49352F044555F9154F2A1D3319990EBA1

Function 0013CE44 Relevance: 6.1, APIs: 4, Instructions: 75filenetworkCOMMON

Download Yara Rule

APIs

InternetReadFile.WININET(?,?,00000400,?), ref: 0013CE89
GetLastError.KERNEL32(?,00000000), ref: 0013CEEA
SetEvent.KERNEL32(?,?,00000000), ref: 0013CEFE

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID: ErrorEventFileInternetLastRead
String ID:
API String ID: 234945975-0
Opcode ID: bbc772686462004a84a4fcca903c857c03f7f69c5bec48bd7ffd1422f7e9ec06
Instruction ID: c6be232bac8370517148c79276cf7bdb498aca5f1b8d4203b6c2f6c7288562ea
Opcode Fuzzy Hash: bbc772686462004a84a4fcca903c857c03f7f69c5bec48bd7ffd1422f7e9ec06
Instruction Fuzzy Hash: 6A21BAB1500705EFEB20DFA5C948BAABBFCEB40358F10442EE646A6151E770EE448BA0

Function 00135C97 Relevance: 4.6, APIs: 3, Instructions: 138fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00135CC1
FindNextFileW.KERNEL32(00000000,?), ref: 00135D17
FindClose.KERNEL32(?), ref: 00135D5F

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID: Find$File$CloseFirstNext
String ID:
API String ID: 3541575487-0
Opcode ID: 5ab90fd189ef964972b0bf39a30d8b5f3d414be77f9a72bf1417a8e9244de93c
Instruction ID: d6588f328656fa5a9ff5216632ccc0ed825dc2bc19ce010cfd1c18eca090a039
Opcode Fuzzy Hash: 5ab90fd189ef964972b0bf39a30d8b5f3d414be77f9a72bf1417a8e9244de93c
Instruction Fuzzy Hash: 19518874604B019FC718CF68C494E9AB7E5FF49324F14855EE99A8B3A2CB30ED45CB91

Function 000F2622 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 000F271A
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 000F2724
UnhandledExceptionFilter.KERNEL32(?), ref: 000F2731

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 2ed8c6f8099ee39833d07d86007028c6d7428354f2c686701a00e6e74d1fa1a6
Instruction ID: 503d0e49cdbd4f5d9859389cdbedd17b651b57b5171377a6f43db7bef4a3651d
Opcode Fuzzy Hash: 2ed8c6f8099ee39833d07d86007028c6d7428354f2c686701a00e6e74d1fa1a6
Instruction Fuzzy Hash: 2F31B47491131CDBCB61EF65DC897D9B7B8AF18310F5041EAE41CA6261E7709F818F45

Function 001351CD Relevance: 4.6, APIs: 3, Instructions: 76COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 001351DA
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00135238
SetErrorMode.KERNEL32(00000000), ref: 001352A1

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: f431f0b672b50d54a61cd643490acfcdb6c9bf345541bd30f7ff82880df4b6f6
Instruction ID: da583d01b93b81c1d22b092f28e4ab961b2920ed3efca2804f5f2d6a22019db5
Opcode Fuzzy Hash: f431f0b672b50d54a61cd643490acfcdb6c9bf345541bd30f7ff82880df4b6f6
Instruction Fuzzy Hash: B6312F75A00618DFDB00DF54D884FAEBBB5FF49314F448099E8099B352DB71E856CB90

Function 001216C3 Relevance: 4.6, APIs: 3, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 000DFDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 000E0668
Part of subcall function 000DFDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 000E0685

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0012170D
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0012173A
GetLastError.KERNEL32 ref: 0012174A

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID: Exception@8Throw$AdjustErrorLastLookupPrivilegePrivilegesTokenValue
String ID:
API String ID: 577356006-0
Opcode ID: 52ba3a08c991e767019e25994730ab2c6d764abcb9f1367d7babd09cc3bc4253
Instruction ID: dd6456e5fb9edd36784c2567934c126a314c7690a2b819000fe6adbe30d57025
Opcode Fuzzy Hash: 52ba3a08c991e767019e25994730ab2c6d764abcb9f1367d7babd09cc3bc4253
Instruction Fuzzy Hash: 4F1191B2404305BFD718DF54EC86DABB7BAEB44725B20852EF05657641EB70BC51CA60

Function 0012D5EB Relevance: 4.6, APIs: 3, Instructions: 58fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 0012D608
DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 0012D645
CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 0012D650

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle
String ID:
API String ID: 33631002-0
Opcode ID: dc30ee7cee2f6e1cc73734792fcc4bf832d1de54d8b1fc552a12676bb6fb3753
Instruction ID: 175c35e730bdfe0af6229cc78e2c436d0b275f9c6f266c8003388e706aa71db5
Opcode Fuzzy Hash: dc30ee7cee2f6e1cc73734792fcc4bf832d1de54d8b1fc552a12676bb6fb3753
Instruction Fuzzy Hash: D4112A75A05328BFDB108F95EC45BAFBBBCEB45B50F108115F914A7290D6704A058BE1

Function 00121663 Relevance: 4.5, APIs: 3, Instructions: 40memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 0012168C
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 001216A1
FreeSid.ADVAPI32(?), ref: 001216B1

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: 76124bd3b3aa1ffe34d436ba771debc7ec2139a71cf29ea34f3be660b1919f2e
Instruction ID: 9755391efd243871cd512cf0776f58ce490adcc57a80c436b7057bc31fb146d8
Opcode Fuzzy Hash: 76124bd3b3aa1ffe34d436ba771debc7ec2139a71cf29ea34f3be660b1919f2e
Instruction Fuzzy Hash: F1F0F475950309FFDB00DFE49C89AAEBBBCFB08605F504565E501E6181E774AA848A90

Function 000E4CE8 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(000F28E9,?,000E4CBE,000F28E9,001888B8,0000000C,000E4E15,000F28E9,00000002,00000000,?,000F28E9), ref: 000E4D09
TerminateProcess.KERNEL32(00000000,?,000E4CBE,000F28E9,001888B8,0000000C,000E4E15,000F28E9,00000002,00000000,?,000F28E9), ref: 000E4D10
ExitProcess.KERNEL32 ref: 000E4D22

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 66f8686cbf4736b9a9c41be0c083c6917ea6fb9b471e8d7654a85c7517337271
Instruction ID: 7de24a0c3dc984b89390039695ef4fcf811715bcdd8066b4b8912559b1620468
Opcode Fuzzy Hash: 66f8686cbf4736b9a9c41be0c083c6917ea6fb9b471e8d7654a85c7517337271
Instruction Fuzzy Hash: B2E0B631005788EFCF51AF55DD09A983F69FF81792B108054FD05DA623CB35DD82DA80

Function 0011D27A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 0011D28C

Strings

X64, xrefs: 0011D2A8

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID: NameUser
String ID: X64
API String ID: 2645101109-893830106
Opcode ID: b3f74d578713cff5cf66f419bd28fa7afd30c0439f0c257ef254a4031173e3f2
Instruction ID: 10607fe7b41f377026fca243f8ce891669d7aba2b04a70328e63fd852b3f4a07
Opcode Fuzzy Hash: b3f74d578713cff5cf66f419bd28fa7afd30c0439f0c257ef254a4031173e3f2
Instruction Fuzzy Hash: AFD0C9B480121DEECF94CB90EC88DDDB7BCBB04305F100152F106A2140D77495888F20

Function 000ECAA0 Relevance: 3.5, APIs: 2, Instructions: 464COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction ID: d18c819ce543c4553193f1225d589858fb06fe27032c3b3b226e889b80d46367
Opcode Fuzzy Hash: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction Fuzzy Hash: 48020D71E012599FEF14CFA9C880AADFBF1EF48314F25416AD919F7384D731A9428B94

Function 000D97C0 Relevance: 3.1, APIs: 2, Instructions: 80nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 000D9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 000D9BB2

Part of subcall function 000D9944: GetWindowLongW.USER32(?,000000EB), ref: 000D9952

GetParent.USER32(?), ref: 001173A3
NtdllDialogWndProc_W.NTDLL(?,00000133,?,?,?,?), ref: 0011742D

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID: LongWindow$DialogNtdllParentProc_
String ID:
API String ID: 314495775-0
Opcode ID: 96cbfb0f31c73e947292ad9f2e3efa4ba3af7499425afa2bf6889cf39f8ab991
Instruction ID: 487850fd49fbad327cf6b24c655d2cb0436644851d9b7d05ed36468fe167e419
Opcode Fuzzy Hash: 96cbfb0f31c73e947292ad9f2e3efa4ba3af7499425afa2bf6889cf39f8ab991
Instruction Fuzzy Hash: 3221BF30604204AFCB299F28CC59DE93BE5EF0A370F040266F9264B7E2C7309D91EA60

Function 001368EE Relevance: 3.1, APIs: 2, Instructions: 57fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00136918
FindClose.KERNEL32(00000000), ref: 00136961

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: fd4d00c8339d3d0e4042de8339e9f728785c9dbcc44cd741728abd310edd19c0
Instruction ID: 703e1f863f072150b11493b37a1c503e39af75cc562169807cc7e8405bd257ce
Opcode Fuzzy Hash: fd4d00c8339d3d0e4042de8339e9f728785c9dbcc44cd741728abd310edd19c0
Instruction Fuzzy Hash: 02117C31604600AFD710DF29D484F1ABBE5EF85329F15C6ADE4699F6A2C730EC46CB91

Function 001590A1 Relevance: 3.0, APIs: 2, Instructions: 44nativewindowCOMMON

Download Yara Rule

APIs

Part of subcall function 000D9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 000D9BB2

NtdllDialogWndProc_W.NTDLL(?,0000002B,?,?,?,?,?,?,?,0011769C,?,?,?), ref: 00159111

Part of subcall function 000D9944: GetWindowLongW.USER32(?,000000EB), ref: 000D9952

SendMessageW.USER32(?,00000401,00000000,00000000), ref: 001590F7

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID: LongWindow$DialogMessageNtdllProc_Send
String ID:
API String ID: 1273190321-0
Opcode ID: 478128bd247f11fdcaf57522b6ea3075e84d8b4336c007102832590237d1f723
Instruction ID: d4185811e3ad8856f4d14e24213059989fcacdf8cd47dfc842dfa615354606f1
Opcode Fuzzy Hash: 478128bd247f11fdcaf57522b6ea3075e84d8b4336c007102832590237d1f723
Instruction Fuzzy Hash: 8601BC30200315FBDB219F14DC89FA63BA6FB86376F140429FD611E6E1CB726885DB61

Function 001337B5 Relevance: 3.0, APIs: 2, Instructions: 33windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,00144891,?,?,00000035,?), ref: 001337E4
FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,00144891,?,?,00000035,?), ref: 001337F4

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: 69ccb1a7daa97922d89db1ea53b22e383d8e830240b9da6f4e6c85b54fb4e6f2
Instruction ID: bdd302aa19936d476591579ccafcd3cbe5b466602637b4926f352a6ce12977cd
Opcode Fuzzy Hash: 69ccb1a7daa97922d89db1ea53b22e383d8e830240b9da6f4e6c85b54fb4e6f2
Instruction Fuzzy Hash: 13F0E5B06043296AE72017668C4DFEB3AAEEFC4761F000165F519D2691DA609944C7F0

Function 00159400 Relevance: 3.0, APIs: 2, Instructions: 32nativeCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 00159423
NtdllDialogWndProc_W.NTDLL(?,00000200,?,00000000,?,?,00000000,00000000,?,0011776C,?,?,?,?,?), ref: 0015944C

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID: ClientDialogNtdllProc_Screen
String ID:
API String ID: 3420055661-0
Opcode ID: a6c976802bc856d7de361a0dec3d40140abc1e93379961bd9c7d04bbae6319f2
Instruction ID: f16d733cf793ccdce0c6517e9e7d664b4e160be26ab346b579881fbecb769a62
Opcode Fuzzy Hash: a6c976802bc856d7de361a0dec3d40140abc1e93379961bd9c7d04bbae6319f2
Instruction Fuzzy Hash: 7FF03A72510218FFEF058F95DC09DAE7BB8EB44352F00415AF905A6160D375AA90DBA0

Function 0012B226 Relevance: 3.0, APIs: 2, Instructions: 29keyboardCOMMON

Download Yara Rule

APIs

SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 0012B25D
keybd_event.USER32(?,75C0C0D0,?,00000000), ref: 0012B270

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID: InputSendkeybd_event
String ID:
API String ID: 3536248340-0
Opcode ID: 6c1696db836a9d3458c763f15b59b799c60b0132ef55df125931a3a6008623c0
Instruction ID: 4c2b865533df043d283452ff297b6f8029bb191b6ab6b04389a22c32e88b160b
Opcode Fuzzy Hash: 6c1696db836a9d3458c763f15b59b799c60b0132ef55df125931a3a6008623c0
Instruction Fuzzy Hash: 87F01D7190438EEFDB059FA0D805BAE7FB4FF08305F008009F965A9192D3799651DF94

Function 001210BF Relevance: 3.0, APIs: 2, Instructions: 24COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,001211FC), ref: 001210D4
CloseHandle.KERNEL32(?,?,001211FC), ref: 001210E9

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: 177dc07f7a10f2a4f54d087e80821476dac0ba2ff54ea4df786c68301998564f
Instruction ID: dceaa8d01bf5b5fc6d5ed2aa3b99623eb69282d3441e4142f1ed522b2b7e2c56
Opcode Fuzzy Hash: 177dc07f7a10f2a4f54d087e80821476dac0ba2ff54ea4df786c68301998564f
Instruction Fuzzy Hash: 64E04F32004711EEE7252B51FC05EB377A9EB04311B10C82EF4A6844B2DB626CE0DB60

Function 0015953A Relevance: 3.0, APIs: 2, Instructions: 21nativeCOMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 00159542
NtdllDialogWndProc_W.NTDLL(?,00000084,00000000,?,?,001176FB,?,?,?,?), ref: 0015956C

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID: DialogLongNtdllProc_Window
String ID:
API String ID: 2065330234-0
Opcode ID: 81cef1f0458ba7c10b108d08770fb8d3509347c392ae47a4ce8827ba0c25e8e2
Instruction ID: 3e44ac85458806e770e2bfa422724f58e8c66d9324a471e955d64fde850b5ef3
Opcode Fuzzy Hash: 81cef1f0458ba7c10b108d08770fb8d3509347c392ae47a4ce8827ba0c25e8e2
Instruction Fuzzy Hash: 44E04F30104314FAEB150F19DC09FB93B54E700B92F104116F9669C0E1E7B195E0D260

Function 000CCAF0 Relevance: 1.9, Strings: 1, Instructions: 659COMMON

Download Yara Rule

Strings

Variable is not of type 'Object'., xrefs: 00110C40

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID:
String ID: Variable is not of type 'Object'.
API String ID: 0-1840281001
Opcode ID: 792fed0c3a862d251ecd8234586a3c2e8859c6fba0acd55bbc824090f440411c
Instruction ID: 9979707c0b50a7abf1641d50c85473d600861e4d040bd5c92c532e790d046c47
Opcode Fuzzy Hash: 792fed0c3a862d251ecd8234586a3c2e8859c6fba0acd55bbc824090f440411c
Instruction Fuzzy Hash: 66327E74900218DBEF18DF94D881FEDB7B5BF09304F14406DE80AAB292D775AE86CB61

Function 000F676B Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,000F6766,?,?,00000008,?,?,000FFEFE,00000000), ref: 000F6998

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 3d38beff9b730ad736290ed9ddfe32c8526d361d6fc7438ce93ee7d1cde36725
Instruction ID: 895153ecf58358ce0267c247208f493558a8d0cf2063f83394a9e3ce3737edc8
Opcode Fuzzy Hash: 3d38beff9b730ad736290ed9ddfe32c8526d361d6fc7438ce93ee7d1cde36725
Instruction Fuzzy Hash: BEB16C31610608DFD755CF28C486B647BE0FF45364F29865CE99ACF6A2C736E982DB40

Function 000DB119 Relevance: 1.8, Strings: 1, Instructions: 511COMMON

Download Yara Rule

Strings

, xrefs: 0011851F

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 2df3c592bf445074fe3cd051023d91f9f603b7fd656f093ed65bd13792bc200a
Instruction ID: e4f8145430d1d2876609337952a3140a967ae97fae00ba0bd1c44ae1e3f2fbc7
Opcode Fuzzy Hash: 2df3c592bf445074fe3cd051023d91f9f603b7fd656f093ed65bd13792bc200a
Instruction Fuzzy Hash: F7124175900229DBDB64CF58C881AEEB7F5FF48710F15816AE849EB255DB309E81CBA0

Function 0015A2D7 Relevance: 1.6, APIs: 1, Instructions: 68nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 000D9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 000D9BB2

NtdllDialogWndProc_W.NTDLL(?,00000112,?,?), ref: 0015A38F

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID: DialogLongNtdllProc_Window
String ID:
API String ID: 2065330234-0
Opcode ID: 8358955304abba47a3ac037e82e1d427075d5ece26e02ccfde14c02af62179bd
Instruction ID: 35391ca75ae36d7db2ccd82c610f3d1598c6ae9f87b738338c57f627eeb81316
Opcode Fuzzy Hash: 8358955304abba47a3ac037e82e1d427075d5ece26e02ccfde14c02af62179bd
Instruction Fuzzy Hash: C3110331244211FAFB295B28CD15B7D3A54FF41B6AF644325FD310E5E2C7605D88D256

Function 001587B2 Relevance: 1.5, APIs: 1, Instructions: 36COMMON

Download Yara Rule

APIs

Part of subcall function 000D9944: GetWindowLongW.USER32(?,000000EB), ref: 000D9952

CallWindowProcW.USER32(?,?,00000020,?,?), ref: 001587F3

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID: Window$CallLongProc
String ID:
API String ID: 4084987330-0
Opcode ID: 3cff4edf2cb98d4dfe337b33e317939ce90886db3915e8015b21f62357b47809
Instruction ID: 4350ed3890eb579a7c2fa26e2bf9ce32a8026904cc2dab852382afc66cbc320e
Opcode Fuzzy Hash: 3cff4edf2cb98d4dfe337b33e317939ce90886db3915e8015b21f62357b47809
Instruction Fuzzy Hash: 60F0F931604209EFCF05AF94EC54DB93BA6EB09362B148515FD256E661DB32ACA0EB90

Function 00158AAA Relevance: 1.5, APIs: 1, Instructions: 29nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 000D9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 000D9BB2

Part of subcall function 000D912D: GetCursorPos.USER32(?), ref: 000D9141
Part of subcall function 000D912D: ScreenToClient.USER32(00000000,?), ref: 000D915E
Part of subcall function 000D912D: GetAsyncKeyState.USER32(00000001), ref: 000D9183
Part of subcall function 000D912D: GetAsyncKeyState.USER32(00000002), ref: 000D919D

NtdllDialogWndProc_W.NTDLL(?,00000204,?,?,00000001,?,?,?,00117818,?,?,?,?,?,00000001,?), ref: 00158AF8

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID: AsyncState$ClientCursorDialogLongNtdllProc_ScreenWindow
String ID:
API String ID: 2356834413-0
Opcode ID: a8e30813f4b9481312ba7e3bf09b43a0563564e2451f617c60249c75a55770be
Instruction ID: 4b4ff15e5029b655c60a05bb43ae0215eff1cbacd12a27dd55f07cbc1f83b221
Opcode Fuzzy Hash: a8e30813f4b9481312ba7e3bf09b43a0563564e2451f617c60249c75a55770be
Instruction Fuzzy Hash: 7CF01274240219EBDB146F15D81AAAA3F65EB007A1F004016FD262A292DBB699E4DBE4

Function 000D9052 Relevance: 1.5, APIs: 1, Instructions: 27nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 000D9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 000D9BB2

NtdllDialogWndProc_W.NTDLL(?,00000006,?,?,?), ref: 000D9096

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID: DialogLongNtdllProc_Window
String ID:
API String ID: 2065330234-0
Opcode ID: 4aed3d8b8631e1e59129bd37f05200153910bd65b149f877ceca8e1d259aea39
Instruction ID: 44c9f1c36e31d808e4c94815b475177974bee72abcfc7e5b41fe90db69fc2050
Opcode Fuzzy Hash: 4aed3d8b8631e1e59129bd37f05200153910bd65b149f877ceca8e1d259aea39
Instruction Fuzzy Hash: B4F01234600319EFDB188F15E855A763BA2FB413A1F60811EF8520A7E1D77399D1EBA0

Function 0013EAA2 Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 0013EABD

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: ab50f7b015be60922e0a89240a31b1c3c955a0f76ed630dc861c9d0d85335104
Instruction ID: 1dd19c41904bc87e2d50f6432a8098db728ad200409080f89841ac4314d389d7
Opcode Fuzzy Hash: ab50f7b015be60922e0a89240a31b1c3c955a0f76ed630dc861c9d0d85335104
Instruction Fuzzy Hash: B2E04F312003059FD710EF59D805E9AF7E9AF98760F00842AFC49CB391DB70E8418B90

Function 00159380 Relevance: 1.5, APIs: 1, Instructions: 24nativeCOMMON

Download Yara Rule

APIs

NtdllDialogWndProc_W.NTDLL(?,00000232,?,?), ref: 001593C0

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID: DialogNtdllProc_
String ID:
API String ID: 3239928679-0
Opcode ID: 17af1cede34318ab8c968c29d59db5129b57dc88b86a5d7d4d724a88a928f97f
Instruction ID: bf5e4ea7ae1defe0da0511d87953307c2de335aafbc7b61754a999beccd86707
Opcode Fuzzy Hash: 17af1cede34318ab8c968c29d59db5129b57dc88b86a5d7d4d724a88a928f97f
Instruction Fuzzy Hash: ADF03931644355FFDB21DF58DC05FC63BA5AB06761F044009BA252B2E1CB7179A0E7A0

Function 000D90A7 Relevance: 1.5, APIs: 1, Instructions: 18nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 000D9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 000D9BB2

NtdllDialogWndProc_W.NTDLL(?,00000007,?,00000000,00000000,?,?), ref: 000D90D5

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID: DialogLongNtdllProc_Window
String ID:
API String ID: 2065330234-0
Opcode ID: 6b78c477f1c673c15a196fc4db101f25ab162b56db125de3e085ee058e2e9253
Instruction ID: 9191080e99da5ccc90a411c58c042d49c8eb44cd13bb210b95d5e439e7cb1611
Opcode Fuzzy Hash: 6b78c477f1c673c15a196fc4db101f25ab162b56db125de3e085ee058e2e9253
Instruction Fuzzy Hash: 99E0EC35650304FBDF15AF90DC11EA43B26FB49395F108019FA151A6A2CB73A9A1DB60

Function 001593CB Relevance: 1.5, APIs: 1, Instructions: 18nativeCOMMON

Download Yara Rule

APIs

NtdllDialogWndProc_W.NTDLL(?,00000053,?,?,?,00117723,?,?,?,?,?,?), ref: 001593F6

Part of subcall function 00158172: CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00193018,0019305C), ref: 001581BF
Part of subcall function 00158172: CloseHandle.KERNEL32 ref: 001581D1

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID: CloseCreateDialogHandleNtdllProc_Process
String ID:
API String ID: 4178364262-0
Opcode ID: 86b0313ca78f6fb2be531b3f3a3720cca70710112b3740fbfa8e92a9394e579a
Instruction ID: fa512816eb5bab08f447149c597b7ee9734bd95f5c61170ec922bbbc82e293dd
Opcode Fuzzy Hash: 86b0313ca78f6fb2be531b3f3a3720cca70710112b3740fbfa8e92a9394e579a
Instruction Fuzzy Hash: 75E0B631214209EFCB01AF54DC95E963BB6FB08352F014055FE255B2B2CB32A9A5EF51

Function 000D8BA4 Relevance: 1.5, APIs: 1, Instructions: 14nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 000D9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 000D9BB2

Part of subcall function 000D8BCD: DestroyWindow.USER32(?), ref: 000D8C81
Part of subcall function 000D8BCD: KillTimer.USER32(00000000,?,?,?,?,000D8BBA,00000000,?), ref: 000D8D1B

NtdllDialogWndProc_W.NTDLL(?,00000002,00000000,00000000,00000000,?), ref: 000D8BC3

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID: Window$DestroyDialogKillLongNtdllProc_Timer
String ID:
API String ID: 2797419724-0
Opcode ID: 56d6c093a90ea2709f1e99019684394011259aa81ed6aa6966a073b76ad7809b
Instruction ID: 646c6740ea0e7f4350ba6d2dbe364a7204b549271151c57dd5ef164202c04ae0
Opcode Fuzzy Hash: 56d6c093a90ea2709f1e99019684394011259aa81ed6aa6966a073b76ad7809b
Instruction Fuzzy Hash: ADD01270290308BBEE102BA1DC07F893A199B007A1F008022F604392D2CBB2649055A8

Function 000E09D5 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_000209E1,000E03EE), ref: 000E09DA

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 03391f66fb04785be65405be740459772f58e877bccce36d50f0432b68ca1e3a
Instruction ID: dcf4ef48895afd9597ad5215be1ea7a8f1ab6bdb81cc765ab5c9fb2bc9d243ec
Opcode Fuzzy Hash: 03391f66fb04785be65405be740459772f58e877bccce36d50f0432b68ca1e3a
Instruction Fuzzy Hash:

Function 000E781B Relevance: 1.5, Strings: 1, Instructions: 214COMMON

Download Yara Rule

Strings

0, xrefs: 000E798B

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction ID: 09da0e2873799e4f8b458868389a39aa8fd1336a06e8cfb83cf2f498919d77fb
Opcode Fuzzy Hash: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction Fuzzy Hash: 2451977168C6C55FDBB8856B8A597FE23C99F62300F18051AD98EF7283CE11DE01D352

Function 000F6DD9 Relevance: .6, Instructions: 637COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed164f075aef45cbf62344498d9acb0b56fd6f53942877fa71c08462a0db5d79
Instruction ID: 83e1b719a77c3f9e1b37c8abd5cf33fa2eed58322d96203af69dad9430a4ed7f
Opcode Fuzzy Hash: ed164f075aef45cbf62344498d9acb0b56fd6f53942877fa71c08462a0db5d79
Instruction Fuzzy Hash: C2323222D29F054DD7639634CC22336A289AFB73C5F15C737E81AB5EAAEB69C4C35101

Function 000DCC39 Relevance: .6, Instructions: 635COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1daeb65b9b887988e0d5492a9fe2890e00cdc49ec5d53346e7f0deafe4ef91a
Instruction ID: 9ec4cc2e1abdf30387b77ddf22867a9f6e50c9886598dcb02bb9aeeaa7b6b11a
Opcode Fuzzy Hash: a1daeb65b9b887988e0d5492a9fe2890e00cdc49ec5d53346e7f0deafe4ef91a
Instruction Fuzzy Hash: B5320131A842168BDF2CCA28C594AFD7BA1AF45300F29817BD95A8B791E330DDC1DBD1

Function 000C7920 Relevance: .6, Instructions: 563COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40355665c450f3b8d901c6d13e2ccb658f71da38bcd1dbfe25ed76a46c75a411
Instruction ID: 3c31fdb879a3ca499b5864be6133bd625d96bae0837d560d6aa964c72ef2455d
Opcode Fuzzy Hash: 40355665c450f3b8d901c6d13e2ccb658f71da38bcd1dbfe25ed76a46c75a411
Instruction Fuzzy Hash: 41227D70A0460A9FDF14CFA4C881BEEB7B6FF44300F144529E856AB291EB76AE55CF50

Function 000C91C0 Relevance: .5, Instructions: 475COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6932331081c36afc38f8bf15ce0ae304d0cd7e4bb77a1c9779c35e4e0cb5908
Instruction ID: 527bba27562e6b7fee4cf4fab65104abc428ae5ca697ed64da699e87014f551e
Opcode Fuzzy Hash: e6932331081c36afc38f8bf15ce0ae304d0cd7e4bb77a1c9779c35e4e0cb5908
Instruction Fuzzy Hash: 0E02C5B0A0020AEBDB04DF55D981BAEB7F5FF44300F118569E8569B3D1EB71EA60CB91

Function 000E1C77 Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction ID: 83586e4f31aa9770d4b25d885616c28e0874cee028d1af9f8970685c8eb0108f
Opcode Fuzzy Hash: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction Fuzzy Hash: 7091757260D0E34EDB69463B85744BEFFE15F923A131A079EE4F2EA1C1EE348954D620

Function 000E19B0 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction ID: 930e137f5fe05022a88224b11b57d7163c88818408e11b138ed99675d706f060
Opcode Fuzzy Hash: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction Fuzzy Hash: 5A9110722090E34EDBA9467B85740BEFFE15B923A131E07AED4F2EA1C1FE348554D620

Function 000E7A4A Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a4ed5df518b71ff1141161c4ca5776b39a58ea48c0641888a82d93f6dd532c0
Instruction ID: 43e36337a6b00c3a361aec025f8c72ffa79d6bd9efd61115ee6c8d4604ec960c
Opcode Fuzzy Hash: 2a4ed5df518b71ff1141161c4ca5776b39a58ea48c0641888a82d93f6dd532c0
Instruction Fuzzy Hash: F5616A716087C99EDAB4992B4855BFF33D8DF81700F28492DE94EFB282D7119E42C316

Function 000E7CA7 Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3676d619fea96b7672b781962a8bd76f7ee755a8a224e947ea0908db589811d
Instruction ID: 0175598e64e41a756dca68d92176390ebbe10a6eced97735d38570edcbc48924
Opcode Fuzzy Hash: a3676d619fea96b7672b781962a8bd76f7ee755a8a224e947ea0908db589811d
Instruction Fuzzy Hash: 1E61897120C7C96EDAB84A2B4C91BFE23E9DF46700F10495AE84FFB382DA129D428311

Function 000E1706 Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction ID: 851cbf7890a22c5ec2f426a73c8a012cebcbc9b46d1f71a18e656659bbd6678b
Opcode Fuzzy Hash: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction Fuzzy Hash: 888150726090E34EDBAD423B85744BEFFE15B923A131A079ED4F2DA1C2EE348554E620

Function 00132046 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ee4ba6130d4f83a450e2360fc425a827998d09906dc4116e31f1cd4938c05e9
Instruction ID: 6a96f9a6200a82dd70e9322c4ec9f8a680acdde617eb360df9d1431bad13ed2b
Opcode Fuzzy Hash: 5ee4ba6130d4f83a450e2360fc425a827998d09906dc4116e31f1cd4938c05e9
Instruction Fuzzy Hash: 9E21E7322216118BDB2CCF79C8236BE73E5A754320F14862EE4A7C37D0DE39A944CB80

Function 00142ADE Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 486filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00142B30
DeleteObject.GDI32(00000000), ref: 00142B43
DestroyWindow.USER32 ref: 00142B52
GetDesktopWindow.USER32 ref: 00142B6D
GetWindowRect.USER32(00000000), ref: 00142B74
SetRect.USER32(?,00000000,00000000,00000007,00000002), ref: 00142CA3
AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 00142CB1
CreateWindowExW.USER32(?,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00142CF8
GetClientRect.USER32(00000000,?), ref: 00142D04
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00142D40
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00142D62
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00142D75
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00142D80
GlobalLock.KERNEL32(00000000), ref: 00142D89
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00142D98
GlobalUnlock.KERNEL32(00000000), ref: 00142DA1
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00142DA8
GlobalFree.KERNEL32(00000000), ref: 00142DB3
CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 00142DC5
OleLoadPicture.OLEAUT32(?,00000000,00000000,0015FC38,00000000), ref: 00142DDB
GlobalFree.KERNEL32(00000000), ref: 00142DEB
CopyImage.USER32(00000007,00000000,00000000,00000000,00002000), ref: 00142E11
SendMessageW.USER32(00000000,00000172,00000000,00000007), ref: 00142E30
SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00142E52
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0014303F

Strings

static, xrefs: 00142D3A, 00142E91
DISPLAY, xrefs: 00142EA2
AutoIt v3, xrefs: 00142CF2
, xrefs: 00142FC5

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: 7363406f8dcebc8360c5071a2104ff5fb8dcd94dc4e7ec7224bdaa4fea7c5db3
Instruction ID: 4de34e1fb412a2601c910401f35bf77e640deb5981bd2cc4c83d74c21d60fe5b
Opcode Fuzzy Hash: 7363406f8dcebc8360c5071a2104ff5fb8dcd94dc4e7ec7224bdaa4fea7c5db3
Instruction Fuzzy Hash: 52025A71900205EFDB14DF64CC89EAE7BB9FB48711F048158F915AB2A1CB70AE81CFA0

Function 001570D5 Relevance: 49.8, APIs: 33, Instructions: 273COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 0015712F
GetSysColorBrush.USER32(0000000F), ref: 00157160
GetSysColor.USER32(0000000F), ref: 0015716C
SetBkColor.GDI32(?,000000FF), ref: 00157186
SelectObject.GDI32(?,?), ref: 00157195
InflateRect.USER32(?,000000FF,000000FF), ref: 001571C0
GetSysColor.USER32(00000010), ref: 001571C8
CreateSolidBrush.GDI32(00000000), ref: 001571CF
FrameRect.USER32(?,?,00000000), ref: 001571DE
DeleteObject.GDI32(00000000), ref: 001571E5
InflateRect.USER32(?,000000FE,000000FE), ref: 00157230
FillRect.USER32(?,?,?), ref: 00157262
GetWindowLongW.USER32(?,000000F0), ref: 00157284

Part of subcall function 001573E8: GetSysColor.USER32(00000012), ref: 00157421
Part of subcall function 001573E8: SetTextColor.GDI32(?,?), ref: 00157425
Part of subcall function 001573E8: GetSysColorBrush.USER32(0000000F), ref: 0015743B
Part of subcall function 001573E8: GetSysColor.USER32(0000000F), ref: 00157446
Part of subcall function 001573E8: GetSysColor.USER32(00000011), ref: 00157463
Part of subcall function 001573E8: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00157471
Part of subcall function 001573E8: SelectObject.GDI32(?,00000000), ref: 00157482
Part of subcall function 001573E8: SetBkColor.GDI32(?,00000000), ref: 0015748B
Part of subcall function 001573E8: SelectObject.GDI32(?,?), ref: 00157498
Part of subcall function 001573E8: InflateRect.USER32(?,000000FF,000000FF), ref: 001574B7
Part of subcall function 001573E8: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 001574CE
Part of subcall function 001573E8: GetWindowLongW.USER32(00000000,000000F0), ref: 001574DB

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
String ID:
API String ID: 4124339563-0
Opcode ID: fafc460a748f85480da77716e9b764c03ea723f2a60cfea6aa960a49ec87d581
Instruction ID: 02c6def1ba9cedb79cbe5dbbef64dfce3deb2ab31fdc2b09f191e32d9507cd87
Opcode Fuzzy Hash: fafc460a748f85480da77716e9b764c03ea723f2a60cfea6aa960a49ec87d581
Instruction Fuzzy Hash: F1A1A572108701FFD7019F60DC49E5BBBAAFF89322F100A19F9629A5E1D771E984CB91

Function 00142711 Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 330windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 0014273E
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 0014286A
SetRect.USER32(?,00000000,00000000,0000012C,?), ref: 001428A9
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 001428B9
CreateWindowExW.USER32(00000008,AutoIt v3,?,88C00000,000000FF,?,?,?,00000000,00000000,00000000), ref: 00142900
GetClientRect.USER32(00000000,?), ref: 0014290C
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000), ref: 00142955
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00142964
GetStockObject.GDI32(00000011), ref: 00142974
SelectObject.GDI32(00000000,00000000), ref: 00142978
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?), ref: 00142988
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00142991
DeleteDC.GDI32(00000000), ref: 0014299A
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 001429C6
SendMessageW.USER32(00000030,00000000,00000001), ref: 001429DD
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,-0000001D,00000104,00000014,00000000,00000000,00000000), ref: 00142A1D
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00142A31
SendMessageW.USER32(00000404,00000001,00000000), ref: 00142A42
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000041,00000500,-00000027,00000000,00000000,00000000), ref: 00142A77
GetStockObject.GDI32(00000011), ref: 00142A82
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00142A8D
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?,?,?), ref: 00142A97

Strings

static, xrefs: 0014294F, 00142A71
DISPLAY, xrefs: 0014295A
AutoIt v3, xrefs: 001428F8
msctls_progress32, xrefs: 00142A13

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: d304f10a05baa41aef717d988d6c1cede47e82a92efcc6413cba94fab0fbce39
Instruction ID: 19d972074b38e38aa07cca1a40d5eff3890e5c26af8a50782d8d77fb41b9c231
Opcode Fuzzy Hash: d304f10a05baa41aef717d988d6c1cede47e82a92efcc6413cba94fab0fbce39
Instruction Fuzzy Hash: D9B13C71A00615AFEB14DF68CC86FAE7BB9FB08711F004519F915EB6A1D774AD80CB90

Function 00134ADF Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 191COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00134AED
GetDriveTypeW.KERNEL32(?,0015CB68,?,\\.\,0015CC08), ref: 00134BCA
SetErrorMode.KERNEL32(00000000,0015CB68,?,\\.\,0015CC08), ref: 00134D36

Strings

Fibre, xrefs: 00134CAD
PhysicalDrive, xrefs: 00134B76
RAMDisk, xrefs: 00134BF4
\\.\, xrefs: 00134B3F
1394, xrefs: 00134C9F
SCSI, xrefs: 00134C8A
RAID, xrefs: 00134CBB
ATAPI, xrefs: 00134C91
Virtual, xrefs: 00134CE5
Removable, xrefs: 00134C10, 00134C15
ATA, xrefs: 00134C98
SSA, xrefs: 00134CA6
Unknown, xrefs: 00134BED, 00134C83
SAS, xrefs: 00134CC9
SSD, xrefs: 00134C4A
Fixed, xrefs: 00134C09
iSCSI, xrefs: 00134CC2
MMC, xrefs: 00134CDE
USB, xrefs: 00134CB4
Network, xrefs: 00134C02
CDROM, xrefs: 00134BFB
FileBackedVirtual, xrefs: 00134CEC
SATA, xrefs: 00134CD0

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: 705fd964072f7b21da1d4968fbfd4a3d21cebe2b6701bb111003581b73454c21
Instruction ID: 998e03fb4a306c50beadfce79322d0515ef682594c7de93f43e773dff12036af
Opcode Fuzzy Hash: 705fd964072f7b21da1d4968fbfd4a3d21cebe2b6701bb111003581b73454c21
Instruction Fuzzy Hash: D661B030605205DFCB08EF64CA82EADB7A0EB04340F249519F846AB692DB76FE45DF81

Function 000D8D85 Relevance: 40.7, APIs: 22, Strings: 1, Instructions: 480windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?), ref: 000D8E14
SendMessageW.USER32(?,00001308,?,00000000), ref: 00116AC5
6F550200.COMCTL32(?,000000FF,?), ref: 00116AFE
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00116F43

Part of subcall function 000D8F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,000D8BE8,?,00000000,?,?,?,?,000D8BBA,00000000,?), ref: 000D8FC5

SendMessageW.USER32(?,00001053), ref: 00116F7F
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 00116F96

Strings

0, xrefs: 00116DCF

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID: MessageSend$Window$DestroyF550200InvalidateMoveRect
String ID: 0
API String ID: 268457297-4108050209
Opcode ID: 08baadfc898c45e0640acd6cb7c42f2ac840e1681ffea36970423f2431de854f
Instruction ID: b8aa2e3e0aeb097bd7c1089dd375ae34cdd0dc0c80e05c1aedd0b743d68694cf
Opcode Fuzzy Hash: 08baadfc898c45e0640acd6cb7c42f2ac840e1681ffea36970423f2431de854f
Instruction Fuzzy Hash: 2B128C30205312EFDB29CF14D858BEAB7E5FB44305F14856AF4858B661CB32A8D2DFA1

Function 001573E8 Relevance: 39.2, APIs: 26, Instructions: 201windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 00157421
SetTextColor.GDI32(?,?), ref: 00157425
GetSysColorBrush.USER32(0000000F), ref: 0015743B
GetSysColor.USER32(0000000F), ref: 00157446
CreateSolidBrush.GDI32(?), ref: 0015744B
GetSysColor.USER32(00000011), ref: 00157463
CreatePen.GDI32(00000000,00000001,00743C00), ref: 00157471
SelectObject.GDI32(?,00000000), ref: 00157482
SetBkColor.GDI32(?,00000000), ref: 0015748B
SelectObject.GDI32(?,?), ref: 00157498
InflateRect.USER32(?,000000FF,000000FF), ref: 001574B7
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 001574CE
GetWindowLongW.USER32(00000000,000000F0), ref: 001574DB
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0015752A
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 00157554
InflateRect.USER32(?,000000FD,000000FD), ref: 00157572
DrawFocusRect.USER32(?,?), ref: 0015757D
GetSysColor.USER32(00000011), ref: 0015758E
SetTextColor.GDI32(?,00000000), ref: 00157596
DrawTextW.USER32(?,001570F5,000000FF,?,00000000), ref: 001575A8
SelectObject.GDI32(?,?), ref: 001575BF
DeleteObject.GDI32(?), ref: 001575CA
SelectObject.GDI32(?,?), ref: 001575D0
DeleteObject.GDI32(?), ref: 001575D5
SetTextColor.GDI32(?,?), ref: 001575DB
SetBkColor.GDI32(?,?), ref: 001575E5

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: dcd00b8342f3da1167ab114473afe68b281e4630394f6b363963aeaaeef4747e
Instruction ID: 25e42a27f3b71664d526bb835423b42d41127c5a032021fce651c8bedc5e7b25
Opcode Fuzzy Hash: dcd00b8342f3da1167ab114473afe68b281e4630394f6b363963aeaaeef4747e
Instruction Fuzzy Hash: 13613B72904318EFDB019FA4EC49AEEBFB9EB08322F114115F915AB2E1D7759980CB90

Function 00150FF3 Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 284windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00151128
GetDesktopWindow.USER32 ref: 0015113D
GetWindowRect.USER32(00000000), ref: 00151144
GetWindowLongW.USER32(?,000000F0), ref: 00151199
DestroyWindow.USER32(?), ref: 001511B9
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,7FFFFFFD,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 001511ED
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0015120B
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 0015121D
SendMessageW.USER32(00000000,00000421,?,?), ref: 00151232
SendMessageW.USER32(00000000,0000041D,00000000,00000000), ref: 00151245
IsWindowVisible.USER32(00000000), ref: 001512A1
SendMessageW.USER32(00000000,00000412,00000000,D8F0D8F0), ref: 001512BC
SendMessageW.USER32(00000000,00000411,00000001,00000030), ref: 001512D0
GetWindowRect.USER32(00000000,?), ref: 001512E8
MonitorFromPoint.USER32(?,?,00000002), ref: 0015130E
GetMonitorInfoW.USER32(00000000,?), ref: 00151328
CopyRect.USER32(?,?), ref: 0015133F
SendMessageW.USER32(00000000,00000412,00000000), ref: 001513AA

Strings

tooltips_class32, xrefs: 001511E6
0, xrefs: 001510D3
(, xrefs: 0015131B

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: 0d856d7f3562eef8f9a171aef7f1fafcf2ca1908a0be60a59e4fdf918fec7237
Instruction ID: e569b84d83ba31c074701402a7c62c3421f1caa326d5d55af9177731a0552f2a
Opcode Fuzzy Hash: 0d856d7f3562eef8f9a171aef7f1fafcf2ca1908a0be60a59e4fdf918fec7237
Instruction Fuzzy Hash: 22B15771604341EFD705DF64C885BAABBE4FF88351F00891CF9A99B2A2D771E849CB91

Function 000D8891 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 282windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 000D8968
GetSystemMetrics.USER32(00000007), ref: 000D8970
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 000D899B
GetSystemMetrics.USER32(00000008), ref: 000D89A3
GetSystemMetrics.USER32(00000004), ref: 000D89C8
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 000D89E5
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 000D89F5
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 000D8A28
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 000D8A3C
GetClientRect.USER32(00000000,000000FF), ref: 000D8A5A
GetStockObject.GDI32(00000011), ref: 000D8A76
SendMessageW.USER32(00000000,00000030,00000000), ref: 000D8A81

Part of subcall function 000D912D: GetCursorPos.USER32(?), ref: 000D9141
Part of subcall function 000D912D: ScreenToClient.USER32(00000000,?), ref: 000D915E
Part of subcall function 000D912D: GetAsyncKeyState.USER32(00000001), ref: 000D9183
Part of subcall function 000D912D: GetAsyncKeyState.USER32(00000002), ref: 000D919D

SetTimer.USER32(00000000,00000000,00000028,000D90FC), ref: 000D8AA8

Strings

AutoIt v3 GUI, xrefs: 000D8A20

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: 1f78814a1e22475077a8b61667a4015b93e3a52c6824e92c2c763fb39e0d9543
Instruction ID: 645244f3f7e8e79d5ac68d25678058ebd5b2a51b972d79b111b419c0005ef56b
Opcode Fuzzy Hash: 1f78814a1e22475077a8b61667a4015b93e3a52c6824e92c2c763fb39e0d9543
Instruction Fuzzy Hash: C2B16F75A0030AEFDB14DFA8CC55BEE7BB5FB48315F10412AFA15AB290DB70A981CB51

Function 00120D8B Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 001210F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00121114
Part of subcall function 001210F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00120B9B,?,?,?), ref: 00121120
Part of subcall function 001210F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00120B9B,?,?,?), ref: 0012112F
Part of subcall function 001210F9: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 00121136
Part of subcall function 001210F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0012114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00120DF5
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00120E29
GetLengthSid.ADVAPI32(?), ref: 00120E40
GetAce.ADVAPI32(?,00000000,?), ref: 00120E7A
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00120E96
GetLengthSid.ADVAPI32(?), ref: 00120EAD
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00120EB5
RtlAllocateHeap.NTDLL(00000000), ref: 00120EBC
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00120EDD
CopySid.ADVAPI32(00000000), ref: 00120EE4
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00120F13
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00120F35
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00120F47
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00120F6E
HeapFree.KERNEL32(00000000), ref: 00120F75
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00120F7E
HeapFree.KERNEL32(00000000), ref: 00120F85
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00120F8E
HeapFree.KERNEL32(00000000), ref: 00120F95
GetProcessHeap.KERNEL32(00000000,?), ref: 00120FA1
HeapFree.KERNEL32(00000000), ref: 00120FA8

Part of subcall function 00121193: GetProcessHeap.KERNEL32(00000008,00120BB1,?,00000000,?,00120BB1,?), ref: 001211A1
Part of subcall function 00121193: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 001211A8
Part of subcall function 00121193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00120BB1,?), ref: 001211B7

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocateDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4042927181-0
Opcode ID: da880f43b62944f5c6a9a5d1690f618fa77749f5845f190df08a65cf3efe32e0
Instruction ID: 19652e365b2a03c1d3318dc9a9e76091de2655cdd5446f682e5a368ccdf26ebf
Opcode Fuzzy Hash: da880f43b62944f5c6a9a5d1690f618fa77749f5845f190df08a65cf3efe32e0
Instruction Fuzzy Hash: E3717D7290031AEFDF219FA4ED44BAEBBB8FF08311F044215F919A6192D7319955CBA0

Function 0014C3B7 Relevance: 30.2, APIs: 11, Strings: 6, Instructions: 495registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0014C4BD
RegCreateKeyExW.ADVAPI32(?,?,00000000,0015CC08,00000000,?,00000000,?,?), ref: 0014C544
RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 0014C5A4
_wcslen.LIBCMT ref: 0014C5F4
_wcslen.LIBCMT ref: 0014C66F
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000001,?,?), ref: 0014C6B2
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 0014C7C1
RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 0014C84D
RegCloseKey.ADVAPI32(?), ref: 0014C881
RegCloseKey.ADVAPI32(00000000), ref: 0014C88E
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 0014C960

Strings

REG_EXPAND_SZ, xrefs: 0014C5CD
REG_DWORD, xrefs: 0014C804
REG_BINARY, xrefs: 0014C913
REG_MULTI_SZ, xrefs: 0014C6F5
REG_QWORD, xrefs: 0014C8C3
REG_SZ, xrefs: 0014C644

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID: Value$Close$_wcslen$ConnectCreateRegistry
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 9721498-966354055
Opcode ID: 77e905f6c23d57f3048600c1796c7ea5ec93a0c4dc23331d9ce4d8dad7a75478
Instruction ID: e6687634511ce4ecaddcc61b7109a915ac0af0a325da96162150e83c2df140d9
Opcode Fuzzy Hash: 77e905f6c23d57f3048600c1796c7ea5ec93a0c4dc23331d9ce4d8dad7a75478
Instruction Fuzzy Hash: C91224356046019FD754DF14C891F6EB7E5EF88724F15889CF88A9B2A2DB31ED41CB81

Function 0015091E Relevance: 30.1, APIs: 6, Strings: 11, Instructions: 372windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 001509C6
_wcslen.LIBCMT ref: 00150A01
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00150A54
_wcslen.LIBCMT ref: 00150A8A
_wcslen.LIBCMT ref: 00150B06
_wcslen.LIBCMT ref: 00150B81

Part of subcall function 000DF9F2: _wcslen.LIBCMT ref: 000DF9FD

Part of subcall function 00122BE8: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00122BFA

Strings

GETTOTALCOUNT, xrefs: 001509F2, 00150A17
EXISTS, xrefs: 00150B7C, 00150B97
EXPAND, xrefs: 00150BF8
SELECT, xrefs: 00150D11
GETITEMCOUNT, xrefs: 00150C1E
CHECK, xrefs: 00150A85, 00150AA0
COLLAPSE, xrefs: 00150B01, 00150B1C
GETSELECTED, xrefs: 00150C4E
UNCHECK, xrefs: 00150D3E
ISCHECKED, xrefs: 00150CE1
GETTEXT, xrefs: 00150C97

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 1103490817-4258414348
Opcode ID: 564603bfcaae9d8d021baa178de388b252c216d8d8c328c0d6c8893ff4600f06
Instruction ID: 2408238242c4c18d087d56b1da5a220560f726e0fbc177d3ac40108de0f904c8
Opcode Fuzzy Hash: 564603bfcaae9d8d021baa178de388b252c216d8d8c328c0d6c8893ff4600f06
Instruction Fuzzy Hash: F7E1DF35208301CFC715DFA4C49096EB7E1BF98314B15895CF8AAAB3A2D730EE49CB81

Function 0014C998 Relevance: 30.0, APIs: 7, Strings: 10, Instructions: 242COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,0014B6AE,?,?), ref: 0014C9B5
_wcslen.LIBCMT ref: 0014C9F1
_wcslen.LIBCMT ref: 0014CA68
_wcslen.LIBCMT ref: 0014CA9E
_wcslen.LIBCMT ref: 0014CAF9
_wcslen.LIBCMT ref: 0014CB2F
_wcslen.LIBCMT ref: 0014CB7F

Strings

HKLM, xrefs: 0014CA98, 0014CA9D
HKEY_CURRENT_CONFIG, xrefs: 0014CB79, 0014CB7E
HKEY_CURRENT_USER, xrefs: 0014CBBD
HKCC, xrefs: 0014CBAC
HKEY_CLASSES_ROOT, xrefs: 0014CAF3, 0014CAF8
HKCU, xrefs: 0014CBCE
HKEY_LOCAL_MACHINE, xrefs: 0014CA62, 0014CA67
HKU, xrefs: 0014CBF0
HKCR, xrefs: 0014CB29, 0014CB2E
HKEY_USERS, xrefs: 0014CBDF

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 1256254125-909552448
Opcode ID: f1de206829bd1dd1a826f9a0a3adbfd3d9effb525288620209695e5970b5d5b3
Instruction ID: ba71192b8de4c67bc6f792799368609e041d7518f69318802a0f1b4c6feaa0ae
Opcode Fuzzy Hash: f1de206829bd1dd1a826f9a0a3adbfd3d9effb525288620209695e5970b5d5b3
Instruction Fuzzy Hash: 0671F33260116A8BCB60DF7CC9915FE3391AFA1794B350528F866A72A5FB31CE44C7E0

Function 0015833C Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 196windowlibraryCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0015835A
_wcslen.LIBCMT ref: 0015836E
_wcslen.LIBCMT ref: 00158391
_wcslen.LIBCMT ref: 001583B4
LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 001583F2
LoadLibraryExW.KERNEL32(?,00000000,00000032,?,?,00000001,?,?,?,0015361A,?), ref: 0015844E
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00158487
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 001584CA
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00158501
FreeLibrary.KERNEL32(?), ref: 0015850D
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0015851D
DestroyCursor.USER32(?), ref: 0015852C
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00158549
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00158555

Strings

.icl, xrefs: 00158368
.dll, xrefs: 001583AB
.exe, xrefs: 00158388

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID: Load$Image_wcslen$LibraryMessageSend$CursorDestroyExtractFreeIcon
String ID: .dll$.exe$.icl
API String ID: 391920613-1154884017
Opcode ID: 7c8febbf0462ab4d417c2be88dcc23c9df3043737ea7ba66f33515b9295a8dd1
Instruction ID: 7df2516ab6c7da0ac2d8d2d898f3f6545676ad3b5ec096f8992cb94430fc5223
Opcode Fuzzy Hash: 7c8febbf0462ab4d417c2be88dcc23c9df3043737ea7ba66f33515b9295a8dd1
Instruction Fuzzy Hash: A2619E71510715FEEB149F64CC85BFE77A8BB08722F104509FD25EA1D1EBB4AA84CBA0

Function 000C7778 Relevance: 28.3, APIs: 1, Strings: 15, Instructions: 273COMMON

Download Yara Rule

Strings

Bad directive syntax error, xrefs: 0010519A
#pragma compile, xrefs: 000C77D3
Cannot parse #include, xrefs: 00105279
#include-once, xrefs: 000C782F
#requireadmin, xrefs: 000C77FF
#comments-start, xrefs: 000C785F, 000C78B1
#cs, xrefs: 000C7873, 000C78C5
#ce, xrefs: 000C78ED
Unterminated group of comments, xrefs: 0010528C
', xrefs: 00105169
#include, xrefs: 000C7847
#OnAutoItStartRegister, xrefs: 000C7817
#notrayicon, xrefs: 000C77E7
", xrefs: 00105153
#comments-end, xrefs: 000C78D9

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID:
String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 0-1645009161
Opcode ID: f74fc39db8702e612afef512c5a5071e7d5a648e9ec9b76fa6c7204e392e6f64
Instruction ID: 1e6e35bf46f4cc2f33a3c10eb107cdc4cc941da42b55dc8f86a87f3617b15e56
Opcode Fuzzy Hash: f74fc39db8702e612afef512c5a5071e7d5a648e9ec9b76fa6c7204e392e6f64
Instruction Fuzzy Hash: 6781C671644605BFDB20AF60DD42FEF37A9AF15300F044029F949AA2D7EBB0DA15DBA1

Function 00125A1B Relevance: 27.2, APIs: 18, Instructions: 198windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 00125A2E
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00125A40
SetWindowTextW.USER32(?,?), ref: 00125A57
GetDlgItem.USER32(?,000003EA), ref: 00125A6C
SetWindowTextW.USER32(00000000,?), ref: 00125A72
GetDlgItem.USER32(?,000003E9), ref: 00125A82
SetWindowTextW.USER32(00000000,?), ref: 00125A88
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00125AA9
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 00125AC3
GetWindowRect.USER32(?,?), ref: 00125ACC
_wcslen.LIBCMT ref: 00125B33
SetWindowTextW.USER32(?,?), ref: 00125B6F
GetDesktopWindow.USER32 ref: 00125B75
GetWindowRect.USER32(00000000), ref: 00125B7C
MoveWindow.USER32(?,?,00000080,00000000,?,00000000), ref: 00125BD3
GetClientRect.USER32(?,?), ref: 00125BE0
PostMessageW.USER32(?,00000005,00000000,?), ref: 00125C05
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 00125C2F

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer_wcslen
String ID:
API String ID: 895679908-0
Opcode ID: 4dc8b35a2e6ac1b94ede25e18b5fe45451c9df37b958aa25a92dd932edd23ae1
Instruction ID: 01ead19fd84c7799bd9ebce1306edf65559687e8f77d4d2c062cf4c5e9ef6f6e
Opcode Fuzzy Hash: 4dc8b35a2e6ac1b94ede25e18b5fe45451c9df37b958aa25a92dd932edd23ae1
Instruction Fuzzy Hash: 9771AD31900B19EFDB20DFA8DE85AAEBBF6FF48705F104518E182A76A0D770E950CB50

Function 0013FE0E Relevance: 27.1, APIs: 18, Instructions: 128COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F89), ref: 0013FE27
LoadCursorW.USER32(00000000,00007F8A), ref: 0013FE32
LoadCursorW.USER32(00000000,00007F00), ref: 0013FE3D
LoadCursorW.USER32(00000000,00007F03), ref: 0013FE48
LoadCursorW.USER32(00000000,00007F8B), ref: 0013FE53
LoadCursorW.USER32(00000000,00007F01), ref: 0013FE5E
LoadCursorW.USER32(00000000,00007F81), ref: 0013FE69
LoadCursorW.USER32(00000000,00007F88), ref: 0013FE74
LoadCursorW.USER32(00000000,00007F80), ref: 0013FE7F
LoadCursorW.USER32(00000000,00007F86), ref: 0013FE8A
LoadCursorW.USER32(00000000,00007F83), ref: 0013FE95
LoadCursorW.USER32(00000000,00007F85), ref: 0013FEA0
LoadCursorW.USER32(00000000,00007F82), ref: 0013FEAB
LoadCursorW.USER32(00000000,00007F84), ref: 0013FEB6
LoadCursorW.USER32(00000000,00007F04), ref: 0013FEC1
LoadCursorW.USER32(00000000,00007F02), ref: 0013FECC
GetCursorInfo.USER32(?), ref: 0013FEDC
GetLastError.KERNEL32 ref: 0013FF1E

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID: Cursor$Load$ErrorInfoLast
String ID:
API String ID: 3215588206-0
Opcode ID: 130314c53f0f07a21846f1a16862ed3e01115641dcb6f91f4cb622a145191ae0
Instruction ID: 8227b8106438cdfcf4e1ad1017a549735355ed5643a1fb5fb64055f5f4fa9014
Opcode Fuzzy Hash: 130314c53f0f07a21846f1a16862ed3e01115641dcb6f91f4cb622a145191ae0
Instruction Fuzzy Hash: 5D4124B1D04319AADB109FBA8C89C5EBFE8FF04754B50452AE51DEB281DB78D901CF91

Function 000E00C6 Relevance: 26.3, APIs: 10, Strings: 5, Instructions: 81COMMON

Download Yara Rule

APIs

__scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 000E00C6

Part of subcall function 000E00ED: InitializeCriticalSectionAndSpinCount.KERNEL32(0019070C,00000FA0,22B2A029,?,?,?,?,001023B3,000000FF), ref: 000E011C
Part of subcall function 000E00ED: GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,001023B3,000000FF), ref: 000E0127
Part of subcall function 000E00ED: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,001023B3,000000FF), ref: 000E0138
Part of subcall function 000E00ED: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 000E014E
Part of subcall function 000E00ED: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 000E015C
Part of subcall function 000E00ED: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 000E016A
Part of subcall function 000E00ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 000E0195
Part of subcall function 000E00ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 000E01A0

___scrt_fastfail.LIBCMT ref: 000E00E7

Part of subcall function 000E00A3: __onexit.LIBCMT ref: 000E00A9

Strings

InitializeConditionVariable, xrefs: 000E0148
SleepConditionVariableCS, xrefs: 000E0154
api-ms-win-core-synch-l1-2-0.dll, xrefs: 000E0122
kernel32.dll, xrefs: 000E0133
WakeAllConditionVariable, xrefs: 000E0162

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
API String ID: 66158676-1714406822
Opcode ID: 26e65e38a2f44680226cb1aaa118c2b64b68557c9429de40b6aab6cf343669a4
Instruction ID: 236bb34a75d5f244cce21c7547222afc45e7153933c5d9457546064ce3327cfc
Opcode Fuzzy Hash: 26e65e38a2f44680226cb1aaa118c2b64b68557c9429de40b6aab6cf343669a4
Instruction Fuzzy Hash: 1C21F932645751EFE7115FB5AC45B6A33E4EB04B62F00012AF841BE692DFF09C808AD0

Function 001230F7 Relevance: 24.9, APIs: 8, Strings: 6, Instructions: 400COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0012318D
_wcslen.LIBCMT ref: 001231F8

Strings

CLASSNN, xrefs: 001231F3, 00123204
INSTANCE, xrefs: 00123453
REGEXPCLASS, xrefs: 00123255, 00123266
TEXT, xrefs: 0012347C
CLASS, xrefs: 00123188, 001231A5
NAME, xrefs: 00123335, 00123346

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID: _wcslen
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
API String ID: 176396367-1603158881
Opcode ID: a771a8b1e975bc68a8d638ce15fa0c04d306d7778fb1707652916b50bf49db4c
Instruction ID: 247c8405862d2c4b2935202e5087541e389075fec99b45b63e3c799692ec0870
Opcode Fuzzy Hash: a771a8b1e975bc68a8d638ce15fa0c04d306d7778fb1707652916b50bf49db4c
Instruction Fuzzy Hash: F3E11632A00626ABCB18EF64D451BEDFBB1FF14710F15811AE466F7241DB34AFA58B90

Function 001344C0 Relevance: 24.8, APIs: 7, Strings: 7, Instructions: 309COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(00000000,00000000,0015CC08), ref: 00134527
_wcslen.LIBCMT ref: 0013453B
_wcslen.LIBCMT ref: 00134599
_wcslen.LIBCMT ref: 001345F4
_wcslen.LIBCMT ref: 0013463F
_wcslen.LIBCMT ref: 001346A7

Part of subcall function 000DF9F2: _wcslen.LIBCMT ref: 000DF9FD

GetDriveTypeW.KERNEL32(?,00186BF0,00000061), ref: 00134743

Strings

removable, xrefs: 001345EA, 001345EF
unknown, xrefs: 00134708
network, xrefs: 0013469D, 001346A2
fixed, xrefs: 00134635, 0013463A
ramdisk, xrefs: 001346F1
all, xrefs: 00134531, 00134536
cdrom, xrefs: 0013458F, 00134594

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID: _wcslen$BuffCharDriveLowerType
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2055661098-1000479233
Opcode ID: 2127f6bc74b640b8963e7d8681bed4e05849ef2b17e58b909fcae07ad9ec63c9
Instruction ID: c103ab668acc3ceb852348c2e8eb574703daf677a8d59328495e2b5f83d6b7f0
Opcode Fuzzy Hash: 2127f6bc74b640b8963e7d8681bed4e05849ef2b17e58b909fcae07ad9ec63c9
Instruction Fuzzy Hash: 51B122716083029FC710DF28C891AAEB7E4BFA5764F50491DF496D7292E730E944CB92

Function 0014AFF9 Relevance: 24.4, APIs: 16, Instructions: 418processCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0014B198
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0014B1B0
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0014B1D4
_wcslen.LIBCMT ref: 0014B200
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0014B214
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0014B236
_wcslen.LIBCMT ref: 0014B332

Part of subcall function 001305A7: GetStdHandle.KERNEL32(000000F6), ref: 001305C6

_wcslen.LIBCMT ref: 0014B34B
_wcslen.LIBCMT ref: 0014B366
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0014B3B6
GetLastError.KERNEL32(00000000), ref: 0014B407
CloseHandle.KERNEL32(?), ref: 0014B439
CloseHandle.KERNEL32(00000000), ref: 0014B44A
CloseHandle.KERNEL32(00000000), ref: 0014B45C
CloseHandle.KERNEL32(00000000), ref: 0014B46E
CloseHandle.KERNEL32(?), ref: 0014B4E3

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID: Handle$Close_wcslen$Directory$CurrentSystem$CreateErrorLastProcess
String ID:
API String ID: 2178637699-0
Opcode ID: e1bd089915e519e5022ef41f9630f87cf4465fe57cbfd3f87efea58e2fe7e4dc
Instruction ID: 57007b457383b4ece040b3c5ecc82f850602d4a5b9f61c2d314e7d55f49cdb79
Opcode Fuzzy Hash: e1bd089915e519e5022ef41f9630f87cf4465fe57cbfd3f87efea58e2fe7e4dc
Instruction Fuzzy Hash: 4BF18B316083409FC714EF24C891B6EBBE5BF85714F18855DF89A9B2A2CB71EC45CB92

Function 000C326F Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 214windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32(00191990), ref: 00102F8D
GetMenuItemCount.USER32(00191990), ref: 0010303D
GetCursorPos.USER32(?), ref: 00103081
SetForegroundWindow.USER32(00000000), ref: 0010308A
TrackPopupMenuEx.USER32(00191990,00000000,?,00000000,00000000,00000000), ref: 0010309D
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 001030A9

Strings

0, xrefs: 000C327D

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow
String ID: 0
API String ID: 36266755-4108050209
Opcode ID: 4ce8080633882b9bf8d667f4ca5e7d6ed969b2afa6dd39ee71560d541c9fffdc
Instruction ID: 3a08711eb1169e27aa523df3b0738d10d8216f2ce975fdcf56c8612a88a28428
Opcode Fuzzy Hash: 4ce8080633882b9bf8d667f4ca5e7d6ed969b2afa6dd39ee71560d541c9fffdc
Instruction Fuzzy Hash: 2371F370644216BFEB259F64DC89FAEBF68FF05364F208216F5256A1E0C7B1A950CB90

Function 00156CD9 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 194windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?), ref: 00156DEB

Part of subcall function 000C6B57: _wcslen.LIBCMT ref: 000C6B6A

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00156E5F
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00156E81
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00156E94
DestroyWindow.USER32(?), ref: 00156EB5
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,000C0000,00000000), ref: 00156EE4
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00156EFD
GetDesktopWindow.USER32 ref: 00156F16
GetWindowRect.USER32(00000000), ref: 00156F1D
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00156F35
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00156F4D

Part of subcall function 000D9944: GetWindowLongW.USER32(?,000000EB), ref: 000D9952

Strings

tooltips_class32, xrefs: 00156E58, 00156EDD
0, xrefs: 00156D98

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_wcslen
String ID: 0$tooltips_class32
API String ID: 2429346358-3619404913
Opcode ID: 7eaa074694f524a8d4f232a1e85890d5640e446b0e7a9fb2d493316559fde984
Instruction ID: d2980b75ff6e75737208885cc1f0d7b50dc683c001117cde9582acf292676948
Opcode Fuzzy Hash: 7eaa074694f524a8d4f232a1e85890d5640e446b0e7a9fb2d493316559fde984
Instruction Fuzzy Hash: 34717970504341EFDB21CF18DC54FAABBE9FB99305F44051EF9998B261C770A98ACB91

Function 0013C476 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 143networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0013C4B0
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 0013C4C3
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 0013C4D7
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 0013C4F0
InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 0013C533
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 0013C549
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0013C554
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 0013C584
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 0013C5DC
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 0013C5F0
InternetCloseHandle.WININET(00000000), ref: 0013C5FB

Strings

, xrefs: 0013C575

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
String ID:
API String ID: 3800310941-3916222277
Opcode ID: d19888c2a921183d54c650650c8e2e847c450c8aa866fa2d91dd59d42f53eed4
Instruction ID: 5f23fd5e2e8e4be735ef458e4e079bc816384679c890b866a131984e1052eb96
Opcode Fuzzy Hash: d19888c2a921183d54c650650c8e2e847c450c8aa866fa2d91dd59d42f53eed4
Instruction Fuzzy Hash: BC514AB1600709FFDB219FA4CD88AAB7BBCFF08755F004419F945AA610DB35E944DBA0

Function 0015856F Relevance: 22.6, APIs: 15, Instructions: 131filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,00000000,?), ref: 00158592
GetFileSize.KERNEL32(00000000,00000000), ref: 001585A2
GlobalAlloc.KERNEL32(00000002,00000000), ref: 001585AD
CloseHandle.KERNEL32(00000000), ref: 001585BA
GlobalLock.KERNEL32(00000000), ref: 001585C8
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 001585D7
GlobalUnlock.KERNEL32(00000000), ref: 001585E0
CloseHandle.KERNEL32(00000000), ref: 001585E7
CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 001585F8
OleLoadPicture.OLEAUT32(?,00000000,00000000,0015FC38,?), ref: 00158611
GlobalFree.KERNEL32(00000000), ref: 00158621
GetObjectW.GDI32(?,00000018,000000FF), ref: 00158641
CopyImage.USER32(?,00000000,00000000,?,00002000), ref: 00158671
DeleteObject.GDI32(00000000), ref: 00158699
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 001586AF

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: 0c8fa17a97642f755febb525b334915dbabbf168e3137a1df8689729a8cbff3e
Instruction ID: b0f1f65f32c0a6856486671a90a9eadb47acc76410925d20c70a015f5acbdc6c
Opcode Fuzzy Hash: 0c8fa17a97642f755febb525b334915dbabbf168e3137a1df8689729a8cbff3e
Instruction Fuzzy Hash: 4D411975600308EFDB119FA5CC88EAA7BB8FF89716F104158F916EB260DB309945CF60

Function 001314BD Relevance: 21.4, APIs: 10, Strings: 2, Instructions: 360timeCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000000), ref: 00131502
VariantCopy.OLEAUT32(?,?), ref: 0013150B
VariantClear.OLEAUT32(?), ref: 00131517
VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 001315FB
VarR8FromDec.OLEAUT32(?,?), ref: 00131657
VariantInit.OLEAUT32(?), ref: 00131708
SysFreeString.OLEAUT32(?), ref: 0013178C
VariantClear.OLEAUT32(?), ref: 001317D8
VariantClear.OLEAUT32(?), ref: 001317E7
VariantInit.OLEAUT32(00000000), ref: 00131823

Strings

Default, xrefs: 001316AF
%4d%02d%02d%02d%02d%02d, xrefs: 00131625

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem
String ID: %4d%02d%02d%02d%02d%02d$Default
API String ID: 1234038744-3931177956
Opcode ID: a963ae4dec32ccb1c3ffc7a9ca06357a2eb3dca015b14d1d0add0b7f35a5e770
Instruction ID: 0915a7c330b09240b3886f15c830174774ab2cfe60df5b1d81c46a24b7f5bf9a
Opcode Fuzzy Hash: a963ae4dec32ccb1c3ffc7a9ca06357a2eb3dca015b14d1d0add0b7f35a5e770
Instruction Fuzzy Hash: CFD11031A00205FFDB18AF65E885BBDB7B5BF46700F15845AF806AB681DB30EC45DBA1

Function 0014B60E Relevance: 21.3, APIs: 10, Strings: 2, Instructions: 285registrylibraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 000C9CB3: _wcslen.LIBCMT ref: 000C9CBD

Part of subcall function 0014C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0014B6AE,?,?), ref: 0014C9B5
Part of subcall function 0014C998: _wcslen.LIBCMT ref: 0014C9F1
Part of subcall function 0014C998: _wcslen.LIBCMT ref: 0014CA68
Part of subcall function 0014C998: _wcslen.LIBCMT ref: 0014CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0014B6F4
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0014B772
RegDeleteValueW.ADVAPI32(?,?), ref: 0014B80A
RegCloseKey.ADVAPI32(?), ref: 0014B87E
RegCloseKey.ADVAPI32(?), ref: 0014B89C
LoadLibraryA.KERNEL32(advapi32.dll), ref: 0014B8F2
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 0014B904
RegDeleteKeyW.ADVAPI32(?,?), ref: 0014B922
FreeLibrary.KERNEL32(00000000), ref: 0014B983
RegCloseKey.ADVAPI32(00000000), ref: 0014B994

Strings

RegDeleteKeyExW, xrefs: 0014B8FE
advapi32.dll, xrefs: 0014B8ED

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID: _wcslen$Close$DeleteLibrary$AddressBuffCharConnectFreeLoadOpenProcRegistryUpperValue
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 146587525-4033151799
Opcode ID: 9831ea940f98b0bb5a766eb9f57377bb0f9076e8aaf65bcaa6403cd1ba629fe5
Instruction ID: 8fbe726e8f38adfeba607226fa23e26b618d025a73c7fa4f196586af40bcc72d
Opcode Fuzzy Hash: 9831ea940f98b0bb5a766eb9f57377bb0f9076e8aaf65bcaa6403cd1ba629fe5
Instruction Fuzzy Hash: A4C17874208202EFD714DF24C4D5F6ABBE5BF84318F14849CF49A8B6A2CB71E946CB91

Function 0014255C Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 169windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 001425D8
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 001425E8
CreateCompatibleDC.GDI32(?), ref: 001425F4
SelectObject.GDI32(00000000,?), ref: 00142601
StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 0014266D
GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 001426AC
GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 001426D0
SelectObject.GDI32(?,?), ref: 001426D8
DeleteObject.GDI32(?), ref: 001426E1
DeleteDC.GDI32(?), ref: 001426E8
ReleaseDC.USER32(00000000,?), ref: 001426F3

Strings

(, xrefs: 0014268D

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: 9faa27f8c4f938f22f3dae77f1e1fce4fd8242f457e1028f1aa126633318a41a
Instruction ID: 4c2e3508312c2c9584858dc80d611fe734d5d996d389a6372e76109831cfebda
Opcode Fuzzy Hash: 9faa27f8c4f938f22f3dae77f1e1fce4fd8242f457e1028f1aa126633318a41a
Instruction Fuzzy Hash: C861C2B5D00319EFCF04CFA4D884AAEBBB6FF58310F208529E955A7250D774A991CFA4

Function 000FDA5D Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 000FDAA1

Part of subcall function 000FD63C: _free.LIBCMT ref: 000FD659
Part of subcall function 000FD63C: _free.LIBCMT ref: 000FD66B
Part of subcall function 000FD63C: _free.LIBCMT ref: 000FD67D
Part of subcall function 000FD63C: _free.LIBCMT ref: 000FD68F
Part of subcall function 000FD63C: _free.LIBCMT ref: 000FD6A1
Part of subcall function 000FD63C: _free.LIBCMT ref: 000FD6B3
Part of subcall function 000FD63C: _free.LIBCMT ref: 000FD6C5
Part of subcall function 000FD63C: _free.LIBCMT ref: 000FD6D7
Part of subcall function 000FD63C: _free.LIBCMT ref: 000FD6E9
Part of subcall function 000FD63C: _free.LIBCMT ref: 000FD6FB
Part of subcall function 000FD63C: _free.LIBCMT ref: 000FD70D
Part of subcall function 000FD63C: _free.LIBCMT ref: 000FD71F
Part of subcall function 000FD63C: _free.LIBCMT ref: 000FD731

_free.LIBCMT ref: 000FDA96

Part of subcall function 000F29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,000FD7D1,00000000,00000000,00000000,00000000,?,000FD7F8,00000000,00000007,00000000,?,000FDBF5,00000000), ref: 000F29DE
Part of subcall function 000F29C8: GetLastError.KERNEL32(00000000,?,000FD7D1,00000000,00000000,00000000,00000000,?,000FD7F8,00000000,00000007,00000000,?,000FDBF5,00000000,00000000), ref: 000F29F0

_free.LIBCMT ref: 000FDAB8
_free.LIBCMT ref: 000FDACD
_free.LIBCMT ref: 000FDAD8
_free.LIBCMT ref: 000FDAFA
_free.LIBCMT ref: 000FDB0D
_free.LIBCMT ref: 000FDB1B
_free.LIBCMT ref: 000FDB26
_free.LIBCMT ref: 000FDB5E
_free.LIBCMT ref: 000FDB65
_free.LIBCMT ref: 000FDB82
_free.LIBCMT ref: 000FDB9A

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 44a7414a05fab99229b56e84bab1b8cc108dcfb15be0be11828b64f3651803f2
Instruction ID: 54801464c650d73b0089b187211de4d4d6f7d060ebbdc5af317783c079803a48
Opcode Fuzzy Hash: 44a7414a05fab99229b56e84bab1b8cc108dcfb15be0be11828b64f3651803f2
Instruction Fuzzy Hash: 1C315D31648209DFDB61AA38E845BBA77EAFF00311F11451AE648D7992DB71EC40A724

Function 0012365B Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 267windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 0012369C
_wcslen.LIBCMT ref: 001236A7
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00123797
GetClassNameW.USER32(?,?,00000400), ref: 0012380C
GetDlgCtrlID.USER32(?), ref: 0012385D
GetWindowRect.USER32(?,?), ref: 00123882
GetParent.USER32(?), ref: 001238A0
ScreenToClient.USER32(00000000), ref: 001238A7
GetClassNameW.USER32(?,?,00000100), ref: 00123921
GetWindowTextW.USER32(?,?,00000400), ref: 0012395D

Strings

%s%u, xrefs: 00123734

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout_wcslen
String ID: %s%u
API String ID: 4010501982-679674701
Opcode ID: 4c29a931e738e4808f190d22340e9b05e30fac877a4454042bfe443007a01f95
Instruction ID: 480a31db8b32b5e535182d0387b0e098785cb1b9e162939a7e21de1952dec1e7
Opcode Fuzzy Hash: 4c29a931e738e4808f190d22340e9b05e30fac877a4454042bfe443007a01f95
Instruction Fuzzy Hash: 1E91E371204316AFDB08DF24D884BEAF7A9FF45304F004619F9A9D6190DB34EAA5CB91

Function 00124954 Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 253COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000400), ref: 00124994
GetWindowTextW.USER32(?,?,00000400), ref: 001249DA
_wcslen.LIBCMT ref: 001249EB
CharUpperBuffW.USER32(?,00000000), ref: 001249F7
_wcsstr.LIBVCRUNTIME ref: 00124A2C
GetClassNameW.USER32(00000018,?,00000400), ref: 00124A64
GetWindowTextW.USER32(?,?,00000400), ref: 00124A9D
GetClassNameW.USER32(00000018,?,00000400), ref: 00124AE6
GetClassNameW.USER32(?,?,00000400), ref: 00124B20
GetWindowRect.USER32(?,?), ref: 00124B8B

Strings

ThumbnailClass, xrefs: 00124A6F, 00124AF1

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen_wcsstr
String ID: ThumbnailClass
API String ID: 1311036022-1241985126
Opcode ID: 31b9fa371e1b0d72fe2db54b8167bee07a998a42a8ff2241dfdd5f70c5fed088
Instruction ID: 5090bb3938485a6161690a36c5c875d10435fc34155902632d65c64268a50c82
Opcode Fuzzy Hash: 31b9fa371e1b0d72fe2db54b8167bee07a998a42a8ff2241dfdd5f70c5fed088
Instruction Fuzzy Hash: 3D91DE710043259FDB04DF14E985FAA77E8FF84314F048469FD869A196EB30EE65CBA1

Function 0014CC34 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 104registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 0014CC64
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000), ref: 0014CC8D
FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 0014CD48

Part of subcall function 0014CC34: RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 0014CCAA
Part of subcall function 0014CC34: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00000000), ref: 0014CCBD
Part of subcall function 0014CC34: GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 0014CCCF
Part of subcall function 0014CC34: FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 0014CD05
Part of subcall function 0014CC34: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 0014CD28

RegDeleteKeyW.ADVAPI32(?,?), ref: 0014CCF3

Strings

RegDeleteKeyExW, xrefs: 0014CCC9
advapi32.dll, xrefs: 0014CCB8

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID: Library$EnumFree$AddressCloseDeleteLoadOpenProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2734957052-4033151799
Opcode ID: d0af634a031b4a05b1823aec30b54fa9eda5a19ba3d89a7935f3658f370c6403
Instruction ID: 17e2d857282f53764eb53dca7a893d6bf258bca37461a61be06c5ec37b728b77
Opcode Fuzzy Hash: d0af634a031b4a05b1823aec30b54fa9eda5a19ba3d89a7935f3658f370c6403
Instruction Fuzzy Hash: C2316975902229FBDB209F94DC88EEFBB7CEF45751F000165B906E6260DB309A85DAE0

Function 00133D1E Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 101fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00133D40
_wcslen.LIBCMT ref: 00133D6D
CreateDirectoryW.KERNEL32(?,00000000), ref: 00133D9D
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00133DBE
RemoveDirectoryW.KERNEL32(?), ref: 00133DCE
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 00133E55
CloseHandle.KERNEL32(00000000), ref: 00133E60
CloseHandle.KERNEL32(00000000), ref: 00133E6B

Strings

\, xrefs: 00133D77
:, xrefs: 00133D82
\??\%s, xrefs: 00133D5B

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove_wcslen
String ID: :$\$\??\%s
API String ID: 1149970189-3457252023
Opcode ID: 21052ed78f8976ef8c42b254ab20782d18b9ce5efeb2a1dfca83cf245a85a6ba
Instruction ID: ef5e767c80928eb84f85cfa2056a9666bc53ce23669ed370d4d7d9ffa64e9293
Opcode Fuzzy Hash: 21052ed78f8976ef8c42b254ab20782d18b9ce5efeb2a1dfca83cf245a85a6ba
Instruction Fuzzy Hash: 6F31A171900209ABDB219FA0DC49FEB37BDEF88701F5040B6F619E6061EB7497848B68

Function 0012E6B0 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 0012E6B4

Part of subcall function 000DE551: timeGetTime.WINMM(?,?,0012E6D4), ref: 000DE555

Sleep.KERNEL32(0000000A), ref: 0012E6E1
EnumThreadWindows.USER32(?,Function_0006E665,00000000), ref: 0012E705
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 0012E727
SetActiveWindow.USER32 ref: 0012E746
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 0012E754
SendMessageW.USER32(00000010,00000000,00000000), ref: 0012E773
Sleep.KERNEL32(000000FA), ref: 0012E77E
IsWindow.USER32 ref: 0012E78A
EndDialog.USER32(00000000), ref: 0012E79B

Strings

BUTTON, xrefs: 0012E719

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: f1666b891133d20e7e25230337679ec41063a87a9ab86da56b3d1505cc3b3cef
Instruction ID: a58cd018d3710180bd8d65ffac8d44d0f9de0e42b03d2402974624867fe727ad
Opcode Fuzzy Hash: f1666b891133d20e7e25230337679ec41063a87a9ab86da56b3d1505cc3b3cef
Instruction Fuzzy Hash: 6A21A570204315FFEB105F60FCC9A253BA9F75474AF200426F91686EB2DB71ADE08BA4

Function 0012E9FC Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 71COMMON

Download Yara Rule

APIs

Part of subcall function 000C9CB3: _wcslen.LIBCMT ref: 000C9CBD

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 0012EA5D
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 0012EA73
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0012EA84
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 0012EA96
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 0012EAA7

Strings

play PlayMe, xrefs: 0012EAA2
alias PlayMe, xrefs: 0012EA36
status PlayMe mode, xrefs: 0012EA58
play PlayMe wait, xrefs: 0012EA91
open , xrefs: 0012EA0C
close PlayMe, xrefs: 0012EA6E, 0012EA9B

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID: SendString$_wcslen
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2420728520-1007645807
Opcode ID: 1dfca27f5a58021df260711dac489fa1f97455885068bfbad56fc66fc92344d4
Instruction ID: 4fea441773fe8b1a09985cf6a30ba43b2cd82b4a57931bd6c05a91cf430b7c37
Opcode Fuzzy Hash: 1dfca27f5a58021df260711dac489fa1f97455885068bfbad56fc66fc92344d4
Instruction Fuzzy Hash: DE112131A902697DD724B7A1EC4AEFF6ABCEBD1B04F400429B411A20D1EF705A55CAB0

Function 00125CC6 Relevance: 18.2, APIs: 12, Instructions: 173COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 00125CE2
GetWindowRect.USER32(00000000,?), ref: 00125CFB
MoveWindow.USER32(?,0000000A,00000004,?,?,00000004,00000000), ref: 00125D59
GetDlgItem.USER32(?,00000002), ref: 00125D69
GetWindowRect.USER32(00000000,?), ref: 00125D7B
MoveWindow.USER32(?,?,00000004,00000000,?,00000004,00000000), ref: 00125DCF
GetDlgItem.USER32(?,000003E9), ref: 00125DDD
GetWindowRect.USER32(00000000,?), ref: 00125DEF
MoveWindow.USER32(?,0000000A,00000000,?,00000004,00000000), ref: 00125E31
GetDlgItem.USER32(?,000003EA), ref: 00125E44
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00125E5A
InvalidateRect.USER32(?,00000000,00000001), ref: 00125E67

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: d24021537454a9bf3f907bff1e5ebea5b89bb2bab4d9252a0a944edb1858ad3e
Instruction ID: e0b0a436e47fad12bc0bf8fb4459cd6f825917ef28f508afe612e0341c615152
Opcode Fuzzy Hash: d24021537454a9bf3f907bff1e5ebea5b89bb2bab4d9252a0a944edb1858ad3e
Instruction Fuzzy Hash: 23510E71A00719AFDB18CFA8DD89AAEBBB6FB48301F148129F515E6690D7709E50CB60

Function 000D9838 Relevance: 18.1, APIs: 12, Instructions: 137COMMON

Download Yara Rule

APIs

Part of subcall function 000D9944: GetWindowLongW.USER32(?,000000EB), ref: 000D9952

GetSysColor.USER32(0000000F), ref: 000D9862

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: 96ca41e5ccdc8fe27e111c38c50eef29cd3f8d4002b39584020aa135d6538297
Instruction ID: 14cfb096628b35d54e8bcd075968483ad8bad871b7f520c589705faf64c6e289
Opcode Fuzzy Hash: 96ca41e5ccdc8fe27e111c38c50eef29cd3f8d4002b39584020aa135d6538297
Instruction Fuzzy Hash: 35418331104740EFDB205F389C84BB977A6AB46731F144616F9A28B3E1DB319D81EB70

Function 001296E2 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,?,?,0010F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?), ref: 00129717
LoadStringW.USER32(00000000,?,0010F7F8,00000001), ref: 00129720

Part of subcall function 000C9CB3: _wcslen.LIBCMT ref: 000C9CBD

GetModuleHandleW.KERNEL32(00000000,00000001,?,00000FFF,?,?,0010F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?,00000000), ref: 00129742
LoadStringW.USER32(00000000,?,0010F7F8,00000001), ref: 00129745
MessageBoxW.USER32(00000000,00000000,?,00011010), ref: 00129866

Strings

Line %d:, xrefs: 001297A0
Error: , xrefs: 0012981D
%s (%d) : ==> %s: %s %s, xrefs: 0012984A
Line %d (File "%s"):, xrefs: 0012978F
^ ERROR, xrefs: 001297FB

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wcslen
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 747408836-2268648507
Opcode ID: 73bd4626f949658e1063a74fe7813a0414de72b3a519012fd1fe5544b951b54c
Instruction ID: 5876df78d53a17464e70d115a336cc4da9f8bdc0eb4f0bc5b85f1fca4be8a5fe
Opcode Fuzzy Hash: 73bd4626f949658e1063a74fe7813a0414de72b3a519012fd1fe5544b951b54c
Instruction Fuzzy Hash: 0A413D72900219AADF14FBE4DD86EEE7778AF15340F504129F60672092EF356F58CB61

Function 001206DE Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 127registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 000C6B57: _wcslen.LIBCMT ref: 000C6B6A

WNetAddConnection2W.MPR(?,?,?,00000000), ref: 001207A2
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 001207BE
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 001207DA
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00120804
CLSIDFromString.COMBASE(?,000001FE), ref: 0012082C
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00120837
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 0012083C

Strings

SOFTWARE\Classes\, xrefs: 0012070E
\IPC$, xrefs: 00120784
\CLSID, xrefs: 00120724

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_wcslen
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 323675364-22481851
Opcode ID: e7bb84deb7c7d46b452e0bdee9842d7b18432f9cedc8e3d7933187b5b4fc5934
Instruction ID: de6f8bf96aeee6857be974838c53e2b797d65c6300a1f1f802d0518801f81bc0
Opcode Fuzzy Hash: e7bb84deb7c7d46b452e0bdee9842d7b18432f9cedc8e3d7933187b5b4fc5934
Instruction Fuzzy Hash: E341E476D10229AFDB11EFA4DC85DEEB778FF48354B044129F901A71A2EB309E54CBA0

Function 00143C30 Relevance: 16.8, APIs: 11, Instructions: 344fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00143C5C
CoInitialize.OLE32(00000000), ref: 00143C8A
CoUninitialize.COMBASE ref: 00143C94
_wcslen.LIBCMT ref: 00143D2D
GetRunningObjectTable.OLE32(00000000,?), ref: 00143DB1
SetErrorMode.KERNEL32(00000001,00000029), ref: 00143ED5
CoGetInstanceFromFile.COMBASE(00000000,?,00000000,00000015,00000002,?,00000001,?), ref: 00143F0E
CoGetObject.OLE32(?,00000000,0015FB98,?), ref: 00143F2D
SetErrorMode.KERNEL32(00000000), ref: 00143F40
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00143FC4
VariantClear.OLEAUT32(?), ref: 00143FD8

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize_wcslen
String ID:
API String ID: 429561992-0
Opcode ID: 64d539cc5923861363a3e7a4ee649bfee4e7a47708f6b0935473b26b355ae156
Instruction ID: bf9b1c57f587a15db3651fe17e555c5cfcb80080e9e6a9a1d19609d508ccd787
Opcode Fuzzy Hash: 64d539cc5923861363a3e7a4ee649bfee4e7a47708f6b0935473b26b355ae156
Instruction Fuzzy Hash: A9C123716083019FD700DF68C88496BB7E9FF89744F10491DF99A9B261D731EE46CB92

Function 00137A96 Relevance: 16.8, APIs: 11, Instructions: 298comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00137AF3
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00137B8F
SHGetDesktopFolder.SHELL32(?), ref: 00137BA3
CoCreateInstance.COMBASE(0015FD08,00000000,00000001,00186E6C,?), ref: 00137BEF
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00137C74
CoTaskMemFree.COMBASE(?), ref: 00137CCC
SHBrowseForFolderW.SHELL32(?), ref: 00137D57
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00137D7A
CoTaskMemFree.COMBASE(00000000), ref: 00137D81
CoTaskMemFree.COMBASE(00000000), ref: 00137DD6
CoUninitialize.COMBASE ref: 00137DDC

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
String ID:
API String ID: 2762341140-0
Opcode ID: 770ba2876210c985b64a3c8f980c91b5efb81036ec947262a5d6652c9539d3ba
Instruction ID: f0c3504625483b165e4b9c42c63b18c625737d6a8c6a15e751a433dda88d5b96
Opcode Fuzzy Hash: 770ba2876210c985b64a3c8f980c91b5efb81036ec947262a5d6652c9539d3ba
Instruction Fuzzy Hash: 17C1EA75A04209AFCB14DFA4C884DAEBBF9FF48314F148499E8199B662D731EE45CB90

Function 0015541D Relevance: 16.7, APIs: 11, Instructions: 191windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00155504
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00155515
CharNextW.USER32(00000158), ref: 00155544
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00155585
SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 0015559B
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 001555AC

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID: MessageSend$CharNext
String ID:
API String ID: 1350042424-0
Opcode ID: 83d219cf19cbecc2664d0542190cbe8101a6dd89b29bb22dab4dae0e2dd0b32c
Instruction ID: 7ee0a0b14d8fb4fd04923b4e9f5abff2cb74e370b505bf5d8549d86ed8c4a423
Opcode Fuzzy Hash: 83d219cf19cbecc2664d0542190cbe8101a6dd89b29bb22dab4dae0e2dd0b32c
Instruction Fuzzy Hash: 37617C30904609EFDF109F94CC95AFE7BBAFB09726F104145F935AE290E7749A88DB60

Function 0011FA88 Relevance: 16.6, APIs: 11, Instructions: 122memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 0011FAAF
SafeArrayAllocData.OLEAUT32(?), ref: 0011FB08
VariantInit.OLEAUT32(?), ref: 0011FB1A
SafeArrayAccessData.OLEAUT32(?,?), ref: 0011FB3A
VariantCopy.OLEAUT32(?,?), ref: 0011FB8D
SafeArrayUnaccessData.OLEAUT32(?), ref: 0011FBA1
VariantClear.OLEAUT32(?), ref: 0011FBB6
SafeArrayDestroyData.OLEAUT32(?), ref: 0011FBC3
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0011FBCC
VariantClear.OLEAUT32(?), ref: 0011FBDE
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0011FBE9

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: 082b2d5789c76123f3dbcd7ccc3cd8418d3ab4388c67b923e339d15f11c049c6
Instruction ID: b4cb496ccc4a2975796af34420fc9f6ad9b866fa8f6d292d2dd75eb1752ee07c
Opcode Fuzzy Hash: 082b2d5789c76123f3dbcd7ccc3cd8418d3ab4388c67b923e339d15f11c049c6
Instruction Fuzzy Hash: E0415F75A00319DFCB04DF64D854DEEBBB9FF58345F008079E945AB261DB30A986CBA0

Function 00129C79 Relevance: 16.6, APIs: 11, Instructions: 119keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00129CA1
GetAsyncKeyState.USER32(000000A0), ref: 00129D22
GetKeyState.USER32(000000A0), ref: 00129D3D
GetAsyncKeyState.USER32(000000A1), ref: 00129D57
GetKeyState.USER32(000000A1), ref: 00129D6C
GetAsyncKeyState.USER32(00000011), ref: 00129D84
GetKeyState.USER32(00000011), ref: 00129D96
GetAsyncKeyState.USER32(00000012), ref: 00129DAE
GetKeyState.USER32(00000012), ref: 00129DC0
GetAsyncKeyState.USER32(0000005B), ref: 00129DD8
GetKeyState.USER32(0000005B), ref: 00129DEA

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 1b620b3900e70a997cfca1c9bf225d2bec416e30a6ca06fcfdb947a8610949a0
Instruction ID: 7c9cd0d0256c75f54ab36da518254ac273a8ebc6ac2c2c9a1e88b229d29df6eb
Opcode Fuzzy Hash: 1b620b3900e70a997cfca1c9bf225d2bec416e30a6ca06fcfdb947a8610949a0
Instruction Fuzzy Hash: 0741FC345047DE6DFF348BA8E4043B5BEE06F11344F04805ED6C65A5C2E7A499F4D7A2

Function 0014055B Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 207networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WS2_32(00000101,?), ref: 001405BC
inet_addr.WS2_32(?), ref: 0014061C
gethostbyname.WS2_32(?), ref: 00140628
IcmpCreateFile.IPHLPAPI ref: 00140636
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 001406C6
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 001406E5
IcmpCloseHandle.IPHLPAPI(?), ref: 001407B9
WSACleanup.WS2_32 ref: 001407BF

Strings

Ping, xrefs: 00140676

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: f9b179868e743058f004f38be05464fb2a1b8478e69da7192f989c5b05436641
Instruction ID: 46ec6937932cda903066112976072cb269d454940828f2c1cd91040e92de4694
Opcode Fuzzy Hash: f9b179868e743058f004f38be05464fb2a1b8478e69da7192f989c5b05436641
Instruction Fuzzy Hash: 1C916E355047019FD321DF16C889F1ABBE0EF48319F1585A9E5AA8BAB2C730ED45CF92

Function 00148CD3 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 193COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,00000000,?), ref: 00148CF3

Part of subcall function 00128E54: _wcslen.LIBCMT ref: 00128E77

_wcslen.LIBCMT ref: 00148D4E
_wcslen.LIBCMT ref: 00148D9C
_wcslen.LIBCMT ref: 00148DDC
_wcslen.LIBCMT ref: 00148E6E

Strings

cdecl, xrefs: 00148D48, 00148D4D
stdcall, xrefs: 00148DD6, 00148DDB
winapi, xrefs: 00148D96, 00148D9B
none, xrefs: 00148E65, 00148E6A

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID: _wcslen$BuffCharLower
String ID: cdecl$none$stdcall$winapi
API String ID: 707087890-567219261
Opcode ID: ef318721eb9d5c716075c5778dc8577478464d0ff75a005459014c75eb7b8596
Instruction ID: 37b8f98a9e250c87da76ce246a956fe6c76d74ab0641e8e85e6da8600c6f535a
Opcode Fuzzy Hash: ef318721eb9d5c716075c5778dc8577478464d0ff75a005459014c75eb7b8596
Instruction Fuzzy Hash: 82519F31A011169BCB24EFACC9509BEB7A5BF64724B214229E826F72D5EF31DE41C790

Function 0014372C Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 187comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32 ref: 00143774
CoUninitialize.COMBASE ref: 0014377F
CoCreateInstance.COMBASE(?,00000000,00000017,0015FB78,?), ref: 001437D9
IIDFromString.COMBASE(?,?), ref: 0014384C
VariantInit.OLEAUT32(?), ref: 001438E4
VariantClear.OLEAUT32(?), ref: 00143936

Strings

NULL Pointer assignment, xrefs: 0014381E
Failed to create object, xrefs: 001437E4, 0014389A
Invalid parameter, xrefs: 00143865

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 636576611-1287834457
Opcode ID: 2e7437a3d2fcc0e8b871e3c7107ad67787b4a1c4c021b8f4029a94717d489747
Instruction ID: a68b9cca5c21f14b03ff3c3909b64a83985707390734239b18386596a754176e
Opcode Fuzzy Hash: 2e7437a3d2fcc0e8b871e3c7107ad67787b4a1c4c021b8f4029a94717d489747
Instruction Fuzzy Hash: 1E619F70608302AFD311DF54C849F6ABBE4EF48715F10091DF9A59B2A1D770EE49CBA2

Function 00133388 Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 149COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,?), ref: 001333CF

Part of subcall function 000C9CB3: _wcslen.LIBCMT ref: 000C9CBD

LoadStringW.USER32(00000072,?,00000FFF,?), ref: 001333F0

Strings

Error: , xrefs: 001334D1
^ ERROR , xrefs: 0013349E
"%s" (%d) : ==> %s:%s%s, xrefs: 00133504
"%s" (%d) : ==> %s:, xrefs: 00133522
Line %d (File "%s"):, xrefs: 00133443, 0013345C
Incorrect parameters to object property !, xrefs: 001334AB

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-3080491070
Opcode ID: c76d42b2d6fa52795d703616c603ceab5055287d248ea341790d9475b756ae7d
Instruction ID: 36e924fd50358d9118c302788eddd9b6c2222d9d206992a04a254c8bf0dac739
Opcode Fuzzy Hash: c76d42b2d6fa52795d703616c603ceab5055287d248ea341790d9475b756ae7d
Instruction Fuzzy Hash: EA517C7290020ABADF15EBA0DD46EEEB778AF14340F204169F515720A2EB356F98DF61

Function 0012B5C8 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 142COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 0012B5FC
_wcslen.LIBCMT ref: 0012B608
_wcslen.LIBCMT ref: 0012B64D
_wcslen.LIBCMT ref: 0012B68C
_wcslen.LIBCMT ref: 0012B6C7

Strings

EXISTS, xrefs: 0012B686, 0012B68B
APPEND, xrefs: 0012B6C1, 0012B6C6
REMOVE, xrefs: 0012B602, 0012B607
KEYS, xrefs: 0012B647, 0012B64C

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 1256254125-769500911
Opcode ID: eaea5beaf37c46bc4668043aeae304462023cd6af258af6a5eb41f5cd69c88db
Instruction ID: d3bcebea20d4e0d57a056aa1387da062dee46b0589d058004ca93f7bf07b3795
Opcode Fuzzy Hash: eaea5beaf37c46bc4668043aeae304462023cd6af258af6a5eb41f5cd69c88db
Instruction Fuzzy Hash: A241F632A081379BCB206F7DD9D05BE77A5BFA0B54B254229E422EB285F731CD91C790

Function 00135393 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 103COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 001353A0
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00135416
GetLastError.KERNEL32 ref: 00135420
SetErrorMode.KERNEL32(00000000,READY), ref: 001354A7

Strings

UNKNOWN, xrefs: 00135444
INVALID, xrefs: 00135459
NOTREADY, xrefs: 0013544B
READONLY, xrefs: 00135452
READY, xrefs: 00135460, 00135468

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: 317eebec5950d56496e408d98c591dc87f91546ec3334faf253e5ddcd9014334
Instruction ID: 0315036e26ba01cc1ce12fe7910c2a295f220f09759db5f0bde4934cd67933d9
Opcode Fuzzy Hash: 317eebec5950d56496e408d98c591dc87f91546ec3334faf253e5ddcd9014334
Instruction Fuzzy Hash: FF318D35A00604DFC718DF68C984FAABBB5EB45715F148069E805DB292EB71DE86CBA0

Function 00153C46 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 101windowCOMMON

Download Yara Rule

APIs

CreateMenu.USER32 ref: 00153C79
SetMenu.USER32(?,00000000), ref: 00153C88
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00153D10
IsMenu.USER32(?), ref: 00153D24
CreatePopupMenu.USER32 ref: 00153D2E
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00153D5B
DrawMenuBar.USER32 ref: 00153D63

Strings

F, xrefs: 00153D4E
0, xrefs: 00153C54

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup
String ID: 0$F
API String ID: 161812096-3044882817
Opcode ID: 6772cbe6385cfe6006e3d71b71bc939022e5bd81208c55377085fe4f47a40b1a
Instruction ID: 9f46a3dc4b3be3834a698d122e9fd438318998bec5941e9d471f1785ca7643af
Opcode Fuzzy Hash: 6772cbe6385cfe6006e3d71b71bc939022e5bd81208c55377085fe4f47a40b1a
Instruction Fuzzy Hash: 64415675A01309EFDB14CFA4D844BAA7BB5FF49391F140029ED66AB360D770AA54CF90

Function 00153A23 Relevance: 15.2, APIs: 10, Instructions: 182windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00153A9D
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00153AA0
GetWindowLongW.USER32(?,000000F0), ref: 00153AC7
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00153AEA
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00153B62
SendMessageW.USER32(?,00001074,00000000,00000007), ref: 00153BAC
SendMessageW.USER32(?,00001057,00000000,00000000), ref: 00153BC7
SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 00153BE2
SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 00153BF6
SendMessageW.USER32(?,00001008,00000000,00000007), ref: 00153C13

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID: MessageSend$LongWindow
String ID:
API String ID: 312131281-0
Opcode ID: 97c6b780b65a7baa71be3588a47845351c25f9d6d7f777e22cc685d9a9d1acd8
Instruction ID: 155fd9d9a430ba34d66c5c31a73d9773ebc8ebe6383cab2034a8a8e962f4848e
Opcode Fuzzy Hash: 97c6b780b65a7baa71be3588a47845351c25f9d6d7f777e22cc685d9a9d1acd8
Instruction Fuzzy Hash: 03617D75900248EFDB11DF68CC81EEE77B8EB09704F10019AFA25EB291C770AE85DB50

Function 0012B12F Relevance: 15.1, APIs: 10, Instructions: 88threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0012B151
GetForegroundWindow.USER32(00000000,?,?,?,?,?,0012A1E1,?,00000001), ref: 0012B165
GetWindowThreadProcessId.USER32(00000000), ref: 0012B16C
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,0012A1E1,?,00000001), ref: 0012B17B
GetWindowThreadProcessId.USER32(?,00000000), ref: 0012B18D
AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,0012A1E1,?,00000001), ref: 0012B1A6
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,0012A1E1,?,00000001), ref: 0012B1B8
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,0012A1E1,?,00000001), ref: 0012B1FD
AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,0012A1E1,?,00000001), ref: 0012B212
AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,0012A1E1,?,00000001), ref: 0012B21D

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: ce6ce91d7e0a40c5bf98e1defffd55e89edd840974f165ba5ad9ac37fe9e1282
Instruction ID: 1b4a304dbdd65811d61518f5bfa29920f329e0232cb87178a1fbf0754cbc6ab4
Opcode Fuzzy Hash: ce6ce91d7e0a40c5bf98e1defffd55e89edd840974f165ba5ad9ac37fe9e1282
Instruction Fuzzy Hash: FB319C75514314FFDB10DF24EC88B7EBBA9BB51312F144006FA11DA691D7B4AAA0CFA0

Function 000F2C80 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 000F2C94

Part of subcall function 000F29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,000FD7D1,00000000,00000000,00000000,00000000,?,000FD7F8,00000000,00000007,00000000,?,000FDBF5,00000000), ref: 000F29DE
Part of subcall function 000F29C8: GetLastError.KERNEL32(00000000,?,000FD7D1,00000000,00000000,00000000,00000000,?,000FD7F8,00000000,00000007,00000000,?,000FDBF5,00000000,00000000), ref: 000F29F0

_free.LIBCMT ref: 000F2CA0
_free.LIBCMT ref: 000F2CAB
_free.LIBCMT ref: 000F2CB6
_free.LIBCMT ref: 000F2CC1
_free.LIBCMT ref: 000F2CCC
_free.LIBCMT ref: 000F2CD7
_free.LIBCMT ref: 000F2CE2
_free.LIBCMT ref: 000F2CED
_free.LIBCMT ref: 000F2CFB

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: bd737444ddd361eafb8904c17dcadaf450d54171f6ce728c3f809bb29af24c87
Instruction ID: 10e61f7a2a8d8b55aa6a3d7b340f591bd50aa01bd28e6629b71deda7e320edcf
Opcode Fuzzy Hash: bd737444ddd361eafb8904c17dcadaf450d54171f6ce728c3f809bb29af24c87
Instruction Fuzzy Hash: 6711937614410DAFCB02EF94D982CED3BA5FF05350F4144A5FA489BA22DA71EA50AB90

Function 000C1410 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 332comCOMMON

Download Yara Rule

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 000C1459
OleUninitialize.OLE32(?,00000000), ref: 000C14F8
UnregisterHotKey.USER32(?), ref: 000C16DD
DestroyWindow.USER32(?), ref: 001024B9
FreeLibrary.KERNEL32(?), ref: 0010251E
VirtualFree.KERNEL32(?,00000000,00008000), ref: 0010254B

Strings

close all, xrefs: 000C1454

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: ab30452b3a1efa69e28c6a09b889c074a53c5f6bf2717011352ced76deb8ccae
Instruction ID: 69568ff0d45a32e05222bfa901ecd9196ce48dd209dfc150f9f58caf9732078f
Opcode Fuzzy Hash: ab30452b3a1efa69e28c6a09b889c074a53c5f6bf2717011352ced76deb8ccae
Instruction Fuzzy Hash: 0ED13B31601212CFCB29EF14C899FADF7A5BF05700F14429DE84A6B292DB71AD16CF94

Function 00144523 Relevance: 14.3, APIs: 4, Strings: 4, Instructions: 262COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00144648
VariantInit.OLEAUT32(?), ref: 00144749
VariantClear.OLEAUT32(?), ref: 00144753
VariantClear.OLEAUT32(?), ref: 001447B0

Strings

get__NewEnum, xrefs: 0014454F
Null Object assignment in FOR..IN loop, xrefs: 001445D8, 00144706, 001447BE
Incorrect Object type in FOR..IN loop, xrefs: 0014472C
_NewEnum, xrefs: 00144531

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID: Variant$ClearInit
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop$_NewEnum$get__NewEnum
API String ID: 2610073882-1765764032
Opcode ID: 76d6461a9b3ce9253613b4f9592c1cf18047c53d903bbdc5de75d3f460d24ed6
Instruction ID: ec64ac9a27f8e10f4ca013c4686039c73c99d06a22362a9447157b3e7a5b21ed
Opcode Fuzzy Hash: 76d6461a9b3ce9253613b4f9592c1cf18047c53d903bbdc5de75d3f460d24ed6
Instruction Fuzzy Hash: 9C91AC71A00219EFDF24CFA4C888FAEBBB8EF46715F108559F515AB291D7709942CFA0

Function 00137DF0 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00137FAD
SetCurrentDirectoryW.KERNEL32(?), ref: 00137FC1
GetFileAttributesW.KERNEL32(?), ref: 00137FEB
SetFileAttributesW.KERNEL32(?,00000000), ref: 00138005
SetCurrentDirectoryW.KERNEL32(?), ref: 00138017
SetCurrentDirectoryW.KERNEL32(?), ref: 00138060
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 001380B0

Strings

*.*, xrefs: 00138066

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile
String ID: *.*
API String ID: 769691225-438819550
Opcode ID: 2ed917cfa46cb8277091c4e2ca0c83bfdcf7832e4faf74d404c52fb9ebad72c6
Instruction ID: d3cfabf06bea43877c9611cab75aa950619295a45d52e43f727a5da45fda1ec4
Opcode Fuzzy Hash: 2ed917cfa46cb8277091c4e2ca0c83bfdcf7832e4faf74d404c52fb9ebad72c6
Instruction Fuzzy Hash: A68180B15083459FCB34EF14C484AAEB3E8BB89310F544C6EF889D7291EB74DD498B52

Function 000C5BEA Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 000C5C7A

Part of subcall function 000C5D0A: GetClientRect.USER32(?,?), ref: 000C5D30
Part of subcall function 000C5D0A: GetWindowRect.USER32(?,?), ref: 000C5D71
Part of subcall function 000C5D0A: ScreenToClient.USER32(?,?), ref: 000C5D99

GetDC.USER32 ref: 001046F5
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00104708
SelectObject.GDI32(00000000,00000000), ref: 00104716
SelectObject.GDI32(00000000,00000000), ref: 0010472B
ReleaseDC.USER32(?,00000000), ref: 00104733
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 001047C4

Strings

U, xrefs: 00104693

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: e9f44db0ad0e20cbba9f19b31094491e436849df21067a95843f472e4de7cfc7
Instruction ID: ed9c3d65080ecc21a18956f814609104b622abf71877b90327dd0a5af63a33c7
Opcode Fuzzy Hash: e9f44db0ad0e20cbba9f19b31094491e436849df21067a95843f472e4de7cfc7
Instruction Fuzzy Hash: A971DCB5400205EFCF258F64C9C4AAE3BB1FF4A361F14426AEE955A2A6D3719881DF60

Function 000FAF88 Relevance: 14.2, APIs: 1, Strings: 7, Instructions: 154COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlDecodePointer.NTDLL(?), ref: 000FAFAB

Strings

acos, xrefs: 000FB123
pow, xrefs: 000FB08F, 000FB13B, 000FB14E
log10, xrefs: 000FAFF5, 000FB045
log, xrefs: 000FB051, 000FB05D
exp, xrefs: 000FB070, 000FB0D2
sqrt, xrefs: 000FB12F
asin, xrefs: 000FB117

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID: DecodePointer
String ID: acos$asin$exp$log$log10$pow$sqrt
API String ID: 3527080286-3064271455
Opcode ID: 5e8b45f4278365749dfc9b6d4ed3bc3ee7909beb9c1f33b8e68a18e1d2feeff5
Instruction ID: 9a123bac9b6655c0eea369b71df5d68a24ef7f6193d0207c9484c21a94be0a03
Opcode Fuzzy Hash: 5e8b45f4278365749dfc9b6d4ed3bc3ee7909beb9c1f33b8e68a18e1d2feeff5
Instruction Fuzzy Hash: 6251AEB490060EDBCF24DFA8EA581FDBBF0FF49300F640195E641BBA64CB758924AB54

Function 0013359C Relevance: 14.2, APIs: 3, Strings: 5, Instructions: 150COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 001335E4

Part of subcall function 000C9CB3: _wcslen.LIBCMT ref: 000C9CBD

LoadStringW.USER32(00192390,?,00000FFF,?), ref: 0013360A

Strings

Error: , xrefs: 001336EF
"%s" (%d) : ==> %s:%s%s, xrefs: 00133724
"%s" (%d) : ==> %s:, xrefs: 00133742
Line %d (File "%s"):, xrefs: 0013366B
^ ERROR, xrefs: 001336C9

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-2391861430
Opcode ID: bcab51b95ccef12eac51082f8789f3813ac5567622a38f2f10dff88eae133e1b
Instruction ID: 97258a77b6899eb3afcdadafcdfaf3260ebad47467ced5a418a91b5238550aae
Opcode Fuzzy Hash: bcab51b95ccef12eac51082f8789f3813ac5567622a38f2f10dff88eae133e1b
Instruction Fuzzy Hash: 59518C7190020ABBDF14EBA0DC46EEEBB38EF14310F144129F515721A2EB311B99DFA5

Function 00153886 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 141windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00153925
SendMessageW.USER32(00000000,00001036,00000000,?), ref: 0015393A
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00153954
_wcslen.LIBCMT ref: 00153999
SendMessageW.USER32(?,00001057,00000000,?), ref: 001539C6
SendMessageW.USER32(?,00001061,?,0000000F), ref: 001539F4

Strings

SysListView32, xrefs: 001538F7
-----, xrefs: 001539A7

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID: MessageSend$Window_wcslen
String ID: -----$SysListView32
API String ID: 2147712094-3975388722
Opcode ID: 8cb3435bdf83625a07715b08f8d85c88d0762276cc53ad83f8bb556faa2a650e
Instruction ID: 3a6734ca8262f1d2ed308ce464a18402a90e447581a6f4bbd291f97a8967ccf7
Opcode Fuzzy Hash: 8cb3435bdf83625a07715b08f8d85c88d0762276cc53ad83f8bb556faa2a650e
Instruction Fuzzy Hash: 9E417571A00319EFEF259F64CC49BEA77A9EF08395F100526F964EB281D7719A84CB90

Function 0013C253 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 94networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0013C272
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0013C29A
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 0013C2CA
GetLastError.KERNEL32 ref: 0013C322
SetEvent.KERNEL32(?), ref: 0013C336
InternetCloseHandle.WININET(00000000), ref: 0013C341

Strings

, xrefs: 0013C2BB

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: f79b2d60727768b4f87db2701d24218ccc4097968cbfe0bd547a4f1f18c1a9c9
Instruction ID: 846196c0a4b16945b09b7f847e2c5e67bb288682ba752bb066b08fb4231971ea
Opcode Fuzzy Hash: f79b2d60727768b4f87db2701d24218ccc4097968cbfe0bd547a4f1f18c1a9c9
Instruction Fuzzy Hash: 273167B1600708AFD7219FA4DC88AAB7BFCFB59744F14851EF486A6600DB30ED459BA1

Function 0012989B Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 74windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00103AAF,?,?,Bad directive syntax error,0015CC08,00000000,00000010,?,?,>>>AUTOIT SCRIPT<<<), ref: 001298BC
LoadStringW.USER32(00000000,?,00103AAF,?), ref: 001298C3

Part of subcall function 000C9CB3: _wcslen.LIBCMT ref: 000C9CBD

MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 00129987

Strings

Error: , xrefs: 00129955
Line %d:, xrefs: 00129912
., xrefs: 0012996D
%s (%d) : ==> %s.: %s %s, xrefs: 001298F1
Line %d (File "%s"):, xrefs: 0012992D

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID: HandleLoadMessageModuleString_wcslen
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 858772685-4153970271
Opcode ID: 8687f94c29bdc1d57df0fd0352d695c5614df166d97bcdbcf000ad40e4385b67
Instruction ID: b52d75b8fb4f9e480e476e349ce8621b6a51e4b50ab61e978a96b90c76079f78
Opcode Fuzzy Hash: 8687f94c29bdc1d57df0fd0352d695c5614df166d97bcdbcf000ad40e4385b67
Instruction Fuzzy Hash: 95217A3290031AEBCF15AF90DC4AEEE7739BF18304F04446AF515660A2EB719A68CB60

Function 0012209F Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 71windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 001220AB
GetClassNameW.USER32(00000000,?,00000100), ref: 001220C0
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 0012214D

Strings

largeicons, xrefs: 001220E1
details, xrefs: 001220FB
SHELLDLL_DefView, xrefs: 001220CC
list, xrefs: 0012212F
smallicons, xrefs: 00122115

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID: ClassMessageNameParentSend
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1290815626-3381328864
Opcode ID: c5d9cda3c2ff0f80a7b91dee083709a3e5694dcf5044125fc412c7498b283899
Instruction ID: 1b0a663158db1bec42ec69730e131653b2be9d2aff3c0a4a2ba5d1fc86c43f36
Opcode Fuzzy Hash: c5d9cda3c2ff0f80a7b91dee083709a3e5694dcf5044125fc412c7498b283899
Instruction Fuzzy Hash: FC11367A688316BEF7053620FC06CEA379DCF15324B200026FB04B80E2FFB169715A18

Function 000FCE90 Relevance: 13.7, APIs: 9, Instructions: 209COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 000FCEB7
_free.LIBCMT ref: 000FCF22
_free.LIBCMT ref: 000FCF48
_free.LIBCMT ref: 000FCF71
_free.LIBCMT ref: 000FCFA9
_free.LIBCMT ref: 000FCFDA
_free.LIBCMT ref: 000FD01B
SetEnvironmentVariableA.KERNEL32(00000000,00000000), ref: 000FD09C
_free.LIBCMT ref: 000FD0B5

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID: _free$EnvironmentVariable___from_strstr_to_strchr
String ID:
API String ID: 1282221369-0
Opcode ID: 2c83627b8ea9d1f00d35c9e6dc784d1cb5857c8de7b8c126f4c2b45da50d36ad
Instruction ID: 096757201bcd504dbe08e805e8524526ce3ad8ea3be0b5c119f375e88a999b69
Opcode Fuzzy Hash: 2c83627b8ea9d1f00d35c9e6dc784d1cb5857c8de7b8c126f4c2b45da50d36ad
Instruction Fuzzy Hash: ED61587190430DAFEB21AFB49942ABDBBE5EF05310F04017EFB4597A82DB319E05A790

Function 000D8BCD Relevance: 13.7, APIs: 9, Instructions: 168timeCOMMON

Download Yara Rule

APIs

Part of subcall function 000D8F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,000D8BE8,?,00000000,?,?,?,?,000D8BBA,00000000,?), ref: 000D8FC5

DestroyWindow.USER32(?), ref: 000D8C81
KillTimer.USER32(00000000,?,?,?,?,000D8BBA,00000000,?), ref: 000D8D1B
DestroyAcceleratorTable.USER32(00000000), ref: 00116973
DeleteObject.GDI32(00000000), ref: 001169E6

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID: Destroy$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 2402799130-0
Opcode ID: 4a060a5a6ba761a35917cdb94e5adba54827bc5c7a44a6de5f4502540710a681
Instruction ID: 4a78b3fe1fae012fc03417ef33207089292cc313ab8526b2cb5d0c57e93de223
Opcode Fuzzy Hash: 4a060a5a6ba761a35917cdb94e5adba54827bc5c7a44a6de5f4502540710a681
Instruction Fuzzy Hash: BD615B31512705EFCB359F14D958B69B7F1FB40316F14952EE0429BAA0CB72A9D0DFA0

Function 001550D4 Relevance: 13.7, APIs: 9, Instructions: 162windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00002001,00000000,00000000), ref: 00155186
ShowWindow.USER32(?,00000000), ref: 001551C7
ShowWindow.USER32(?,00000005,?,00000000), ref: 001551CD
SetFocus.USER32(?,?,00000005,?,00000000), ref: 001551D1

Part of subcall function 00156FBA: DeleteObject.GDI32(00000000), ref: 00156FE6

GetWindowLongW.USER32(?,000000F0), ref: 0015520D
SetWindowLongW.USER32(?,000000F0,00000000), ref: 0015521A
InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 0015524D
SendMessageW.USER32(?,00001001,00000000,000000FE), ref: 00155287
SendMessageW.USER32(?,00001026,00000000,000000FE), ref: 00155296

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID: Window$MessageSend$LongShow$DeleteFocusInvalidateObjectRect
String ID:
API String ID: 3210457359-0
Opcode ID: 1f6a4373d65ae7faadea8daf00e39b5ba6bc2a6ffb65e487bdd970dd852fba1f
Instruction ID: 2be3f9921045e0ee7d05fa634d7f8eeca7b28cfd13fe4134e44494d41bdaf0e8
Opcode Fuzzy Hash: 1f6a4373d65ae7faadea8daf00e39b5ba6bc2a6ffb65e487bdd970dd852fba1f
Instruction Fuzzy Hash: 7F519330A50A08FEEF249F24CC95BD83BA6EB05366F144012FD359E6E1C775A988DB51

Function 000D8B06 Relevance: 13.7, APIs: 9, Instructions: 155windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,?,00000010,00000010,00000010), ref: 00116890
ExtractIconExW.SHELL32(?,?,00000000,00000000,00000001), ref: 001168A9
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 001168B9
ExtractIconExW.SHELL32(?,?,?,00000000,00000001), ref: 001168D1
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 001168F2
DestroyCursor.USER32(00000000), ref: 00116901
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 0011691E
DestroyCursor.USER32(00000000), ref: 0011692D

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID: CursorDestroyExtractIconImageLoadMessageSend
String ID:
API String ID: 3992029641-0
Opcode ID: df8e03b2a282dd3cbc9a2629144c1a87732eb658ef22cce2bd744cb5aab1db4c
Instruction ID: 05a86f7bd44232ac5bda3e038f24a77ce8073ae15134c40ea2819405fedb60e2
Opcode Fuzzy Hash: df8e03b2a282dd3cbc9a2629144c1a87732eb658ef22cce2bd744cb5aab1db4c
Instruction Fuzzy Hash: CD51AD70600309EFDB24CF24CC95FAA7BB5FB58365F10452AF9129B2A0DB71E990DB60

Function 0013C143 Relevance: 13.6, APIs: 9, Instructions: 95networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0013C182
GetLastError.KERNEL32 ref: 0013C195
SetEvent.KERNEL32(?), ref: 0013C1A9

Part of subcall function 0013C253: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0013C272
Part of subcall function 0013C253: GetLastError.KERNEL32 ref: 0013C322
Part of subcall function 0013C253: SetEvent.KERNEL32(?), ref: 0013C336
Part of subcall function 0013C253: InternetCloseHandle.WININET(00000000), ref: 0013C341

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
String ID:
API String ID: 337547030-0
Opcode ID: e92734f7963f5c3ee264b2a13b4f0023b1ac7c63df8147b1bb7e6666b3d9fde0
Instruction ID: 91cd3892d9de3af1224d18c596258b5aa7596f2fe483bc1b95dca5771195e1d3
Opcode Fuzzy Hash: e92734f7963f5c3ee264b2a13b4f0023b1ac7c63df8147b1bb7e6666b3d9fde0
Instruction Fuzzy Hash: DD315571200705EFDB219FA5DC44A6BBBE9FF28301F04442DF956AAA10D730E854ABE0

Function 001225A2 Relevance: 13.6, APIs: 9, Instructions: 60sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00123A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00123A57
Part of subcall function 00123A3D: GetCurrentThreadId.KERNEL32 ref: 00123A5E
Part of subcall function 00123A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,001225B3), ref: 00123A65

MapVirtualKeyW.USER32(00000025,00000000), ref: 001225BD
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 001225DB
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 001225DF
MapVirtualKeyW.USER32(00000025,00000000), ref: 001225E9
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00122601
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000), ref: 00122605
MapVirtualKeyW.USER32(00000025,00000000), ref: 0012260F
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00122623
Sleep.KERNEL32(00000000,?,00000101,00000027,00000000,?,00000100,00000027,00000000), ref: 00122627

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: c063b1bfe7626b3168496e279a520b2bb8aa5c3fcbd659550e495a7a0f875562
Instruction ID: 5238e2bbca56fa7482d1b51a506223c2399eed1995a5425b821074dc0de9b0de
Opcode Fuzzy Hash: c063b1bfe7626b3168496e279a520b2bb8aa5c3fcbd659550e495a7a0f875562
Instruction Fuzzy Hash: F301D831390720FBFB106B689CCAF993F99DB5EB12F100011F314AF1D1CAF114948AA9

Function 00121803 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,?,00000000,?,00121449,?,?,00000000), ref: 0012180C
RtlAllocateHeap.NTDLL(00000000,?,00121449), ref: 00121813
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00121449,?,?,00000000), ref: 00121828
GetCurrentProcess.KERNEL32(?,00000000,?,00121449,?,?,00000000), ref: 00121830
DuplicateHandle.KERNEL32(00000000,?,00121449,?,?,00000000), ref: 00121833
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00121449,?,?,00000000), ref: 00121843
GetCurrentProcess.KERNEL32(00121449,00000000,?,00121449,?,?,00000000), ref: 0012184B
DuplicateHandle.KERNEL32(00000000,?,00121449,?,?,00000000), ref: 0012184E
CreateThread.KERNEL32(00000000,00000000,00121874,00000000,00000000,00000000), ref: 00121868

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocateCreateThread
String ID:
API String ID: 1422014791-0
Opcode ID: 25717365dbf7c1601a03762abf0a4181ec91d930a971a04beac4b5bf82f0651b
Instruction ID: f4f62a5016e28510474150d323d7d553f30869cbc9a08aca43b4ff09b47cb344
Opcode Fuzzy Hash: 25717365dbf7c1601a03762abf0a4181ec91d930a971a04beac4b5bf82f0651b
Instruction Fuzzy Hash: 6101A8B5640708FFE610AFA5DC89F6B3BACEB89B11F004411FA05DB5A1CA709850CB60

Function 0014A0E2 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 160COMMON

Download Yara Rule

APIs

Part of subcall function 0012D4DC: CreateToolhelp32Snapshot.KERNEL32 ref: 0012D501
Part of subcall function 0012D4DC: Process32FirstW.KERNEL32(00000000,?), ref: 0012D50F
Part of subcall function 0012D4DC: CloseHandle.KERNEL32(00000000), ref: 0012D5DC

OpenProcess.KERNEL32(00000001,00000000,?), ref: 0014A16D
GetLastError.KERNEL32 ref: 0014A180
OpenProcess.KERNEL32(00000001,00000000,?), ref: 0014A1B3
TerminateProcess.KERNEL32(00000000,00000000), ref: 0014A268
GetLastError.KERNEL32(00000000), ref: 0014A273
CloseHandle.KERNEL32(00000000), ref: 0014A2C4

Strings

SeDebugPrivilege, xrefs: 0014A18F

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: cc3b777caf70abd482958a207ad2e47e74a798613f4cc9756244fdb50965ee0f
Instruction ID: 1991ec38b69463bdb303b94b8df2ed44868bb0e79c72d88fbd54574294b1d95a
Opcode Fuzzy Hash: cc3b777caf70abd482958a207ad2e47e74a798613f4cc9756244fdb50965ee0f
Instruction Fuzzy Hash: EF61A1302442429FD720DF14C494F5ABBE1AF54318F55849CE45A4FBA3C7B2ED46DB92

Function 0012BC5E Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 0012BCFD
IsMenu.USER32(00000000), ref: 0012BD1D
CreatePopupMenu.USER32 ref: 0012BD53
GetMenuItemCount.USER32(00B624A8), ref: 0012BDA4
InsertMenuItemW.USER32(00B624A8,?,00000001,00000030), ref: 0012BDCC

Strings

2, xrefs: 0012BD37
0, xrefs: 0012BCA8

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup
String ID: 0$2
API String ID: 93392585-3793063076
Opcode ID: 5d756c6dc87960146e066497a85d9ef1b239bf75c9ecfb182502c871ed741ec9
Instruction ID: 358162839800437becc528399c11af99555505faf420b107be65c636df597a3c
Opcode Fuzzy Hash: 5d756c6dc87960146e066497a85d9ef1b239bf75c9ecfb182502c871ed741ec9
Instruction Fuzzy Hash: 6751BE70A08329DBDB14CFE8E8C4BEEBBF4AF55318F148119E4519B291E7709961CB91

Function 0012C874 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 81windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 0012C913

Strings

blank, xrefs: 0012C895
info, xrefs: 0012C8B4
question, xrefs: 0012C8CC
stop, xrefs: 0012C8E4
warning, xrefs: 0012C8FC

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: 8538c6b751da78a53ab26b6986da8a43e8126dd480e837a77e403de60b234f5b
Instruction ID: 778f995ddd844a5860f66f27ba50125c1bda71767bbf062825a6b27a47645c7d
Opcode Fuzzy Hash: 8538c6b751da78a53ab26b6986da8a43e8126dd480e837a77e403de60b234f5b
Instruction Fuzzy Hash: C2112B31689316BEEB046B54EC83CEE379CDF15328B10003EF700A6182E7E05E5057E9

Function 0012DE27 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 70networkCOMMON

Download Yara Rule

APIs

WSAStartup.WS2_32(00000101,?), ref: 0012DE42
gethostname.WS2_32(?,00000100), ref: 0012DE5C
gethostbyname.WS2_32(?), ref: 0012DE69
inet_ntoa.WS2_32(?), ref: 0012DEAB
_strcat.LIBCMT ref: 0012DEB9
WSACleanup.WS2_32 ref: 0012DEDE

Strings

0.0.0.0, xrefs: 0012DE87

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID: CleanupStartup_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 642191829-3771769585
Opcode ID: 4daa23b1020a7e1e8975b470f194405010b4dd504f10785cdd87e26b843bea06
Instruction ID: 47812cca35bcafcb028ed85f54bf3c3a7e9909d4bf1d161a0f6da0069eb46505
Opcode Fuzzy Hash: 4daa23b1020a7e1e8975b470f194405010b4dd504f10785cdd87e26b843bea06
Instruction Fuzzy Hash: 33110A71504315AFDB24AF60FC0ADEE77ACDF15711F020169F445AA092EF718AC18AA0

Function 0012ED19 Relevance: 12.1, APIs: 8, Instructions: 137timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 0012ED2A
_wcslen.LIBCMT ref: 0012ED3B
_wcslen.LIBCMT ref: 0012ED79
_wcslen.LIBCMT ref: 0012EDAF
_wcslen.LIBCMT ref: 0012EDDF
_wcslen.LIBCMT ref: 0012EDEF
_wcslen.LIBCMT ref: 0012EE2B
_wcslen.LIBCMT ref: 0012EE5A

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID: _wcslen$LocalTime
String ID:
API String ID: 952045576-0
Opcode ID: 603063719d66416ba8c44ac90524bf28eea8685f6f07173cef914686b8cffd58
Instruction ID: 963cfaae5ed4a3639e7813f67bf5cb50e9ddf7933afac642a05a5ed9a44d2e86
Opcode Fuzzy Hash: 603063719d66416ba8c44ac90524bf28eea8685f6f07173cef914686b8cffd58
Instruction Fuzzy Hash: CC41A065C1026879CB11EBF5988A9CFB7A8AF45310F518466E618F3123FB34E255C3E6

Function 000DF8D8 Relevance: 12.1, APIs: 8, Instructions: 124COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,0011682C,00000004,00000000,00000000), ref: 000DF953
ShowWindow.USER32(FFFFFFFF,00000006,?,00000000,?,0011682C,00000004,00000000,00000000), ref: 0011F3D1
ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,0011682C,00000004,00000000,00000000), ref: 0011F454

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: b799a95c609f48f6772fb42368679f9a777a42b9a793b1cff0db28c97ff0908f
Instruction ID: 93c2a7e17507d82b741b8280daab1e168e4b731a529cda5cafac9e8a7e8d58e1
Opcode Fuzzy Hash: b799a95c609f48f6772fb42368679f9a777a42b9a793b1cff0db28c97ff0908f
Instruction Fuzzy Hash: BB410830A18782BEC7799F2988A877ABAD2BB56314F14C03EE05796B61D73198C1C771

Function 00152D03 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00152D1B
GetDC.USER32(00000000), ref: 00152D23
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00152D2E
ReleaseDC.USER32(00000000,00000000), ref: 00152D3A
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00152D76
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00152D87
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00155A65,?,?,000000FF,00000000,?,000000FF,?), ref: 00152DC2
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00152DE1

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: 5f648900b2d9542f8eb0846feadb6ffa097d7874e65c8ac19d021933f44189f2
Instruction ID: 13a4eb7a97b2d39ffd6d2766b3332759e6cca400fe7f9219a6cc118c5c7b05bc
Opcode Fuzzy Hash: 5f648900b2d9542f8eb0846feadb6ffa097d7874e65c8ac19d021933f44189f2
Instruction Fuzzy Hash: BA316B76201314BFEB118F50DC8AFEB3BA9EB0A716F044055FE089E291C6759C90CBA4

Function 00125622 Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00125637
_memcmp.LIBVCRUNTIME ref: 00125659
_memcmp.LIBVCRUNTIME ref: 00125671
_memcmp.LIBVCRUNTIME ref: 00125684
_memcmp.LIBVCRUNTIME ref: 0012569E
_memcmp.LIBVCRUNTIME ref: 001256B1
_memcmp.LIBVCRUNTIME ref: 001256C9
_memcmp.LIBVCRUNTIME ref: 001256E4

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 252e04f149c8be5bfdd42ded95327a202b5cb28326f7fef45b61312b40e6e601
Instruction ID: 8e50aa856a7f87f65c8d821ebcbad64cd829a5eb0e8da2db773df015ada695c9
Opcode Fuzzy Hash: 252e04f149c8be5bfdd42ded95327a202b5cb28326f7fef45b61312b40e6e601
Instruction Fuzzy Hash: 8D21C571A41A69BFD3189521AEC2FFB335EAF60385F440034FD04AA582F770EE2581A5

Function 00144FAE Relevance: 10.9, APIs: 4, Strings: 2, Instructions: 359COMMON

Download Yara Rule

Strings

NULL Pointer assignment, xrefs: 0014502E, 00145383
Not an Object type, xrefs: 00145007

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: da742ad1442b8089a4c472cca2722d6346b3e71ff685ea2e53ac99a4f2a75326
Instruction ID: 161d618f11385ace130256a57af93d08e949ca7e86c034dfb39ef538a4240264
Opcode Fuzzy Hash: da742ad1442b8089a4c472cca2722d6346b3e71ff685ea2e53ac99a4f2a75326
Instruction Fuzzy Hash: 7CD1B175A0060AAFDF14CFA8C881FAEB7B6BF48344F148169F915AB292D770DD45CB90

Function 00101522 Relevance: 10.8, APIs: 7, Instructions: 268COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(?,?), ref: 001015CE
MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 00101651
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 001016E4
MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 001016FB

Part of subcall function 000F3820: RtlAllocateHeap.NTDLL(00000000,?,00191444), ref: 000F3852

MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00101777
__freea.LIBCMT ref: 001017A2
__freea.LIBCMT ref: 001017AE

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
String ID:
API String ID: 2829977744-0
Opcode ID: 90bfda338b1ba8e6eaa45d6083ba38386e030a2d4301080a893419cf339ac5a6
Instruction ID: f8be285625cee7443e95183db45a9465af8db08009a14df5df5d36f5144d9a75
Opcode Fuzzy Hash: 90bfda338b1ba8e6eaa45d6083ba38386e030a2d4301080a893419cf339ac5a6
Instruction Fuzzy Hash: 8391B872E00216BEDB248EB4CC81AFE7BB5AF49710F184659E941EB1C1DBB9DD40CB60

Function 00131187 Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(00000001,?), ref: 0013125C
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00131284
SafeArrayUnaccessData.OLEAUT32(00000001), ref: 001312A8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 001312D8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 0013135F
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 001313C4
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00131430

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID: ArraySafe$Data$Access$UnaccessVartype
String ID:
API String ID: 2550207440-0
Opcode ID: cc93ba9a526841e7423782fceb8b7fbe853a030e317cc42617f63156cb41e3cd
Instruction ID: 6a86d7165b7cd48fc157f423cb8ae9082e80987363798c1e62f61fbfdbe9b6fc
Opcode Fuzzy Hash: cc93ba9a526841e7423782fceb8b7fbe853a030e317cc42617f63156cb41e3cd
Instruction Fuzzy Hash: 8991F472A00309AFEB00DFA4C894BFEB7B5FF44325F214029E911EB292D774A941CB90

Function 000D948A Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 58c9497992c06d74d0e1b9618d40dd3a3376b85374c1c8acdd62b8e597798724
Instruction ID: a0a61dfe4b63d4b5cff9ce9aed77343e10b9d2119dc72a63d0b34f243fd8ffac
Opcode Fuzzy Hash: 58c9497992c06d74d0e1b9618d40dd3a3376b85374c1c8acdd62b8e597798724
Instruction Fuzzy Hash: A9911571900219EFCB15CFA9C884AEEBBB8FF49320F144556E515B7295D374AA82CBA0

Function 00143947 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 240COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 0014396B
CharUpperBuffW.USER32(?,?), ref: 00143A7A
_wcslen.LIBCMT ref: 00143A8A
VariantClear.OLEAUT32(?), ref: 00143C1F

Part of subcall function 00130CDF: VariantInit.OLEAUT32(00000000), ref: 00130D1F
Part of subcall function 00130CDF: VariantCopy.OLEAUT32(?,?), ref: 00130D28
Part of subcall function 00130CDF: VariantClear.OLEAUT32(?), ref: 00130D34

Strings

Incorrect Parameter format, xrefs: 001439A6, 00143BA1
AUTOIT.ERROR, xrefs: 00143A80, 00143A85

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper_wcslen
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4137639002-1221869570
Opcode ID: b26973907b8de3f517bace3b31d39635ec398f35b2be6dc2a8b61de0e95d7799
Instruction ID: a5eeabbf296c99287b7b7f102e4a67b3c506a2c4bbbdad69c5b7c0342d22ff80
Opcode Fuzzy Hash: b26973907b8de3f517bace3b31d39635ec398f35b2be6dc2a8b61de0e95d7799
Instruction Fuzzy Hash: C59149756083059FC704EF24C48596AB7E5FF89314F14892EF89A9B362DB30EE45CB92

Function 00144BAD Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

APIs

Part of subcall function 0012000E: CLSIDFromProgID.COMBASE ref: 0012002B
Part of subcall function 0012000E: ProgIDFromCLSID.COMBASE(?,00000000), ref: 00120046
Part of subcall function 0012000E: lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0011FF41,80070057,?,?), ref: 00120054
Part of subcall function 0012000E: CoTaskMemFree.COMBASE(00000000), ref: 00120064

CoInitializeSecurity.COMBASE(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000), ref: 00144C51
_wcslen.LIBCMT ref: 00144D59
CoCreateInstanceEx.COMBASE(?,00000000,00000015,?,00000001,?), ref: 00144DCF
CoTaskMemFree.COMBASE(?), ref: 00144DDA

Strings

NULL Pointer assignment, xrefs: 00144E23, 00144E52

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID: FreeFromProgTask$CreateInitializeInstanceSecurity_wcslenlstrcmpi
String ID: NULL Pointer assignment
API String ID: 614568839-2785691316
Opcode ID: 19ef7cd509e95810460373d4ba022e3fe5644facca11a2572e15b9cab9ed56d7
Instruction ID: baa187ed3fcc7da20255eaa633f5c4631003cac80c956213d8170fe21f57eca3
Opcode Fuzzy Hash: 19ef7cd509e95810460373d4ba022e3fe5644facca11a2572e15b9cab9ed56d7
Instruction Fuzzy Hash: 1D910471D0021DAFDF14DFA4D891EEEB7B9BF08314F108169E915BB291EB349A458FA0

Function 001520FD Relevance: 10.7, APIs: 7, Instructions: 196windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 00152183
GetMenuItemCount.USER32(00000000), ref: 001521B5
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 001521DD
_wcslen.LIBCMT ref: 00152213
GetMenuItemID.USER32(?,?), ref: 0015224D
GetSubMenu.USER32(?,?), ref: 0015225B

Part of subcall function 00123A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00123A57
Part of subcall function 00123A3D: GetCurrentThreadId.KERNEL32 ref: 00123A5E
Part of subcall function 00123A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,001225B3), ref: 00123A65

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 001522E3

Part of subcall function 0012E97B: Sleep.KERNEL32 ref: 0012E9F3

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow_wcslen
String ID:
API String ID: 4196846111-0
Opcode ID: 60ff867e6f15969ae56bb67b892e0cc0051b2d97fde22cf183bd1dc662117720
Instruction ID: 936fcd5311247ee3161152232bd2fca4a8e1c0ca32aefea7a3efc42b8a3b7d82
Opcode Fuzzy Hash: 60ff867e6f15969ae56bb67b892e0cc0051b2d97fde22cf183bd1dc662117720
Instruction Fuzzy Hash: E8718176A00205EFCB14DF64C885AAEB7F1EF49311F158469E826EF341D774EE458B90

Function 0012AEBA Relevance: 10.7, APIs: 7, Instructions: 162windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 0012AEF9
GetKeyboardState.USER32(?), ref: 0012AF0E
SetKeyboardState.USER32(?), ref: 0012AF6F
PostMessageW.USER32(?,00000101,00000010,?), ref: 0012AF9D
PostMessageW.USER32(?,00000101,00000011,?), ref: 0012AFBC
PostMessageW.USER32(?,00000101,00000012,?), ref: 0012AFFD
PostMessageW.USER32(?,00000101,0000005B,?), ref: 0012B020

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 044b760c130b1c9da1712c7539e926b8e23d7212e9389633e10eba8a27f3057f
Instruction ID: 668bd037bc214fadaef956dffbe724aedf795881648c6070fc9e3d064966e660
Opcode Fuzzy Hash: 044b760c130b1c9da1712c7539e926b8e23d7212e9389633e10eba8a27f3057f
Instruction Fuzzy Hash: B851D3A06087E53EFB3742349D45BBABFE95F06304F088589F2E9958C2D398ACE4D751

Function 0012ACDA Relevance: 10.7, APIs: 7, Instructions: 161windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 0012AD19
GetKeyboardState.USER32(?), ref: 0012AD2E
SetKeyboardState.USER32(?), ref: 0012AD8F
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 0012ADBB
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 0012ADD8
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 0012AE17
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 0012AE38

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 5d41d95becc887495fd85e120e48dfae792844b4aefc9e47c6b9e7a1bb461574
Instruction ID: 2690a2b1d71472dd989c9426b568d13c8089910add7ab7ee1289065eb8ffeb28
Opcode Fuzzy Hash: 5d41d95becc887495fd85e120e48dfae792844b4aefc9e47c6b9e7a1bb461574
Instruction Fuzzy Hash: 865116A05087E53EFB3683749C95B7ABEA85F05300F488488E1D5468C3D394ECA4D352

Function 000F542E Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(00103CD6,?,?,?,?,?,?,?,?,000F5BA3,?,?,00103CD6,?,?), ref: 000F5470
__fassign.LIBCMT ref: 000F54EB
__fassign.LIBCMT ref: 000F5506
WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,00103CD6,00000005,00000000,00000000), ref: 000F552C
WriteFile.KERNEL32(?,00103CD6,00000000,000F5BA3,00000000,?,?,?,?,?,?,?,?,?,000F5BA3,?), ref: 000F554B
WriteFile.KERNEL32(?,?,00000001,000F5BA3,00000000,?,?,?,?,?,?,?,?,?,000F5BA3,?), ref: 000F5584

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: 78e7a72796f5a7db176ed3f702ec89f072a77de78797331b14a0c5eafc5c19a8
Instruction ID: 3048e01e5ca1c9f96a3417db456f294170786604d621d840916531a00690361f
Opcode Fuzzy Hash: 78e7a72796f5a7db176ed3f702ec89f072a77de78797331b14a0c5eafc5c19a8
Instruction Fuzzy Hash: DE51D171A00B099FDB11CFA8DC95AEEBBF9EF08701F14411AF655E7691D730AA41CBA0

Function 000E2D20 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 117COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 000E2D4B
___except_validate_context_record.LIBVCRUNTIME ref: 000E2D53
_ValidateLocalCookies.LIBCMT ref: 000E2DE1
__IsNonwritableInCurrentImage.LIBCMT ref: 000E2E0C
_ValidateLocalCookies.LIBCMT ref: 000E2E61

Strings

csm, xrefs: 000E2DF6

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: 1b96fd6f2f419f7aa969869e582ae4f19208ffd7e4cd15e9d371f172b1570e76
Instruction ID: af7009df11dc28df686a8fba2a795a7f3e8c3dd7d002afd457df0cd797841db5
Opcode Fuzzy Hash: 1b96fd6f2f419f7aa969869e582ae4f19208ffd7e4cd15e9d371f172b1570e76
Instruction Fuzzy Hash: 6341A035A04289AFCF10DF6ACC45ADEBBB9BF44324F148155E914BB392D771AA41CBD0

Function 001410B8 Relevance: 10.6, APIs: 7, Instructions: 110networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0014304E: inet_addr.WS2_32(?), ref: 0014307A
Part of subcall function 0014304E: _wcslen.LIBCMT ref: 0014309B

socket.WS2_32(00000002,00000001,00000006), ref: 00141112
WSAGetLastError.WS2_32 ref: 00141121
WSAGetLastError.WS2_32 ref: 001411C9
closesocket.WS2_32(00000000), ref: 001411F9

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID: ErrorLast$_wcslenclosesocketinet_addrsocket
String ID:
API String ID: 2675159561-0
Opcode ID: a148fc080fe32b85c7ef708125b1a5564054f6a8b754f6a5fca03cd2aaa08083
Instruction ID: 6c596987b9b1539883a633ba33ec0d8346ffacdf1924ff8921597c5026ee1ae4
Opcode Fuzzy Hash: a148fc080fe32b85c7ef708125b1a5564054f6a8b754f6a5fca03cd2aaa08083
Instruction Fuzzy Hash: E741D431600604AFDB109F24C885BA9BBE9EF45765F148069FD199F2A2D770AD81CBE1

Function 0012CF00 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 108filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0012DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,0012CF22,?), ref: 0012DDFD

Part of subcall function 0012DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,0012CF22,?), ref: 0012DE16

lstrcmpiW.KERNEL32(?,?), ref: 0012CF45
MoveFileW.KERNEL32(?,?), ref: 0012CF7F
_wcslen.LIBCMT ref: 0012D005
_wcslen.LIBCMT ref: 0012D01B
SHFileOperationW.SHELL32(?), ref: 0012D061

Strings

\*.*, xrefs: 0012CFF3

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID: FileFullNamePath_wcslen$MoveOperationlstrcmpi
String ID: \*.*
API String ID: 3164238972-1173974218
Opcode ID: 91c7937493a4d5a440a246d38bedcb238519c7f6476c64f70b484a4836229f68
Instruction ID: a9dc0f05ac89c7189675b353ac249182715ddd9c877ba556f4baff35c5a5ac70
Opcode Fuzzy Hash: 91c7937493a4d5a440a246d38bedcb238519c7f6476c64f70b484a4836229f68
Instruction Fuzzy Hash: 154139719452299FDF12EFA4EA81EDD77F9AF18340F1000E6E645EB142EB34A794CB50

Function 00152DFD Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00152E1C
GetWindowLongW.USER32(00000000,000000F0), ref: 00152E4F
GetWindowLongW.USER32(00000000,000000F0), ref: 00152E84
SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 00152EB6
SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 00152EE0
GetWindowLongW.USER32(00000000,000000F0), ref: 00152EF1
SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 00152F0B

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: 6f7c54423381fd2a4aa3785af95d3c23092b04b54e0cfdb9fcddc9cb364c9ad1
Instruction ID: cb3d0e8f9bf0489908b66315e480422ab10c483ba5b40510b4002791d308e958
Opcode Fuzzy Hash: 6f7c54423381fd2a4aa3785af95d3c23092b04b54e0cfdb9fcddc9cb364c9ad1
Instruction Fuzzy Hash: F3310332604251EFDB21CF58EC86FA537E1EB9A716F150165F9208F6B1CB71A884DB41

Function 00127726 Relevance: 10.6, APIs: 7, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00127769
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0012778F
SysAllocString.OLEAUT32(00000000), ref: 00127792
SysAllocString.OLEAUT32(?), ref: 001277B0
SysFreeString.OLEAUT32(?), ref: 001277B9
StringFromGUID2.COMBASE(?,?,00000028), ref: 001277DE
SysAllocString.OLEAUT32(?), ref: 001277EC

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: bbc6d125faedf83491b2ebd39d933f4b97636c3bf79e52a5f63ab07f202a25f6
Instruction ID: 4ddc2cfd5814d5ee38cedaf068ddf658eb88066009213ccb1234a5616badc4ba
Opcode Fuzzy Hash: bbc6d125faedf83491b2ebd39d933f4b97636c3bf79e52a5f63ab07f202a25f6
Instruction Fuzzy Hash: 37219076604329AFDB10EFA8DC88CBB77ACEB097647048425FA15DB291D770DC8187A0

Function 001277FD Relevance: 10.6, APIs: 7, Instructions: 89memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00127842
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00127868
SysAllocString.OLEAUT32(00000000), ref: 0012786B
SysAllocString.OLEAUT32 ref: 0012788C
SysFreeString.OLEAUT32 ref: 00127895
StringFromGUID2.COMBASE(?,?,00000028), ref: 001278AF
SysAllocString.OLEAUT32(?), ref: 001278BD

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 7fde03d66839ec8f5e9e1fd2f58a9c8449a401beb5563deef866742a80f688a8
Instruction ID: f2ac9fa84040c262c73329a76ec2b18a8b094b4640c963bbdcdd0ddd77bc8c56
Opcode Fuzzy Hash: 7fde03d66839ec8f5e9e1fd2f58a9c8449a401beb5563deef866742a80f688a8
Instruction Fuzzy Hash: 17215E35608324EF9B149FA9EC88DBB77ECEB097607108125B915CB2A1EB70DC91CB64

Function 001304D2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 001304F2
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 0013052E

Strings

nul, xrefs: 00130567

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: 26faac6b26199f791f29c9d8a9e43665b73130be0b16de393a48e719232af554
Instruction ID: a29fdd237d1c634576f10ba25353e571f5e09643214323a0854b3d1db24c47bf
Opcode Fuzzy Hash: 26faac6b26199f791f29c9d8a9e43665b73130be0b16de393a48e719232af554
Instruction Fuzzy Hash: A3216975600305EFDB219F29DC54A9A7BE4BF49724F204A19F8A1E72E0E7709980CF60

Function 001305A7 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 001305C6
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00130601

Strings

nul, xrefs: 00130639

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: 229484b413e76c7b237600f3efc7b1344ec7a4393b7a41b3b59423d1f7bb0d51
Instruction ID: 155ae74feca98e453800ce45ff7101bff5b3f2ddf1ec756d9bc72578fef147db
Opcode Fuzzy Hash: 229484b413e76c7b237600f3efc7b1344ec7a4393b7a41b3b59423d1f7bb0d51
Instruction Fuzzy Hash: 8E21B6B5500305DFDB219F69CC55A9A77E8BF99B30F200B19F8A1E72E4E77099A0CB50

Function 001540AD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 000C600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 000C604C
Part of subcall function 000C600E: GetStockObject.GDI32(00000011), ref: 000C6060
Part of subcall function 000C600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 000C606A

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00154112
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 0015411F
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 0015412A
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00154139
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00154145

Strings

Msctls_Progress32, xrefs: 001540E3

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: 44b9338130ac7a3dad3041d40d04b5be3ff0d407451e54c7182dbd6684c95f1d
Instruction ID: 7fa1a342841da37fea852ef565ae46693d5c9ecf4c18ad3c6412427958ec7553
Opcode Fuzzy Hash: 44b9338130ac7a3dad3041d40d04b5be3ff0d407451e54c7182dbd6684c95f1d
Instruction Fuzzy Hash: 8711B2B2140219BFEF119F64CC85EE77F9DEF18798F114111BA28A6190C772DC61DBA4

Function 000FD7DF Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 000FD7A3: _free.LIBCMT ref: 000FD7CC

_free.LIBCMT ref: 000FD82D

Part of subcall function 000F29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,000FD7D1,00000000,00000000,00000000,00000000,?,000FD7F8,00000000,00000007,00000000,?,000FDBF5,00000000), ref: 000F29DE
Part of subcall function 000F29C8: GetLastError.KERNEL32(00000000,?,000FD7D1,00000000,00000000,00000000,00000000,?,000FD7F8,00000000,00000007,00000000,?,000FDBF5,00000000,00000000), ref: 000F29F0

_free.LIBCMT ref: 000FD838
_free.LIBCMT ref: 000FD843
_free.LIBCMT ref: 000FD897
_free.LIBCMT ref: 000FD8A2
_free.LIBCMT ref: 000FD8AD
_free.LIBCMT ref: 000FD8B8

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction ID: cd737ba26dfaf364654ed884dac576c2ddce0bbd380adf366fd1631b6ff96c75
Opcode Fuzzy Hash: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction Fuzzy Hash: 0B11247158470CAAD521BFB0CC47FEF7BDD6F04700F404816B399AA8A3EA69B5056650

Function 0012DA5A Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 0012DA74
LoadStringW.USER32(00000000), ref: 0012DA7B
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 0012DA91
LoadStringW.USER32(00000000), ref: 0012DA98
MessageBoxW.USER32(00000000,?,?,00011010), ref: 0012DADC

Strings

%s (%d) : ==> %s: %s %s, xrefs: 0012DAB9

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID: HandleLoadModuleString$Message
String ID: %s (%d) : ==> %s: %s %s
API String ID: 4072794657-3128320259
Opcode ID: acc24c99aee3ace133152996904fa33267099c1f2d02d06dce9d6a52beb15937
Instruction ID: 78eb0b45c965ffbe37c210bee044b665fd8401d8b5230c93d391a7c72cebb541
Opcode Fuzzy Hash: acc24c99aee3ace133152996904fa33267099c1f2d02d06dce9d6a52beb15937
Instruction Fuzzy Hash: 170162F6500318BFE710ABA4ED89EEB326CE708306F404491B706E6041EA749E848FB4

Function 0013096B Relevance: 10.5, APIs: 7, Instructions: 35synchronizationthreadCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(00B5E518,00B5E518), ref: 0013097B
RtlEnterCriticalSection.NTDLL(00B5E4F8), ref: 0013098D
TerminateThread.KERNEL32(00000000,000001F6), ref: 0013099B
WaitForSingleObject.KERNEL32(00000000,000003E8), ref: 001309A9
CloseHandle.KERNEL32(00000000), ref: 001309B8
InterlockedExchange.KERNEL32(00B5E518,000001F6), ref: 001309C8
RtlLeaveCriticalSection.NTDLL(00B5E4F8), ref: 001309CF

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: 3983d6e2fac9bc02f441799608a172fcc5c024d38e4ee20712033a7c805944e4
Instruction ID: 43c5c5f7abc80535bf27e359d93da0cd1bce38b4868b5938310de4cf3721ecae
Opcode Fuzzy Hash: 3983d6e2fac9bc02f441799608a172fcc5c024d38e4ee20712033a7c805944e4
Instruction Fuzzy Hash: 2AF0CD31442B12EFD7525F94EE89BDA7A65FF05706F401015F10258CA1CB7594A5CFD0

Function 000C5D0A Relevance: 9.3, APIs: 6, Instructions: 276COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 000C5D30
GetWindowRect.USER32(?,?), ref: 000C5D71
ScreenToClient.USER32(?,?), ref: 000C5D99
GetClientRect.USER32(?,?), ref: 000C5ED7
GetWindowRect.USER32(?,?), ref: 000C5EF8

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID: Rect$Client$Window$Screen
String ID:
API String ID: 1296646539-0
Opcode ID: bf33e4a210cfdc4ee52079a21212455f98a967e19b1b1d5bd6d4ee396daa081c
Instruction ID: e54b078a6e1da10e557f958f70b922ac0471bb1e978b059a782feb0031d4abfa
Opcode Fuzzy Hash: bf33e4a210cfdc4ee52079a21212455f98a967e19b1b1d5bd6d4ee396daa081c
Instruction Fuzzy Hash: 7BB14C78A0074ADBDB14CFA9C880BEEB7F1BF58311F14841EE999D7250D730AA91DB54

Function 000F01B7 Relevance: 9.3, APIs: 6, Instructions: 269COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 000F00BA
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 000F00D6
__allrem.LIBCMT ref: 000F00ED
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 000F010B
__allrem.LIBCMT ref: 000F0122
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 000F0140

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
String ID:
API String ID: 1992179935-0
Opcode ID: c0aa086816e9a6b10c8594d9af3fc1b6618250ddc70608c46d0048b3e4fbc764
Instruction ID: 867f9c68ce14ac78fe5e4b8ed0ad9f3a007cfcac25d1ab3ecb33374e853bd332
Opcode Fuzzy Hash: c0aa086816e9a6b10c8594d9af3fc1b6618250ddc70608c46d0048b3e4fbc764
Instruction Fuzzy Hash: 1C811972600B0AAFE7209F69CC41BBB73E9AF41724F24453EF651D7A82EB75D9009B50

Function 000F61FE Relevance: 9.2, APIs: 6, Instructions: 216COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,000E82D9,000E82D9,?,?,?,000F644F,00000001,00000001,8BE85006), ref: 000F6258
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,000F644F,00000001,00000001,8BE85006,?,?,?), ref: 000F62DE
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,8BE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 000F63D8
__freea.LIBCMT ref: 000F63E5

Part of subcall function 000F3820: RtlAllocateHeap.NTDLL(00000000,?,00191444), ref: 000F3852

__freea.LIBCMT ref: 000F63EE
__freea.LIBCMT ref: 000F6413

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: f28c1c16d1ff3ba0e72b006e36294361971dc75b40992cb30a268b959ef837d3
Instruction ID: 468905e7c5e34dc74cddaeb9976564366b4f5e20deeaf729453268d612ed4288
Opcode Fuzzy Hash: f28c1c16d1ff3ba0e72b006e36294361971dc75b40992cb30a268b959ef837d3
Instruction Fuzzy Hash: 76512172A0021AAFEB258F64CC81EBF77AAEF50750F144228FE05D7941DB36DD44E6A0

Function 0014BBDB Relevance: 9.2, APIs: 6, Instructions: 191registryCOMMON

Download Yara Rule

APIs

Part of subcall function 000C9CB3: _wcslen.LIBCMT ref: 000C9CBD

Part of subcall function 0014C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0014B6AE,?,?), ref: 0014C9B5
Part of subcall function 0014C998: _wcslen.LIBCMT ref: 0014C9F1
Part of subcall function 0014C998: _wcslen.LIBCMT ref: 0014CA68
Part of subcall function 0014C998: _wcslen.LIBCMT ref: 0014CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0014BCCA
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0014BD25
RegCloseKey.ADVAPI32(00000000), ref: 0014BD6A
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 0014BD99
RegCloseKey.ADVAPI32(?,?,00000000), ref: 0014BDF3
RegCloseKey.ADVAPI32(?), ref: 0014BDFF

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpperValue
String ID:
API String ID: 1120388591-0
Opcode ID: 258a863ccf6eea7e01afbe030d091d4fa0869c6ffc678cc1b6cb02862ec03065
Instruction ID: 93b73353a5ad5b78578e5b75113ca385663f30635170631e707224cc9d04f98f
Opcode Fuzzy Hash: 258a863ccf6eea7e01afbe030d091d4fa0869c6ffc678cc1b6cb02862ec03065
Instruction Fuzzy Hash: 6E815870608241AFD714DF64C8D5E6ABBE5FF84308F14899CF4598B2A2DB32ED45CB92

Function 0011F7AD Relevance: 9.2, APIs: 6, Instructions: 183memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000035), ref: 0011F7B9
SysAllocString.OLEAUT32(00000001), ref: 0011F860
VariantCopy.OLEAUT32(0011FA64,00000000), ref: 0011F889
VariantClear.OLEAUT32(0011FA64), ref: 0011F8AD
VariantCopy.OLEAUT32(0011FA64,00000000), ref: 0011F8B1
VariantClear.OLEAUT32(?), ref: 0011F8BB

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID: Variant$ClearCopy$AllocInitString
String ID:
API String ID: 3859894641-0
Opcode ID: bc0bb3ba9b66e9fe0405214b53051db75369824d1c424185ea12f77a095829db
Instruction ID: 2992341bb49fbbb7f6dca69eea46391a9ace7a0f05503d457158162ceb60f2be
Opcode Fuzzy Hash: bc0bb3ba9b66e9fe0405214b53051db75369824d1c424185ea12f77a095829db
Instruction Fuzzy Hash: 7251D531500314BACF18AF65D895BA9B3A5EF55314F24847FF806DF292DB708C85CBA6

Function 000D920C Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 000D9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 000D9BB2

BeginPaint.USER32(?,?,?), ref: 000D9241
GetWindowRect.USER32(?,?), ref: 000D92A5
ScreenToClient.USER32(?,?), ref: 000D92C2
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 000D92D3
EndPaint.USER32(?,?,?,?,?), ref: 000D9321
Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 001171EA

Part of subcall function 000D9339: BeginPath.GDI32(00000000), ref: 000D9357

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID: BeginPaintWindow$ClientLongPathRectRectangleScreenViewport
String ID:
API String ID: 3050599898-0
Opcode ID: c0dde96bb26a5ab6da80b49bb6d34a42260cc9956b43bde0c08b2060d6a9af77
Instruction ID: fe58bf18ef468a28c720816b4975a0ba12778f7b0172ea05f48cfa81f726611f
Opcode Fuzzy Hash: c0dde96bb26a5ab6da80b49bb6d34a42260cc9956b43bde0c08b2060d6a9af77
Instruction Fuzzy Hash: 75419A70108301EFD721DF24CC84FBA7BB8EB59725F14062AF9A59B2E2C7319985DB61

Function 001307EF Relevance: 9.1, APIs: 6, Instructions: 107fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 0013080C
ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 00130847
RtlEnterCriticalSection.NTDLL(?), ref: 00130863
RtlLeaveCriticalSection.NTDLL(?), ref: 001308DC
ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 001308F3
InterlockedExchange.KERNEL32(?,000001F6), ref: 00130921

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection$EnterLeave
String ID:
API String ID: 3368777196-0
Opcode ID: 018bdb57c250cc9cac73ea0c5f566ca626bef162b84412f1963cf065c242ddf6
Instruction ID: 9b8bf10acc6a2c636bea4ccf6c89fe996cad8873df4d5f84b07060516f36b075
Opcode Fuzzy Hash: 018bdb57c250cc9cac73ea0c5f566ca626bef162b84412f1963cf065c242ddf6
Instruction Fuzzy Hash: 59415871900305EFDF159F54DC85AAA77B8FF08300F1480A5E905AA29BDB70DEA0DBA0

Function 001581DB Relevance: 9.1, APIs: 6, Instructions: 104windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,00000000,?,00000000,00000000,?,0011F3AB,00000000,?,?,00000000,?,0011682C,00000004,00000000,00000000), ref: 0015824C
EnableWindow.USER32(00000000,00000000), ref: 00158272
ShowWindow.USER32(FFFFFFFF,00000000), ref: 001582D1
ShowWindow.USER32(00000000,00000004), ref: 001582E5
EnableWindow.USER32(00000000,00000001), ref: 0015830B
SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 0015832F

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: 6f9441cb30a9e3c2db0e3ba51e875167f790f32ca589b125dd6ea5847cdf9bc6
Instruction ID: 978aa05f20b3c989f60731ed994b4721ac9b9a1b68464a62cccaf19999193766
Opcode Fuzzy Hash: 6f9441cb30a9e3c2db0e3ba51e875167f790f32ca589b125dd6ea5847cdf9bc6
Instruction Fuzzy Hash: 2A41B430601745EFDF12DF15C899BE47BF1FB0A716F184169E9289F662CB31A889CB50

Function 00124C7D Relevance: 9.1, APIs: 6, Instructions: 87windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00124C95
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00124CB2
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00124CEA
_wcslen.LIBCMT ref: 00124D08
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00124D10
_wcsstr.LIBVCRUNTIME ref: 00124D1A

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen_wcsstr
String ID:
API String ID: 72514467-0
Opcode ID: 57d4485a1f01ff04398bfa774eeb4733e6bb28e828cf3acabd8acea63d606c78
Instruction ID: 8dbd6ce5c9765f034e19d983246c83c806fb076ffc363d4126ffb37a6d0fba78
Opcode Fuzzy Hash: 57d4485a1f01ff04398bfa774eeb4733e6bb28e828cf3acabd8acea63d606c78
Instruction Fuzzy Hash: 4C210472204325BFEB155B79AC09EBB7B9CDF55750F10802AF809DA292EB61CD5086A0

Function 0013581E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 336comCOMMON

Download Yara Rule

APIs

Part of subcall function 000C3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,000C3A97,?,?,000C2E7F,?,?,?,00000000), ref: 000C3AC2

_wcslen.LIBCMT ref: 0013587B
CoInitialize.OLE32(00000000), ref: 00135995
CoCreateInstance.COMBASE(0015FCF8,00000000,00000001,0015FB68,?), ref: 001359AE
CoUninitialize.COMBASE ref: 001359CC

Strings

.lnk, xrefs: 00135876, 001358C1, 00135985

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize_wcslen
String ID: .lnk
API String ID: 3172280962-24824748
Opcode ID: 37899cfd718ec703756e9818332733efa08b8ab25d87c94295b90aded969cc9c
Instruction ID: d046deeca5c90afedf59c3c2adf6e577c98fc09c0d523a38f3b7b8c8d7ec895b
Opcode Fuzzy Hash: 37899cfd718ec703756e9818332733efa08b8ab25d87c94295b90aded969cc9c
Instruction Fuzzy Hash: 42D13071608601DFC714DF24C484A6EBBE6EF89B14F14885DF88A9B362DB31ED45CB92

Function 0012175D Relevance: 9.1, APIs: 6, Instructions: 68memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00120FB4: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00120FCA
Part of subcall function 00120FB4: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00120FD6
Part of subcall function 00120FB4: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00120FE5
Part of subcall function 00120FB4: RtlAllocateHeap.NTDLL(00000000,?,00000002), ref: 00120FEC
Part of subcall function 00120FB4: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00121002

GetLengthSid.ADVAPI32(?,00000000,00121335), ref: 001217AE
GetProcessHeap.KERNEL32(00000008,00000000), ref: 001217BA
RtlAllocateHeap.NTDLL(00000000), ref: 001217C1
CopySid.ADVAPI32(00000000,00000000,?), ref: 001217DA
GetProcessHeap.KERNEL32(00000000,00000000,00121335), ref: 001217EE
HeapFree.KERNEL32(00000000), ref: 001217F5

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID: Heap$Process$AllocateInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 169236558-0
Opcode ID: c04f5c9b13312f08b4d3a402fbbac83fe7326c350e97db0d274652ca4fabc9cc
Instruction ID: 0c5800aaaefb06f968b2cb46d916b8a7412ab1525de1c3831444a0ea47b257d5
Opcode Fuzzy Hash: c04f5c9b13312f08b4d3a402fbbac83fe7326c350e97db0d274652ca4fabc9cc
Instruction Fuzzy Hash: 8611BE32500715FFDB10DFA4EC89BAF7BA9EB95356F104018F4419B211D735A990CBA0

Function 000E3382 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,000E3379,000E2FE5), ref: 000E3390
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 000E339E
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 000E33B7
SetLastError.KERNEL32(00000000,?,000E3379,000E2FE5), ref: 000E3409

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: bc5969bffdea15a252fd918b92677569509e45cecad89dcd845bd58eae17c418
Instruction ID: 0bc8454ad8873f3bae8e458ed4395308fd4058566c977cf5ac6c9872a72d0b1f
Opcode Fuzzy Hash: bc5969bffdea15a252fd918b92677569509e45cecad89dcd845bd58eae17c418
Instruction Fuzzy Hash: 8E016832208351BFA76627777C8D9AA2FD4EB003B9330422AF110B31F2EF210F4156A0

Function 000F2D74 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,000F5686,00103CD6,?,00000000,?,000F5B6A,?,?,?,?,?,000EE6D1,?,00188A48), ref: 000F2D78
_free.LIBCMT ref: 000F2DAB
_free.LIBCMT ref: 000F2DD3
SetLastError.KERNEL32(00000000,?,?,?,?,000EE6D1,?,00188A48,00000010,000C4F4A,?,?,00000000,00103CD6), ref: 000F2DE0
SetLastError.KERNEL32(00000000,?,?,?,?,000EE6D1,?,00188A48,00000010,000C4F4A,?,?,00000000,00103CD6), ref: 000F2DEC
_abort.LIBCMT ref: 000F2DF2

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: 7384b7a6d7e61fa1d8e66b92adfa2f16337979cfdd45b4b5ab7188c9e98fba23
Instruction ID: 150b754d0c2b868b899910d3c637a7b2aa0368bdd56779b048cdda8f8ad00414
Opcode Fuzzy Hash: 7384b7a6d7e61fa1d8e66b92adfa2f16337979cfdd45b4b5ab7188c9e98fba23
Instruction Fuzzy Hash: ECF02831545B0C6BC2A22734BC0AEBF2599BFC17B1F210019FB2496DE3EF34894171A0

Function 00158A24 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 000D9639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 000D9693
Part of subcall function 000D9639: SelectObject.GDI32(?,00000000), ref: 000D96A2
Part of subcall function 000D9639: BeginPath.GDI32(?), ref: 000D96B9
Part of subcall function 000D9639: SelectObject.GDI32(?,00000000), ref: 000D96E2

MoveToEx.GDI32(?,-00000002,00000000,00000000), ref: 00158A4E
LineTo.GDI32(?,00000003,00000000), ref: 00158A62
MoveToEx.GDI32(?,00000000,-00000002,00000000), ref: 00158A70
LineTo.GDI32(?,00000000,00000003), ref: 00158A80
EndPath.GDI32(?), ref: 00158A90
StrokePath.GDI32(?), ref: 00158AA0

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: 0a436127f96b2605cd492b6ea63efb7475c20d536123c269ef515d3d8348eb01
Instruction ID: 00fc4ea27f3dd2740896ec9ff000e6c8f6033f9ecdf4bc16844f7ba07392d7fb
Opcode Fuzzy Hash: 0a436127f96b2605cd492b6ea63efb7475c20d536123c269ef515d3d8348eb01
Instruction Fuzzy Hash: 4B11DB7600024DFFDF129F94DC88EAA7F6DEB08395F048012BA199A5A1C7729D95DFA0

Function 001251FD Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00125218
GetDeviceCaps.GDI32(00000000,00000058), ref: 00125229
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00125230
ReleaseDC.USER32(00000000,00000000), ref: 00125238
MulDiv.KERNEL32(000009EC,?,00000000), ref: 0012524F
MulDiv.KERNEL32(000009EC,00000001,?), ref: 00125261

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: 0e3d60ab88a7e83b1d90d89dae25d6986ba8201ffe02f3d95925257107060d25
Instruction ID: 50f7f041a162a1b02f2db3579a4a5a281bcd9e85fdfde33cb3c28032558eb89b
Opcode Fuzzy Hash: 0e3d60ab88a7e83b1d90d89dae25d6986ba8201ffe02f3d95925257107060d25
Instruction Fuzzy Hash: 7C018F75A00718FFEB109FA59C49A4EBFB8EB48752F044065FA04AB281D6709900CBA0

Function 000C1BC3 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 000C1BF4
MapVirtualKeyW.USER32(00000010,00000000), ref: 000C1BFC
MapVirtualKeyW.USER32(000000A0,00000000), ref: 000C1C07
MapVirtualKeyW.USER32(000000A1,00000000), ref: 000C1C12
MapVirtualKeyW.USER32(00000011,00000000), ref: 000C1C1A
MapVirtualKeyW.USER32(00000012,00000000), ref: 000C1C22

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: 8899023dfc6eaa812f40f6bc09d7b9cbb1a888a27505193debebbfaaf8cbc333
Instruction ID: 24a0b788c56c8f607e7fe5927ad736ab38ce076df7499988714f3e419d6a958d
Opcode Fuzzy Hash: 8899023dfc6eaa812f40f6bc09d7b9cbb1a888a27505193debebbfaaf8cbc333
Instruction Fuzzy Hash: C1016CB0902759BDE3008F5A8C85B52FFA8FF19354F00411B915C4BA41C7F5A864CBE5

Function 0012EB20 Relevance: 9.0, APIs: 6, Instructions: 42windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 0012EB30
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 0012EB46
GetWindowThreadProcessId.USER32(?,?), ref: 0012EB55
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0012EB64
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0012EB6E
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0012EB75

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: 939b7ab0e6cbf075eba6949563a99f8706e189720721c2195e6bf9c0ca4d04fb
Instruction ID: a4de9333d34ae4e3cf74faf7a81af609adaad912c65964c5bf23abb522290253
Opcode Fuzzy Hash: 939b7ab0e6cbf075eba6949563a99f8706e189720721c2195e6bf9c0ca4d04fb
Instruction Fuzzy Hash: 0BF01772240758FFE6215B629C0EEEB3A7CEBCAB12F000158F601D9591A7A05A818AF5

Function 00117439 Relevance: 9.0, APIs: 6, Instructions: 37windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?), ref: 00117452
SendMessageW.USER32(?,00001328,00000000,?), ref: 00117469
GetWindowDC.USER32(?), ref: 00117475
GetPixel.GDI32(00000000,?,?), ref: 00117484
ReleaseDC.USER32(?,00000000), ref: 00117496
GetSysColor.USER32(00000005), ref: 001174B0

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID: ClientColorMessagePixelRectReleaseSendWindow
String ID:
API String ID: 272304278-0
Opcode ID: 5d39f3a99d55e5a3c6ec3837a32640e4e9e2f99a41f5c0d112b079de120a3476
Instruction ID: 2e66e3ffda473d64fcd95e5628be9af3fe26f58d6b972957a901cd93f3a7c0c2
Opcode Fuzzy Hash: 5d39f3a99d55e5a3c6ec3837a32640e4e9e2f99a41f5c0d112b079de120a3476
Instruction Fuzzy Hash: 4C014B31500315FFEB515FA4DC48BEABBB6FB04322F510164F916A7AA1CB311E91EB90

Function 0012C5D0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 191windowCOMMON

Download Yara Rule

APIs

Part of subcall function 000C7620: _wcslen.LIBCMT ref: 000C7625

GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0012C6EE
_wcslen.LIBCMT ref: 0012C735
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0012C79C
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 0012C7CA

Strings

0, xrefs: 0012C6AF

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID: ItemMenu$Info_wcslen$Default
String ID: 0
API String ID: 1227352736-4108050209
Opcode ID: 91e84cc5455b3b533b7e790be22ed93dc7c651103e536955adb046512a11d0d6
Instruction ID: 10c18c4ea0c7169c71e02e6a9d18c5b5c5b16817a4b3233b83832011ba50ed38
Opcode Fuzzy Hash: 91e84cc5455b3b533b7e790be22ed93dc7c651103e536955adb046512a11d0d6
Instruction Fuzzy Hash: AB51F1716043219BD7149F28E884BAF77E8AF49314F040A2DFA95E3291DB70DD64CBD2

Function 0014AD64 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 176COMMON

Download Yara Rule

APIs

ShellExecuteExW.SHELL32(0000003C), ref: 0014AEA3

Part of subcall function 000C7620: _wcslen.LIBCMT ref: 000C7625

GetProcessId.KERNEL32(00000000), ref: 0014AF38
CloseHandle.KERNEL32(00000000), ref: 0014AF67

Strings

<, xrefs: 0014AE6B
@, xrefs: 0014AE72

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID: CloseExecuteHandleProcessShell_wcslen
String ID: <$@
API String ID: 146682121-1426351568
Opcode ID: 44f266dccd23c4bfa26b03adb69752baf2556c3debbdcb407808ab85a6c40de5
Instruction ID: 4df0c0bd07eb5199abf6723ce891d0f79aed648646556e079d7c9c484ac3a949
Opcode Fuzzy Hash: 44f266dccd23c4bfa26b03adb69752baf2556c3debbdcb407808ab85a6c40de5
Instruction Fuzzy Hash: 55713671A00619DFCB14DFA4C494A9EBBF0BF08314F458499E85AAB3A2CB74ED45CB91

Function 0012719E Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.COMBASE(?,00000000,00000005,?,?), ref: 00127206
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 0012723C
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 0012724D
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 001272CF

Strings

DllGetClassObject, xrefs: 00127242

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: 4c7d089a5a43afb730991e3d03fca9889e427647f05770959e7ed69fa644129e
Instruction ID: ea06b45cceb865e3fcc751193150c9aa5a36d6fcaaf98972d9639ec9bf0ad0c6
Opcode Fuzzy Hash: 4c7d089a5a43afb730991e3d03fca9889e427647f05770959e7ed69fa644129e
Instruction Fuzzy Hash: 2F418D71A04314EFDB15DF94D884A9B7BA9EF44310F1580ADFD059F28AD7B0DA54CBA0

Function 00153D7C Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00153E35
IsMenu.USER32(?), ref: 00153E4A
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00153E92
DrawMenuBar.USER32 ref: 00153EA5

Strings

0, xrefs: 00153D89

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert
String ID: 0
API String ID: 3076010158-4108050209
Opcode ID: 02c9707213547990d139bce0d474604eb65136777bb78c4fa628e9b78e1877b9
Instruction ID: 355f451538e805bcef36b6b3d8ed9b624f86abd859623a73a440746569fc543d
Opcode Fuzzy Hash: 02c9707213547990d139bce0d474604eb65136777bb78c4fa628e9b78e1877b9
Instruction Fuzzy Hash: 4E414B75A00209EFDB10DF90D885ADAB7F5FF45395F044119ED259B250D770AE49CF60

Function 00121DE2 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 93windowCOMMON

Download Yara Rule

APIs

Part of subcall function 000C9CB3: _wcslen.LIBCMT ref: 000C9CBD

Part of subcall function 00123CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00123CCA

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00121E66
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00121E79
SendMessageW.USER32(?,00000189,?,00000000), ref: 00121EA9

Part of subcall function 000C6B57: _wcslen.LIBCMT ref: 000C6B6A

Strings

ComboBox, xrefs: 00121DF0
ListBox, xrefs: 00121E25

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID: MessageSend$_wcslen$ClassName
String ID: ComboBox$ListBox
API String ID: 2081771294-1403004172
Opcode ID: c459a43a46a174410279003c89344ed2fe44d6e6f41a9c07060f86c9e783784d
Instruction ID: 0dfe07e80e0a6f97bc40a34681ee27f0abeb09d656032219bad99f8529e5816e
Opcode Fuzzy Hash: c459a43a46a174410279003c89344ed2fe44d6e6f41a9c07060f86c9e783784d
Instruction Fuzzy Hash: 97213771A00204BEDB15EF64EC46DFFB7B9DF51350B104129F825A72E1DB344E198660

Function 0014C9EA Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 91COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0014C9F1
_wcslen.LIBCMT ref: 0014CA68
_wcslen.LIBCMT ref: 0014CA9E
_wcslen.LIBCMT ref: 0014CAF9
_wcslen.LIBCMT ref: 0014CB2F
_wcslen.LIBCMT ref: 0014CB7F

Strings

HKLM, xrefs: 0014CA98, 0014CA9D
HKEY_LOCAL_MACHINE, xrefs: 0014CA62, 0014CA67

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID: _wcslen
String ID: HKEY_LOCAL_MACHINE$HKLM
API String ID: 176396367-4004644295
Opcode ID: 55fe8f7d5b6ca293464762affc0e4945aa5b2ea56946de9b4b9f99844b7b0db8
Instruction ID: 3ea5419ebb44ce23e9c79e378191bd55300aed54686436b86c29ebf566e653eb
Opcode Fuzzy Hash: 55fe8f7d5b6ca293464762affc0e4945aa5b2ea56946de9b4b9f99844b7b0db8
Instruction Fuzzy Hash: 1D313A73A0216A4BCB60EF2CC9405BF33915BA1750B754029E841BB3A5FB71CE84D7E0

Function 00152F17 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78windowlibraryCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00152F8D
LoadLibraryW.KERNEL32(?), ref: 00152F94
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00152FA9
DestroyWindow.USER32(?), ref: 00152FB1

Strings

SysAnimate32, xrefs: 00152F68

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID: MessageSend$DestroyLibraryLoadWindow
String ID: SysAnimate32
API String ID: 3529120543-1011021900
Opcode ID: 122bd3a2a809ea87c891ee54c3af20e8a154fd758d893b3536095fde197c2b4d
Instruction ID: 389de86050da0f9a3bca4032f24ae50f2ec102d12e73f85930583d50dc92c913
Opcode Fuzzy Hash: 122bd3a2a809ea87c891ee54c3af20e8a154fd758d893b3536095fde197c2b4d
Instruction Fuzzy Hash: BD218C72204205EFEB104F64EC80FBB77B9EB5A366F10461AFD60EA190D771DC959BA0

Function 000E4D6D Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,000E4D1E,000F28E9,?,000E4CBE,000F28E9,001888B8,0000000C,000E4E15,000F28E9,00000002), ref: 000E4D8D
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 000E4DA0
FreeLibrary.KERNEL32(00000000,?,?,?,000E4D1E,000F28E9,?,000E4CBE,000F28E9,001888B8,0000000C,000E4E15,000F28E9,00000002,00000000), ref: 000E4DC3

Strings

mscoree.dll, xrefs: 000E4D86
CorExitProcess, xrefs: 000E4D98

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 815151d89a7262a063c734d64d7b94252e95c97a0a8e65b41e7edd5e962f6314
Instruction ID: ee8fab756560f035d0085d820fefc488cd6f3517e21776bdb18887f96e6e5a0c
Opcode Fuzzy Hash: 815151d89a7262a063c734d64d7b94252e95c97a0a8e65b41e7edd5e962f6314
Instruction Fuzzy Hash: F5F03C35A40308EFDB519F95DC49BEEBBE5EB44752F0400A8B805A6660CB705A90CBD1

Function 000C4E90 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,000C4EDD,?,00191418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 000C4E9C
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 000C4EAE
FreeLibrary.KERNEL32(00000000,?,?,000C4EDD,?,00191418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 000C4EC0

Strings

kernel32.dll, xrefs: 000C4E94
Wow64DisableWow64FsRedirection, xrefs: 000C4EA8

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 145871493-3689287502
Opcode ID: a0f85571bacb0a5e79c359c664a37c3faca91c8b3935156194439a4a1bf8f02f
Instruction ID: e3f24cfd7a567f062b6165b5c94018558f3d86b975c2117652ee9631353ce635
Opcode Fuzzy Hash: a0f85571bacb0a5e79c359c664a37c3faca91c8b3935156194439a4a1bf8f02f
Instruction Fuzzy Hash: F8E08635A01B22DFD2611F256C68F5F6694BF81F637060119FC00E6500DB60CD4185E0

Function 000C4E59 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00103CDE,?,00191418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 000C4E62
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 000C4E74
FreeLibrary.KERNEL32(00000000,?,?,00103CDE,?,00191418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 000C4E87

Strings

kernel32.dll, xrefs: 000C4E5B
Wow64RevertWow64FsRedirection, xrefs: 000C4E6E

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 145871493-1355242751
Opcode ID: e1054590682e83da9de697bd410757d6d10383af70c5c25bfc9033345f443d6c
Instruction ID: 10aa7ec4febd8ac90c766e34783451489792b0b410ce4231648e2aa4bf08586d
Opcode Fuzzy Hash: e1054590682e83da9de697bd410757d6d10383af70c5c25bfc9033345f443d6c
Instruction Fuzzy Hash: 2FD01235502B21DF96621F297C28ECF6A58BF85F523060519BD05AA555CF60CE41C5D0

Function 0014A387 Relevance: 7.8, APIs: 5, Instructions: 256COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 0014A427
OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 0014A435
GetProcessIoCounters.KERNEL32(00000000,?), ref: 0014A468
CloseHandle.KERNEL32(?), ref: 0014A63D

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID: Process$CloseCountersCurrentHandleOpen
String ID:
API String ID: 3488606520-0
Opcode ID: 980696fee564cedd1d16edd53bc4a2039d19182f3771c741146350fc77de4b27
Instruction ID: f99fbc2fe9efdee113bdb5f00376c049d9cc25e82fa84a770bcb8736d2113944
Opcode Fuzzy Hash: 980696fee564cedd1d16edd53bc4a2039d19182f3771c741146350fc77de4b27
Instruction Fuzzy Hash: A6A1B0716043019FE720DF24C886F6AB7E5AF84714F55881DF59A9B3D2D7B0EC418B92

Function 00141D10 Relevance: 7.8, APIs: 5, Instructions: 254networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00143149: select.WS2_32(00000000,?,00000000,00000000,?), ref: 00143195

__WSAFDIsSet.WS2_32(00000000,?), ref: 00141DC0
WSAGetLastError.WS2_32 ref: 00141DF2
inet_ntoa.WS2_32(?), ref: 00141E8C
htons.WS2_32(?), ref: 00141EDB
_strlen.LIBCMT ref: 00141F35

Part of subcall function 001239E8: _strlen.LIBCMT ref: 001239F2

Part of subcall function 000C6D9E: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,00000002,?,?,?,?,000DCF58,?,?,?), ref: 000C6DBA
Part of subcall function 000C6D9E: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,?,?,?,000DCF58,?,?,?), ref: 000C6DED

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID: ByteCharMultiWide_strlen$ErrorLasthtonsinet_ntoaselect
String ID:
API String ID: 1923757996-0
Opcode ID: c8d2d34eed00a35a399bf88c6c3630d4052802ca7c0687b4622b397603eb3919
Instruction ID: d915866c5e3be728bcbbd534ac675965cb461aa5af219c75bb05486ab4885274
Opcode Fuzzy Hash: c8d2d34eed00a35a399bf88c6c3630d4052802ca7c0687b4622b397603eb3919
Instruction Fuzzy Hash: 66A1CE71604340AFC324DF20C895F6A7BA5AF94318F94895CF45A5B2A3CB31ED8ACB91

Function 0012E3FB Relevance: 7.7, APIs: 5, Instructions: 167filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0012DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,0012CF22,?), ref: 0012DDFD

Part of subcall function 0012DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,0012CF22,?), ref: 0012DE16

Part of subcall function 0012E199: GetFileAttributesW.KERNEL32(?,0012CF95), ref: 0012E19A

lstrcmpiW.KERNEL32(?,?), ref: 0012E473
MoveFileW.KERNEL32(?,?), ref: 0012E4AC
_wcslen.LIBCMT ref: 0012E5EB
_wcslen.LIBCMT ref: 0012E603
SHFileOperationW.SHELL32(?,?,?,?,?,?), ref: 0012E650

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID: File$FullNamePath_wcslen$AttributesMoveOperationlstrcmpi
String ID:
API String ID: 3183298772-0
Opcode ID: 522229b97f71d59972e4dc9e27ec87ceff1132d0c325f4078afacd60064ebf14
Instruction ID: 670af0b42a38d6db6e55823b4b6b851082972b6aaa35de19fcf1f3204b2912ba
Opcode Fuzzy Hash: 522229b97f71d59972e4dc9e27ec87ceff1132d0c325f4078afacd60064ebf14
Instruction Fuzzy Hash: F95153B24083959FC724EB90EC819DF73DCAF95340F40492EF689D3192EF74A6988766

Function 0014B9C9 Relevance: 7.7, APIs: 5, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 000C9CB3: _wcslen.LIBCMT ref: 000C9CBD

Part of subcall function 0014C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0014B6AE,?,?), ref: 0014C9B5
Part of subcall function 0014C998: _wcslen.LIBCMT ref: 0014C9F1
Part of subcall function 0014C998: _wcslen.LIBCMT ref: 0014CA68
Part of subcall function 0014C998: _wcslen.LIBCMT ref: 0014CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0014BAA5
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0014BB00
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 0014BB63
RegCloseKey.ADVAPI32(?,?), ref: 0014BBA6
RegCloseKey.ADVAPI32(00000000), ref: 0014BBB3

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpper
String ID:
API String ID: 826366716-0
Opcode ID: e5e77795be80a398772c3bd24a69301680a47c232fedc38912fbd8bccac7a33b
Instruction ID: d28b93e3856744dc8ddb514ac532dc78a94645030a000818810e23ca1668c88b
Opcode Fuzzy Hash: e5e77795be80a398772c3bd24a69301680a47c232fedc38912fbd8bccac7a33b
Instruction Fuzzy Hash: 4B616C31208241AFD714DF24C8D5E6ABBE5FF84318F54899CF4998B2A2DB31ED45CB92

Function 00128BB0 Relevance: 7.7, APIs: 5, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00128BCD
VariantClear.OLEAUT32 ref: 00128C3E
VariantClear.OLEAUT32 ref: 00128C9D
VariantClear.OLEAUT32(?), ref: 00128D10
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00128D3B

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType
String ID:
API String ID: 4136290138-0
Opcode ID: 2b7a0d1c284677a059128f1ec9754c952fc3cc41060e95628d60e34986fc2dfa
Instruction ID: a05c221047df2524d7e3b8a689dbfde00f8671fcdfdbebaa09b2d03f9f842889
Opcode Fuzzy Hash: 2b7a0d1c284677a059128f1ec9754c952fc3cc41060e95628d60e34986fc2dfa
Instruction Fuzzy Hash: 855159B5A01219EFDB14CF68D894EAAB7F8FF89310B158559E905DB350E730E921CFA0

Function 00138AFB Relevance: 7.6, APIs: 5, Instructions: 143COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00138BAE
GetPrivateProfileSectionW.KERNEL32(?,00000003,00000003,?), ref: 00138BDA
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00138C32
WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00138C57
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00138C5F

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String
String ID:
API String ID: 2832842796-0
Opcode ID: eeb1d34b9625e573f7b80e7a84d8502ed8a64722d523a85eaf4e7dac9538adb0
Instruction ID: a1c345138d0aa051060291fe18ed7df0b694408a280f62cd068ea280c806e836
Opcode Fuzzy Hash: eeb1d34b9625e573f7b80e7a84d8502ed8a64722d523a85eaf4e7dac9538adb0
Instruction Fuzzy Hash: DC511835A006159FCB05DF64C881EADBBF5FF48314F088459E849AB362DB35ED51DBA0

Function 00148EE4 Relevance: 7.6, APIs: 5, Instructions: 143libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(?,00000000,?), ref: 00148F40
GetProcAddress.KERNEL32(00000000,?), ref: 00148FD0
GetProcAddress.KERNEL32(00000000,00000000), ref: 00148FEC
GetProcAddress.KERNEL32(00000000,?), ref: 00149032
FreeLibrary.KERNEL32(00000000), ref: 00149052

Part of subcall function 000DF6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,00131043,?,753CE610), ref: 000DF6E6
Part of subcall function 000DF6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,0011FA64,00000000,00000000,?,?,00131043,?,753CE610,?,0011FA64), ref: 000DF70D

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad
String ID:
API String ID: 666041331-0
Opcode ID: 51b532090521942c7f5c9ea0494c39ae2021dd0edd3a334cebb8482d76acf02d
Instruction ID: c40585d05bbe82e99b2ebfff2a120ce69578a4861bfc7eee649297b62c074f15
Opcode Fuzzy Hash: 51b532090521942c7f5c9ea0494c39ae2021dd0edd3a334cebb8482d76acf02d
Instruction Fuzzy Hash: 3B513635600605DFCB15DF68C494DADBBF1FF49324B4580A9E80A9B762DB31ED89CB90

Function 00156B76 Relevance: 7.6, APIs: 5, Instructions: 131windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(00000002,000000F0,?), ref: 00156C33
SetWindowLongW.USER32(?,000000EC,?), ref: 00156C4A
SendMessageW.USER32(00000002,00001036,00000000,?), ref: 00156C73
ShowWindow.USER32(00000002,00000000,00000002,00000002,?,?,?,?,?,?,?,0013AB79,00000000,00000000), ref: 00156C98
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000027,00000002,?,00000001,00000002,00000002,?,?,?), ref: 00156CC7

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID: Window$Long$MessageSendShow
String ID:
API String ID: 3688381893-0
Opcode ID: 9c2bae1bad8bc8f710dc28544e4ca507d0099e89715370da3a8783a06a176be9
Instruction ID: b946714aeeb8eb5d3fc5feb23ee2e71c4033abe0697561862a49708655c759aa
Opcode Fuzzy Hash: 9c2bae1bad8bc8f710dc28544e4ca507d0099e89715370da3a8783a06a176be9
Instruction Fuzzy Hash: AC41D635604204EFD724CF28CC55FA97BA5EB09361F950228FCA9AF2E1C371AD85DAC0

Function 000F2051 Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 000F20C3
_free.LIBCMT ref: 000F20E3

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 8a38d205a4ba14fcc708b70e68c6899bef41228852cec66a3358327d66d37c5a
Instruction ID: 58d14d93d475f18a91d2218ef85c13c0c2854fdf3489ffec56b43c1737b91eaa
Opcode Fuzzy Hash: 8a38d205a4ba14fcc708b70e68c6899bef41228852cec66a3358327d66d37c5a
Instruction Fuzzy Hash: 1741D332A003089FCB24DF78C881AADB7F5EF89314F154569E615EB792DB31AD01DB90

Function 000D912D Relevance: 7.6, APIs: 5, Instructions: 121keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 000D9141
ScreenToClient.USER32(00000000,?), ref: 000D915E
GetAsyncKeyState.USER32(00000001), ref: 000D9183
GetAsyncKeyState.USER32(00000002), ref: 000D919D

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: d60dfc8047f65869632cac979d2193073a116ab4b933ac3433ff6811a9153a6a
Instruction ID: 53df3745ed2c6a9a411ca68c8ca088ac6858aebfe65eaf59ca1e272333caf9b9
Opcode Fuzzy Hash: d60dfc8047f65869632cac979d2193073a116ab4b933ac3433ff6811a9153a6a
Instruction Fuzzy Hash: 3D416075A0860AFBDF199F64C844BEEB774FF05320F208226E825A73D0C7346994CBA1

Function 00133874 Relevance: 7.6, APIs: 5, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 001338CB
TranslateAcceleratorW.USER32(?,00000000,?), ref: 00133922
TranslateMessage.USER32(?), ref: 0013394B
DispatchMessageW.USER32(?), ref: 00133955
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00133966

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchInputPeekState
String ID:
API String ID: 2256411358-0
Opcode ID: 5e6049affda6fdfce261c52e28f3429419d34348fdf011dd35d90bb8a4253c67
Instruction ID: 04172ca386666c26980e0d17df44222cfbceabf9c95cc5de7649ca78abe69b96
Opcode Fuzzy Hash: 5e6049affda6fdfce261c52e28f3429419d34348fdf011dd35d90bb8a4253c67
Instruction Fuzzy Hash: 7931D570904342EEEF35CB34D849BB637A8EB05308F04056EE472C65A0E3B49AC5CB55

Function 0013CF1A Relevance: 7.6, APIs: 5, Instructions: 93networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(?,?,00000000,00000000,00000000,?,00000000,?,?,?,0013C21E,00000000), ref: 0013CF38
InternetReadFile.WININET(?,00000000,?,?), ref: 0013CF6F
GetLastError.KERNEL32(?,00000000,?,?,?,0013C21E,00000000), ref: 0013CFB4
SetEvent.KERNEL32(?,?,00000000,?,?,?,0013C21E,00000000), ref: 0013CFC8
SetEvent.KERNEL32(?,?,00000000,?,?,?,0013C21E,00000000), ref: 0013CFF2

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID: EventInternet$AvailableDataErrorFileLastQueryRead
String ID:
API String ID: 3191363074-0
Opcode ID: ee9fb0d9fd9e1859c408ef7e737433daa9e9f4686ac987671318f0c49c279cf6
Instruction ID: 09c3423ced454979a1c7cebd99538ac42e6bfac94cf85d9ac496ba870c6b7951
Opcode Fuzzy Hash: ee9fb0d9fd9e1859c408ef7e737433daa9e9f4686ac987671318f0c49c279cf6
Instruction Fuzzy Hash: 0B316B71500306EFDB24DFA5C8849ABBBFEEB14311F10842EF506E6601DB30AE41DBA0

Function 00121901 Relevance: 7.6, APIs: 5, Instructions: 93sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00121915
PostMessageW.USER32(00000001,00000201,00000001), ref: 001219C1
Sleep.KERNEL32(00000000,?,?,?), ref: 001219C9
PostMessageW.USER32(00000001,00000202,00000000), ref: 001219DA
Sleep.KERNEL32(00000000,?,?,?,?), ref: 001219E2

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: 55efd2e95ace8a38d1163678509c86f997f0a1a21089592b9756659a9b7dafb9
Instruction ID: c4eb4a62ed7d3f2ca8df01691fa29870492f848b3abe73891cb462da83a180d6
Opcode Fuzzy Hash: 55efd2e95ace8a38d1163678509c86f997f0a1a21089592b9756659a9b7dafb9
Instruction Fuzzy Hash: D8319171900229EFCF14CFA8DD99ADE7BB5EB54319F104225F921AB2D1C7709A94CB90

Function 00155706 Relevance: 7.6, APIs: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001053,000000FF,?), ref: 00155745
SendMessageW.USER32(?,00001074,?,00000001), ref: 0015579D
_wcslen.LIBCMT ref: 001557AF
_wcslen.LIBCMT ref: 001557BA
SendMessageW.USER32(?,00001002,00000000,?), ref: 00155816

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID: MessageSend$_wcslen
String ID:
API String ID: 763830540-0
Opcode ID: 287d5e540b0b55b35a3de3da4ef5baaa42a432434abb5470be66161fd6903639
Instruction ID: 69c276bc6b3ffa90c51adbb7d1870a5ccd85534d926c82de883d01fbe27c08d6
Opcode Fuzzy Hash: 287d5e540b0b55b35a3de3da4ef5baaa42a432434abb5470be66161fd6903639
Instruction Fuzzy Hash: FB218571904618DADB209FA1CC85AED7BB9FF04726F108256ED39EE181E7708AC9CF50

Function 00140930 Relevance: 7.6, APIs: 5, Instructions: 69COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00140951
GetForegroundWindow.USER32 ref: 00140968
GetDC.USER32(00000000), ref: 001409A4
GetPixel.GDI32(00000000,?,00000003), ref: 001409B0
ReleaseDC.USER32(00000000,00000003), ref: 001409E8

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: 0b768fc180a0dda05982502756395fe805cc073c7af47fd69e114b194e2cc5e5
Instruction ID: 3ae7095384eaa390a5e445eaf1e722d5e75475223cbd48a82212d09b6bbb2410
Opcode Fuzzy Hash: 0b768fc180a0dda05982502756395fe805cc073c7af47fd69e114b194e2cc5e5
Instruction Fuzzy Hash: 1F216D35600214EFD704EF65C885AAEBBE9EF58701F04846CF84A9B762CB30AD44CB90

Function 000FCDBD Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 000FCDC6
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 000FCDE9

Part of subcall function 000F3820: RtlAllocateHeap.NTDLL(00000000,?,00191444), ref: 000F3852

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 000FCE0F
_free.LIBCMT ref: 000FCE22
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 000FCE31

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: 129ce3d3142454bae41996a5b0f83150edbe35a1f94bdf442cc4c534a3d591ae
Instruction ID: 88b53ea378201cdbf88c493156b1c0ab93c8abd9dec09650e4ce2ad4cb158033
Opcode Fuzzy Hash: 129ce3d3142454bae41996a5b0f83150edbe35a1f94bdf442cc4c534a3d591ae
Instruction Fuzzy Hash: 22018872A0171DBF33611A7A6D89DBF79ADEFC6BA13150129FA05C7901DA618D01A1F0

Function 000D9639 Relevance: 7.6, APIs: 5, Instructions: 66COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 000D9693
SelectObject.GDI32(?,00000000), ref: 000D96A2
BeginPath.GDI32(?), ref: 000D96B9
SelectObject.GDI32(?,00000000), ref: 000D96E2

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 2af06f765c6ea15dd036ba1eaef09794f3ec9068fc894614f94e30ddfa0e1066
Instruction ID: 71d228909d3141b82fdb6e57ed2ced9a99ff6276c34a96134a3b468ac6123681
Opcode Fuzzy Hash: 2af06f765c6ea15dd036ba1eaef09794f3ec9068fc894614f94e30ddfa0e1066
Instruction Fuzzy Hash: 46214970802306EFDB119F65EC58BAD7BB9BB5036AF104217F821A66E0D37098D1CBA4

Function 00125711 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00125726
_memcmp.LIBVCRUNTIME ref: 00125744
_memcmp.LIBVCRUNTIME ref: 00125757
_memcmp.LIBVCRUNTIME ref: 0012576F
_memcmp.LIBVCRUNTIME ref: 00125787

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: bc4aa5fc11381d476c3281bc8537a37f5b29bd164323ab1d10a3f333eea4e0d3
Instruction ID: a93867109d4f359e6f402fc2f314eecba62263871b11e45c30515c2d86bfa2ce
Opcode Fuzzy Hash: bc4aa5fc11381d476c3281bc8537a37f5b29bd164323ab1d10a3f333eea4e0d3
Instruction Fuzzy Hash: 4201B971681655FFD3089621ADC2FFB735E9B613A5F804034FD14AE242F770EE2582A0

Function 000F2DF8 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,000EF2DE,000F3863,00191444,?,000DFDF5,?,?,000CA976,00000010,00191440,000C13FC,?,000C13C6), ref: 000F2DFD
_free.LIBCMT ref: 000F2E32
_free.LIBCMT ref: 000F2E59
SetLastError.KERNEL32(00000000,000C1129), ref: 000F2E66
SetLastError.KERNEL32(00000000,000C1129), ref: 000F2E6F

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 2d69712bb4029901d929c257c03a008b1808b5b493d03e9f2a332572cc30bb6b
Instruction ID: 6e327fe2f3dcbefe30cbb0c482653443496252a69aaf12251ab7ad601b16c44a
Opcode Fuzzy Hash: 2d69712bb4029901d929c257c03a008b1808b5b493d03e9f2a332572cc30bb6b
Instruction Fuzzy Hash: 6701F932245B0CABC65267746C45D7F2999BBD17717310025FB2193E93EB708D417160

Function 0012000E Relevance: 7.5, APIs: 5, Instructions: 47stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.COMBASE ref: 0012002B
ProgIDFromCLSID.COMBASE(?,00000000), ref: 00120046
lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0011FF41,80070057,?,?), ref: 00120054
CoTaskMemFree.COMBASE(00000000), ref: 00120064
CLSIDFromString.COMBASE(?,?), ref: 00120070

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: 638b3fe3b8cd6a7fdc8ced83bce8677b32c5fa4bdb983c2c7406482715991aa1
Instruction ID: a1ecdaa1c54751f66b64a71ac297b3c2fa697e974267ba801a29feb8036a8b77
Opcode Fuzzy Hash: 638b3fe3b8cd6a7fdc8ced83bce8677b32c5fa4bdb983c2c7406482715991aa1
Instruction Fuzzy Hash: 5201A772600314FFEB114F64EC44BAA7AEDEF48792F144214F905D6221D771DD5087A4

Function 0012E97B Relevance: 7.5, APIs: 5, Instructions: 47sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?), ref: 0012E997
QueryPerformanceFrequency.KERNEL32(?), ref: 0012E9A5
Sleep.KERNEL32(00000000), ref: 0012E9AD
QueryPerformanceCounter.KERNEL32(?), ref: 0012E9B7
Sleep.KERNEL32 ref: 0012E9F3

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: 5722cfd8e1770e25627ec113d6ff09b00caf4f03cb4d30986c5d789fae415ad1
Instruction ID: 7e696ec471462dfb12bf3799b62137f7ab2d2f4082337ff6a3991765756c4a7d
Opcode Fuzzy Hash: 5722cfd8e1770e25627ec113d6ff09b00caf4f03cb4d30986c5d789fae415ad1
Instruction Fuzzy Hash: 41011731C01A39DBCF00AFE5E899AEDBBB8BB09705F010556E502B2241CB3495A4CBA1

Function 001210F9 Relevance: 7.5, APIs: 5, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00121114
GetLastError.KERNEL32(?,00000000,00000000,?,?,00120B9B,?,?,?), ref: 00121120
GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00120B9B,?,?,?), ref: 0012112F
RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 00121136
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0012114D

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocateErrorLastProcess
String ID:
API String ID: 883493501-0
Opcode ID: 1e87e32831bbcc18d5c7d10a1cc3a9ef4ec96ec3fdd70a9ad90af60ffcb91f25
Instruction ID: 6dc3499f66fdeb4a483e2d32bb9ed5e1c05717da8b5a265f3a481bbd5214dee2
Opcode Fuzzy Hash: 1e87e32831bbcc18d5c7d10a1cc3a9ef4ec96ec3fdd70a9ad90af60ffcb91f25
Instruction Fuzzy Hash: 21016D79100315FFDB114F64EC49A6A3F6EEF89361B140414FA41D7350DB31DC50CAA0

Function 00120FB4 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00120FCA
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00120FD6
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00120FE5
RtlAllocateHeap.NTDLL(00000000,?,00000002), ref: 00120FEC
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00121002

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID: HeapInformationToken$AllocateErrorLastProcess
String ID:
API String ID: 47921759-0
Opcode ID: 7a5c5489eca32673e393974af274d1c48aed29d375b5ecd38dc37a7b758cabb2
Instruction ID: ae8e797b54ed9d018ad681d0893b3e53d6a99649b88dd89e95091f0c9049a9ad
Opcode Fuzzy Hash: 7a5c5489eca32673e393974af274d1c48aed29d375b5ecd38dc37a7b758cabb2
Instruction Fuzzy Hash: E7F04F39100315FFDB214FA5AC89F5A3BADEF89762F104414F945CA291CA70DC908AA0

Function 00121014 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 0012102A
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00121036
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00121045
RtlAllocateHeap.NTDLL(00000000,?,TokenIntegrityLevel), ref: 0012104C
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00121062

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID: HeapInformationToken$AllocateErrorLastProcess
String ID:
API String ID: 47921759-0
Opcode ID: 8da0688ff3aa13191febc7d76d0e7a451bd031ed38778d45327fc9a525967a93
Instruction ID: c1653278e230066f064cd2500560ca5a34502c43c411f12f79a10f8166c6cbda
Opcode Fuzzy Hash: 8da0688ff3aa13191febc7d76d0e7a451bd031ed38778d45327fc9a525967a93
Instruction Fuzzy Hash: 1DF04F39100355FFDB215FA5EC49F5A3BADEF89762F200414F945CA290CA70D8908AA0

Function 0013030F Relevance: 7.5, APIs: 6, Instructions: 41COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,?,?,?,0013017D,?,001332FC,?,00000001,00102592,?), ref: 00130324
CloseHandle.KERNEL32(?,?,?,?,0013017D,?,001332FC,?,00000001,00102592,?), ref: 00130331
CloseHandle.KERNEL32(?,?,?,?,0013017D,?,001332FC,?,00000001,00102592,?), ref: 0013033E
CloseHandle.KERNEL32(?,?,?,?,0013017D,?,001332FC,?,00000001,00102592,?), ref: 0013034B
CloseHandle.KERNEL32(?,?,?,?,0013017D,?,001332FC,?,00000001,00102592,?), ref: 00130358
CloseHandle.KERNEL32(?,?,?,?,0013017D,?,001332FC,?,00000001,00102592,?), ref: 00130365

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: b4de72970c704654712b5ffaae75d8b8ca4363b9257d67d64cff18660d0b4a00
Instruction ID: 36a4b1e9267a30400de3479db76df40592e8db6ac58a41bc8f677a82a173a13d
Opcode Fuzzy Hash: b4de72970c704654712b5ffaae75d8b8ca4363b9257d67d64cff18660d0b4a00
Instruction Fuzzy Hash: 31019872800B15DFCB32AF66D8A0812FBF9BF642153158A3ED19652931C3B1A998CE80

Function 000FD73A Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 000FD752

Part of subcall function 000F29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,000FD7D1,00000000,00000000,00000000,00000000,?,000FD7F8,00000000,00000007,00000000,?,000FDBF5,00000000), ref: 000F29DE
Part of subcall function 000F29C8: GetLastError.KERNEL32(00000000,?,000FD7D1,00000000,00000000,00000000,00000000,?,000FD7F8,00000000,00000007,00000000,?,000FDBF5,00000000,00000000), ref: 000F29F0

_free.LIBCMT ref: 000FD764
_free.LIBCMT ref: 000FD776
_free.LIBCMT ref: 000FD788
_free.LIBCMT ref: 000FD79A

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 5f03b00cfb4c868c3fd05208f92faf1b8d152eefeb90203ecf35f2141a2de9a3
Instruction ID: 29d0ad801934bce89f955e85ee25156e8d546cc6de177cf0cbbc502a1666be2c
Opcode Fuzzy Hash: 5f03b00cfb4c868c3fd05208f92faf1b8d152eefeb90203ecf35f2141a2de9a3
Instruction Fuzzy Hash: 7FF0FF3258830EAB8661FB64F9C5C6A77DEBB447107A40806F258EBD12D774FC80A7B4

Function 00125C44 Relevance: 7.5, APIs: 5, Instructions: 40windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 00125C58
GetWindowTextW.USER32(00000000,?,00000100), ref: 00125C6F
MessageBeep.USER32(00000000), ref: 00125C87
KillTimer.USER32(?,0000040A), ref: 00125CA3
EndDialog.USER32(?,00000001), ref: 00125CBD

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: af7bffcce8f5a4dedd386e093c86a0018839ff9a539eeb7e050be94ff956a3f0
Instruction ID: 0b890fe14db93620f30d0b2c49164e126f61e0ddbf03dc2cfa188ebf058889ab
Opcode Fuzzy Hash: af7bffcce8f5a4dedd386e093c86a0018839ff9a539eeb7e050be94ff956a3f0
Instruction Fuzzy Hash: 4D018630500B14EFEB255F10ED8EFA677BDBB04B06F000559A583A55E1EBF0AAE48B90

Function 000F22A0 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 000F22BE

Part of subcall function 000F29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,000FD7D1,00000000,00000000,00000000,00000000,?,000FD7F8,00000000,00000007,00000000,?,000FDBF5,00000000), ref: 000F29DE
Part of subcall function 000F29C8: GetLastError.KERNEL32(00000000,?,000FD7D1,00000000,00000000,00000000,00000000,?,000FD7F8,00000000,00000007,00000000,?,000FDBF5,00000000,00000000), ref: 000F29F0

_free.LIBCMT ref: 000F22D0
_free.LIBCMT ref: 000F22E3
_free.LIBCMT ref: 000F22F4
_free.LIBCMT ref: 000F2305

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: dc920c5aa96564e4ec0faf0866ab35c775ef5bcb82463a1625611c681172c07c
Instruction ID: 5f342b14bb8839532de3aefccd9305d2b0104601d672d8c9e0fbd46469ae0059
Opcode Fuzzy Hash: dc920c5aa96564e4ec0faf0866ab35c775ef5bcb82463a1625611c681172c07c
Instruction Fuzzy Hash: AFF03A71884126AB8613BF54BC018AC3BA4BB19B60710050BF514D7FB2C7702AD1BFE4

Function 000D95C5 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 000D95D4
StrokeAndFillPath.GDI32(?,?,001171F7,00000000,?,?,?), ref: 000D95F0
SelectObject.GDI32(?,00000000), ref: 000D9603
DeleteObject.GDI32 ref: 000D9616
StrokePath.GDI32(?), ref: 000D9631

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: 7a82e0304ac4b490f9c3c951ec0800a4157eb697475086fa59e983aec0f3d429
Instruction ID: dbeab94d337b0dc8d52bf98d906ebf92e563f548e991b312f249c0a3c6cd05f8
Opcode Fuzzy Hash: 7a82e0304ac4b490f9c3c951ec0800a4157eb697475086fa59e983aec0f3d429
Instruction Fuzzy Hash: 6EF0373400670AFFDB625F69ED5CB683BA1EB003AAF048226F425599F0C73189D1DF64

Function 00121874 Relevance: 7.5, APIs: 5, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 0012187F
CloseHandle.KERNEL32(?), ref: 00121894
CloseHandle.KERNEL32(?), ref: 0012189C
GetProcessHeap.KERNEL32(00000000,?), ref: 001218A5
HeapFree.KERNEL32(00000000), ref: 001218AC

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessSingleWait
String ID:
API String ID: 3751786701-0
Opcode ID: 5d9e38e811384c4ddc0bc9332aaac19e9c45f74fcf74aa6c2fe3ab5aa437985d
Instruction ID: bc5fb2245f94799f2bddfb0cb5e538be1959224f7a1db5e28e55a6d2d2e6ffe0
Opcode Fuzzy Hash: 5d9e38e811384c4ddc0bc9332aaac19e9c45f74fcf74aa6c2fe3ab5aa437985d
Instruction Fuzzy Hash: 90E05276104705FFDA015FA5ED0C94ABB69FB49B22B508625F22689871CB32A4A1DB90

Function 000F0F47 Relevance: 7.4, APIs: 2, Strings: 2, Instructions: 389COMMONLIBRARYCODE

Download Yara Rule

APIs

__freea.LIBCMT ref: 000F10F9
__freea.LIBCMT ref: 000F1117

Part of subcall function 000F1537: _free.LIBCMT ref: 000F154F

Strings

am/pm, xrefs: 000F117A
a/p, xrefs: 000F11DE

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID: __freea$_free
String ID: a/p$am/pm
API String ID: 3432400110-3206640213
Opcode ID: 043d16d4f16c46e711c3da1ee47e154d5f24f58a6ab5c6f830f73b0eabe8a73c
Instruction ID: 9ff2737b3f115868abc35045696de635fece3b78efbb9eb3296ba5fd037f80c1
Opcode Fuzzy Hash: 043d16d4f16c46e711c3da1ee47e154d5f24f58a6ab5c6f830f73b0eabe8a73c
Instruction Fuzzy Hash: C3D1DE7190020EDADB688F68C855AFEB7F1FF05310F280119EB01ABE91D7759E80EB91

Function 0013910C Relevance: 7.4, APIs: 3, Strings: 1, Instructions: 383COMMON

Download Yara Rule

APIs

Part of subcall function 000C7620: _wcslen.LIBCMT ref: 000C7625

Part of subcall function 000C6B57: _wcslen.LIBCMT ref: 000C6B6A

_wcslen.LIBCMT ref: 00139506
_wcslen.LIBCMT ref: 0013952D
7523D1A0.COMDLG32(00000058), ref: 00139585

Strings

X, xrefs: 00139412

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID: _wcslen$7523
String ID: X
API String ID: 1414850397-3081909835
Opcode ID: d4989b25f28c7665dbb988ca9ce39763fba8b131cde86687fb012eb0428abdf3
Instruction ID: 0547a395e86a7e0e2b814b578077bf1b9d020eb49b106e16dfb5cd973466fecb
Opcode Fuzzy Hash: d4989b25f28c7665dbb988ca9ce39763fba8b131cde86687fb012eb0428abdf3
Instruction Fuzzy Hash: E3E16B716083409FD724EF24C885BAEB7E4BF85314F04896DF8899B2A2DB71DD45CB92

Function 00147B7E Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 230COMMON

Download Yara Rule

APIs

Part of subcall function 000E0242: RtlEnterCriticalSection.NTDLL(0019070C), ref: 000E024D
Part of subcall function 000E0242: RtlLeaveCriticalSection.NTDLL(0019070C), ref: 000E028A

Part of subcall function 000C9CB3: _wcslen.LIBCMT ref: 000C9CBD

Part of subcall function 000E00A3: __onexit.LIBCMT ref: 000E00A9

__Init_thread_footer.LIBCMT ref: 00147BFB

Part of subcall function 000E01F8: RtlEnterCriticalSection.NTDLL(0019070C), ref: 000E0202
Part of subcall function 000E01F8: RtlLeaveCriticalSection.NTDLL(0019070C), ref: 000E0235

Strings

G, xrefs: 00147C7F
5, xrefs: 00147C78
Variable must be of type 'Object'., xrefs: 00147C3A

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit_wcslen
String ID: 5$G$Variable must be of type 'Object'.
API String ID: 535116098-3733170431
Opcode ID: fda4b939952021b6447c9c186eec047e93f9ddc143c5f1112adb95f374e0d3cd
Instruction ID: 50b11673c6e000f57f422b4bfd6d3b2de72804ca89b7037a0f5be6d29aeefad8
Opcode Fuzzy Hash: fda4b939952021b6447c9c186eec047e93f9ddc143c5f1112adb95f374e0d3cd
Instruction Fuzzy Hash: 61917870A04209EFCB14EF94D991DBDB7B2FF49304F148059F816AB2A2DB71AE85CB51

Function 00122716 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 121windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0012B403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,001221D0,?,?,00000034,00000800,?,00000034), ref: 0012B42D

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00122760

Part of subcall function 0012B3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,001221FF,?,?,00000800,?,00001073,00000000,?,?), ref: 0012B3F8

Part of subcall function 0012B32A: GetWindowThreadProcessId.USER32(?,?), ref: 0012B355
Part of subcall function 0012B32A: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00122194,00000034,?,?,00001004,00000000,00000000), ref: 0012B365
Part of subcall function 0012B32A: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00122194,00000034,?,?,00001004,00000000,00000000), ref: 0012B37B

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 001227CD
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 0012281A

Strings

@, xrefs: 00122832

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: b0543f6659b844c0bdff4520ecda633bfcd878c939e7a1a61d27224bea4ea4ab
Instruction ID: 70930119dd3e87963004a217d3f5ebc86fc4ec36f4c91b555ef1675440e5438a
Opcode Fuzzy Hash: b0543f6659b844c0bdff4520ecda633bfcd878c939e7a1a61d27224bea4ea4ab
Instruction Fuzzy Hash: 27412D72900228BFDB10DFA4DD81ADEBBB8EF15300F004059FA55B7181DB706E55CBA0

Function 000F172E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 115COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\xom6WSISuh.exe,00000104), ref: 000F1769
_free.LIBCMT ref: 000F1834
_free.LIBCMT ref: 000F183E

Strings

C:\Users\user\Desktop\xom6WSISuh.exe, xrefs: 000F1760, 000F1767, 000F1796, 000F17CE

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\xom6WSISuh.exe
API String ID: 2506810119-2306960568
Opcode ID: fd16331fffe92521b29b14be3ce279180464d5f3c51c284caa414dd160e7b248
Instruction ID: 7f61819c330f8462a6a59cbfc0f545b0390fb2cb257e425d46d215a8891373c1
Opcode Fuzzy Hash: fd16331fffe92521b29b14be3ce279180464d5f3c51c284caa414dd160e7b248
Instruction Fuzzy Hash: 3D31B171A0430DFFCB21EB999981DEEBBFCEB84350F244166E60497611DB704A81EB90

Function 0012C27D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 0012C306
DeleteMenu.USER32(?,00000007,00000000), ref: 0012C34C
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00191990,00B624A8), ref: 0012C395

Strings

0, xrefs: 0012C2DF

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID: Menu$Delete$InfoItem
String ID: 0
API String ID: 135850232-4108050209
Opcode ID: dc44fa1bf618d321511555fac3bb8570c6593337219b7d804a0c28d7e7b4c4f5
Instruction ID: 523b40525d9952b4af78ab7dcca7c7262adc0419d9965458090293cb29807037
Opcode Fuzzy Hash: dc44fa1bf618d321511555fac3bb8570c6593337219b7d804a0c28d7e7b4c4f5
Instruction Fuzzy Hash: 3041BE312043519FD724DF25E884B6EBBE8BF95320F008A1DFAA5972D1D730E914CBA2

Function 00154416 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 106COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,0015CC08,00000000,?,?,?,?), ref: 001544AA
GetWindowLongW.USER32 ref: 001544C7
SetWindowLongW.USER32(?,000000F0,00000000), ref: 001544D7

Strings

SysTreeView32, xrefs: 0015447C

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: 747af6f29087c012aa78ee1dbd2d111aff8b9a976bd71cbff5207acd95741866
Instruction ID: 008eebb42409e0576dcacfa4fa424bdf95839a0324d4a0a2903df519f44eae17
Opcode Fuzzy Hash: 747af6f29087c012aa78ee1dbd2d111aff8b9a976bd71cbff5207acd95741866
Instruction Fuzzy Hash: 74319A31250205AFDF208E78DC45BEA7BA9EB08329F204315FD79A62E1D770EC949B50

Function 0014304E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0014335B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,00143077,?,?), ref: 00143378

inet_addr.WS2_32(?), ref: 0014307A
_wcslen.LIBCMT ref: 0014309B
htons.WS2_32(00000000), ref: 00143106

Strings

255.255.255.255, xrefs: 00143095, 0014309A

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID: ByteCharMultiWide_wcslenhtonsinet_addr
String ID: 255.255.255.255
API String ID: 946324512-2422070025
Opcode ID: c07e8c51cce65bdd1e7adcec94da97f2596211176323a22774eb13daff32ffe8
Instruction ID: a4e3dd74fed773adbd3ca7eebdfeab234d7cae1586d240215074856e37dda9e0
Opcode Fuzzy Hash: c07e8c51cce65bdd1e7adcec94da97f2596211176323a22774eb13daff32ffe8
Instruction Fuzzy Hash: 5B31D335200301DFDB14CF68C585EAA77E0EF54318F258199E9259B7A2DB72EE45C760

Function 00154653 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 87windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 00154705
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 00154713
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 0015471A

Strings

msctls_updown32, xrefs: 00154684

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: 4c31d95b911a3ce46d5df0eeb5b4ea630a0cbd6238381749c004429b2ececc5c
Instruction ID: aa443d9501adfe21d493926a497dd7507c36f0f4683adc80a7ffe76e66c93316
Opcode Fuzzy Hash: 4c31d95b911a3ce46d5df0eeb5b4ea630a0cbd6238381749c004429b2ececc5c
Instruction Fuzzy Hash: 0F219DB5600209EFEB11DF64DCC1DAB37ADEB5A3A9B000059FA109B391CB31EC95CB60

Function 001295AD Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 85COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0012961D

Strings

#OnAutoItStartRegister, xrefs: 001295F3
#requireadmin, xrefs: 001295D9
#notrayicon, xrefs: 001295B7

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID: _wcslen
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 176396367-2734436370
Opcode ID: dc73a6dbbd06fd1760a6b657bbbd71e1dbef1148ae0f06cf8e2aaf8b44bfcc6f
Instruction ID: ad928abcc11afc8ffc2156ec46df360a1d8a20d7717e3842be08f86c2112a0b5
Opcode Fuzzy Hash: dc73a6dbbd06fd1760a6b657bbbd71e1dbef1148ae0f06cf8e2aaf8b44bfcc6f
Instruction Fuzzy Hash: 4E215B32204271AAD331AB2DFC02FFB73D89F51300F10402AF949AB142EB919D66C3E5

Function 001537B7 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00153840
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00153850
MoveWindow.USER32(00000000,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00153876

Strings

Listbox, xrefs: 0015380F

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: d1671245cb824bf490c8afab56ad8b7710bcdec5de20ac3349efe6b1bede9d79
Instruction ID: 574e02928c6f4db7d5f51248f384777508bc7868c7f975050815be77ba51897d
Opcode Fuzzy Hash: d1671245cb824bf490c8afab56ad8b7710bcdec5de20ac3349efe6b1bede9d79
Instruction Fuzzy Hash: FB21B072600218BFEB218F64CC81FAB376AEF89791F108114F9209B190C771DC568BA0

Function 001349F4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00134A08
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00134A5C
SetErrorMode.KERNEL32(00000000,?,?,0015CC08), ref: 00134AD0

Strings

%lu, xrefs: 00134A6F

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID: ErrorMode$InformationVolume
String ID: %lu
API String ID: 2507767853-685833217
Opcode ID: c01b3b549fd5f3c7f4934146e7db6ed561eaa38b00ca204107a59e0731434159
Instruction ID: 0e5db63174e46a988f02dcb8bfa8abe603817a94f7101d25dcce764a3d2a8685
Opcode Fuzzy Hash: c01b3b549fd5f3c7f4934146e7db6ed561eaa38b00ca204107a59e0731434159
Instruction Fuzzy Hash: D4310F75A00209AFDB10DF54C985EAE7BF8EF05308F148099F909DB252D775ED45CBA1

Function 001541EB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 0015424F
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00154264
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00154271

Strings

msctls_trackbar32, xrefs: 00154226

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: fb6870eb4be131d63185a13d7aaef574b1b18b731b0d4fee5848c548c3c34228
Instruction ID: 5b6f855c76627bf5a90325cf00ac2cd44854ade436af67b35a9d4144a8241623
Opcode Fuzzy Hash: fb6870eb4be131d63185a13d7aaef574b1b18b731b0d4fee5848c548c3c34228
Instruction Fuzzy Hash: CB11E331240208BFEF205F29DC46FAB3BACEF95B59F110114FA65EA090D371D8919B20

Function 00122F52 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

Part of subcall function 000C6B57: _wcslen.LIBCMT ref: 000C6B6A

Part of subcall function 00122DA7: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00122DC5
Part of subcall function 00122DA7: GetWindowThreadProcessId.USER32(?,00000000), ref: 00122DD6
Part of subcall function 00122DA7: GetCurrentThreadId.KERNEL32 ref: 00122DDD
Part of subcall function 00122DA7: AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00122DE4

GetFocus.USER32 ref: 00122F78

Part of subcall function 00122DEE: GetParent.USER32(00000000), ref: 00122DF9

GetClassNameW.USER32(?,?,00000100), ref: 00122FC3
EnumChildWindows.USER32(?,0012303B), ref: 00122FEB

Strings

%s%d, xrefs: 00122FFF

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows_wcslen
String ID: %s%d
API String ID: 1272988791-1110647743
Opcode ID: 136d2123c2a548f9963da30c590a623b0fff2486d091bb46ef6446261c4c9e76
Instruction ID: 29ee919053ab3be76429d9a3aef2dd747c3e7158eaece97f74d3d6217bae698d
Opcode Fuzzy Hash: 136d2123c2a548f9963da30c590a623b0fff2486d091bb46ef6446261c4c9e76
Instruction Fuzzy Hash: B511E471200319ABCF14BFB09C95EEE37AAAF94304F044079F9199B252DF349A598B70

Function 00155882 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,?,?,00000030), ref: 001558C1
SetMenuItemInfoW.USER32(?,?,?,00000030), ref: 001558EE
DrawMenuBar.USER32(?), ref: 001558FD

Strings

0, xrefs: 0015588F

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID: Menu$InfoItem$Draw
String ID: 0
API String ID: 3227129158-4108050209
Opcode ID: 74dbfb4df364aab463f9c4f0b31fa456bbdb365fa673669b932b6849da631229
Instruction ID: 7d0618f89a3d9d2315dbd96690bdd18838041d9f533b5ef3c993916515b91bcb
Opcode Fuzzy Hash: 74dbfb4df364aab463f9c4f0b31fa456bbdb365fa673669b932b6849da631229
Instruction Fuzzy Hash: 6B016131500318EFDB119F51DC44BAEBBB5FB45366F108099E859DA261EB348A84DF71

Function 0011D3A0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 27libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,GetSystemWow64DirectoryW), ref: 0011D3BF
FreeLibrary.KERNEL32 ref: 0011D3E5

Strings

GetSystemWow64DirectoryW, xrefs: 0011D3B9
X64, xrefs: 0011D2A8

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID: AddressFreeLibraryProc
String ID: GetSystemWow64DirectoryW$X64
API String ID: 3013587201-2590602151
Opcode ID: 67a9246ead4631ef90ec1755aafb41c8aa3cf42b837e57bbe9d318bdab56b602
Instruction ID: 843111912f1cd98d8e6a3c2ae258016f35b64ec2cf95ae0fd5d02685cc91741b
Opcode Fuzzy Hash: 67a9246ead4631ef90ec1755aafb41c8aa3cf42b837e57bbe9d318bdab56b602
Instruction Fuzzy Hash: D0F0ECB5415B11DAD77C56109CC89E93314BF11711F658177E033F5095EB70C9C1C692

Function 0012007F Relevance: 6.3, APIs: 4, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa20f8bdc32a29c9d9bf954c5b369f69decf51bbd6bfbc091d69c41e32cf6e24
Instruction ID: 140dc9c4427a502f4f04f1e133e49f68c32d01f4728729ef2b451d28bd17b72d
Opcode Fuzzy Hash: fa20f8bdc32a29c9d9bf954c5b369f69decf51bbd6bfbc091d69c41e32cf6e24
Instruction Fuzzy Hash: A4C18D75A0022AEFDB05CFA4D894EAEB7B5FF48304F118698E405EB252C731ED91CB90

Function 0014342E Relevance: 6.3, APIs: 4, Instructions: 257COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00143459
CoUninitialize.COMBASE ref: 00143463
VariantInit.OLEAUT32(?), ref: 0014346E
VariantClear.OLEAUT32(?), ref: 0014371B

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID: Variant$ClearInitInitializeUninitialize
String ID:
API String ID: 1998397398-0
Opcode ID: 8c2ff499e8f9ac70b36e945e77a782bb36e563d3b2985c5723c2c4b8ab7ce4cd
Instruction ID: d4f2990d62423e16dbac07b43c11ac4cb43829ad6fffd25b553ebb2a4d181417
Opcode Fuzzy Hash: 8c2ff499e8f9ac70b36e945e77a782bb36e563d3b2985c5723c2c4b8ab7ce4cd
Instruction Fuzzy Hash: D9A112756047019FCB00DF28C585A6EB7E5EF88724F05885DF99A9B362DB70EE01CB92

Function 00120436 Relevance: 6.2, APIs: 4, Instructions: 230COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.COMBASE(?,00000000), ref: 001205F0
CoTaskMemFree.COMBASE(00000000), ref: 00120608
CLSIDFromProgID.COMBASE(?,?), ref: 0012062D
_memcmp.LIBVCRUNTIME ref: 0012064E

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: e9fd9455bc94be2cb42aa23e6b3f3882285749722879432e31fa64b6e16a5f9c
Instruction ID: 74666082e43c0e102d0f7c99f6ecfe4c9a757a4207b8a6abcef4088b6c1984f7
Opcode Fuzzy Hash: e9fd9455bc94be2cb42aa23e6b3f3882285749722879432e31fa64b6e16a5f9c
Instruction Fuzzy Hash: A9813C71A00219EFCB05DF94C988EEEB7B9FF89315F204558E506AB251DB71AE06CF60

Function 00101391 Relevance: 6.2, APIs: 4, Instructions: 152COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 001014C0

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 20006c60b6ff4c69f743f3d51e61689b1acd8af8ef532028a3dcc48716b998bf
Instruction ID: 4652eee0b3faf86ad37614c447c0efcde027551edf4762597d85d63f4cea990a
Opcode Fuzzy Hash: 20006c60b6ff4c69f743f3d51e61689b1acd8af8ef532028a3dcc48716b998bf
Instruction Fuzzy Hash: B8413931A00505BFDB256FB98C45AFE3AA4FF52330F144229F958D71E3EBB888419262

Function 00156278 Relevance: 6.1, APIs: 4, Instructions: 138COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(00B6E880,?), ref: 001562E2
ScreenToClient.USER32(?,?), ref: 00156315
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,?,?,?), ref: 00156382

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: cf7aa37cb3f36a3621df46b684cd979d749c9ad3f7c6f0e9666e4e1bdbb2282b
Instruction ID: e32eddbc66bb03d23f336c6588e703a1f37e9a81fea50f6ac3c6e529ce3953c8
Opcode Fuzzy Hash: cf7aa37cb3f36a3621df46b684cd979d749c9ad3f7c6f0e9666e4e1bdbb2282b
Instruction Fuzzy Hash: 2E513D74A00209EFCF10DF68D881AAE7BB5FF55365F508169F8699B2A0D730ED85CB90

Function 000FB41F Relevance: 6.1, APIs: 4, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa26b9a0038ebd457965aadf402db539ef03af945ade92458bcb4317f3f4152d
Instruction ID: 8ef4029f8a1e02ad19b60985b5ab059d78e893697a79cbee99464319d5e06b3a
Opcode Fuzzy Hash: aa26b9a0038ebd457965aadf402db539ef03af945ade92458bcb4317f3f4152d
Instruction Fuzzy Hash: B441E976900708BFD724AF38CD41BBE7BE9EB84710F10452AF651DBA82D775A9019B80

Function 001356D9 Relevance: 6.1, APIs: 4, Instructions: 110fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00135783
GetLastError.KERNEL32(?,00000000), ref: 001357A9
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 001357CE
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 001357FA

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: 2969d0fd16115a25dcc9b1f2a89905a0279fe264521c9bd9304380a5ec690e9d
Instruction ID: cb0e92969092b4d44ad96ee3edcce2164422ffc7cbc21b11be961ed8967da12c
Opcode Fuzzy Hash: 2969d0fd16115a25dcc9b1f2a89905a0279fe264521c9bd9304380a5ec690e9d
Instruction Fuzzy Hash: BF411739600A10DFCB11EF15C445A5EBBE2EF89720F598498E84AAB362CB70FD41DF91

Function 000FD8C3 Relevance: 6.1, APIs: 4, Instructions: 110COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,8BE85006,000E6D71,00000000,00000000,000E82D9,?,000E82D9,?,00000001,000E6D71,8BE85006,00000001,000E82D9,000E82D9), ref: 000FD910
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 000FD999
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 000FD9AB
__freea.LIBCMT ref: 000FD9B4

Part of subcall function 000F3820: RtlAllocateHeap.NTDLL(00000000,?,00191444), ref: 000F3852

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: 0f0833421b00e9986f9bc391eb160dbcc1fa2b18ca91cb720d65ff05d23a97e1
Instruction ID: 800333e01272c33c5e6cf6d94e5971878e2b06d3dc1a670259845a8cab23f6a6
Opcode Fuzzy Hash: 0f0833421b00e9986f9bc391eb160dbcc1fa2b18ca91cb720d65ff05d23a97e1
Instruction Fuzzy Hash: EE31CE72A0020AAFDB259FA5DC45EFE7BA6EB40310B05416AFD04DA151EB75CE50DBA0

Function 001552C1 Relevance: 6.1, APIs: 4, Instructions: 104windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001024,00000000,?), ref: 00155352
GetWindowLongW.USER32(?,000000F0), ref: 00155375
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00155382
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 001553A8

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID: LongWindow$InvalidateMessageRectSend
String ID:
API String ID: 3340791633-0
Opcode ID: 54f38615145cc719df36c6efe18e0f95a45c8edd91cb99ee773a10ef868928b9
Instruction ID: e78f15492936e14a999a339069147b8eb0fa61a4856b8523ca8560d0f9d27364
Opcode Fuzzy Hash: 54f38615145cc719df36c6efe18e0f95a45c8edd91cb99ee773a10ef868928b9
Instruction Fuzzy Hash: 6631B434A55A08EFEB749F14CC25BE83767BB043D2F584112FE299E2E1C7B09988D741

Function 0012AB9C Relevance: 6.1, APIs: 4, Instructions: 103keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,75C0C0D0,?,00008000), ref: 0012ABF1
SetKeyboardState.USER32(00000080,?,00008000), ref: 0012AC0D
PostMessageW.USER32(00000000,00000101,00000000), ref: 0012AC74
SendInput.USER32(00000001,?,0000001C,75C0C0D0,?,00008000), ref: 0012ACC6

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: e275dc8c3266b06bc4737ba39e0e89b6846a6ac07d4d248c82eb9b94ccf5461b
Instruction ID: f4af0d687ffba7f4fffba653c7e76c2b9bd81ed11d6b7b080cb0c1110595987c
Opcode Fuzzy Hash: e275dc8c3266b06bc4737ba39e0e89b6846a6ac07d4d248c82eb9b94ccf5461b
Instruction Fuzzy Hash: FB312830A04328AFFF38CF64EC047FE7BA5AF85310F84421AE481562D1C3749AB58792

Function 00157674 Relevance: 6.1, APIs: 4, Instructions: 102windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 0015769A
GetWindowRect.USER32(?,?), ref: 00157710
PtInRect.USER32(?,?,00158B89), ref: 00157720
MessageBeep.USER32(00000000), ref: 0015778C

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: 7f46257fa5d0b57ed5d4011eb64d81bcc205696a05a9053bbf202423a061e4d2
Instruction ID: 7735b5eb68cd4792f07715b995a37310c8838926209ed6c65e6301c6f1348354
Opcode Fuzzy Hash: 7f46257fa5d0b57ed5d4011eb64d81bcc205696a05a9053bbf202423a061e4d2
Instruction Fuzzy Hash: 5841AF34605255EFCB02CF58E89AEA977F4FB49306F1540A9E8249F2A1C330A989CF90

Function 001516DA Relevance: 6.1, APIs: 4, Instructions: 101COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 001516EB

Part of subcall function 00123A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00123A57
Part of subcall function 00123A3D: GetCurrentThreadId.KERNEL32 ref: 00123A5E
Part of subcall function 00123A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,001225B3), ref: 00123A65

GetCaretPos.USER32(?), ref: 001516FF
ClientToScreen.USER32(00000000,?), ref: 0015174C
GetForegroundWindow.USER32 ref: 00151752

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: 7525dd0112dd8b72b2adfc673519dcc830772e909257143bd7f48ce3c2579857
Instruction ID: e39e0f7ba58f6ddae5272824f5c4e81efb0b9350a501799bd9d0c371b9ad6cf0
Opcode Fuzzy Hash: 7525dd0112dd8b72b2adfc673519dcc830772e909257143bd7f48ce3c2579857
Instruction Fuzzy Hash: 53314371D00249AFD700DFA9C881DEEB7F9EF48304B50806DE425E7212D7359E45CBA0

Function 0012D4DC Relevance: 6.1, APIs: 4, Instructions: 86processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0012D501
Process32FirstW.KERNEL32(00000000,?), ref: 0012D50F
Process32NextW.KERNEL32(00000000,?), ref: 0012D52F
CloseHandle.KERNEL32(00000000), ref: 0012D5DC

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: 401e9615c1a488a16f111969d39878b2e60b2ff885b9ffe9b0cfba81e119978f
Instruction ID: 89d8c9e9ba4e58502fd5f0b023bf39af2253e79737c76553f1c4cda71f1892f0
Opcode Fuzzy Hash: 401e9615c1a488a16f111969d39878b2e60b2ff885b9ffe9b0cfba81e119978f
Instruction Fuzzy Hash: 3D317E711083019FD300EF54E885EAFBBF8EF99354F54092DF581861A2EB719999CBA2

Function 0012D2C1 Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,0015CB68), ref: 0012D2FB
GetLastError.KERNEL32 ref: 0012D30A
CreateDirectoryW.KERNEL32(?,00000000), ref: 0012D319
CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,0015CB68), ref: 0012D376

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast
String ID:
API String ID: 2267087916-0
Opcode ID: 93ac2561c79dbd02d24f8c48d340666f8d7e019d90b3aa6e9c735d911a3b78e4
Instruction ID: 7de5004ab907fa81fbd86cfe9ee96c98003c06da25edb7d2fe8a1c59cbf8080e
Opcode Fuzzy Hash: 93ac2561c79dbd02d24f8c48d340666f8d7e019d90b3aa6e9c735d911a3b78e4
Instruction Fuzzy Hash: 0F218DB0508311DF8310DF28E8859AE77E4FF56364F504A1DF499C72A2DB309959CB93

Function 00121571 Relevance: 6.1, APIs: 4, Instructions: 78memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00121014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 0012102A
Part of subcall function 00121014: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00121036
Part of subcall function 00121014: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00121045
Part of subcall function 00121014: RtlAllocateHeap.NTDLL(00000000,?,TokenIntegrityLevel), ref: 0012104C
Part of subcall function 00121014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00121062

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 001215BE
_memcmp.LIBVCRUNTIME ref: 001215E1
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00121617
HeapFree.KERNEL32(00000000), ref: 0012161E

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocateErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 2182266621-0
Opcode ID: 27cb08893f6e0cb4468aeb374ebddc55911b81b841cfda1198cceb776dba9141
Instruction ID: d126fd11002577295b32230b9097f9d08f6cdeba1b885667c998cf28184cb005
Opcode Fuzzy Hash: 27cb08893f6e0cb4468aeb374ebddc55911b81b841cfda1198cceb776dba9141
Instruction Fuzzy Hash: 2B219A31E00218FFDF00DFA4D945BEEB7B8EFA4355F188499E441AB241E770AA55CBA0

Function 00152782 Relevance: 6.1, APIs: 4, Instructions: 75COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 0015280A
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00152824
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00152832
SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 00152840

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID: Window$Long$AttributesLayered
String ID:
API String ID: 2169480361-0
Opcode ID: 80fb0bbd3dbbcf073f23285c8db3f48167c5ab51ed9014e8c4774e494f9c3366
Instruction ID: 31bba675f517956098f32396970f04f6ead17580ba6388db52125dfec78a8eab
Opcode Fuzzy Hash: 80fb0bbd3dbbcf073f23285c8db3f48167c5ab51ed9014e8c4774e494f9c3366
Instruction Fuzzy Hash: 89219032204611EFD714DB24C845FAA7B95AF56325F14815CF8268F6A2C771EC86C7D0

Function 001278F5 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 71stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00128D7D: lstrlenW.KERNEL32(?,00000002,000000FF,?,?,?,0012790A,?,000000FF,?,00128754,00000000,?,0000001C,?,?), ref: 00128D8C
Part of subcall function 00128D7D: lstrcpyW.KERNEL32(00000000,?,?,0012790A,?,000000FF,?,00128754,00000000,?,0000001C,?,?,00000000), ref: 00128DB2
Part of subcall function 00128D7D: lstrcmpiW.KERNEL32(00000000,?,0012790A,?,000000FF,?,00128754,00000000,?,0000001C,?,?), ref: 00128DE3

lstrlenW.KERNEL32(?,00000002,000000FF,?,000000FF,?,00128754,00000000,?,0000001C,?,?,00000000), ref: 00127923
lstrcpyW.KERNEL32(00000000,?,?,00128754,00000000,?,0000001C,?,?,00000000), ref: 00127949
lstrcmpiW.KERNEL32(00000002,cdecl,?,00128754,00000000,?,0000001C,?,?,00000000), ref: 00127984

Strings

cdecl, xrefs: 0012797B

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: 1434f511678d5548b00eb8c569a4d9291541135254114f9e296fa7ffbcdc5a54
Instruction ID: d70b34c5b0f10afbbbd4f46f774ee419498087b9d379920309a3baf5129099bb
Opcode Fuzzy Hash: 1434f511678d5548b00eb8c569a4d9291541135254114f9e296fa7ffbcdc5a54
Instruction Fuzzy Hash: DA11063A200352AFCF156F34E844D7B77A5FF45364B00402AF906CB3A4EB319861C7A1

Function 00157CC2 Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000F0), ref: 00157D0B
SetWindowLongW.USER32(00000000,000000F0,?), ref: 00157D2A
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 00157D42
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,0013B7AD,00000000), ref: 00157D6B

Part of subcall function 000D9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 000D9BB2

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID: Window$Long
String ID:
API String ID: 847901565-0
Opcode ID: b07def83a732ce2c5b7493330ad9c766716cb3200f902db2e6d88344ddbb0e62
Instruction ID: 5a7aff582a56e7f79f0d2a86fb57e34c2a14909572f3aea7f97950f7522ef3d5
Opcode Fuzzy Hash: b07def83a732ce2c5b7493330ad9c766716cb3200f902db2e6d88344ddbb0e62
Instruction Fuzzy Hash: CB11CD31214755EFCB108FA8EC04AAA3BA5BF45362B114729FC39DB2F0E7319994CB90

Function 00155660 Relevance: 6.1, APIs: 4, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001060,?,00000004), ref: 001556BB
_wcslen.LIBCMT ref: 001556CD
_wcslen.LIBCMT ref: 001556D8
SendMessageW.USER32(?,00001002,00000000,?), ref: 00155816

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID: MessageSend_wcslen
String ID:
API String ID: 455545452-0
Opcode ID: af647d079aa09a203a97e73b22a0d42befb2ff658070f527994e19e6ed4c3751
Instruction ID: faedacecb7b079ceddde45aa54d454b7b6c40150e6d5d40cfb788fd7c018558e
Opcode Fuzzy Hash: af647d079aa09a203a97e73b22a0d42befb2ff658070f527994e19e6ed4c3751
Instruction Fuzzy Hash: 2B11D671A00604EADF209F61CC95AEE777CEF10766B104026FD25EE081E770CA88CB60

Function 001214CE Relevance: 6.1, APIs: 4, Instructions: 64processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 001214FF
OpenProcessToken.ADVAPI32(00000000), ref: 00121506
CloseHandle.KERNEL32(00000004), ref: 00121520
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0012154F

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID: Process$CloseCreateCurrentHandleLogonOpenTokenWith
String ID:
API String ID: 2621361867-0
Opcode ID: 5f6227ca41c7a357fd9a5bced16900bdc6ac5e9e21e80d740f867c981fedea63
Instruction ID: cb742495d1963dfb0d85c21db20141a912d1e92036ecb8521de50a4011a17f11
Opcode Fuzzy Hash: 5f6227ca41c7a357fd9a5bced16900bdc6ac5e9e21e80d740f867c981fedea63
Instruction Fuzzy Hash: EA11447250024DFFDB11CFA8ED49BDA7BA9EB48705F044064FA05A60A0C3718EA0DBA0

Function 000F1D09 Relevance: 6.1, APIs: 4, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 55688b62effe2a5526434a2b6cde107393a47df57199f0d6ff63fc0dccb49a8a
Instruction ID: 17f1165609386c9880958cafff686437077eeedb8aefa3da2af135f126e44036
Opcode Fuzzy Hash: 55688b62effe2a5526434a2b6cde107393a47df57199f0d6ff63fc0dccb49a8a
Instruction Fuzzy Hash: 860162B2209A1EBEF7611A786CC1FB766ADDF413B8B341325F721A59D2DB608C4061A0

Function 00121A27 Relevance: 6.1, APIs: 4, Instructions: 56windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 00121A47
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00121A59
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00121A6F
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00121A8A

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 811310a1a073faea1d2f31a124a8ff5fb0b913483f95f63b88b2af4e1bb4b92e
Instruction ID: 2a1c6cc10cb1535b7567c54c1578c6e0190e2377408007e2864dc69f3e32ea59
Opcode Fuzzy Hash: 811310a1a073faea1d2f31a124a8ff5fb0b913483f95f63b88b2af4e1bb4b92e
Instruction Fuzzy Hash: 7411273A901229FFEB10DBA4C985FADBB79EB18750F2000A1EA00B7290D7716E50DB94

Function 0012E1D6 Relevance: 6.1, APIs: 4, Instructions: 55synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0012E1FD
MessageBoxW.USER32(?,?,?,?), ref: 0012E230
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 0012E246
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 0012E24D

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait
String ID:
API String ID: 2880819207-0
Opcode ID: 3d734a48f17922cf81408f9437a9ed0347efa1c29a1790564d02ed5847dd1a2a
Instruction ID: 4b048ef6537beb9f3771a9c4f19a2ca6e3e785e662c5c371fd38efd24893f06f
Opcode Fuzzy Hash: 3d734a48f17922cf81408f9437a9ed0347efa1c29a1790564d02ed5847dd1a2a
Instruction Fuzzy Hash: 36110876904365FFC7019FA8AC05A9E7FADEB45321F10421AF925E7691D3708A808BA0

Function 000ED1CC Relevance: 6.1, APIs: 4, Instructions: 55threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,?,000ECFF9,00000000,00000004,00000000), ref: 000ED218
GetLastError.KERNEL32 ref: 000ED224
__dosmaperr.LIBCMT ref: 000ED22B
ResumeThread.KERNEL32(00000000), ref: 000ED249

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID: Thread$CreateErrorLastResume__dosmaperr
String ID:
API String ID: 173952441-0
Opcode ID: b434d752c6325948d743f7add12bbbcfb04c669eaeaabc487adf65799818043c
Instruction ID: 3b61852498900c805f8ae008adc19dc925eaf45c920757402f8faf70ffc9c5de
Opcode Fuzzy Hash: b434d752c6325948d743f7add12bbbcfb04c669eaeaabc487adf65799818043c
Instruction Fuzzy Hash: B8012636805248BFC7205FA7DC05BAE3B69EF81331F10025EFA24A61D1CB718841D6A0

Function 000C600E Relevance: 6.1, APIs: 4, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 000C604C
GetStockObject.GDI32(00000011), ref: 000C6060
SendMessageW.USER32(00000000,00000030,00000000), ref: 000C606A

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID: CreateMessageObjectSendStockWindow
String ID:
API String ID: 3970641297-0
Opcode ID: 43ad090990e3f323d80fdff850e9843c3206a44b05aad776b21f13872f2660f9
Instruction ID: 1287eeaf26e87f2f87df580236384bf742f0935efe4cb483226055f0253edbeb
Opcode Fuzzy Hash: 43ad090990e3f323d80fdff850e9843c3206a44b05aad776b21f13872f2660f9
Instruction Fuzzy Hash: DA115E72501609FFEF224F949C54FEF7BA9EF1C355F150115FA1466150D732ACA09B90

Function 000E3B3C Relevance: 6.1, APIs: 4, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 000E3B56

Part of subcall function 000E3AA3: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 000E3AD2
Part of subcall function 000E3AA3: ___AdjustPointer.LIBCMT ref: 000E3AED

_UnwindNestedFrames.LIBCMT ref: 000E3B6B
__FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 000E3B7C
CallCatchBlock.LIBVCRUNTIME ref: 000E3BA4

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
String ID:
API String ID: 737400349-0
Opcode ID: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction ID: c29a8c94b6cfaf17b75cc823f3b5dc4f8d5095e70e9e3b454a061cd1d8282620
Opcode Fuzzy Hash: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction Fuzzy Hash: D7010072100189BFDF125E96CC46DEB7F6DEF98754F044054FE4866122C736D961DBA0

Function 000F3073 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,000C13C6,00000000,00000000,?,000F301A,000C13C6,00000000,00000000,00000000,?,000F328B,00000006,FlsSetValue), ref: 000F30A5
GetLastError.KERNEL32(?,000F301A,000C13C6,00000000,00000000,00000000,?,000F328B,00000006,FlsSetValue,00162290,FlsSetValue,00000000,00000364,?,000F2E46), ref: 000F30B1
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,000F301A,000C13C6,00000000,00000000,00000000,?,000F328B,00000006,FlsSetValue,00162290,FlsSetValue,00000000), ref: 000F30BF

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: ff07ab37262f860fc2557e2879dcb3638503e50973fbb78ceb9241d9035d9ae2
Instruction ID: 53ac30f2727a46e474d74fc2f41a2414431a5e6f4fad5538246ab4a681c15bc7
Opcode Fuzzy Hash: ff07ab37262f860fc2557e2879dcb3638503e50973fbb78ceb9241d9035d9ae2
Instruction Fuzzy Hash: 0801D43230132AEFCB714AB99C54A7B7BD8AF05BB1B100621FA05E7A40CF21D981D6E0

Function 00127464 Relevance: 6.1, APIs: 4, Instructions: 51registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000), ref: 0012747F
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 00127497
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 001274AC
RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 001274CA

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID: Type$Register$FileLoadModuleNameUser
String ID:
API String ID: 1352324309-0
Opcode ID: e0d782357d96183525a9970bf71ad673c62f5da785eb7c7dd8b19098ab955b4d
Instruction ID: 9d8086fe413ae227ab718cfb27d500ed43ed01ce1fa985791dede7bef7940d57
Opcode Fuzzy Hash: e0d782357d96183525a9970bf71ad673c62f5da785eb7c7dd8b19098ab955b4d
Instruction Fuzzy Hash: 1011C0B1209360EFE720AF14EC08FA37FFCEB00B00F108569A616DA591D7B0E954DBA1

Function 0012B0A8 Relevance: 6.0, APIs: 4, Instructions: 50sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,0012ACD3,?,00008000), ref: 0012B0C4
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,0012ACD3,?,00008000), ref: 0012B0E9
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,0012ACD3,?,00008000), ref: 0012B0F3
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,0012ACD3,?,00008000), ref: 0012B126

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: 127bae2073eef5212a4aec2389173524c9b03542aa48fa38a4bda71aba130080
Instruction ID: 8b604d23a39c10258e0c71522f56c6206ee31d21a667480fc0f9c3630310d499
Opcode Fuzzy Hash: 127bae2073eef5212a4aec2389173524c9b03542aa48fa38a4bda71aba130080
Instruction Fuzzy Hash: 0E113C71C05A39DBCF04AFA4F9A86EEBB78FF09711F114085D941B6141CB3056608B95

Function 00157E14 Relevance: 6.0, APIs: 4, Instructions: 46COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00157E33
ScreenToClient.USER32(?,?), ref: 00157E4B
ScreenToClient.USER32(?,?), ref: 00157E6F
InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00157E8A

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID: ClientRectScreen$InvalidateWindow
String ID:
API String ID: 357397906-0
Opcode ID: 47c7042000d0ff6a0e89fa9e5e34e3cefcc10b5a25749bbaf7112c66411c214f
Instruction ID: 20b76d947c6cba400b91e069236fd0eb6c71874a52d5f973648dc3b81018dc83
Opcode Fuzzy Hash: 47c7042000d0ff6a0e89fa9e5e34e3cefcc10b5a25749bbaf7112c66411c214f
Instruction Fuzzy Hash: 151163B9D0024AEFDB41CF98C8859EEBBF5FB08311F104056E911E6610D734AA94CF90

Function 00122DA7 Relevance: 6.0, APIs: 4, Instructions: 34threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00122DC5
GetWindowThreadProcessId.USER32(?,00000000), ref: 00122DD6
GetCurrentThreadId.KERNEL32 ref: 00122DDD
AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00122DE4

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: fe62b11faf6eebfd1ff1998d2e3d8a3bbba2f1127e531f70895fa90fb17243ff
Instruction ID: 5380fb42fb313400a98b59ace4d83c881a7bb8eea34c155c187364d76db16aaa
Opcode Fuzzy Hash: fe62b11faf6eebfd1ff1998d2e3d8a3bbba2f1127e531f70895fa90fb17243ff
Instruction Fuzzy Hash: 50E06D72101338BBD7201BB2AC0DEEB3E6CEB42BA2F000015F105D95809AA48980C6F0

Function 00158863 Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 000D9639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 000D9693
Part of subcall function 000D9639: SelectObject.GDI32(?,00000000), ref: 000D96A2
Part of subcall function 000D9639: BeginPath.GDI32(?), ref: 000D96B9
Part of subcall function 000D9639: SelectObject.GDI32(?,00000000), ref: 000D96E2

MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 00158887
LineTo.GDI32(?,?,?), ref: 00158894
EndPath.GDI32(?), ref: 001588A4
StrokePath.GDI32(?), ref: 001588B2

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: b162f5da58bd7644744c4d41e9fe985549d364f8696e15ff2416bd6e9d59aca3
Instruction ID: 6545be7ec4a0f443d010cb5797108fecc51821cead222d374c7e470d1698f754
Opcode Fuzzy Hash: b162f5da58bd7644744c4d41e9fe985549d364f8696e15ff2416bd6e9d59aca3
Instruction Fuzzy Hash: 7DF05E3A041359FEDB126F94AC09FCE3F59AF06312F048001FA21694E2C7755591CFE5

Function 000D98B0 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 000D98CC
SetTextColor.GDI32(?,?), ref: 000D98D6
SetBkMode.GDI32(?,00000001), ref: 000D98E9
GetStockObject.GDI32(00000005), ref: 000D98F1

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID: Color$ModeObjectStockText
String ID:
API String ID: 4037423528-0
Opcode ID: 39645783c03668560f5a75dd4a5b5b7dfed226c259317220db9cef907625adf1
Instruction ID: baa82235b9ca9b3b9af8662e25601c4e15d631cbe32a8aa3b1eb3dad159c1b06
Opcode Fuzzy Hash: 39645783c03668560f5a75dd4a5b5b7dfed226c259317220db9cef907625adf1
Instruction Fuzzy Hash: 6CE06D31244780EEDB215F78AC09BE83F61AB52336F04822AF6FA585E1C77146809B21

Function 0012162B Relevance: 6.0, APIs: 4, Instructions: 22threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 00121634
OpenThreadToken.ADVAPI32(00000000,?,?,?,001211D9), ref: 0012163B
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,001211D9), ref: 00121648
OpenProcessToken.ADVAPI32(00000000,?,?,?,001211D9), ref: 0012164F

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: fe09611abc96e9289b93defb5327a4392ac0b843650aa8afca744ecf548353d7
Instruction ID: 17a9d7aa1a0c289c449be4845a2e8ace485ab1f83db82fc57ea32d14d129dadf
Opcode Fuzzy Hash: fe09611abc96e9289b93defb5327a4392ac0b843650aa8afca744ecf548353d7
Instruction Fuzzy Hash: EFE04F75602321EFD7601FA0AD0DB4B3B68AF54B92F144808F245CD080D7644480C790

Function 0011D858 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 0011D858
GetDC.USER32(00000000), ref: 0011D862
GetDeviceCaps.GDI32(00000000,0000000C), ref: 0011D882
ReleaseDC.USER32(?), ref: 0011D8A3

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 03e7dc9e5dab3e301f94913d416cc247cf520534a6236a2a3459ee746334dcde
Instruction ID: 9a3924759927e36a0dca458ba588ee91214ebe4874df88ef21ea076839b43e28
Opcode Fuzzy Hash: 03e7dc9e5dab3e301f94913d416cc247cf520534a6236a2a3459ee746334dcde
Instruction Fuzzy Hash: 62E01AB4800304DFCF419FA0D808A6DBBB1FB08312F108019F80AEB750C7384A82EF90

Function 0011D86C Relevance: 6.0, APIs: 4, Instructions: 18COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 0011D86C
GetDC.USER32(00000000), ref: 0011D876
GetDeviceCaps.GDI32(00000000,0000000C), ref: 0011D882
ReleaseDC.USER32(?), ref: 0011D8A3

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 1fbd7449d924112380fc5c11a3c303b26cef01a2226dbd0f7715ea39393b6115
Instruction ID: 08a75bbb2edbfb1cc04651fac4bcf8c057427ab7c7a0fbd6f2482ec3e94e6f0e
Opcode Fuzzy Hash: 1fbd7449d924112380fc5c11a3c303b26cef01a2226dbd0f7715ea39393b6115
Instruction Fuzzy Hash: BBE09A75800304DFCF519FA0D808A6DBBB5FB48712B148459F94AEB750C7385A42EF90

Function 00134D87 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 230shareCOMMON

Download Yara Rule

APIs

Part of subcall function 000C7620: _wcslen.LIBCMT ref: 000C7625

WNetUseConnectionW.MPR(00000000,?,0000002A,00000000,?,?,0000002A,?), ref: 00134ED4

Strings

LPT, xrefs: 00134DFB
*, xrefs: 00134E10

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID: Connection_wcslen
String ID: *$LPT
API String ID: 1725874428-3443410124
Opcode ID: 6c659d8f5f01c02657a153e754c37c44e1999e294d68def0d4b56f5fc42c3753
Instruction ID: 24ebeaa50edb660d248db61a0ccb75f3532bc65f69eb284c82933b61b7ac9c2f
Opcode Fuzzy Hash: 6c659d8f5f01c02657a153e754c37c44e1999e294d68def0d4b56f5fc42c3753
Instruction Fuzzy Hash: CD916C75A002049FCB14DF58C484EAEBBF5BF49304F198099E84A9F3A2C775EE85CB90

Function 00124D9F Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 223comCOMMON

Download Yara Rule

APIs

OleSetContainedObject.OLE32(?,00000001), ref: 00124F4B

Strings

AutoIt3GUI, xrefs: 00124EB3
Container, xrefs: 00124EBA

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID: ContainedObject
String ID: AutoIt3GUI$Container
API String ID: 3565006973-3941886329
Opcode ID: fd6523ff9edc1ba20af4c184b917a2212a50d2183d09ccf6b629cb89ec478723
Instruction ID: b5ad5789a9b20b51a81aacc992c48c42186161350d7709b43d89a733d5367dd4
Opcode Fuzzy Hash: fd6523ff9edc1ba20af4c184b917a2212a50d2183d09ccf6b629cb89ec478723
Instruction Fuzzy Hash: B4814870200711AFDB14DF68C984A6ABBF9FF48705F11856EF94ADB291DBB0E941CB60

Function 000EE27D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 000EE30D

Strings

pow, xrefs: 000EE2E5, 000EE302

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: 4adeffd14eb6958e17bbefbecd319c10e827a64c21c268e094347c8d824e7be0
Instruction ID: c54ebbc3772fa74029bb4fb1705591589a0170d3315e1822c3eb4bf75e924392
Opcode Fuzzy Hash: 4adeffd14eb6958e17bbefbecd319c10e827a64c21c268e094347c8d824e7be0
Instruction Fuzzy Hash: 0651C061A0C18E9ACB257B25CD053BD3BE4EB40740F3049A9E1D953AE9EB308CC1AA43

Function 000DE187 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 184COMMON

Download Yara Rule

Strings

#, xrefs: 000DE1B1

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: c7d6b4683fc727a100783c036e2fae0b82cda9dd39241364f056c724b4a6eaef
Instruction ID: 5ef1341e69ab29ea2f6c44a2419b71fb2108e780664abfd71c634dfaa6df2d66
Opcode Fuzzy Hash: c7d6b4683fc727a100783c036e2fae0b82cda9dd39241364f056c724b4a6eaef
Instruction Fuzzy Hash: D351E1359043869EEB19EFA8C481AFE7BE4EF55310F64406AEC519B2D1D7309D82CBA0

Function 000DF291 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 000DF2A2
GlobalMemoryStatusEx.KERNEL32(?), ref: 000DF2BB

Strings

@, xrefs: 000DF2AF

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: a2820fb96d838d814b5cdf96376c6f38f9776c4a02e5e36cfadef16c9d25d580
Instruction ID: 8ff3cce9c03feabd3c2b0badf5a327817842ebd4fe15aff87daa0fc1813827ce
Opcode Fuzzy Hash: a2820fb96d838d814b5cdf96376c6f38f9776c4a02e5e36cfadef16c9d25d580
Instruction Fuzzy Hash: 75513771408744ABE320AF14DC86BAFBBF8FB84300F81885DF1D941196EB718569CB67

Function 00145745 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,00000003,?,?), ref: 001457E0
_wcslen.LIBCMT ref: 001457EC

Strings

CALLARGARRAY, xrefs: 001457E6, 001457EB

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID: BuffCharUpper_wcslen
String ID: CALLARGARRAY
API String ID: 157775604-1150593374
Opcode ID: 49b9c23d167decf631441150bf71a18e54901e48737c74841a7b74efd4fdbf35
Instruction ID: b651d68b735c9721f051c698207b020c3398757f9d6c050ae90a3679b60d86d6
Opcode Fuzzy Hash: 49b9c23d167decf631441150bf71a18e54901e48737c74841a7b74efd4fdbf35
Instruction Fuzzy Hash: 9F419471E0020ADFCB14DFA9C8859FEBBB6FF59314F104069E515A72A2DB309D81CBA0

Function 0013D0F4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 98networkCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0013D130
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 0013D13A

Strings

|, xrefs: 0013D10B

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID: CrackInternet_wcslen
String ID: |
API String ID: 596671847-2343686810
Opcode ID: a8225a8bf73c7abed1c08538cf9a8035fd21e67e1b0fc29308c9455b9a9dac1a
Instruction ID: 2b4866ce4bfa2f9f6c2f199037c7bfe1a6eb1ff9f4f5245806c27b87c86f2203
Opcode Fuzzy Hash: a8225a8bf73c7abed1c08538cf9a8035fd21e67e1b0fc29308c9455b9a9dac1a
Instruction Fuzzy Hash: 45313D71D00209ABCF15EFA5DC85EEE7FB9FF04300F000059F815A6162DB32AA56CB60

Function 0015356C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 96COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 00153621
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 0015365C

Strings

static, xrefs: 001535BC

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: d34c118a29adffd87730303404b06601a70bd1ea34dff30406cf36edd19ebff7
Instruction ID: c6f39ef7acc13139873eebce04692700a3a61c6ceb52cc5bc3c067ccae055ba4
Opcode Fuzzy Hash: d34c118a29adffd87730303404b06601a70bd1ea34dff30406cf36edd19ebff7
Instruction Fuzzy Hash: EF317A71110604AEDB109F28D880EFB73A9FF88761F10961DF8B59B290DB31A9869760

Function 00154537 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001132,00000000,?), ref: 0015461F
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00154634

Strings

', xrefs: 0015458E

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: 7fcfe72eb8cce06ef911cc510c994c06f78d5721caecdbc8de31160c7b98bb0a
Instruction ID: 2e43ca9b1203facc0503bcc1d06375fa905289b2da9dc896bb1377f2a36fa5f0
Opcode Fuzzy Hash: 7fcfe72eb8cce06ef911cc510c994c06f78d5721caecdbc8de31160c7b98bb0a
Instruction Fuzzy Hash: 6D311674A0130AEFDB14CFA9C990BDA7BB5FB09305F10406AED14AB341E770A985CF90

Function 001531EF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 0015327C
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00153287

Strings

Combobox, xrefs: 00153249

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: 9a247d441a60a5547de56ed437399b734c5015ca05fe7a2111df6b186ab3fda9
Instruction ID: 45f4be2c4ef013517de6c0e189b89fecc169478a8b5c004bcb99ea0d336640dd
Opcode Fuzzy Hash: 9a247d441a60a5547de56ed437399b734c5015ca05fe7a2111df6b186ab3fda9
Instruction Fuzzy Hash: 7A11B271300608BFEF259F54DC80EFB376AEB943A5F104129F938AB290D7319D959760

Function 00153710 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 000C600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 000C604C
Part of subcall function 000C600E: GetStockObject.GDI32(00000011), ref: 000C6060
Part of subcall function 000C600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 000C606A

GetWindowRect.USER32(00000000,?), ref: 0015377A
GetSysColor.USER32(00000012), ref: 00153794

Strings

static, xrefs: 00153757

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: 521ad57226d8a94aad1ecf84798a4b8b519991dd7ebefc47e2353176ba285585
Instruction ID: bb44183cfedf7894bee1570878b5663cfd9ad8706f2a466a09a1775c61e473ab
Opcode Fuzzy Hash: 521ad57226d8a94aad1ecf84798a4b8b519991dd7ebefc47e2353176ba285585
Instruction Fuzzy Hash: B11159B2A1020AEFDB00DFA8CC45EEA7BB8FB08345F004514FD65E7250E735E8559B50

Function 0013CD1E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 0013CD7D
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 0013CDA6

Strings

<local>, xrefs: 0013CD66

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: e6b5e2c621bd1fd984527b197a919a8a5bd24e59ea644c76b3f57ccdf2ef7cd8
Instruction ID: ee290d228ee05edcdbb6aa1e288183b14e8bf88a2a9ae16061f54ade5f1a08a4
Opcode Fuzzy Hash: e6b5e2c621bd1fd984527b197a919a8a5bd24e59ea644c76b3f57ccdf2ef7cd8
Instruction Fuzzy Hash: 7D11C275205631BAD7384FA68C49EE7BEACEF127A4F00422AB109A7080D7709940D7F0

Function 00153429 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 001534AB
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 001534BA

Strings

edit, xrefs: 0015348F

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: 30f2651b59b558c6f953a82a7177b2363e70cd088670b06efc3bbe9e526064d3
Instruction ID: 5beccc9d688042092cdec4c695868b6844016ac3140560ec16448efe1616add5
Opcode Fuzzy Hash: 30f2651b59b558c6f953a82a7177b2363e70cd088670b06efc3bbe9e526064d3
Instruction Fuzzy Hash: D7116D71100208EFEB124E64DC44AEB376AEB153B5F504724FD719B1D0C771DD999750

Function 00126C86 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 000C9CB3: _wcslen.LIBCMT ref: 000C9CBD

CharUpperBuffW.USER32(?,?,?), ref: 00126CB6
_wcslen.LIBCMT ref: 00126CC2

Strings

STOP, xrefs: 00126CBC, 00126CC1

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: STOP
API String ID: 1256254125-2411985666
Opcode ID: c0d5aeeec840b5a7fefc64aa442c1aba8072aaef7a554cc15f550b7768f59aa3
Instruction ID: 98af179847d0cc5088e532365c7a6b6a0e183187fad9ba0b5cab2e343669eb3d
Opcode Fuzzy Hash: c0d5aeeec840b5a7fefc64aa442c1aba8072aaef7a554cc15f550b7768f59aa3
Instruction Fuzzy Hash: CA01D232A0053A8BCB20AFFDEC819BF77B5EB617547510529E8A2A71D1EB31D960C690

Function 00121CDE Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 000C9CB3: _wcslen.LIBCMT ref: 000C9CBD

Part of subcall function 00123CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00123CCA

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00121D4C

Strings

ComboBox, xrefs: 00121CEB
ListBox, xrefs: 00121D16

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 69875d99f803492efa3f732e3d211b132daa77e98ed5616a232af87c1498e3cd
Instruction ID: aa5358293a4df2c7745149b34660b30f2803a207fc7e4139105acb24b16f1885
Opcode Fuzzy Hash: 69875d99f803492efa3f732e3d211b132daa77e98ed5616a232af87c1498e3cd
Instruction Fuzzy Hash: 8C01D875601228FBCB08EFE4EC59DFE7769EB66350B44091AF832573C2EB3059288760

Function 00121BD8 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 000C9CB3: _wcslen.LIBCMT ref: 000C9CBD

Part of subcall function 00123CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00123CCA

SendMessageW.USER32(?,00000180,00000000,?), ref: 00121C46

Strings

ComboBox, xrefs: 00121BE5
ListBox, xrefs: 00121C10

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 948fcfca07eae753faf90308bf311d2791a0326a89a7a2bef3806da3b538f42b
Instruction ID: 3865505470f60baca1d3fd0afd6397d4ee4423f644069c3e7eff138c64121e2d
Opcode Fuzzy Hash: 948fcfca07eae753faf90308bf311d2791a0326a89a7a2bef3806da3b538f42b
Instruction Fuzzy Hash: 1F0167756811187BCB18FB90E956EFF77A99B25340F140019A416772C2EB249F3C87B5

Function 00121C5C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 000C9CB3: _wcslen.LIBCMT ref: 000C9CBD

Part of subcall function 00123CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00123CCA

SendMessageW.USER32(?,00000182,?,00000000), ref: 00121CC8

Strings

ComboBox, xrefs: 00121C69
ListBox, xrefs: 00121C94

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 8fa8e4f85510a1b4c83472b54cc5d69e06c917a04f9057feef8acf1458998049
Instruction ID: 7f4740ebbab7bd4f1c9f65ac77f444f3086315226b7e81e964e64167b707a798
Opcode Fuzzy Hash: 8fa8e4f85510a1b4c83472b54cc5d69e06c917a04f9057feef8acf1458998049
Instruction Fuzzy Hash: AA01D67568022877CB04FBA0DA56EFE77A99B31340F540029B81273282EB209F38C7B1

Function 00121D68 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 46windowCOMMON

Download Yara Rule

APIs

Part of subcall function 000C9CB3: _wcslen.LIBCMT ref: 000C9CBD

Part of subcall function 00123CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00123CCA

SendMessageW.USER32(?,0000018B,00000000,00000000), ref: 00121DD3

Strings

ComboBox, xrefs: 00121D75
ListBox, xrefs: 00121DA0

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 56f569ff60cac8f901a18c093953d30dc3bcdd51e2cf3301d9c269cb8307b3d3
Instruction ID: 3a26d6819d5d38b8a0739aa145ffdbb171f5be3535e7b42b8a82c896d23fdeb9
Opcode Fuzzy Hash: 56f569ff60cac8f901a18c093953d30dc3bcdd51e2cf3301d9c269cb8307b3d3
Instruction Fuzzy Hash: 58F0A971A41228B7D714FBE4DC5AFFE7768AB21350F440919B432672C2DB605A288660

Function 0014747E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00147493
_wcslen.LIBCMT ref: 001474B9

Strings

3, 3, 16, 1, xrefs: 00147483

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID: _wcslen
String ID: 3, 3, 16, 1
API String ID: 176396367-3042988571
Opcode ID: d6b4e08805b5855b4ef86875176dfffff6bf421ff332bf280ae3fea6705678c4
Instruction ID: 72aba16aeedd1d01038284d9b7c35ba7109720ec8f98a045a7d31c865c76579d
Opcode Fuzzy Hash: d6b4e08805b5855b4ef86875176dfffff6bf421ff332bf280ae3fea6705678c4
Instruction Fuzzy Hash: D8E02B02204260149231227AACC19BF5789DFC9750718182BF981E22F7EB94CD9193F1

Function 00120B15 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 28windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00120B23

Strings

AutoIt, xrefs: 00120B17
Error allocating memory., xrefs: 00120B1C

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID: Message
String ID: AutoIt$Error allocating memory.
API String ID: 2030045667-4017498283
Opcode ID: a8a6480486c1ed3237e7e67d82b4f3b61cf80bfb63f455c637645fa82febe962
Instruction ID: b497d935ceefffc428ef07f9e164a95eecf8f1c96e060d0721c1ec1b944a6195
Opcode Fuzzy Hash: a8a6480486c1ed3237e7e67d82b4f3b61cf80bfb63f455c637645fa82febe962
Instruction Fuzzy Hash: 65E0D8312443186ED2203B957C03FC97B85CF09F55F10446BFB58695C38BE2259046E9

Function 000E0D42 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 000DF7C9: InitializeCriticalSectionAndSpinCount.KERNEL32(00190A88,00000000,00190A74,000E0D71,?,?,?,000C100A), ref: 000DF7CE

IsDebuggerPresent.KERNEL32(?,?,?,000C100A), ref: 000E0D75
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,000C100A), ref: 000E0D84

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 000E0D7F

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 55579361-631824599
Opcode ID: 156779dc952e715e7b1003198834865cce243b7c3e435bab9b8b8eee3315e589
Instruction ID: 08ab6df9a05a67394b15aa1910d59a637a69fed563120ebcd7b97bef85a15c3b
Opcode Fuzzy Hash: 156779dc952e715e7b1003198834865cce243b7c3e435bab9b8b8eee3315e589
Instruction Fuzzy Hash: 5EE06D74204341CFD3609FB9D8087967BE0EB00745F01892DE892DAA52DBF5E4C8CBA1

Function 0011D21C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 0011D220

Strings

%.3d, xrefs: 0011D22B
X64, xrefs: 0011D2A8

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID: LocalTime
String ID: %.3d$X64
API String ID: 481472006-1077770165
Opcode ID: 0d8d623c6b9dd0b18be798a3fc7de17b52d25feff83a3d294fed470b0952ee59
Instruction ID: eb8bce1e9d741ea56f71f1d972f71fec7e4d409eb0fa8694b2249e15763d7e85
Opcode Fuzzy Hash: 0d8d623c6b9dd0b18be798a3fc7de17b52d25feff83a3d294fed470b0952ee59
Instruction Fuzzy Hash: 8AD01261808219E9CB5C96D0EC459F9B37CFB19341F618473F81791040E734D5886B62

Function 00152322 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0015232C
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 0015233F

Part of subcall function 0012E97B: Sleep.KERNEL32 ref: 0012E9F3

Strings

Shell_TrayWnd, xrefs: 00152325

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 1935afc4de01c3fdccfe32bc1e980a891f704fc0e011dea36defebf1d46fa746
Instruction ID: 424b2878ce6d68d5f28f374a3464f64698d356b7b3d6766036641e7a4be95276
Opcode Fuzzy Hash: 1935afc4de01c3fdccfe32bc1e980a891f704fc0e011dea36defebf1d46fa746
Instruction Fuzzy Hash: 07D0C976394310BAE668BB70AC1FFC67A549B10B15F0049167645AA1D0DAA0A8818A94

Function 00152356 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0015236C
PostMessageW.USER32(00000000), ref: 00152373

Part of subcall function 0012E97B: Sleep.KERNEL32 ref: 0012E9F3

Strings

Shell_TrayWnd, xrefs: 00152365

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: a9f7162eb8017c5aecdb6bd7b56444f46da331ef866de92bcd4859ca1594ba94
Instruction ID: 3665c2c9e7e03b31a58c0e280893813c81cebe220cc8f8a6cc2793fe9b8246c7
Opcode Fuzzy Hash: a9f7162eb8017c5aecdb6bd7b56444f46da331ef866de92bcd4859ca1594ba94
Instruction Fuzzy Hash: 88D0C9723D1310BEE668BB70AC1FFC676549B14B15F4049167645AA1D0DAA0A8818A94

Function 000FBDFD Relevance: 5.1, APIs: 4, Instructions: 139COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,?,?,00000000,?,?,?,?,?,00000000,?), ref: 000FBE93
GetLastError.KERNEL32 ref: 000FBEA1
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 000FBEFC

Memory Dump Source

Source File: 00000000.00000002.1755056882.00000000000C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1755038060.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.0000000000182000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000018C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.000000000019A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755056882.00000000001E7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755245875.00000000001ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755265673.00000000001EE000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_xom6WSISuh.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1717984340-0
Opcode ID: 7ea89eafef56f0bd70ae3cc4e3c041059ac361ccd8ce3e2a506c416288021723
Instruction ID: 0404d657a9bc5467b117c5579d690e834103ce724a262660a2ed0071fd0dcaa7
Opcode Fuzzy Hash: 7ea89eafef56f0bd70ae3cc4e3c041059ac361ccd8ce3e2a506c416288021723
Instruction Fuzzy Hash: 4641C13460420AEFCB718F65CC44ABA7BE5EF41320F294169FA599B5A2DB318D04EF60

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report xom6WSISuh.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: MassLogger

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Data Obfuscation

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\aut1E99.tmp

C:\Users\user\AppData\Local\Temp\aut2530.tmp

C:\Users\user\AppData\Local\Temp\aut6391.tmp

C:\Users\user\AppData\Local\Temp\chiffons

C:\Users\user\AppData\Local\oxman\gehlenite.exe

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\gehlenite.vbs

Static File Info

General

File Icon

Static PE Info

General

Windows Analysis Report
xom6WSISuh.exe

Function 000C42DE Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235
libraryloaderCOMMON

Function 000C3170 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 145
timewindowregistryCOMMON

Function 000C42A2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Function 00102BA5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62
COMMON

Function 0010065B Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Function 000C344D Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Function 000C2B83 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Function 000C2CD4 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 53
registrywindowclipboardCOMMON

Function 000F8D45 Relevance: 13.8, APIs: 9, Instructions: 300
COMMONLIBRARYCODE

Function 00BE5CA8 Relevance: 10.7, APIs: 7, Instructions: 151
fileCOMMON

Function 000C2C63 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre